rpms
/
NetworkManager
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'i9c' with version 1.48.10-3 into i9

Browse Source
i9 changed/i9/NetworkManager-1.48.10-3.el9_5.inferit
Sergey Cherevko 1 month ago
parent 975ed6088f 7c07f71957
commit e9098afca2
Signed by: scherevko
GPG Key ID: D87CBBC16D2E4A72
18 changed files with 526 additions and 1956 deletions
Show Stats Download Patch File Download Diff File

2
.NetworkManager.metadata
Unescape View File

@ -1 +1 @@
3c11d700a2e81a7abce285ab94d015ac966f59d3 SOURCES/NetworkManager-1.46.0.tar.xz
6423adef5f4bb2c0cc20c2173e03a7ac8b8565ca SOURCES/NetworkManager-1.48.10.tar.xz

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/NetworkManager-1.46.0.tar.xz
SOURCES/NetworkManager-1.48.10.tar.xz

45
SOURCES/1001-cloud-setup-allow-bigger-restart-bursts-rhel-56740.patch
Unescape View File

@ -0,0 +1,45 @@
From 065584036f8072c994a8bdab210bcfd0ff483960 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Tue, 27 Aug 2024 00:29:17 +0200
Subject: [PATCH] cloud-setup: allow bigger restart bursts
On daemon startup, we may end up enqueueing many nm-cloud-setup.service
restarts in very a short time. That is perfectly fine, just bump the
thresholds so that systemd doesn't get in the way too quickly.
100 requests in 1 seconds seem like a fair choice -- little bit on the
conservative side, yet still giving the service manager some room to
interfere on a chance things really go awry.
https://issues.redhat.com/browse/RHEL-49694
(cherry picked from commit 927cff9f178911b2a146259a89bfcc9727cbd8c3)
(cherry picked from commit 4dc35c72744f8820575ab0ea4638c4ddd880547d)
---
src/nm-cloud-setup/nm-cloud-setup.service.in | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/nm-cloud-setup/nm-cloud-setup.service.in b/src/nm-cloud-setup/nm-cloud-setup.service.in
index e73654d892..ecb70e1c8e 100644
--- a/src/nm-cloud-setup/nm-cloud-setup.service.in
+++ b/src/nm-cloud-setup/nm-cloud-setup.service.in
@@ -8,6 +8,17 @@ After=NetworkManager.service
Type=oneshot
ExecStart=@libexecdir@/nm-cloud-setup
+# The service restart gets triggered from dispatcher script
+# (pre-up and dhcp4-change actions), possibly ending up with many
+# restart requests at the same time (e.g. on initial daemon startup
+# on a machine with multiple NICs). The systemd handles multiple
+# concurrent restart requests gracefully (the newer requests supersede
+# older, which wait for them to finish), but the default limits are way
+# too low: 5 restarts in 10 seconds. Raise that high enough for us to
+# be on the safe side.
+StartLimitIntervalSec=1
+StartLimitBurst=100
+
#Environment=NM_CLOUD_SETUP_LOG=TRACE
# Cloud providers are disabled by default. You need to
--
2.46.0

25
SOURCES/1001-drop-privateusers-directive-from-nm-cloud-setup-rhel27053.patch
Unescape View File

@ -1,25 +0,0 @@
From 6e84d852487f070ab3f61c24d78fc05338f171f6 Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
Date: Wed, 20 Mar 2024 19:10:45 +0100
Subject: [PATCH] cloud: drop PrivateUsers directive from nm-cloud-setup
https://issues.redhat.com/browse/RHEL-27503
---
src/nm-cloud-setup/nm-cloud-setup.service.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/nm-cloud-setup/nm-cloud-setup.service.in b/src/nm-cloud-setup/nm-cloud-setup.service.in
index e73654d892..4aa6017e48 100644
--- a/src/nm-cloud-setup/nm-cloud-setup.service.in
+++ b/src/nm-cloud-setup/nm-cloud-setup.service.in
@@ -28,7 +28,6 @@ MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
-PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
--
2.44.0

