g_random_*() is based on GRand, which is not a CSPRNG. Instead, rely on
kernel to give us good random numbers, which is what nm_random_*() does.
Note that nm_random_*() calls getrandom() (or reads /dev/urandom), which
most likely is slower than GRand. It doesn't matter for our uses though.
It is cumbersome to review all uses of g_rand_*() whether their usage of
a non-cryptographically secure generator is appropriate. Instead, just
always use an appropriate function, thereby avoiding this question. Even
glib documentation refers to reading "/dev/urandom" as alternative. Which
is what nm_random_*() does. These days, it seems unnecessary to not use
the best random generator available, unless it's not fast enough or you
need a stable/seedable stream of random numbers.
In particular in nmcli, we used g_random_int_range() to generate
passwords. That is not appropriate. Sure, it's *only* for the hotspot,
but still.
(cherry picked from commit 6e96d71731)
The present version of the EC2 metadata API (IMDSv2) requires a header
with a token to be present in all requests. The token is essentially a
cookie that's not actually a cookie that's obtained with a PUT call that
doesn't put anything. Apparently it's too easy to trick someone into
calling a GET method.
EC2 now supports IMDSv2 everywhere with IMDSv1 being optional, so let's
just use IMDSv2 unconditionally. Also, the presence of a token API can
be used to detect the AWS EC2 cloud.
https://bugzilla.redhat.com/show_bug.cgi?id=2151986
(cherry picked from commit 8b7e12c2d6)
Clarify that detect() needs to succeed before get_config().
I thought it's sort of common sense, but it's better to be explicit as
we're going to rely on that.
(cherry picked from commit 088bfd817a)
We're going to extend those to issue methods other than GET.
Also, "request" would've been too long, "req" looks nicer.
(cherry picked from commit 85ce088616)
No need to do a deep clone. The strv array is not ever modified and we
pack it together in one memory allocation.
(cherry picked from commit 599fe234ea)
The compiler may dislike this:
CC src/core/platform/tests/libNetworkManagerTest_la-test-common.lo
In function '_ip_address_add',
inlined from 'nmtstp_ip4_address_add' at ../src/core/platform/tests/test-common.c:1892:5:
../src/core/platform/tests/test-common.c:1807:63: error: array subscript 'NMIPAddr {aka const struct _NMIPAddr}[0]' is partly outside array bounds of 'in_addr_t[1]' {aka 'unsigned int[1]'} [-Werror=array-bounds]
1807 | peer_address->addr4,
| ~~~~~~~~~~~~^~~~~~~
../src/core/platform/tests/test-common.c: In function 'nmtstp_ip4_address_add':
../src/core/platform/tests/test-common.c:1886:36: note: object 'peer_address' of size 4
1886 | in_addr_t peer_address,
| ~~~~~~~~~~~~^~~~~~~~~~~~
...
Fixes: 06aafabf14 ('platform/test: add test adding IPv4 addresses that only differ by their peer-address')
(cherry picked from commit 40dd8bf93a)
When reloading the configuration and there is a global DNS
configuration without domains, NM crashes in global_dns_equal()
because `old->domains` and `new->domains` are both NULL. Fix that.
Thread 1 "NetworkManager" received signal SIGTRAP, Trace/breakpoint trap.
0 g_logv (log_domain=0x7fe81a2110be "GLib", log_level=G_LOG_LEVEL_CRITICAL, format=<optimized out>, args=<optimized out>) at ../glib/gmessages.c:1433
1 g_log (log_domain=<optimized out>, log_level=<optimized out>, format=<optimized out>) at ../glib/gmessages.c:1471
2 g_hash_table_size (hash_table=<optimized out>) at ../glib/ghash.c:2183
3 g_hash_table_size (hash_table=<optimized out>) at ../glib/ghash.c:2181
4 global_dns_equal (new=0xecc540, old=0xe618e0) at ../src/core/nm-config-data.c:1466
5 nm_config_data_diff (old_data=old_data@entry=0xe60020, new_data=new_data@entry=0xe606a0) at ../src/core/nm-config-data.c:1946
6 _set_config_data (self=0xe45810, new_data=0xe606a0, reload_flags=NM_CONFIG_CHANGE_CAUSE_SIGHUP) at ../src/core/nm-config.c:2923
7 nm_config_reload (self=0xe45810, reload_flags=NM_CONFIG_CHANGE_CAUSE_SIGHUP, emit_warnings=emit_warnings@entry=1) at ../src/core/nm-config.c:2875
8 nm_main_config_reload (signal=<optimized out>) at ../src/core/main.c:141
9 sighup_handler (user_data=<optimized out>) at ../src/core/main-utils.c:26
10 g_main_dispatch (context=0xe619e0) at ../glib/gmain.c:3444
11 g_main_context_dispatch (context=0xe619e0) at ../glib/gmain.c:4162
12 g_main_context_iterate.constprop.0 (context=0xe619e0, block=1, dispatch=1, self=<optimized out>) at ../glib/gmain.c:4238
13 g_main_loop_run (loop=0xe5e310) at ../glib/gmain.c:4438
14 main (argc=<optimized out>, argv=<optimized out>) at ../src/core/main.c:515
Fixes: 1f0d1d78d2 ('dns-manager: always apply options from [global-dns]')
(cherry picked from commit ba4a9ea79a)
We must first check whether a->arp_ip_targets_num and
b->arp_ip_targets_num are identical. Otherwise, this accesses
potentially uninitialized values.
