parent
336e67597b
commit
6daa59f8f1
@ -0,0 +1,45 @@
|
|||||||
|
From 18ce5f43bd16b3cc394424619652c782cb3795c3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gris Ge <fge@redhat.com>
|
||||||
|
Date: Tue, 27 Jun 2023 15:02:54 +0800
|
||||||
|
Subject: [PATCH] setting-connection: Unblock autoconnect upon finish of
|
||||||
|
`Reapply`
|
||||||
|
|
||||||
|
The activation of a connection will clear the block of autoconnect,
|
||||||
|
we should do the same for reapply.
|
||||||
|
|
||||||
|
Signed-off-by: Gris Ge <fge@redhat.com>
|
||||||
|
(cherry picked from commit 0486efd3584c70179072f611e63b9c0ff6851b80)
|
||||||
|
---
|
||||||
|
src/core/devices/nm-device.c | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
|
||||||
|
index c168fa045d..62a9ff1e84 100644
|
||||||
|
--- a/src/core/devices/nm-device.c
|
||||||
|
+++ b/src/core/devices/nm-device.c
|
||||||
|
@@ -12902,6 +12902,7 @@ check_and_reapply_connection(NMDevice *self,
|
||||||
|
NMConnection *con_old;
|
||||||
|
NMConnection *con_new;
|
||||||
|
GHashTableIter iter;
|
||||||
|
+ NMSettingsConnection *sett_conn;
|
||||||
|
|
||||||
|
if (priv->state < NM_DEVICE_STATE_PREPARE || priv->state > NM_DEVICE_STATE_ACTIVATED) {
|
||||||
|
g_set_error_literal(error,
|
||||||
|
@@ -13074,6 +13075,14 @@ check_and_reapply_connection(NMDevice *self,
|
||||||
|
if (priv->state >= NM_DEVICE_STATE_ACTIVATED)
|
||||||
|
nm_device_update_metered(self);
|
||||||
|
|
||||||
|
+ sett_conn = nm_device_get_settings_connection(self);
|
||||||
|
+ if (sett_conn) {
|
||||||
|
+ nm_settings_connection_autoconnect_blocked_reason_set(
|
||||||
|
+ sett_conn,
|
||||||
|
+ NM_SETTINGS_AUTO_CONNECT_BLOCKED_REASON_USER_REQUEST,
|
||||||
|
+ FALSE);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Notify dispatcher when re-applied */
|
||||||
|
_LOGD(LOGD_DEVICE, "Notifying re-apply complete");
|
||||||
|
nm_dispatcher_call_device(NM_DISPATCHER_ACTION_REAPPLY, self, NULL, NULL, NULL, NULL);
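Review bot: The added block in check_and_reapply_connection() carries no comment explaining why a finished reapply clears the autoconnect block, and it clears only `NM_SETTINGS_AUTO_CONNECT_BLOCKED_REASON_USER_REQUEST`. I would put this above the `sett_conn = nm_device_get_settings_connection(self);` line: `/* Like a successful activation, a finished reapply lifts the user-request autoconnect block. */`. Whether the other blocked reasons are meant to survive a reapply is not visible in this hunk and is worth stating in the same comment. The function starts and ends outside both hunks.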
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,88 @@
|
|||||||
|
From d6f13aefda85ea06985e7fe2f776abd8ee0406cf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Beniamino Galvani <bgalvani@redhat.com>
|
||||||
|
Date: Fri, 24 Mar 2023 17:42:45 +0100
|
||||||
|
Subject: [PATCH] core: fix l3cd comparison
|
||||||
|
|
||||||
|
NM_CMP_SELF(a, b) returns immediately if the objects are the same.
|
||||||
|
|
||||||
|
Fixes: cb29244552af ('core: support compare flags in nm_l3_config_data_cmp_full()')
|
||||||
|
Fixes-test: @dracut_NM_iSCSI_ibft_table
|
||||||
|
|
||||||
|
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1583
|
||||||
|
(cherry picked from commit 0a02995175e06e62924705393121a1c5efc3822d)
|
||||||
|
(cherry picked from commit 5d95c20787077a91d684259d67f2e0ff3a1d7a1a)
|
||||||
|
---
|
||||||
|
src/core/nm-l3-config-data.c | 54 +++++++++++++++++++-----------------
|
||||||
|
1 file changed, 28 insertions(+), 26 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/core/nm-l3-config-data.c b/src/core/nm-l3-config-data.c
|
||||||
|
index 17bb9db87d..d5dedb9c8a 100644
|
||||||
|
--- a/src/core/nm-l3-config-data.c
|
||||||
|
+++ b/src/core/nm-l3-config-data.c
|
||||||
|
@@ -2297,35 +2297,37 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a,
|
||||||
|
const NMPObject *def_route_a = a->best_default_route_x[IS_IPv4];
|
||||||
|
const NMPObject *def_route_b = b->best_default_route_x[IS_IPv4];
|
||||||
|
|
||||||
|
- NM_CMP_SELF(def_route_a, def_route_b);
|
||||||
|
-
|
||||||
|
- if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES)) {
|
||||||
|
- NM_CMP_RETURN(nmp_object_cmp_full(def_route_a,
|
||||||
|
- def_route_b,
|
||||||
|
- NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)
|
||||||
|
- ? NMP_OBJECT_CMP_FLAGS_NONE
|
||||||
|
- : NMP_OBJECT_CMP_FLAGS_IGNORE_IFINDEX));
|
||||||
|
- } else if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID)) {
|
||||||
|
- if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)) {
|
||||||
|
- NM_CMP_DIRECT(def_route_a->obj_with_ifindex.ifindex,
|
||||||
|
- def_route_b->obj_with_ifindex.ifindex);
|
||||||
|
- }
|
||||||
|
+ if (def_route_a != def_route_b) {
|
||||||
|
+ if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES)) {
|
||||||
|
+ NM_CMP_RETURN(
|
||||||
|
+ nmp_object_cmp_full(def_route_a,
|
||||||
|
+ def_route_b,
|
||||||
|
+ NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)
|
||||||
|
+ ? NMP_OBJECT_CMP_FLAGS_NONE
|
||||||
|
+ : NMP_OBJECT_CMP_FLAGS_IGNORE_IFINDEX));
|
||||||
|
+ } else if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID)) {
|
||||||
|
+ if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_IFINDEX)) {
|
||||||
|
+ NM_CMP_DIRECT(def_route_a->obj_with_ifindex.ifindex,
|
||||||
|
+ def_route_b->obj_with_ifindex.ifindex);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if (IS_IPv4) {
|
||||||
|
- NMPlatformIP4Route ra = def_route_a->ip4_route;
|
||||||
|
- NMPlatformIP4Route rb = def_route_b->ip4_route;
|
||||||
|
+ if (IS_IPv4) {
|
||||||
|
+ NMPlatformIP4Route ra = def_route_a->ip4_route;
|
||||||
|
+ NMPlatformIP4Route rb = def_route_b->ip4_route;
|
||||||
|
|
||||||
|
- NM_CMP_DIRECT(ra.metric, rb.metric);
|
||||||
|
- NM_CMP_DIRECT(ra.plen, rb.plen);
|
||||||
|
- NM_CMP_RETURN_DIRECT(nm_ip4_addr_same_prefix_cmp(ra.network, rb.network, ra.plen));
|
||||||
|
- } else {
|
||||||
|
- NMPlatformIP6Route ra = def_route_a->ip6_route;
|
||||||
|
- NMPlatformIP6Route rb = def_route_b->ip6_route;
|
||||||
|
+ NM_CMP_DIRECT(ra.metric, rb.metric);
|
||||||
|
+ NM_CMP_DIRECT(ra.plen, rb.plen);
|
||||||
|
+ NM_CMP_RETURN_DIRECT(
|
||||||
|
+ nm_ip4_addr_same_prefix_cmp(ra.network, rb.network, ra.plen));
|
||||||
|
+ } else {
|
||||||
|
+ NMPlatformIP6Route ra = def_route_a->ip6_route;
|
||||||
|
+ NMPlatformIP6Route rb = def_route_b->ip6_route;
|
||||||
|
|
||||||
|
- NM_CMP_DIRECT(ra.metric, rb.metric);
|
||||||
|
- NM_CMP_DIRECT(ra.plen, rb.plen);
|
||||||
|
- NM_CMP_RETURN_DIRECT(
|
||||||
|
- nm_ip6_addr_same_prefix_cmp(&ra.network, &rb.network, ra.plen));
|
||||||
|
+ NM_CMP_DIRECT(ra.metric, rb.metric);
|
||||||
|
+ NM_CMP_DIRECT(ra.plen, rb.plen);
|
||||||
|
+ NM_CMP_RETURN_DIRECT(
|
||||||
|
+ nm_ip6_addr_same_prefix_cmp(&ra.network, &rb.network, ra.plen));
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
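Review bot: With `NM_CMP_SELF(def_route_a, def_route_b)` removed, the `NM_L3_CONFIG_CMP_FLAGS_ROUTES_ID` branch dereferences both pointers (`def_route_a->obj_with_ifindex.ifindex`, `def_route_a->ip4_route`) after checking only `def_route_a != def_route_b`. As far as I know NM_CMP_SELF also ordered the case where exactly one side is NULL, so comparing a config without a best default route against one that has it would now reach those dereferences, unless something outside the hunk guarantees both are set. A guard at the top of that branch keeps the old ordering: `if (!def_route_a || !def_route_b) return def_route_a ? 1 : -1;`. Whether nmp_object_cmp_full() in the ROUTES branch accepts NULL is not visible here. The function body continues outside the hunk.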
|
||||||
|
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
@ -0,0 +1,530 @@
|
|||||||
|
From c00002b12d34c12d418f5753e03df43ecb6ef67d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Haller <thaller@redhat.com>
|
||||||
|
Date: Wed, 10 May 2023 08:37:06 +0200
|
||||||
|
Subject: [PATCH 1/5] glib-aux: add
|
||||||
|
NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE flag to escape double quotes
|
||||||
|
|
||||||
|
This is useful when printing a string for debugging. Then we can
|
||||||
|
printf("v=\"%s\"", utf8safe_escaped_text), which can be safely unescaped
|
||||||
|
with `echo -e`.
|
||||||
|
|
||||||
|
(cherry picked from commit c26a94e95551021d86cae6fc0e6aafb97b1363f6)
|
||||||
|
(cherry picked from commit 18848c77c7a44b179ad0c582ac60cee7602d1786)
|
||||||
|
---
|
||||||
|
src/libnm-glib-aux/nm-shared-utils.c | 21 +++++++++++++--------
|
||||||
|
src/libnm-glib-aux/nm-shared-utils.h | 8 ++++++--
|
||||||
|
2 files changed, 19 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libnm-glib-aux/nm-shared-utils.c b/src/libnm-glib-aux/nm-shared-utils.c
|
||||||
|
index 702a63e9f6..49f2c93e35 100644
|
||||||
|
--- a/src/libnm-glib-aux/nm-shared-utils.c
|
||||||
|
+++ b/src/libnm-glib-aux/nm-shared-utils.c
|
||||||
|
@@ -2755,13 +2755,16 @@ nm_utils_buf_utf8safe_escape(gconstpointer buf,
|
||||||
|
if (g_utf8_validate(str, buflen, &p) && nul_terminated) {
|
||||||
|
/* note that g_utf8_validate() does not allow NUL character inside @str. Good.
|
||||||
|
* We can treat @str like a NUL terminated string. */
|
||||||
|
- if (!NM_STRCHAR_ANY(str,
|
||||||
|
- ch,
|
||||||
|
- (ch == '\\'
|
||||||
|
- || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL)
|
||||||
|
- && nm_ascii_is_ctrl_or_del(ch))
|
||||||
|
- || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII)
|
||||||
|
- && nm_ascii_is_non_ascii(ch)))))
|
||||||
|
+ if (!NM_STRCHAR_ANY(
|
||||||
|
+ str,
|
||||||
|
+ ch,
|
||||||
|
+ (ch == '\\'
|
||||||
|
+ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL)
|
||||||
|
+ && nm_ascii_is_ctrl_or_del(ch))
|
||||||
|
+ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII)
|
||||||
|
+ && nm_ascii_is_non_ascii(ch))
|
||||||
|
+ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE)
|
||||||
|
+ && ch == '"'))))
|
||||||
|
return str;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2781,7 +2784,9 @@ nm_utils_buf_utf8safe_escape(gconstpointer buf,
|
||||||
|
else if ((NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL)
|
||||||
|
&& nm_ascii_is_ctrl_or_del(ch))
|
||||||
|
|| (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII)
|
||||||
|
- && nm_ascii_is_non_ascii(ch)))
|
||||||
|
+ && nm_ascii_is_non_ascii(ch))
|
||||||
|
+ || (NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE)
|
||||||
|
+ && ch == '"'))
|
||||||
|
_str_buf_append_c_escape_octal(&strbuf, ch);
|
||||||
|
else
|
||||||
|
nm_str_buf_append_c(&strbuf, ch);
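Review bot: The new `NM_FLAGS_HAS(flags, NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE) && ch == '"'` test is written twice, once in the `NM_STRCHAR_ANY()` fast path that returns `str` unescaped and once in the escaping loop, and the two copies have to stay identical. If a later flag is added to the loop but not to the fast path, valid UTF-8 input would be returned without the escaping the caller asked for. A small `static inline` predicate taking `flags` and `ch`, used in both places, would remove that risk; failing that, a comment on each copy pointing at the other. The function starts and ends outside both hunks.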
|
||||||
|
diff --git a/src/libnm-glib-aux/nm-shared-utils.h b/src/libnm-glib-aux/nm-shared-utils.h
|
||||||
|
index 083ed137ee..ad24e7c427 100644
|
||||||
|
--- a/src/libnm-glib-aux/nm-shared-utils.h
|
||||||
|
+++ b/src/libnm-glib-aux/nm-shared-utils.h
|
||||||
|
@@ -1243,12 +1243,16 @@ typedef enum {
|
||||||
|
* It will backslash escape ascii characters according to nm_ascii_is_non_ascii(). */
|
||||||
|
NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII = 0x0002,
|
||||||
|
|
||||||
|
+ /* Escape '"' as ASCII "\\042". This is useful when escaping a string so that
|
||||||
|
+ * it can be unescaped with `echo -e $PASTE_TEXT`. */
|
||||||
|
+ NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE = 0x0004,
|
||||||
|
+
|
||||||
|
/* This flag only has an effect during escaping to ensure we
|
||||||
|
* don't leak secrets in memory. Note that during unescape we
|
||||||
|
* know the maximum result size from the beginning, and no
|
||||||
|
* reallocation happens. Thus, unescape always avoids leaking
|
||||||
|
* secrets already. */
|
||||||
|
- NM_UTILS_STR_UTF8_SAFE_FLAG_SECRET = 0x0004,
|
||||||
|
+ NM_UTILS_STR_UTF8_SAFE_FLAG_SECRET = 0x0008,
|
||||||
|
|
||||||
|
/* This flag only has an effect during unescaping. It means
|
||||||
|
* that non-escaped whitespaces (g_ascii_isspace()) will be
|
||||||
|
@@ -1256,7 +1260,7 @@ typedef enum {
|
||||||
|
* this flag is only useful for gracefully accepting user input
|
||||||
|
* with spaces. With this flag, escape and unescape may no longer
|
||||||
|
* yield the original input. */
|
||||||
|
- NM_UTILS_STR_UTF8_SAFE_UNESCAPE_STRIP_SPACES = 0x0008,
|
||||||
|
+ NM_UTILS_STR_UTF8_SAFE_UNESCAPE_STRIP_SPACES = 0x0010,
|
||||||
|
} NMUtilsStrUtf8SafeFlags;
|
||||||
|
|
||||||
|
const char *nm_utils_buf_utf8safe_escape(gconstpointer buf,
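Review bot: Inserting `NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE = 0x0004` in the middle of the enum renumbers `NM_UTILS_STR_UTF8_SAFE_FLAG_SECRET` (0x0004 to 0x0008) and `NM_UTILS_STR_UTF8_SAFE_UNESCAPE_STRIP_SPACES` (0x0008 to 0x0010). Any object built against the old header, or any caller passing a numeric value, would silently turn a SECRET request into a double-quote escape and lose the no-leak handling that the comment on that flag describes. Appending the new flag after STRIP_SPACES keeps the existing values stable: `NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE = 0x0010,`. If this header is strictly internal and always rebuilt together with its users the risk is small, but the hunks do not show that.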
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
|
From 668d8caff3b0a8ea45a63ef9676f05d87428825d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Haller <thaller@redhat.com>
|
||||||
|
Date: Wed, 10 May 2023 08:41:00 +0200
|
||||||
|
Subject: [PATCH 2/5] glib-aux: add nmtst_assert_cmpmem() helper
|
||||||
|
|
||||||
|
g_assert_cmpmem() exists, but it does not print the actual buffer
|
||||||
|
content on test failure. It is useful to see what actually failed in
|
||||||
|
the test output.
|
||||||
|
|
||||||
|
Also, nmtst_assert_cmpmem() prints a backslash escaped output, that you
|
||||||
|
can unescape in the terminal with `echo -e`. You can also directly copy
|
||||||
|
and paste the output to C source code.
|
||||||
|
|
||||||
|
(cherry picked from commit 3c3938406dd825f6a0d9e6e55319f0f68a6e2f83)
|
||||||
|
(cherry picked from commit 4ec00efca9154029f377f8498ef4bd3bd9b4cfa9)
|
||||||
|
---
|
||||||
|
src/libnm-glib-aux/nm-test-utils.h | 48 ++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 48 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/libnm-glib-aux/nm-test-utils.h b/src/libnm-glib-aux/nm-test-utils.h
|
||||||
|
index b65818e00a..a55977d1ce 100644
|
||||||
|
--- a/src/libnm-glib-aux/nm-test-utils.h
|
||||||
|
+++ b/src/libnm-glib-aux/nm-test-utils.h
|
||||||
|
@@ -203,6 +203,54 @@
|
||||||
|
} \
|
||||||
|
G_STMT_END
|
||||||
|
|
||||||
|
+#define nmtst_assert_cmpmem(m1, l1, m2, l2) \
|
||||||
|
+ G_STMT_START \
|
||||||
|
+ { \
|
||||||
|
+ const guint8 *const _m1 = (gpointer) (m1); \
|
||||||
|
+ const guint8 *const _m2 = (gpointer) (m2); \
|
||||||
|
+ const gsize _l1 = (l1); \
|
||||||
|
+ const gsize _l2 = (l2); \
|
||||||
|
+ \
|
||||||
|
+ /* This is like g_assert_cmpmem(), however on failure it actually
|
||||||
|
+ * prints the compared buffer contents, which is useful for debugging
|
||||||
|
+ * the test failure. */ \
|
||||||
|
+ \
|
||||||
|
+ g_assert(_l1 == 0 || _m1); \
|
||||||
|
+ g_assert(_l2 == 0 || _m2); \
|
||||||
|
+ \
|
||||||
|
+ if (_l1 != _l2 || (_l1 > 0 && memcmp(_m1, _m2, _l1) != 0)) { \
|
||||||
|
+ gs_free char *_s1 = NULL; \
|
||||||
|
+ gs_free char *_s2 = NULL; \
|
||||||
|
+ \
|
||||||
|
+ g_error( \
|
||||||
|
+ "ERROR: %s:%d : buffer [\"%s\" (%s, %zu bytes)] differs from [\"%s\" (%s, %zu " \
|
||||||
|
+ "bytes)]:\n" \
|
||||||
|
+ " a=[ \"%s\" ]\n" \
|
||||||
|
+ " b=[ \"%s\" ]\n", \
|
||||||
|
+ __FILE__, \
|
||||||
|
+ (int) __LINE__, \
|
||||||
|
+ #m1, \
|
||||||
|
+ #l1, \
|
||||||
|
+ _l1, \
|
||||||
|
+ #m2, \
|
||||||
|
+ #l2, \
|
||||||
|
+ _l2, \
|
||||||
|
+ (_s1 = nm_utils_buf_utf8safe_escape_cp( \
|
||||||
|
+ _m1, \
|
||||||
|
+ _l1, \
|
||||||
|
+ NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL \
|
||||||
|
+ | NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE)) \
|
||||||
|
+ ?: "", \
|
||||||
|
+ (_s2 = nm_utils_buf_utf8safe_escape_cp( \
|
||||||
|
+ _m2, \
|
||||||
|
+ _l2, \
|
||||||
|
+ NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL \
|
||||||
|
+ | NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE)) \
|
||||||
|
+ ?: ""); \
|
||||||
|
+ } \
|
||||||
|
+ } \
|
||||||
|
+ G_STMT_END
|
||||||
|
+
|
||||||
|
/*****************************************************************************/
|
||||||
|
|
||||||
|
/* Our nm-error error numbers use negative values to signal failure.
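Review bot: `_l1` and `_l2` are `gsize` but are printed with `%zu` in the `g_error()` format of nmtst_assert_cmpmem(); GLib's specifier for that type is `G_GSIZE_FORMAT`, which avoids a format/argument mismatch on a platform where gsize and size_t are distinct types. Each fragment would become `"(%s, %" G_GSIZE_FORMAT " bytes)"`. The initialisers `(gpointer) (m1)` and `(gpointer) (m2)` also cast away const before assigning to a `const guint8 *`; `(gconstpointer) (m1)` expresses the same thing without dropping the qualifier.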
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
|
From 90b9aa2be6ec9ee3527edf146d6fce74cb2d9926 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Haller <thaller@redhat.com>
|
||||||
|
Date: Wed, 10 May 2023 07:44:52 +0200
|
||||||
|
Subject: [PATCH 3/5] bond: don't configure "counter" on nft rules for
|
||||||
|
slb-bonding/mlag
|
||||||
|
|
||||||
|
Counters are convenient for debugging, but have a performance overhead.
|
||||||
|
Configure them only when debug logging in NetworkManager is enabled.
|
||||||
|
|
||||||
|
(cherry picked from commit 2c716f04f9b75ed8df70314920a705b48c36c8eb)
|
||||||
|
(cherry picked from commit 7bb285abb70d76dff33517252b71d0b8f96adc41)
|
||||||
|
---
|
||||||
|
src/core/nm-bond-manager.c | 8 ++++++-
|
||||||
|
src/core/nm-firewall-utils.c | 43 +++++++++++++++++++++---------------
|
||||||
|
src/core/nm-firewall-utils.h | 3 ++-
|
||||||
|
3 files changed, 34 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/core/nm-bond-manager.c b/src/core/nm-bond-manager.c
|
||||||
|
index 2d15b0b5a0..9985fccf11 100644
|
||||||
|
--- a/src/core/nm-bond-manager.c
|
||||||
|
+++ b/src/core/nm-bond-manager.c
|
||||||
|
@@ -438,6 +438,7 @@ _nft_call(NMBondManager *self,
|
||||||
|
{
|
||||||
|
gs_unref_bytes GBytes *stdin_buf = NULL;
|
||||||
|
gs_free const char *const *previous_members_strv = NULL;
|
||||||
|
+ gboolean with_counters;
|
||||||
|
|
||||||
|
if (up) {
|
||||||
|
gs_unref_ptrarray GPtrArray *arr = NULL;
|
||||||
|
@@ -480,11 +481,16 @@ _nft_call(NMBondManager *self,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* counters in the nft rules are convenient for debugging, but have a performance overhead.
|
||||||
|
+ * Enable counters based on whether NM logging is enabled. */
|
||||||
|
+ with_counters = _NMLOG_ENABLED(LOGL_TRACE);
|
||||||
|
+
|
||||||
|
stdin_buf = nm_firewall_nft_stdio_mlag(up,
|
||||||
|
bond_ifname,
|
||||||
|
bond_ifnames_down,
|
||||||
|
active_members,
|
||||||
|
- previous_members_strv);
|
||||||
|
+ previous_members_strv,
|
||||||
|
+ with_counters);
|
||||||
|
|
||||||
|
nm_clear_g_cancellable(&self->cancellable);
|
||||||
|
self->cancellable = g_cancellable_new();
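Review bot: The added comment says counters are enabled "based on whether NM logging is enabled" and the commit message says debug logging, but the code tests `_NMLOG_ENABLED(LOGL_TRACE)`, so counters appear only at trace level. The comment should name the level, for example `/* Counters cost performance; add them only when TRACE logging is enabled at the time the rules are generated. */`. The value is sampled once per _nft_call(), so presumably a later log-level change takes effect only when the rules are next regenerated; that is worth saying in the same comment. _nft_call() continues outside both hunks.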
|
||||||
|
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
|
||||||
|
index f231583a21..b8ae4397bf 100644
|
||||||
|
--- a/src/core/nm-firewall-utils.c
|
||||||
|
+++ b/src/core/nm-firewall-utils.c
|
||||||
|
@@ -763,13 +763,15 @@ nm_firewall_nft_stdio_mlag(gboolean up,
|
||||||
|
const char *bond_ifname,
|
||||||
|
const char *const *bond_ifnames_down,
|
||||||
|
const char *const *active_members,
|
||||||
|
- const char *const *previous_members)
|
||||||
|
+ const char *const *previous_members,
|
||||||
|
+ gboolean with_counters)
|
||||||
|
{
|
||||||
|
nm_auto_str_buf NMStrBuf strbuf_table_name =
|
||||||
|
NM_STR_BUF_INIT_A(NM_UTILS_GET_NEXT_REALLOC_SIZE_32, FALSE);
|
||||||
|
nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE);
|
||||||
|
const char *table_name;
|
||||||
|
gsize i;
|
||||||
|
+ const char *const s_counter = with_counters ? " counter" : "";
|
||||||
|
|
||||||
|
if (NM_MORE_ASSERTS > 10 && active_members) {
|
||||||
|
/* No duplicates. We make certain assumptions here, and we don't
|
||||||
|
@@ -876,9 +878,10 @@ nm_firewall_nft_stdio_mlag(gboolean up,
|
||||||
|
_append(&strbuf,
|
||||||
|
"add rule netdev %s %s pkttype {"
|
||||||
|
" broadcast, multicast "
|
||||||
|
- "} counter drop",
|
||||||
|
+ "}%s drop",
|
||||||
|
table_name,
|
||||||
|
- chain_name);
|
||||||
|
+ chain_name,
|
||||||
|
+ s_counter);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* OVS SLB rule 2
|
||||||
|
@@ -905,15 +908,17 @@ nm_firewall_nft_stdio_mlag(gboolean up,
|
||||||
|
table_name,
|
||||||
|
bond_ifname);
|
||||||
|
_append(&strbuf,
|
||||||
|
- "add rule netdev %s tx-snoop-source-mac set update ether saddr . vlan id"
|
||||||
|
- " timeout 5s @macset-tagged counter return"
|
||||||
|
+ "add rule netdev %s tx-snoop-source-mac set update ether saddr . vlan id "
|
||||||
|
+ "timeout 5s @macset-tagged%s return"
|
||||||
|
"", /* tagged */
|
||||||
|
- table_name);
|
||||||
|
+ table_name,
|
||||||
|
+ s_counter);
|
||||||
|
_append(&strbuf,
|
||||||
|
- "add rule netdev %s tx-snoop-source-mac set update ether saddr"
|
||||||
|
- " timeout 5s @macset-untagged counter"
|
||||||
|
+ "add rule netdev %s tx-snoop-source-mac set update ether saddr timeout 5s "
|
||||||
|
+ "@macset-untagged%s"
|
||||||
|
"", /* untagged*/
|
||||||
|
- table_name);
|
||||||
|
+ table_name,
|
||||||
|
+ s_counter);
|
||||||
|
|
||||||
|
_append(&strbuf,
|
||||||
|
"add chain netdev %s rx-drop-looped-packets {"
|
||||||
|
@@ -921,18 +926,20 @@ nm_firewall_nft_stdio_mlag(gboolean up,
|
||||||
|
"}",
|
||||||
|
table_name,
|
||||||
|
bond_ifname);
|
||||||
|
+ _append(
|
||||||
|
+ &strbuf,
|
||||||
|
+ "add rule netdev %s rx-drop-looped-packets ether saddr . vlan id @macset-tagged%s drop",
|
||||||
|
+ table_name,
|
||||||
|
+ s_counter);
|
||||||
|
_append(&strbuf,
|
||||||
|
- "add rule netdev %s rx-drop-looped-packets ether saddr . vlan id"
|
||||||
|
- " @macset-tagged counter drop",
|
||||||
|
- table_name);
|
||||||
|
- _append(&strbuf,
|
||||||
|
- "add rule netdev %s rx-drop-looped-packets ether type vlan counter return"
|
||||||
|
+ "add rule netdev %s rx-drop-looped-packets ether type vlan%s return"
|
||||||
|
"", /* avoid looking up tagged packets in untagged table */
|
||||||
|
- table_name);
|
||||||
|
+ table_name,
|
||||||
|
+ s_counter);
|
||||||
|
_append(&strbuf,
|
||||||
|
- "add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged"
|
||||||
|
- " counter drop",
|
||||||
|
- table_name);
|
||||||
|
+ "add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged%s drop",
|
||||||
|
+ table_name,
|
||||||
|
+ s_counter);
|
||||||
|
}
|
||||||
|
|
||||||
|
out:
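Review bot: Every rule in these hunks is built by formatting `table_name`, `chain_name` and `bond_ifname` into nft script text with a plain `%s`, and the new `s_counter` argument follows the same pattern; nothing visible here quotes or validates the interface-derived names before they reach the script. `s_counter` itself is one of two literals and is fine. Whether the names are restricted to a safe character set before nm_firewall_nft_stdio_mlag() is called lies outside the hunks, so I would either assert it at the top of the function or add a comment there stating which caller guarantees it. The function body starts and ends outside the hunks.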
|
||||||
|
diff --git a/src/core/nm-firewall-utils.h b/src/core/nm-firewall-utils.h
|
||||||
|
index ca138ccf78..9f13a5127e 100644
|
||||||
|
--- a/src/core/nm-firewall-utils.h
|
||||||
|
+++ b/src/core/nm-firewall-utils.h
|
||||||
|
@@ -39,6 +39,7 @@ GBytes *nm_firewall_nft_stdio_mlag(gboolean up,
|
||||||
|
const char *bond_ifname,
|
||||||
|
const char *const *bond_ifnames_down,
|
||||||
|
const char *const *active_members,
|
||||||
|
- const char *const *previous_members);
|
||||||
|
+ const char *const *previous_members,
|
||||||
|
+ gboolean with_counters);
|
||||||
|
|
||||||
|
#endif /* __NM_FIREWALL_UTILS_H__ */
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
|
From 863171b69d72053d0b6bfafe510af62098c218d8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Haller <thaller@redhat.com>
|
||||||
|
Date: Wed, 10 May 2023 08:42:49 +0200
|
||||||
|
Subject: [PATCH 4/5] core/tests: add test for nm_firewall_nft_stdio_mlag()
|
||||||
|
|
||||||
|
If only to hit some of the code paths in our test, and to have valgrind
|
||||||
|
check (some of) the code paths.
|
||||||
|
|
||||||
|
(cherry picked from commit a20d4a7a912a7e7a535318bc7294ebd8b6bb6655)
|
||||||
|
(cherry picked from commit 8e7d94b10c50a4ce963ddf441752522183b35ab3)
|
||||||
|
---
|
||||||
|
src/core/tests/test-core.c | 122 +++++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 122 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/core/tests/test-core.c b/src/core/tests/test-core.c
|
||||||
|
index 887803bffe..d90e44f04f 100644
|
||||||
|
--- a/src/core/tests/test-core.c
|
||||||
|
+++ b/src/core/tests/test-core.c
|
||||||
|
@@ -18,6 +18,7 @@
|
||||||
|
|
||||||
|
#include "dns/nm-dns-manager.h"
|
||||||
|
#include "nm-connectivity.h"
|
||||||
|
+#include "nm-firewall-utils.h"
|
||||||
|
|
||||||
|
#include "nm-test-utils-core.h"
|
||||||
|
|
||||||
|
@@ -2580,6 +2581,125 @@ test_connectivity_state_cmp(void)
|
||||||
|
|
||||||
|
/*****************************************************************************/
|
||||||
|
|
||||||
|
+static void
|
||||||
|
+test_nm_firewall_nft_stdio_mlag(void)
|
||||||
|
+{
|
||||||
|
+#define _T(up, \
|
||||||
|
+ bond_ifname, \
|
||||||
|
+ bond_ifnames_down, \
|
||||||
|
+ active_members, \
|
||||||
|
+ previous_members, \
|
||||||
|
+ with_counters, \
|
||||||
|
+ expected) \
|
||||||
|
+ G_STMT_START \
|
||||||
|
+ { \
|
||||||
|
+ gs_unref_bytes GBytes *_b = NULL; \
|
||||||
|
+ \
|
||||||
|
+ _b = nm_firewall_nft_stdio_mlag((up), \
|
||||||
|
+ (bond_ifname), \
|
||||||
|
+ (bond_ifnames_down), \
|
||||||
|
+ (active_members), \
|
||||||
|
+ (previous_members), \
|
||||||
|
+ (with_counters)); \
|
||||||
|
+ \
|
||||||
|
+ g_assert(_b); \
|
||||||
|
+ nmtst_assert_cmpmem(expected, \
|
||||||
|
+ NM_STRLEN(expected), \
|
||||||
|
+ g_bytes_get_data(_b, NULL), \
|
||||||
|
+ g_bytes_get_size(_b)); \
|
||||||
|
+ } \
|
||||||
|
+ G_STMT_END
|
||||||
|
+
|
||||||
|
+ _T(TRUE,
|
||||||
|
+ "bond0",
|
||||||
|
+ NM_MAKE_STRV("eth0"),
|
||||||
|
+ NM_MAKE_STRV("eth1"),
|
||||||
|
+ NM_MAKE_STRV("eth2"),
|
||||||
|
+ TRUE,
|
||||||
|
+ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev "
|
||||||
|
+ "nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 "
|
||||||
|
+ "rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete "
|
||||||
|
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 "
|
||||||
|
+ "rx-drop-bc-mc-eth1 { type filter hook ingress device eth1 priority filter; }\012delete "
|
||||||
|
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth1\012add set netdev nm-mlag-bond0 "
|
||||||
|
+ "macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; }\012add set netdev "
|
||||||
|
+ "nm-mlag-bond0 macset-untagged { typeof ether saddr; flags dynamic,timeout; }\012add chain "
|
||||||
|
+ "netdev nm-mlag-bond0 tx-snoop-source-mac { type filter hook egress device bond0 priority "
|
||||||
|
+ "filter; }\012add rule netdev nm-mlag-bond0 tx-snoop-source-mac set update ether saddr . "
|
||||||
|
+ "vlan id timeout 5s @macset-tagged counter return\012add rule netdev nm-mlag-bond0 "
|
||||||
|
+ "tx-snoop-source-mac set update ether saddr timeout 5s @macset-untagged counter\012add "
|
||||||
|
+ "chain netdev nm-mlag-bond0 rx-drop-looped-packets { type filter hook ingress device bond0 "
|
||||||
|
+ "priority filter; }\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr . "
|
||||||
|
+ "vlan id @macset-tagged counter drop\012add rule netdev nm-mlag-bond0 "
|
||||||
|
+ "rx-drop-looped-packets ether type vlan counter return\012add rule netdev nm-mlag-bond0 "
|
||||||
|
+ "rx-drop-looped-packets ether saddr @macset-untagged counter drop\012");
|
||||||
|
+
|
||||||
|
+ _T(TRUE,
|
||||||
|
+ "bond0",
|
||||||
|
+ NM_MAKE_STRV("eth0"),
|
||||||
|
+ NM_MAKE_STRV("eth1"),
|
||||||
|
+ NM_MAKE_STRV("eth2"),
|
||||||
|
+ FALSE,
|
||||||
|
+ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev "
|
||||||
|
+ "nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 "
|
||||||
|
+ "rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete "
|
||||||
|
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 "
|
||||||
|
+ "rx-drop-bc-mc-eth1 { type filter hook ingress device eth1 priority filter; }\012delete "
|
||||||
|
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth1\012add set netdev nm-mlag-bond0 "
|
||||||
|
+ "macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; }\012add set netdev "
|
||||||
|
+ "nm-mlag-bond0 macset-untagged { typeof ether saddr; flags dynamic,timeout; }\012add chain "
|
||||||
|
+ "netdev nm-mlag-bond0 tx-snoop-source-mac { type filter hook egress device bond0 priority "
|
||||||
|
+ "filter; }\012add rule netdev nm-mlag-bond0 tx-snoop-source-mac set update ether saddr . "
|
||||||
|
+ "vlan id timeout 5s @macset-tagged return\012add rule netdev nm-mlag-bond0 "
|
||||||
|
+ "tx-snoop-source-mac set update ether saddr timeout 5s @macset-untagged\012add chain netdev "
|
||||||
|
+ "nm-mlag-bond0 rx-drop-looped-packets { type filter hook ingress device bond0 priority "
|
||||||
|
+ "filter; }\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr . vlan id "
|
||||||
|
+ "@macset-tagged drop\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether type "
|
||||||
|
+ "vlan return\012add rule netdev nm-mlag-bond0 rx-drop-looped-packets ether saddr "
|
||||||
|
+ "@macset-untagged drop\012");
|
||||||
|
+
|
||||||
|
+ _T(TRUE,
|
||||||
|
+ "bond0",
|
||||||
|
+ NM_MAKE_STRV("eth0", "eth1"),
|
||||||
|
+ NM_MAKE_STRV("eth2", "eth3"),
|
||||||
|
+ NM_MAKE_STRV("eth4", "eth5"),
|
||||||
|
+ FALSE,
|
||||||
|
+ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev "
|
||||||
|
+ "nm-mlag-eth1\012delete table netdev nm-mlag-eth1\012add table netdev "
|
||||||
|
+ "nm-mlag-bond0\012flush table netdev nm-mlag-bond0\012add chain netdev nm-mlag-bond0 "
|
||||||
|
+ "rx-drop-bc-mc-eth4 { type filter hook ingress device eth4 priority filter; }\012delete "
|
||||||
|
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth4\012add chain netdev nm-mlag-bond0 "
|
||||||
|
+ "rx-drop-bc-mc-eth5 { type filter hook ingress device eth5 priority filter; }\012delete "
|
||||||
|
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth5\012add chain netdev nm-mlag-bond0 "
|
||||||
|
+ "rx-drop-bc-mc-eth2 { type filter hook ingress device eth2 priority filter; }\012delete "
|
||||||
|
+ "chain netdev nm-mlag-bond0 rx-drop-bc-mc-eth2\012add chain netdev nm-mlag-bond0 "
|
||||||
|
+ "rx-drop-bc-mc-eth3 { type filter hook ingress device eth3 priority filter; }\012add rule "
|
||||||
|
+ "netdev nm-mlag-bond0 rx-drop-bc-mc-eth3 pkttype { broadcast, multicast } drop\012add set "
|
||||||
|
+ "netdev nm-mlag-bond0 macset-tagged { typeof ether saddr . vlan id; flags dynamic,timeout; "
|
||||||
|
+ "}\012add set netdev nm-mlag-bond0 macset-untagged { typeof ether saddr; flags "
|
||||||
|
+ "dynamic,timeout; }\012add chain netdev nm-mlag-bond0 tx-snoop-source-mac { type filter "
|
||||||
|
+ "hook egress device bond0 priority filter; }\012add rule netdev nm-mlag-bond0 "
|
||||||
|
+ "tx-snoop-source-mac set update ether saddr . vlan id timeout 5s @macset-tagged "
|
||||||
|
+ "return\012add rule netdev nm-mlag-bond0 tx-snoop-source-mac set update ether saddr timeout "
|
||||||
|
+ "5s @macset-untagged\012add chain netdev nm-mlag-bond0 rx-drop-looped-packets { type filter "
|
||||||
|
+ "hook ingress device bond0 priority filter; }\012add rule netdev nm-mlag-bond0 "
|
||||||
|
+ "rx-drop-looped-packets ether saddr . vlan id @macset-tagged drop\012add rule netdev "
|
||||||
|
+ "nm-mlag-bond0 rx-drop-looped-packets ether type vlan return\012add rule netdev "
|
||||||
|
+ "nm-mlag-bond0 rx-drop-looped-packets ether saddr @macset-untagged drop\012");
|
||||||
|
+
|
||||||
|
+ _T(FALSE,
|
||||||
|
+ "bond0",
|
||||||
|
+ NM_MAKE_STRV("eth0", "eth1"),
|
||||||
|
+ NM_MAKE_STRV("eth2", "eth3"),
|
||||||
|
+ NM_MAKE_STRV("eth4", "eth5"),
|
||||||
|
+ FALSE,
|
||||||
|
+ "add table netdev nm-mlag-eth0\012delete table netdev nm-mlag-eth0\012add table netdev "
|
||||||
|
+ "nm-mlag-eth1\012delete table netdev nm-mlag-eth1\012add table netdev "
|
||||||
|
+ "nm-mlag-bond0\012delete table netdev nm-mlag-bond0\012");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*****************************************************************************/
|
||||||
|
+
|
||||||
|
NMTST_DEFINE();
|
||||||
|
|
||||||
|
int
|
||||||
|
@@ -2654,5 +2774,7 @@ main(int argc, char **argv)
|
||||||
|
g_test_add_func("/core/general/test_kernel_cmdline_match_check",
|
||||||
|
test_kernel_cmdline_match_check);
|
||||||
|
|
||||||
|
+ g_test_add_func("/core/test_nm_firewall_nft_stdio_mlag", test_nm_firewall_nft_stdio_mlag);
|
||||||
|
+
|
||||||
|
return g_test_run();
|
||||||
|
}
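Review bot: The only `with_counters == TRUE` case in test_nm_firewall_nft_stdio_mlag() has a single active member, so its expected output contains no `pkttype { broadcast, multicast }` rule, and the one case that does emit that rule (active members eth2 and eth3) passes FALSE. The `"}%s drop"` format introduced by the counter change is therefore never checked with " counter" substituted. A further `_T(TRUE, "bond0", ...)` case with two active members and `with_counters` TRUE would cover it. `_T` also stays defined after the function; an `#undef _T` before the closing brace would keep it local.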
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
||||||
|
|
||||||
|
From e981987cd4315c0d37f980b28c02c35340d81a2f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Haller <thaller@redhat.com>
|
||||||
|
Date: Tue, 2 May 2023 08:54:21 +0200
|
||||||
|
Subject: [PATCH 5/5] firewall: create "dynamic" sets for nft rules for
|
||||||
|
slb-bonding
|
||||||
|
|
||||||
|
A workaround for a nftables issue ([1]). I don't know why that matters.
|
||||||
|
|
||||||
|
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2177667
|
||||||
|
|
||||||
|
Fixes: e9268e392418 ('firewall: add mlag firewall utils for multi chassis link aggregation (MLAG) for bonding-slb')
|
||||||
|
|
||||||
|
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1614
|
||||||
|
(cherry picked from commit d3b54963622f242db1ebeda21dedd9558b484355)
|
||||||
|
(cherry picked from commit 0d9d753523bc30bfd42519e1716a2d7e447f011e)
|
||||||
|
---
|
||||||
|
src/core/nm-firewall-utils.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
|
||||||
|
index b8ae4397bf..ac12d3e432 100644
|
||||||
|
--- a/src/core/nm-firewall-utils.c
|
||||||
|
+++ b/src/core/nm-firewall-utils.c
|
||||||
|
@@ -892,12 +892,12 @@ nm_firewall_nft_stdio_mlag(gboolean up,
|
||||||
|
*/
|
||||||
|
_append(&strbuf,
|
||||||
|
"add set netdev %s macset-tagged {"
|
||||||
|
- " typeof ether saddr . vlan id; flags timeout; "
|
||||||
|
+ " typeof ether saddr . vlan id; flags dynamic,timeout; "
|
||||||
|
"}",
|
||||||
|
table_name);
|
||||||
|
_append(&strbuf,
|
||||||
|
"add set netdev %s macset-untagged {"
|
||||||
|
- " typeof ether saddr; flags timeout;"
|
||||||
|
+ " typeof ether saddr; flags dynamic,timeout; "
|
||||||
|
"}",
|
||||||
|
table_name);
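Review bot: The `dynamic` flag is added to both sets as a workaround, and the commit message itself says the reason is not understood, yet nothing in the code records that. A comment above the first `_append()` would stop a later cleanup from dropping the flag: `/* "dynamic" works around an nftables issue, see https://bugzilla.redhat.com/show_bug.cgi?id=2177667 */`. The test added in patch 4/5 already expects `flags dynamic,timeout`, so in this series it can only pass once this patch is applied; swapping the order of the two patches would keep each step passing. The function starts and ends outside the hunk.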
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|