235
SOURCES/1002-allow-rollback-on-internal-global-dns-rhel-29725.patch
Unescape View File

@ -1,235 +0,0 @@
From ba47f23b08bb59ec2daf6bce73a94182d8028c82 Mon Sep 17 00:00:00 2001
From: Gris Ge <fge@redhat.com>
Date: Wed, 13 Mar 2024 20:52:37 +0800
Subject: [PATCH] checkpoint: Allow rollback on internal global DNS
With `NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS` flag set on
checkpoint creation, the checkpoint rollback will restore the
global DNS in internal configure file
`/var/lib/NetworkManager/NetworkManager-intern.conf`.
If user has set global DNS in /etc folder, this flag will not take any
effect.
Resolves: https://issues.redhat.com/browse/RHEL-23446
Signed-off-by: Gris Ge <fge@redhat.com>
(cherry picked from commit 86d67da28dd047a08a01687d8154b377d1c25b4c)
(cherry picked from commit 69d5761fa87bb85df037ad9044c03dd1922d3ee4)
---
src/core/nm-checkpoint.c | 28 ++++++++++++++
src/core/nm-config-data.c | 47 +++++++++++++++++++++++
src/core/nm-config-data.h | 3 +-
src/core/nm-manager.c | 11 +++++-
src/core/nm-manager.h | 3 ++
src/libnm-core-public/nm-dbus-interface.h | 6 +++
6 files changed, 96 insertions(+), 2 deletions(-)
diff --git a/src/core/nm-checkpoint.c b/src/core/nm-checkpoint.c
index 74adf48477..cc5c189bf9 100644
--- a/src/core/nm-checkpoint.c
+++ b/src/core/nm-checkpoint.c
@@ -13,6 +13,7 @@
#include "nm-core-utils.h"
#include "nm-dbus-interface.h"
#include "devices/nm-device.h"
+#include "nm-config.h"
#include "nm-manager.h"
#include "settings/nm-settings.h"
#include "settings/nm-settings-connection.h"
@@ -55,6 +56,8 @@ struct _NMCheckpointPrivate {
NMCheckpointTimeoutCallback timeout_cb;
gpointer timeout_data;
+
+ NMGlobalDnsConfig *global_dns_config;
};
struct _NMCheckpointClass {
@@ -491,6 +494,17 @@ next_dev:
}
}
}
+ if (NM_FLAGS_HAS(priv->flags, NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS)
+ && priv->global_dns_config) {
+ gs_free_error GError *error = NULL;
+ NMConfig *config;
+
+ config = nm_manager_get_config(priv->manager);
+ nm_assert(config);
+ if (!nm_config_set_global_dns(config, priv->global_dns_config, &error)) {
+ _LOGE("set global DNS failed with error: %s", error->message);
+ }
+ }
return g_variant_new("(a{su})", &builder);
}
@@ -742,6 +756,19 @@ nm_checkpoint_new(NMManager *manager,
NM_MANAGER_DEVICE_REMOVED,
G_CALLBACK(_device_removed),
self);
+ if (NM_FLAGS_HAS(flags, NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS)) {
+ NMConfigData *config_data;
+ NMGlobalDnsConfig *dns_config = NULL;
+
+ config_data = nm_config_get_data(nm_manager_get_config(manager));
+ if (config_data) {
+ dns_config = nm_config_data_get_global_dns_config(config_data);
+ if (!dns_config || nm_global_dns_config_is_internal(dns_config)) {
+ priv->global_dns_config = nm_global_dns_config_clone(dns_config);
+ }
+ }
+ }
+
return self;
}
@@ -756,6 +783,7 @@ dispose(GObject *object)
nm_clear_pointer(&priv->devices, g_hash_table_unref);
nm_clear_pointer(&priv->connection_uuids, g_hash_table_unref);
nm_clear_pointer(&priv->removed_devices, g_ptr_array_unref);
+ nm_global_dns_config_free(priv->global_dns_config);
nm_clear_g_signal_handler(priv->manager, &priv->dev_removed_id);
g_clear_object(&priv->manager);
diff --git a/src/core/nm-config-data.c b/src/core/nm-config-data.c
index 468e56b821..d4498edd88 100644
--- a/src/core/nm-config-data.c
+++ b/src/core/nm-config-data.c
@@ -2436,3 +2436,50 @@ nm_config_data_class_init(NMConfigDataClass *config_class)
g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
}
+
+static NMGlobalDnsDomain *
+nm_global_dns_domain_clone(NMGlobalDnsDomain *old_domain)
+{
+ if (old_domain) {
+ NMGlobalDnsDomain *new_domain = g_malloc0(sizeof(NMGlobalDnsDomain));
+ new_domain->name = g_strdup(old_domain->name);
+ new_domain->servers = (char **) nm_strv_dup(old_domain->servers, -1, TRUE);
+ new_domain->options = (char **) nm_strv_dup(old_domain->options, -1, TRUE);
+ return new_domain;
+ } else {
+ return NULL;
+ }
+}
+
+NMGlobalDnsConfig *
+nm_global_dns_config_clone(NMGlobalDnsConfig *old_dns_config)
+{
+ NMGlobalDnsConfig *new_dns_config;
+ gpointer key, value;
+ NMGlobalDnsDomain *old_domain;
+ GHashTableIter iter;
+
+ new_dns_config = g_malloc0(sizeof(NMGlobalDnsConfig));
+ new_dns_config->internal = TRUE;
+
+ if (old_dns_config) {
+ new_dns_config->internal = old_dns_config->internal;
+ new_dns_config->searches = nm_strv_dup(old_dns_config->searches, -1, TRUE);
+ new_dns_config->options = nm_strv_dup(old_dns_config->options, -1, TRUE);
+ new_dns_config->domains = g_hash_table_new_full(nm_str_hash,
+ g_str_equal,
+ g_free,
+ (GDestroyNotify) global_dns_domain_free);
+ if (old_dns_config->domains) {
+ g_hash_table_iter_init(&iter, old_dns_config->domains);
+ while (g_hash_table_iter_next(&iter, &key, &value)) {
+ old_domain = value;
+ g_hash_table_insert(new_dns_config->domains,
+ g_strdup(key),
+ nm_global_dns_domain_clone(old_domain));
+ }
+ }
+ global_dns_config_seal_domains(new_dns_config);
+ }
+ return new_dns_config;
+}
diff --git a/src/core/nm-config-data.h b/src/core/nm-config-data.h
index 9e7a50fc24..0344ce9055 100644
--- a/src/core/nm-config-data.h
+++ b/src/core/nm-config-data.h
@@ -280,7 +280,8 @@ int nm_global_dns_config_cmp(const NMGlobalDnsConfig *a,
const NMGlobalDnsConfig *b,
gboolean check_internal);
void nm_global_dns_config_update_checksum(const NMGlobalDnsConfig *dns_config, GChecksum *sum);
-void nm_global_dns_config_free(NMGlobalDnsConfig *dns_config);
+NMGlobalDnsConfig *nm_global_dns_config_clone(NMGlobalDnsConfig *dns_config);
+void nm_global_dns_config_free(NMGlobalDnsConfig *dns_config);
NMGlobalDnsConfig *nm_global_dns_config_from_dbus(const GValue *value, GError **error);
void nm_global_dns_config_to_dbus(const NMGlobalDnsConfig *dns_config, GValue *value);
diff --git a/src/core/nm-manager.c b/src/core/nm-manager.c
index 730ba4763b..6739e5599e 100644
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@@ -8458,7 +8458,8 @@ impl_manager_checkpoint_create(NMDBusObject *obj,
| NM_CHECKPOINT_CREATE_FLAG_DELETE_NEW_CONNECTIONS
| NM_CHECKPOINT_CREATE_FLAG_DISCONNECT_NEW_DEVICES
| NM_CHECKPOINT_CREATE_FLAG_ALLOW_OVERLAPPING
- | NM_CHECKPOINT_CREATE_FLAG_NO_PRESERVE_EXTERNAL_PORTS)))) {
+ | NM_CHECKPOINT_CREATE_FLAG_NO_PRESERVE_EXTERNAL_PORTS
+ | NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS)))) {
g_dbus_method_invocation_return_error_literal(invocation,
NM_MANAGER_ERROR,
NM_MANAGER_ERROR_INVALID_ARGUMENTS,
@@ -9765,3 +9766,11 @@ nm_manager_class_init(NMManagerClass *manager_class)
1,
NM_TYPE_DEVICE);
}
+
+NMConfig *
+nm_manager_get_config(NMManager *self)
+{
+ NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
+
+ return priv->config;
+}
diff --git a/src/core/nm-manager.h b/src/core/nm-manager.h
index 3028eb7ebe..3c5213c4f2 100644
--- a/src/core/nm-manager.h
+++ b/src/core/nm-manager.h
@@ -10,6 +10,7 @@
#include "settings/nm-settings-connection.h"
#include "c-list/src/c-list.h"
#include "nm-dbus-manager.h"
+#include "nm-config-data.h"
#define NM_TYPE_MANAGER (nm_manager_get_type())
#define NM_MANAGER(obj) (_NM_G_TYPE_CHECK_INSTANCE_CAST((obj), NM_TYPE_MANAGER, NMManager))
@@ -266,4 +267,6 @@ gboolean nm_manager_devcon_autoconnect_blocked_reason_set(NMManager *
NMSettingsAutoconnectBlockedReason value,
gboolean set);
+NMConfig *nm_manager_get_config(NMManager *self);
+
#endif /* __NETWORKMANAGER_MANAGER_H__ */
diff --git a/src/libnm-core-public/nm-dbus-interface.h b/src/libnm-core-public/nm-dbus-interface.h
index 66cd590d6c..ab94244c21 100644
--- a/src/libnm-core-public/nm-dbus-interface.h
+++ b/src/libnm-core-public/nm-dbus-interface.h
@@ -991,6 +991,11 @@ typedef enum {
* With this flag, the rollback detaches all external ports.
* This only has an effect for bridge ports. Before 1.38, this was the default
* behavior. Since: 1.38.
+ * @NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS: during rollback,
+ * by default changes to global DNS via D-BUS interface are preserved.
+ * With this flag, the rollback reverts the global DNS changes made via D-Bus
+ * interface. Global DNS defined in [global-dns] section of
+ * NetworkManager.conf is not impacted by this flag. Since: 1.48.
*
* The flags for CheckpointCreate call
*
@@ -1003,6 +1008,7 @@ typedef enum /*< flags >*/ {
NM_CHECKPOINT_CREATE_FLAG_DISCONNECT_NEW_DEVICES = 0x04,
NM_CHECKPOINT_CREATE_FLAG_ALLOW_OVERLAPPING = 0x08,
NM_CHECKPOINT_CREATE_FLAG_NO_PRESERVE_EXTERNAL_PORTS = 0x10,
+ NM_CHECKPOINT_CREATE_FLAG_TRACK_INTERNAL_GLOBAL_DNS = 0x20,
} NMCheckpointCreateFlags;
/**
--
2.44.0