Fixes: f900f7bc2c ('platform: add netlink support for bond link')
(cherry picked from commit 8dd18d91b2)
Now the settings in the [global-dns] section are used *in addition* to
connection-specific ones. Only the global domains sections, when
valid, override connection settings. Update the man page to clarify
that.
Fixes: 1f0d1d78d2 ('dns-manager: always apply options from [global-dns]')
(cherry picked from commit f57a848da5)
The global configuration now can be valid when there are no global
domains defined. The dnsmasq backend must process it and then, if
there is no global default domain, also process the per-connection
settings.
Fixes: 1f0d1d78d2 ('dns-manager: always apply options from [global-dns]')
(cherry picked from commit 5c0a927e0f)
We are passing to the plugin only 'sett_flags', which is the bitmask
of flags to change and works together with 'sett_mask'; however,
plugins interpret that value as the new flags value. The result is
that if there is no change needed (0/0), the existing flags are lost.
Simple reproducer:
ip link add dummy1 type dummy
ip link set dummy1 up
ip addr add dev dummy1 fd01::12/64
sleep 1
# now, a external connection is created by NM
echo "BEFORE:"
cat /run/NetworkManager/system-connections/dummy1.nmconnection | grep "nm-generated\|volatile\|external"
# just add a new address to the interface to make it lose
# the external flag
ip addr add dev dummy1 172.25.42.1/24
sleep 1
echo "AFTER:"
cat /run/NetworkManager/system-connections/dummy1.nmconnection | grep "nm-generated\|volatile\|external"
Output:
BEFORE:
nm-generated=true
volatile=true
external=true
AFTER:
Fixes: d35d3c468a ('settings: rework tracking settings connections and settings plugins')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1548
(cherry picked from commit 86b922695f)
We just lookup the link info by ifindex. There is no guarantee that that
ifindex is of the expected type, to have a suitable ext-data. Check for
that.
Fixes: a7d2cad67e ('platform/linux: add support for WPAN links')
(cherry picked from commit 6dafe78088)
This affects the order in which properties are listed in `nmcli
connection show`. The replace-local-rule property should be after the
routing-rule property.
(cherry picked from commit f46512c54f)
To embrace the inclusive language, deprecate the NMActiveConnection
Master property and in favor of the NMActiveConnection Controller
property.
(cherry picked from commit af677542b5)
This setting allows the user to remove the local route rule that is
autogenerated for both IPv4 and IPv6. By default, NetworkManager won't
touch the local route rule.
(cherry picked from commit d2ca44ffc6)
The new function tracks local route rule in the GlobalTracker properly.
It also allow the developer to specify the untrack user tag.
(cherry picked from commit 79611e4fcc)
A tentative IPv6 address can still fail DAD, so don't use it to
resolve the hostname via DNS. Furthermore, tentative addresses can't
be used to contact the nameserver and so the resolution will fail if
there is no other valid IPv6 address. Wait that the address becomes
non-tentative.
(cherry picked from commit 4138be6a5a)
Currently the only way to return an error code from the daemon helper
is via the process exit code, but that is not enough to fully describe
an error from getaddrinfo(); in fact, the function returns a EAI_*
error code and when the value is EAI_SYSTEM, the error code is
returned in errno.
At the moment, any messages printed to stderr by the helper goes to NM
stderr; instead, we want to capture it and pass it through the logging
mechanism of NM, so that it can be filtered according to level and
domain.
(cherry picked from commit d65702803c)
Improve logging:
- log only when something changes
- print the new resolver state, instead of the old one
- rename state "in-progress" to "started"
- log when the resolver state is reset due to DNS changes
(cherry picked from commit 7037aa66c6)