140
SOURCES/1002-cloud-setup-ensure-azure-places-primary-address-first-rhel-56387.patch
Unescape View File

@ -0,0 +1,140 @@
From 7183fbf6f35572f9fb0c2eeef5c155a3b9c82a54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Tue, 27 Aug 2024 12:08:16 +0200
Subject: [PATCH] cloud-setup: azure: ensure that primary address is placed
first
The primary address is that placed at position 0 of all the IP Addresses
of the interface. Sometimes we put it in a different position in the
ipv4s array because we insert them in the order we receive, but it might
happen that the HTTP responses comes back in wrong order.
In order to solve this, we pass the index of the IPv4 address to the
callback and the address is added in the right position directly.
Co-authored-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
(cherry picked from commit 72014db629cff33611ade58190d45a714efa1bbf)
(cherry picked from commit c976e212372da9683a1e2f8618e3bcfdf21d5e25)
---
src/nm-cloud-setup/nmcs-provider-azure.c | 43 ++++++++++++++++--------
1 file changed, 29 insertions(+), 14 deletions(-)
diff --git a/src/nm-cloud-setup/nmcs-provider-azure.c b/src/nm-cloud-setup/nmcs-provider-azure.c
index 771c43d9ad..78eda16cbb 100644
--- a/src/nm-cloud-setup/nmcs-provider-azure.c
+++ b/src/nm-cloud-setup/nmcs-provider-azure.c
@@ -102,6 +102,11 @@ typedef struct {
guint n_iface_data_pending;
} AzureIfaceData;
+typedef struct {
+ AzureIfaceData *iface_data;
+ guint64 ipaddress_idx;
+} AzureIpAddressReqData;
+
static void
_azure_iface_data_destroy(AzureIfaceData *iface_data)
{
@@ -112,7 +117,8 @@ static void
_get_config_fetch_done_cb(NMHttpClient *http_client,
GAsyncResult *result,
AzureIfaceData *iface_data,
- GetConfigFetchType fetch_type)
+ GetConfigFetchType fetch_type,
+ guint64 ipaddress_idx)
{
NMCSProviderGetConfigTaskData *get_config_data;
NMCSProviderGetConfigIfaceData *iface_get_config;
@@ -149,9 +155,7 @@ _get_config_fetch_done_cb(NMHttpClient *http_client,
_LOGD("interface[%" G_GSSIZE_FORMAT "]: received address %s",
iface_data->intern_iface_idx,
nm_inet4_ntop(tmp_addr, tmp_addr_str));
- iface_get_config->ipv4s_arr[iface_get_config->ipv4s_len] = tmp_addr;
- iface_get_config->has_ipv4s = TRUE;
- iface_get_config->ipv4s_len++;
+ iface_get_config->ipv4s_arr[ipaddress_idx] = tmp_addr;
break;
case GET_CONFIG_FETCH_TYPE_IPV4_SUBNET_0_ADDRESS:
@@ -203,10 +207,14 @@ _get_config_fetch_done_cb_ipv4_ipaddress_x_privateipaddress(GObject *source
GAsyncResult *result,
gpointer user_data)
{
+ AzureIpAddressReqData *ipaddress_req_data = user_data;
+
_get_config_fetch_done_cb(NM_HTTP_CLIENT(source),
result,
- user_data,
- GET_CONFIG_FETCH_TYPE_IPV4_IPADDRESS_X_PRIVATEIPADDRESS);
+ ipaddress_req_data->iface_data,
+ GET_CONFIG_FETCH_TYPE_IPV4_IPADDRESS_X_PRIVATEIPADDRESS,
+ ipaddress_req_data->ipaddress_idx);
+ g_free(ipaddress_req_data);
}
static void
@@ -217,7 +225,8 @@ _get_config_fetch_done_cb_ipv4_subnet_0_address(GObject *source,
_get_config_fetch_done_cb(NM_HTTP_CLIENT(source),
result,
user_data,
- GET_CONFIG_FETCH_TYPE_IPV4_SUBNET_0_ADDRESS);
+ GET_CONFIG_FETCH_TYPE_IPV4_SUBNET_0_ADDRESS,
+ 0);
}
static void
@@ -228,7 +237,8 @@ _get_config_fetch_done_cb_ipv4_subnet_0_prefix(GObject *source,
_get_config_fetch_done_cb(NM_HTTP_CLIENT(source),
result,
user_data,
- GET_CONFIG_FETCH_TYPE_IPV4_SUBNET_0_PREFIX);
+ GET_CONFIG_FETCH_TYPE_IPV4_SUBNET_0_PREFIX,
+ 0);
}
static void
@@ -265,9 +275,10 @@ _get_config_ips_prefix_list_cb(GObject *source, GAsyncResult *result, gpointer u
nm_sprintf_buf(iface_idx_str, "%" G_GSSIZE_FORMAT, iface_data->intern_iface_idx);
while (nm_utils_parse_next_line(&response_str, &response_len, &line, &line_len)) {
- gint64 ips_prefix_idx;
- gs_free char *uri = NULL;
- char buf[100];
+ AzureIpAddressReqData *ipaddress_req_data;
+ gint64 ips_prefix_idx;
+ gs_free char *uri = NULL;
+ char buf[100];
if (line_len == 0)
continue;
@@ -284,8 +295,11 @@ _get_config_ips_prefix_list_cb(GObject *source, GAsyncResult *result, gpointer u
if (ips_prefix_idx < 0)
continue;
- iface_data->n_iface_data_pending++;
+ ipaddress_req_data = g_new(AzureIpAddressReqData, 1);
+ ipaddress_req_data->iface_data = iface_data;
+ ipaddress_req_data->ipaddress_idx = ips_prefix_idx;
+ iface_data->n_iface_data_pending++;
nm_http_client_poll_req(
NM_HTTP_CLIENT(source),
(uri = _azure_uri_interfaces(iface_idx_str,
@@ -302,11 +316,12 @@ _get_config_ips_prefix_list_cb(GObject *source, GAsyncResult *result, gpointer u
NULL,
NULL,
_get_config_fetch_done_cb_ipv4_ipaddress_x_privateipaddress,
- iface_data);
+ ipaddress_req_data);
}
- iface_data->iface_get_config->ipv4s_len = 0;
iface_data->iface_get_config->ipv4s_arr = g_new(in_addr_t, iface_data->n_iface_data_pending);
+ iface_data->iface_get_config->has_ipv4s = TRUE;
+ iface_data->iface_get_config->ipv4s_len = iface_data->n_iface_data_pending;
{
gs_free char *uri = NULL;
--
2.46.0

127
SOURCES/1003-do-not-allow-ovs-bridge-and-port-to-be-parent-rhel-28545.patch
Unescape View File

@ -1,127 +0,0 @@
From cf230074965216c94bb25bc3c3fff7f1d698c250 Mon Sep 17 00:00:00 2001
From: Gris Ge <fge@redhat.com>
Date: Fri, 15 Mar 2024 15:46:02 +0800
Subject: [PATCH] ovs: Do not allow OVS bridge and port to be parent
When creating VLAN over OVS internal interface which holding the same
name as its controller OVS bridge, NetworkManager will fail with error:
Error: Connection activation failed: br0.101 failed to create
resources: cannot retrieve ifindex of interface br0 (Open vSwitch
Bridge)
Expanded the `find_device_by_iface()` with additional argument
`child: NmConnection *` which will validate whether candidate is
suitable to be parent device.
In `nm_device_check_parent_connection_compatible()`, we only not allow OVS
bridge and OVS port being parent.
Resolves: https://issues.redhat.com/browse/RHEL-26753
Signed-off-by: Gris Ge <fge@redhat.com>
(cherry picked from commit 7096f52a5967ef053a4cf8e5ca8a71c1495578f9)
(cherry picked from commit d3329f0599f5fdfc2ef9f2c1395b5eb7bcc3c2a5)
---
src/core/devices/nm-device.c | 11 +++++++++++
src/core/devices/nm-device.h | 1 +
src/core/nm-manager.c | 14 +++++++++-----
3 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 30c38ba990..78b0e618be 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -9508,6 +9508,17 @@ nm_device_check_slave_connection_compatible(NMDevice *self, NMConnection *slave)
return nm_streq(connection_type, slave_type);
}
+gboolean
+nm_device_can_be_parent(NMDevice *self)
+{
+ NMDeviceType device_type = nm_device_get_device_type(self);
+
+ if ((device_type == NM_DEVICE_TYPE_OVS_BRIDGE) || (device_type == NM_DEVICE_TYPE_OVS_PORT))
+ return FALSE;
+ else
+ return TRUE;
+}
+
/**
* nm_device_can_assume_connections:
* @self: #NMDevice instance
diff --git a/src/core/devices/nm-device.h b/src/core/devices/nm-device.h
index b096d23ac1..7353a3f327 100644
--- a/src/core/devices/nm-device.h
+++ b/src/core/devices/nm-device.h
@@ -550,6 +550,7 @@ gboolean nm_device_check_connection_compatible(NMDevice *device,
GError **error);
gboolean nm_device_check_slave_connection_compatible(NMDevice *device, NMConnection *connection);
+gboolean nm_device_can_be_parent(NMDevice *device);
gboolean nm_device_can_assume_connections(NMDevice *self);
gboolean nm_device_unmanage_on_quit(NMDevice *self);
diff --git a/src/core/nm-manager.c b/src/core/nm-manager.c
index 6739e5599e..7f94f7cd9c 100644
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@@ -1914,7 +1914,8 @@ find_device_by_ip_iface(NMManager *self, const char *iface)
* is given, this function will only return master devices and will ensure
* @slave, when activated, can be a slave of the returned master device. If
* @connection is given, this function will only consider devices that are
- * compatible with @connection.
+ * compatible with @connection. If @child is given, this function will only
+ * return parent device.
*
* Returns: the matching #NMDevice
*/
@@ -1922,7 +1923,8 @@ static NMDevice *
find_device_by_iface(NMManager *self,
const char *iface,
NMConnection *connection,
- NMConnection *slave)
+ NMConnection *slave,
+ NMConnection *child)
{
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
NMDevice *fallback = NULL;
@@ -1941,6 +1943,8 @@ find_device_by_iface(NMManager *self,
if (!nm_device_check_slave_connection_compatible(candidate, slave))
continue;
}
+ if (child && !nm_device_can_be_parent(candidate))
+ continue;
if (nm_device_is_real(candidate))
return candidate;
@@ -2405,7 +2409,7 @@ find_parent_device_for_connection(NMManager *self,
NM_SET_OUT(out_parent_spec, parent_name);
/* Try as an interface name of a parent device */
- parent = find_device_by_iface(self, parent_name, NULL, NULL);
+ parent = find_device_by_iface(self, parent_name, NULL, NULL, connection);
if (parent)
return parent;
@@ -5003,7 +5007,7 @@ find_master(NMManager *self,
}
if (!master_connection) {
- master_device = find_device_by_iface(self, master, NULL, connection);
+ master_device = find_device_by_iface(self, master, NULL, connection, NULL);
if (!master_device) {
g_set_error(error,
NM_MANAGER_ERROR,
@@ -6445,7 +6449,7 @@ validate_activation_request(NMManager *self,
if (!iface)
return NULL;
- device = find_device_by_iface(self, iface, connection, NULL);
+ device = find_device_by_iface(self, iface, connection, NULL, NULL);
if (!device) {
g_set_error_literal(error,
NM_MANAGER_ERROR,
--
2.44.0

74
SOURCES/1003-only-validate-sriov-capability-when-enabled-rhel-58397.patch
Unescape View File

@ -0,0 +1,74 @@
From d9dd0aeff8ba2e1a0005c2e5751907c453927c5c Mon Sep 17 00:00:00 2001
From: Gris Ge <fge@redhat.com>
Date: Mon, 21 Oct 2024 21:13:29 +0800
Subject: [PATCH] sriov: only valid sriov capacity when enabled
NetworkManager current code will refuse to activate a connection if its
interface has no SRIOV capacity but holding a empty SRIOV settings.
This patch only valid SRIOV capacity when it is enabled(total_vfs > 0).
Resolves: https://issues.redhat.com/browse/RHEL-58397
Signed-off-by: Gris Ge <fge@redhat.com>
(cherry picked from commit 421ccf8b4cb85c96db3bf1cb6a860e41a784c950)
(cherry picked from commit c9e31e70cbf62c65cec460dc198712a61351e9f4)
(cherry picked from commit 90a3b014683c3c98c9fb4bbe2add65510e7f1b31)
---
src/core/devices/nm-device.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 4780003a0a..e86c32a902 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -9468,6 +9468,7 @@ check_connection_compatible(NMDevice *self,
NMSettingMatch *s_match;
const GSList *specs;
gboolean has_match = FALSE;
+ NMSettingSriov *s_sriov = NULL;
klass = NM_DEVICE_GET_CLASS(self);
if (klass->connection_type_check_compatible) {
@@ -9485,12 +9486,14 @@ check_connection_compatible(NMDevice *self,
return FALSE;
}
- if (!nm_device_has_capability(self, NM_DEVICE_CAP_SRIOV)
- && nm_connection_get_setting(connection, NM_TYPE_SETTING_SRIOV)) {
- nm_utils_error_set_literal(error,
- NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
- "device does not support SR-IOV");
- return FALSE;
+ if (!nm_device_has_capability(self, NM_DEVICE_CAP_SRIOV)) {
+ s_sriov = (NMSettingSriov *) nm_connection_get_setting(connection, NM_TYPE_SETTING_SRIOV);
+ if (s_sriov && nm_setting_sriov_get_total_vfs(s_sriov)) {
+ nm_utils_error_set_literal(error,
+ NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
+ "device does not support SR-IOV");
+ return FALSE;
+ }
}
conn_iface = nm_manager_get_connection_iface(NM_MANAGER_GET, connection, NULL, NULL, &local);
@@ -10101,7 +10104,7 @@ activate_stage1_device_prepare(NMDevice *self)
s_sriov = nm_device_get_applied_setting(self, NM_TYPE_SETTING_SRIOV);
}
- if (s_sriov) {
+ if (s_sriov && nm_device_has_capability(self, NM_DEVICE_CAP_SRIOV)) {
nm_auto_freev NMPlatformVF **plat_vfs = NULL;
gs_free_error GError *error = NULL;
NMSriovVF *vf;
@@ -10109,8 +10112,6 @@ activate_stage1_device_prepare(NMDevice *self)
guint num;
guint i;
- nm_assert(nm_device_has_capability(self, NM_DEVICE_CAP_SRIOV));
-
autoprobe = nm_setting_sriov_get_autoprobe_drivers(s_sriov);
if (autoprobe == NM_TERNARY_DEFAULT) {
autoprobe = nm_config_data_get_connection_default_int64(
--
2.45.2

136
SOURCES/1004-fix-bug-when-deactivating-port-connections-rhel-50747.patch
Unescape View File

@ -0,0 +1,136 @@
From 3b1181dc02172033d8e2bb7fd2336b2ea0355a87 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Mon, 23 Sep 2024 17:28:03 +0200
Subject: [PATCH] device: fix bug when deactivating port connections
asynchronously
When the attach_port()/detach_port() methods do not return immediately
(currently, only for OVS ports), the following situation can arise:
- nm_device_controller_attach_port() starts the attachment by sending
the command to ovsdb. Note that here we don't set
`PortInfo->port_is_attached` to TRUE yet; that happens only after
the asynchronous command returns;
- the activation of the port gets interrupted because the connection
is deleted;
- the port device enters the deactivating state, triggering function
port_state_changed()
- the function calls nm_device_controller_release_port() which checks
whether the port is already attached; since
`PortInfo->port_is_attached` is not set yet, it assumes the port
doesn't need to be detached;
- in the meantime, the ovsdb operation succeeds. As a consequence,
the kernel link is created even if the connection no longer exists.
Fix this by turning `port_is_attached` into a tri-state variable that
also tracks when the port is attaching. When it is, we need to perform
an explicit detach during deactivation.
Fixes: 9fcbc6b37dec ('device: make attach_port() asynchronous')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2043
Resolves: https://issues.redhat.com/browse/RHEL-58026
(cherry picked from commit a8329587c8bdd53e2bc4513a4e82529727cfa5ef)
(cherry picked from commit d809ca6db24b5145fcc1857b962afb7ae17d07a5)
(cherry picked from commit ca6ca684b21235f706b02cee42075f2ee3cb1795)
---
src/core/devices/nm-device.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index e86c32a902..f9a2e7e8fe 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -126,12 +126,18 @@ typedef enum _nm_packed {
ADDR_METHOD_STATE_FAILED,
} AddrMethodState;
+typedef enum {
+ PORT_STATE_NOT_ATTACHED,
+ PORT_STATE_ATTACHED,
+ PORT_STATE_ATTACHING,
+} PortState;
+
typedef struct {
CList lst_port;
NMDevice *port;
GCancellable *cancellable;
gulong watch_id;
- bool port_is_attached;
+ PortState port_state;
bool configure;
} PortInfo;
@@ -6693,7 +6699,7 @@ attach_port_done(NMDevice *self, NMDevice *port, gboolean success)
if (!info)
return;
- info->port_is_attached = success;
+ info->port_state = (success ? PORT_STATE_ATTACHED : PORT_STATE_NOT_ATTACHED);
nm_device_port_notify_attach_as_port(info->port, success);
@@ -6756,7 +6762,7 @@ nm_device_controller_attach_port(NMDevice *self, NMDevice *port, NMConnection *c
if (!info)
return;
- if (info->port_is_attached)
+ if (info->port_state == PORT_STATE_ATTACHED)
success = TRUE;
else {
configure = (info->configure && connection != NULL);
@@ -6765,6 +6771,7 @@ nm_device_controller_attach_port(NMDevice *self, NMDevice *port, NMConnection *c
nm_clear_g_cancellable(&info->cancellable);
info->cancellable = g_cancellable_new();
+ info->port_state = PORT_STATE_ATTACHING;
success = NM_DEVICE_GET_CLASS(self)->attach_port(self,
port,
connection,
@@ -6819,6 +6826,7 @@ nm_device_controller_release_port(NMDevice *self,
PortInfo *info;
gs_unref_object NMDevice *self_free = NULL;
gs_unref_object NMDevice *port_free = NULL;
+ const char *port_state_str;
g_return_if_fail(NM_DEVICE(self));
g_return_if_fail(NM_DEVICE(port));
@@ -6830,11 +6838,20 @@ nm_device_controller_release_port(NMDevice *self,
info = find_port_info(self, port);
+ if (info->port_state == PORT_STATE_ATTACHED)
+ port_state_str = "(attached)";
+ else if (info->port_state == PORT_STATE_NOT_ATTACHED)
+ port_state_str = "(not attached)";
+ else {
+ nm_assert(info->port_state == PORT_STATE_ATTACHING);
+ port_state_str = "(attaching)";
+ }
+
_LOGT(LOGD_CORE,
"controller: release one port " NM_HASH_OBFUSCATE_PTR_FMT "/%s %s%s",
NM_HASH_OBFUSCATE_PTR(port),
nm_device_get_iface(port),
- !info ? "(not registered)" : (info->port_is_attached ? "(attached)" : "(not attached)"),
+ !info ? "(not registered)" : port_state_str,
release_type == RELEASE_PORT_TYPE_CONFIG_FORCE
? " (force-configure)"
: (release_type == RELEASE_PORT_TYPE_CONFIG ? " (configure)" : "(no-config)"));
@@ -6850,7 +6867,7 @@ nm_device_controller_release_port(NMDevice *self,
nm_clear_g_cancellable(&info->cancellable);
/* first, let subclasses handle the release ... */
- if (info->port_is_attached || nm_device_sys_iface_state_is_external(port)
+ if (info->port_state != PORT_STATE_NOT_ATTACHED || nm_device_sys_iface_state_is_external(port)
|| release_type >= RELEASE_PORT_TYPE_CONFIG_FORCE) {
NMTernary ret;
--
2.45.2

50
SOURCES/1004-nm-dispatcher-fix-crash-rhel28973.patch
Unescape View File

@ -1,50 +0,0 @@
From e4fb80046cf36a7e210e8660ef50c93ef8971a5e Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Wed, 13 Mar 2024 10:47:31 +0100
Subject: [PATCH 1/2] nm-dispatcher: fix crash when parsing output dictionary
'stdout' is NULL when the script didn't write anything or failed.
Fixes the following crash detected by NMCI in test
'dispatcher_device_handler_dummy'.
nm-dispatcher[936339]: g_strsplit: assertion 'string != NULL' failed
build_result_options (nm-dispatcher)
complete_request (nm-dispatcher)
complete_script (nm-dispatcher)
script_watch_cb (nm-dispatcher)
g_child_watch_dispatch (libglib-2.0.so.0)
g_main_dispatch (libglib-2.0.so.0)
g_main_context_iterate (libglib-2.0.so.0)
g_main_context_iteration (libglib-2.0.so.0)
main (nm-dispatcher)
__libc_start_main (libc.so.6)
_start (nm-dispatcher)
Fixes: d72f26b87528 ('dispatcher: read device-handler's stdout into a dictionary')
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1889
(cherry picked from commit e5c2c5f1c2f55c139f39830651df2c901c3a0bf9)
(cherry picked from commit 669bf33de38a8a15e77662daadf94d6395838eee)
---
src/nm-dispatcher/nm-dispatcher.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/nm-dispatcher/nm-dispatcher.c b/src/nm-dispatcher/nm-dispatcher.c
index efb4ec0087..ce252b92bf 100644
--- a/src/nm-dispatcher/nm-dispatcher.c
+++ b/src/nm-dispatcher/nm-dispatcher.c
@@ -306,6 +306,9 @@ build_result_options(char *stdout)
char *key;
char *value;
+ if (!stdout)
+ return NULL;
+
lines = g_strsplit(stdout, "\n", 65);
for (i = 0; lines[i] && i < 64; i++) {
--
2.41.0

66
SOURCES/1005-fix-race-condition-while-enumerating-devices-rhel25808.patch
Unescape View File

@ -1,66 +0,0 @@
From 8ff08068342d1d8efe1e6d6c9a241e3395641a76 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Thu, 21 Mar 2024 09:45:15 +0100
Subject: [PATCH 2/2] manager: fix race condition while enumerating devices at
startup
While enumerating devices at startup, we take a snapshot of existing
links from platform and we start creating device instances for
them. It's possible that in the meantime, while processing netlink
events in platform_link_added(), a link gets renamed. If that happens,
then we have two different views of the same ifindex: the cached link
from `links` and the link in platform.
This can cause issues: in platform_link_added() we create the device
with the cached name; then in NMDevice's constructor(), we look up
from platform the ifindex for the given name. Because of the rename,
this lookup can match a newly created, different link.
The end result is that the ifindex from the initial snapshot doesn't
get a NMDevice and is not handled by NetworkManager.
Fix this problem by fetching the latest version of the link from
platform to make sure we have a consistent view of the state.
https://issues.redhat.com/browse/RHEL-25808
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1897
(cherry picked from commit de130df3e2207dc015c4fa82ecf766be2851532c)
(cherry picked from commit 6f3739e76f1f31d71bc3fbd7a4b0955071d59cc4)
---
src/core/nm-manager.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/core/nm-manager.c b/src/core/nm-manager.c
index 7f94f7cd9c..a77ba9d3b1 100644
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@@ -4438,10 +4438,25 @@ platform_query_devices(NMManager *self)
links = nm_platform_link_get_all(priv->platform);
if (!links)
return;
+
for (i = 0; i < links->len; i++) {
- const NMPlatformLink *link = NMP_OBJECT_CAST_LINK(links->pdata[i]);
+ const NMPlatformLink *elem = NMP_OBJECT_CAST_LINK(links->pdata[i]);
+ const NMPlatformLink *link;
const NMConfigDeviceStateData *dev_state;
+ /*
+ * @links is an immutable snapshot of the platform links captured before
+ * the loop was started. It's possible that in the meantime, while
+ * processing netlink events in platform_link_added(), a link was
+ * renamed. If that happens, we have 2 different views of the same
+ * ifindex: the one from @links and the one from platform. This can
+ * cause race conditions; make sure to use the latest known version of
+ * the link.
+ */
+ link = nm_platform_link_get(priv->platform, elem->ifindex);
+ if (!link)
+ continue;
+
dev_state = nm_config_device_state_get(priv->config, link->ifindex);
platform_link_added(self,
link->ifindex,
--
2.41.0

57
SOURCES/1005-fix-validation-of-ovs-dpdk-interface-name-rhel-60022.patch
Unescape View File

@ -0,0 +1,57 @@
From fd2768da4c3f966a215f01f09f8b5d7d534d0193 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 24 Sep 2024 16:25:03 +0200
Subject: [PATCH] libnm-core: fix validation of ovs-dpdk interface name
An ovs-dpdk interface doesn't have a kernel link and doesn't have the
15-character limit on the name.
Fixes: 3efe070dfc7a ('libnm: validate "connection.interface-name" at one place only')
Resolves: https://issues.redhat.com/browse/RHEL-60233
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2044
(cherry picked from commit fda05b0af085d9f7e4cc5691075dae63e7bf02a6)
(cherry picked from commit f6e4e537757a414cc896bc1b402da8c9c9e32eaa)
(cherry picked from commit c7035db5b43beff7ad7e91685ff17982a540d8e2)
---
src/libnm-core-impl/nm-setting-connection.c | 4 ++--
src/libnm-core-impl/tests/test-general.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/libnm-core-impl/nm-setting-connection.c b/src/libnm-core-impl/nm-setting-connection.c
index b51cd46bdd..3298dce60a 100644
--- a/src/libnm-core-impl/nm-setting-connection.c
+++ b/src/libnm-core-impl/nm-setting-connection.c
@@ -1379,13 +1379,13 @@ verify(NMSetting *setting, NMConnection *connection, GError **error)
if (connection)
goto after_interface_name;
iface_type = NMU_IFACE_ANY;
- } else if (NM_IN_STRSET(ovs_iface_type, "patch")) {
+ } else if (NM_IN_STRSET(ovs_iface_type, "patch", "dpdk")) {
/* this interface type is internal to OVS. */
iface_type = NMU_IFACE_OVS;
} else {
/* This interface type also requires a netdev. We need to validate
* for both OVS and KERNEL. */
- nm_assert(NM_IN_STRSET(ovs_iface_type, "internal", "system", "dpdk"));
+ nm_assert(NM_IN_STRSET(ovs_iface_type, "internal", "system"));
iface_type = NMU_IFACE_OVS_AND_KERNEL;
}
} else
diff --git a/src/libnm-core-impl/tests/test-general.c b/src/libnm-core-impl/tests/test-general.c
index 0a39010c11..8d4ea069c5 100644
--- a/src/libnm-core-impl/tests/test-general.c
+++ b/src/libnm-core-impl/tests/test-general.c
@@ -10832,7 +10832,7 @@ test_connection_ovs_ifname(gconstpointer test_data)
/* good if bridge, port, or patch interface */
g_object_set(s_con, NM_SETTING_CONNECTION_INTERFACE_NAME, "ovs123123123123130123123", NULL);
- if (!ovs_iface_type || nm_streq(ovs_iface_type, "patch"))
+ if (!ovs_iface_type || NM_IN_STRSET(ovs_iface_type, "patch", "dpdk"))
nmtst_assert_connection_verifies(con);
else {
nmtst_assert_connection_unnormalizable(con,
--
2.45.2

40
SOURCES/1006-fix-lldp-for-ovs-bridge-ports-rhel31766.patch
Unescape View File

@ -1,40 +0,0 @@
From 6394c2b262d86824a41ca82ad76288c06bfd1989 Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
Date: Tue, 26 Mar 2024 12:53:27 +0100
Subject: [PATCH] libnm-lldp: use ETH_P_ALL instead of NM_ETHERTYPE_LLDP for
the socket
When creating the socket for listening to LLDP frames we are setting
NM_ETHERTYPE_LLDP (0x88cc) as protocol. In most of the cases, that is
correct but when the interface is attached as a port to a OVS bridge,
kernel is not matching the protocol correctly. The reason might be that
some metadata is added to the packet, but we are not completely sure
about it.
Instead, we should use ETH_P_ALL to match all the protocols. Later, we
have a eBPF filter to drop the packet by multicast MAC address or
protocol. This is how lldpd is doing it for example.
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1903
(cherry picked from commit 9ac1d6e22bfac7f576dec034a26ac7c9012e5b80)
(cherry picked from commit 2fac176986f3afaa84242e069613cc543bfcc58c)
---
src/libnm-lldp/nm-lldp-network.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libnm-lldp/nm-lldp-network.c b/src/libnm-lldp/nm-lldp-network.c
index 811c3a7291..28cc745249 100644
--- a/src/libnm-lldp/nm-lldp-network.c
+++ b/src/libnm-lldp/nm-lldp-network.c
@@ -46,7 +46,7 @@ nm_lldp_network_bind_raw_socket(int ifindex)
assert(ifindex > 0);
- fd = socket(AF_PACKET, SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK, htobe16(NM_ETHERTYPE_LLDP));
+ fd = socket(AF_PACKET, SOCK_RAW | SOCK_CLOEXEC | SOCK_NONBLOCK, htobe16(ETH_P_ALL));
if (fd < 0)
return -errno;
--
2.44.0

210
SOURCES/1007-platform-avoid-routes-resync-rhel36162.patch
Unescape View File

@ -1,210 +0,0 @@
From ed5cbbc5847527ed0cfc33f521f7c724975c846b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Tue, 30 Apr 2024 12:45:04 +0200
Subject: [PATCH] platform: avoid routes resync for routes that we don't track
When we recibe a Netlink message with a "route change" event, normally
we just ignore it if it's a route that we don't track (i.e. because of
the route protocol).
However, it's not that easy if it has the NLM_F_REPLACE flag because
that means that it might be replacing another route. If the kernel has
similar routes which are candidates for the replacement, it's hard for
NM to guess which one of those is being replaced (as the kernel doesn't
have a "route ID" or similar field to indicate it). Moreover, the kernel
might choose to replace a route that we don't have on cache, so we know
nothing about it.
It is important to note that we cannot just discard Netlink messages of
routes that we don't track if they has the NLM_F_REPLACE. For example,
if we are tracking a route with proto=static, we might receive a replace
message, changing that route to proto=other_proto_that_we_dont_track. We
need to process that message and remove the route from our cache.
As NM doesn't know what route is being replaced, trying to guess will
lead to errors that will leave the cache in an inconsistent state.
Because of that, it just do a cache resync for the routes.
For IPv4 there was an optimization to this: if we don't have in the
cache any route candidate for the replacement there are only 2 possible
options: either add the new route to the cache or discard it if we are
not interested on it. We don't need a resync for that.
This commit is extending that optimization to IPv6 routes. There is no
reason why it shouldn't work in the same way than with IPv4. This
optimization will only work well as long as we find potential candidate
routes in the same way than the kernel (comparing the same fields). NM
calls to this "comparing by WEAK_ID". But this can also happen with IPv4
routes.
It is worth it to enable this optimization because there are routing
daemons using custom routing protocols that makes tens or hundreds of
updates per second. If they use NLM_F_REPLACE, this caused NM to do a
resync hundreds of times per second leading to a 100% CPU usage:
https://issues.redhat.com/browse/RHEL-26195
An additional but smaller optimization is done in this commit: if we
receive a route message for routes that we don't track AND doesn't have
the NLM_F_REPLACE flag, we can ignore the entire message, thus avoiding
the memory allocation of the nmp_object. That nmp_object was going to be
ignored later, anyway, so better to avoid these allocations that, with
the routing daemon of the above's example, can happen hundreds of times
per second.
With this changes, the CPU usage doing `ip route replace` 300 times/s
drops from 100% to 1%. Doing `ip route replace` as fast as possible,
without any rate limitting, still keeps NM with a 3% CPU usage in the
system that I have used to test.
(cherry picked from commit 4d426f581de402e0aebd2ab273ff6649a0a6fee6)
(cherry picked from commit 15ffa8ec6ff7bf43ed1eb123c0d419d6fab8b268)
---
src/libnm-platform/nm-linux-platform.c | 69 ++++++++++++++++----------
src/libnm-platform/nmp-object.c | 22 +++++---
2 files changed, 57 insertions(+), 34 deletions(-)
diff --git a/src/libnm-platform/nm-linux-platform.c b/src/libnm-platform/nm-linux-platform.c
index 9ecac2d9b3..5b595a9b71 100644
--- a/src/libnm-platform/nm-linux-platform.c
+++ b/src/libnm-platform/nm-linux-platform.c
@@ -3903,6 +3903,34 @@ _new_from_nl_addr(const struct nlmsghdr *nlh, gboolean id_only)
return g_steal_pointer(&obj);
}
+static gboolean
+ip_route_is_tracked(guint8 proto, guint8 type)
+{
+ if (proto > RTPROT_STATIC && !NM_IN_SET(proto, RTPROT_DHCP, RTPROT_RA)) {
+ /* We ignore certain rtm_protocol, because NetworkManager would only ever
+ * configure certain protocols. Other routes are not configured by NetworkManager
+ * and we don't track them in the platform cache.
+ *
+ * This is to help with the performance overhead of a huge number of
+ * routes, for example with the bird BGP software, that adds routes
+ * with RTPROT_BIRD protocol. */
+ return FALSE;
+ }
+
+ if (!NM_IN_SET(type,
+ RTN_UNICAST,
+ RTN_LOCAL,
+ RTN_BLACKHOLE,
+ RTN_UNREACHABLE,
+ RTN_PROHIBIT,
+ RTN_THROW)) {
+ /* Certain route types are ignored and not placed into the cache. */
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
/* Copied and heavily modified from libnl3's rtnl_route_parse() and parse_multipath(). */
static NMPObject *
_new_from_nl_route(const struct nlmsghdr *nlh, gboolean id_only, ParseNlmsgIter *parse_nlmsg_iter)
@@ -3963,6 +3991,16 @@ _new_from_nl_route(const struct nlmsghdr *nlh, gboolean id_only, ParseNlmsgIter
* only handle ~supported~ routes.
*****************************************************************/
+ /* If it's a route that we don't need to track, abort here to avoid unnecessary
+ * memory allocations to create the nmp_object. However, if the message has the
+ * NLM_F_REPLACE flag, it might be replacing a route that we were tracking so we
+ * have to stop tracking it. That means that we have to process all messages with
+ * NLM_F_REPLACE. See nmp_cache_update_netlink_route().
+ */
+ if (!ip_route_is_tracked(rtm->rtm_protocol, rtm->rtm_type)
+ && !(nlh->nlmsg_flags & NLM_F_REPLACE))
+ return NULL;
+
addr_family = rtm->rtm_family;
if (addr_family == AF_INET)
@@ -5519,39 +5557,18 @@ ip_route_get_lock_flag(const NMPlatformIPRoute *route)
static gboolean
ip_route_is_alive(const NMPlatformIPRoute *route)
{
- guint8 prot;
+ guint8 proto, type;
nm_assert(route);
nm_assert(route->rt_source >= NM_IP_CONFIG_SOURCE_RTPROT_UNSPEC
&& route->rt_source <= _NM_IP_CONFIG_SOURCE_RTPROT_LAST);
- prot = route->rt_source - 1;
-
- nm_assert(nmp_utils_ip_config_source_from_rtprot(prot) == route->rt_source);
-
- if (prot > RTPROT_STATIC && !NM_IN_SET(prot, RTPROT_DHCP, RTPROT_RA)) {
- /* We ignore certain rtm_protocol, because NetworkManager would only ever
- * configure certain protocols. Other routes are not configured by NetworkManager
- * and we don't track them in the platform cache.
- *
- * This is to help with the performance overhead of a huge number of
- * routes, for example with the bird BGP software, that adds routes
- * with RTPROT_BIRD protocol. */
- return FALSE;
- }
+ proto = route->rt_source - 1;
+ type = nm_platform_route_type_uncoerce(route->type_coerced);
- if (!NM_IN_SET(nm_platform_route_type_uncoerce(route->type_coerced),
- RTN_UNICAST,
- RTN_LOCAL,
- RTN_BLACKHOLE,
- RTN_UNREACHABLE,
- RTN_PROHIBIT,
- RTN_THROW)) {
- /* Certain route types are ignored and not placed into the cache. */
- return FALSE;
- }
+ nm_assert(nmp_utils_ip_config_source_from_rtprot(proto) == route->rt_source);
- return TRUE;
+ return ip_route_is_tracked(proto, type);
}
/* Copied and modified from libnl3's build_route_msg() and rtnl_route_build_msg(). */
diff --git a/src/libnm-platform/nmp-object.c b/src/libnm-platform/nmp-object.c
index 4090da71a3..cb4e9764d1 100644
--- a/src/libnm-platform/nmp-object.c
+++ b/src/libnm-platform/nmp-object.c
@@ -2988,6 +2988,13 @@ nmp_cache_update_netlink_route(NMPCache *cache,
* Since we don't cache all routes (see "route_is_alive"), we cannot know
* with certainty which route was replaced.
*
+ * For example, the kernel might have 3 similar routes (same WEAK_ID), one
+ * of which is not tracked by us so we don't have it into the cache. If we
+ * receive a route replace message, we don't know to what of the 3 routes
+ * it affects (one of the 3 we don't even know that exists). Moreover, if
+ * we only have one route on cache, we don't know if the replace is for a
+ * different one that we don't track.
+ *
* Even if we would cache *all* routes (which we cannot, if kernel adds new
* routing features that modify the known nmp_object_id_equal()), it would
* be hard to find the right route that was replaced. Well, probably we
@@ -3002,15 +3009,14 @@ nmp_cache_update_netlink_route(NMPCache *cache,
* [2] https://bugzilla.redhat.com/show_bug.cgi?id=1337860
*
* We need to resync.
+ *
+ * However, a resync is expensive. Think of a routing daemon that updates
+ * hundreds of routes per second, the performance penalty is huge. We can
+ * optimize it: if we don't have any matching route on cache (by WEAK_ID),
+ * we don't have anything to replace and we don't need a full resync, but
+ * only to add or discard the new route as usual.
*/
- if (NMP_OBJECT_GET_TYPE(obj_hand_over) == NMP_OBJECT_TYPE_IP4_ROUTE
- && !nmp_cache_lookup_all(cache, NMP_CACHE_ID_TYPE_ROUTES_BY_WEAK_ID, obj_hand_over)) {
- /* For IPv4, we can do a small optimization. We skip the resync, if we have
- * no conflicting routes (by weak-id).
- *
- * This optimization does not work for IPv6 (maybe should be fixed).
- */
- } else {
+ if (nmp_cache_lookup_all(cache, NMP_CACHE_ID_TYPE_ROUTES_BY_WEAK_ID, obj_hand_over)) {
entry_replace = NULL;
resync_required = TRUE;
goto out;
--
2.44.0

487
SOURCES/1008-checkpoint-preserve-in-memory-state-rhel32493.patch
Unescape View File

@ -1,487 +0,0 @@
From d6837f0bd30da069d327099cb555854630cd4584 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Thu, 2 May 2024 16:40:26 +0200
Subject: [PATCH 1/2] settings: add
nm_settings_connection_persist_mode_to_string()
(cherry picked from commit a48b7fe7b9d8adf4902c7b3cfcc4d89bc46cbbef)
(cherry picked from commit e5837aa1d3960b743adcff0a5041445ccd65fb93)
---
src/core/settings/nm-settings-connection.c | 23 ++++++++++++++++++++++
src/core/settings/nm-settings-connection.h | 4 ++++
2 files changed, 27 insertions(+)
diff --git a/src/core/settings/nm-settings-connection.c b/src/core/settings/nm-settings-connection.c
index 176cc2c252..459c60ad1e 100644
--- a/src/core/settings/nm-settings-connection.c
+++ b/src/core/settings/nm-settings-connection.c
@@ -226,6 +226,29 @@ static guint _get_seen_bssids(NMSettingsConnection *self,
/*****************************************************************************/
+char *
+nm_settings_connection_persist_mode_to_string(NMSettingsConnectionPersistMode mode)
+{
+ switch (mode) {
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY:
+ return "in-memory";
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY_DETACHED:
+ return "in-memory-detached";
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY_ONLY:
+ return "in-memory-only";
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_KEEP:
+ return "keep";
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_NO_PERSIST:
+ return "no-persist";
+ case NM_SETTINGS_CONNECTION_PERSIST_MODE_TO_DISK:
+ return "to-disk";
+ }
+
+ return nm_assert_unreachable_val(NULL);
+}
+
+/*****************************************************************************/
+
NMSettings *
nm_settings_connection_get_settings(NMSettingsConnection *self)
{
diff --git a/src/core/settings/nm-settings-connection.h b/src/core/settings/nm-settings-connection.h
index 835a978e40..d15a75b749 100644
--- a/src/core/settings/nm-settings-connection.h
+++ b/src/core/settings/nm-settings-connection.h
@@ -379,4 +379,8 @@ void _nm_settings_connection_emit_signal_updated_internal(
void _nm_settings_connection_cleanup_after_remove(NMSettingsConnection *self);
+/*****************************************************************************/
+
+char *nm_settings_connection_persist_mode_to_string(NMSettingsConnectionPersistMode mode);
+
#endif /* __NETWORKMANAGER_SETTINGS_CONNECTION_H__ */
--
2.41.0
From c6f9d0a6d5c864ba0141b6e985727cd69c5560fa Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Mon, 15 Apr 2024 10:51:24 +0200
Subject: [PATCH 2/2] checkpoint: preserve in-memory state of connections
If a connection is in-memory (i.e. has flag "unsaved"), after a
checkpoint and rollback it can be wrongly persisted to disk:
- if the connection was modified and written to disk after the
rollback, during the rollback we update it again with persist mode
"keep", which keeps it on disk;
- if the connection was deleted after the rollback, during the
rollback we add it again with persist mode "to-disk".
Instead, remember whether the connection had the "unsaved" flag set
and try to restore the previous state.
However, this is not straightforward as there are 4 different possible
states for the settings connection: persistent; in-memory only;
in-memory shadowing a persistent file; in-memory shadowing a detached
persistent file (i.e. the deletion of the connection doesn't delete
the persistent file). Handle all those cases.
Fixes: 3e09aed2a09f ('checkpoint: add create, rollback and destroy D-Bus API')
(cherry picked from commit c979bfeb8b0d3bed19bac2ad01a6a6ed899f924e)
(cherry picked from commit ebf25794d9cd89190775ac401c36d63aa1c108f7)
---
NEWS | 8 ++
src/core/nm-checkpoint.c | 242 ++++++++++++++++++++++++++++++++-------
2 files changed, 211 insertions(+), 39 deletions(-)
diff --git a/NEWS b/NEWS
index 6ac3118db9..e33152c6f4 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+===============================================
+NetworkManager-1.46.2
+Overview of changes since NetworkManager-1.46.0
+===============================================
+
+* Properly restore in-memory connection profiles during the rollback
+ of a checkpoint.
+
=============================================
NetworkManager-1.46
Overview of changes since NetworkManager-1.44
diff --git a/src/core/nm-checkpoint.c b/src/core/nm-checkpoint.c
index cc5c189bf9..ffcf6e3aad 100644
--- a/src/core/nm-checkpoint.c
+++ b/src/core/nm-checkpoint.c
@@ -10,6 +10,7 @@
#include "nm-active-connection.h"
#include "nm-act-request.h"
#include "libnm-core-aux-intern/nm-auth-subject.h"
+#include "libnm-core-intern/nm-keyfile-internal.h"
#include "nm-core-utils.h"
#include "nm-dbus-interface.h"
#include "devices/nm-device.h"
@@ -17,6 +18,7 @@
#include "nm-manager.h"
#include "settings/nm-settings.h"
#include "settings/nm-settings-connection.h"
+#include "settings/plugins/keyfile/nms-keyfile-storage.h"
#include "nm-simple-connection.h"
#include "nm-utils.h"
@@ -29,11 +31,14 @@ typedef struct {
NMDevice *device;
NMConnection *applied_connection;
NMConnection *settings_connection;
+ NMConnection *settings_connection_shadowed;
guint64 ac_version_id;
NMDeviceState state;
bool is_software : 1;
bool realized : 1;
bool activation_lifetime_bound_to_profile_visibility : 1;
+ bool settings_connection_is_unsaved : 1;
+ bool settings_connection_is_shadowed_owned : 1;
NMUnmanFlagOp unmanaged_explicit;
NMActivationReason activation_reason;
gulong dev_exported_change_id;
@@ -150,37 +155,111 @@ nm_checkpoint_includes_devices_of(NMCheckpoint *self, NMCheckpoint *cp_for_devic
return NULL;
}
+static NMConnection *
+parse_connection_from_shadowed_file(const char *path, GError **error)
+{
+ nm_auto_unref_keyfile GKeyFile *keyfile = NULL;
+ gs_free char *base_dir = NULL;
+ char *sep;
+
+ keyfile = g_key_file_new();
+ if (!g_key_file_load_from_file(keyfile, path, G_KEY_FILE_NONE, error))
+ return NULL;
+
+ sep = strrchr(path, '/');
+ base_dir = g_strndup(path, sep - path);
+
+ return nm_keyfile_read(keyfile, base_dir, NM_KEYFILE_HANDLER_FLAGS_NONE, NULL, NULL, error);
+}
+
static NMSettingsConnection *
-find_settings_connection(NMCheckpoint *self,
- DeviceCheckpoint *dev_checkpoint,
- gboolean *need_update,
- gboolean *need_activation)
+find_settings_connection(NMCheckpoint *self,
+ DeviceCheckpoint *dev_checkpoint,
+ gboolean *need_update,
+ gboolean *need_update_shadowed,
+ gboolean *need_activation,
+ NMSettingsConnectionPersistMode *persist_mode)
{
NMCheckpointPrivate *priv = NM_CHECKPOINT_GET_PRIVATE(self);
NMActiveConnection *active;
NMSettingsConnection *sett_conn;
+ const char *shadowed_file;
+ NMConnection *shadowed_connection = NULL;
const char *uuid, *ac_uuid;
const CList *tmp_clist;
-
- *need_activation = FALSE;
- *need_update = FALSE;
+ gboolean sett_conn_unsaved;
+ NMSettingsStorage *storage;
+
+ *need_activation = FALSE;
+ *need_update = FALSE;
+ *need_update_shadowed = FALSE;
+
+ /* With regard to storage, there are 4 different possible states for the settings
+ * connection: 1) persistent; 2) in-memory only; 3) in-memory shadowing a persistent
+ * file; 4) in-memory shadowing a detached persistent file (i.e. the deletion of
+ * the connection doesn't delete the persistent file).
+ */
+ if (dev_checkpoint->settings_connection_is_unsaved) {
+ if (dev_checkpoint->settings_connection_shadowed) {
+ if (dev_checkpoint->settings_connection_is_shadowed_owned)
+ *persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY;
+ else
+ *persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY_DETACHED;
+ } else
+ *persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_IN_MEMORY_ONLY;
+ } else {
+ *persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_TO_DISK;
+ }
uuid = nm_connection_get_uuid(dev_checkpoint->settings_connection);
sett_conn = nm_settings_get_connection_by_uuid(NM_SETTINGS_GET, uuid);
- if (!sett_conn)
- return NULL;
-
- /* Now check if the connection changed, ... */
- if (!nm_connection_compare(dev_checkpoint->settings_connection,
- nm_settings_connection_get_connection(sett_conn),
- NM_SETTING_COMPARE_FLAG_EXACT)) {
+ /* Check if the connection changed */
+ if (sett_conn
+ && !nm_connection_compare(dev_checkpoint->settings_connection,
+ nm_settings_connection_get_connection(sett_conn),
+ NM_SETTING_COMPARE_FLAG_IGNORE_TIMESTAMP)) {
_LOGT("rollback: settings connection %s changed", uuid);
*need_update = TRUE;
*need_activation = TRUE;
}
- /* ... is active, ... */
+ storage = sett_conn ? nm_settings_connection_get_storage(sett_conn) : NULL;
+ shadowed_file = storage ? nm_settings_storage_get_shadowed_storage(storage, NULL) : NULL;
+ shadowed_connection =
+ shadowed_file ? parse_connection_from_shadowed_file(shadowed_file, NULL) : NULL;
+
+ if (dev_checkpoint->settings_connection_shadowed) {
+ if (!shadowed_connection
+ || !nm_connection_compare(dev_checkpoint->settings_connection_shadowed,
+ shadowed_connection,
+ NM_SETTING_COMPARE_FLAG_IGNORE_TIMESTAMP)) {
+ _LOGT("rollback: shadowed connection changed for %s", uuid);
+ *need_update_shadowed = TRUE;
+ *need_update = TRUE;
+ }
+ } else {
+ if (shadowed_connection) {
+ _LOGT("rollback: shadowed connection changed for %s", uuid);
+ *need_update = TRUE;
+ }
+ }
+
+ if (!sett_conn)
+ return NULL;
+
+ /* Check if the connection unsaved flag changed */
+ sett_conn_unsaved = NM_FLAGS_HAS(nm_settings_connection_get_flags(sett_conn),
+ NM_SETTINGS_CONNECTION_INT_FLAGS_UNSAVED);
+ if (sett_conn_unsaved != dev_checkpoint->settings_connection_is_unsaved) {
+ _LOGT("rollback: storage changed for settings connection %s: unsaved (%d -> %d)",
+ uuid,
+ dev_checkpoint->settings_connection_is_unsaved,
+ sett_conn_unsaved);
+ *need_update = TRUE;
+ }
+
+ /* Check if the active state changed */
nm_manager_for_each_active_connection (priv->manager, active, tmp_clist) {
ac_uuid =
nm_settings_connection_get_uuid(nm_active_connection_get_settings_connection(active));
@@ -196,7 +275,7 @@ find_settings_connection(NMCheckpoint *self,
return sett_conn;
}
- /* ... or if the connection was reactivated/reapplied */
+ /* Check if the connection was reactivated/reapplied */
if (nm_active_connection_version_id_get(active) != dev_checkpoint->ac_version_id) {
_LOGT("rollback: active connection version id of %s changed", uuid);
*need_activation = TRUE;
@@ -212,12 +291,19 @@ restore_and_activate_connection(NMCheckpoint *self, DeviceCheckpoint *dev_checkp
NMSettingsConnection *connection;
gs_unref_object NMAuthSubject *subject = NULL;
GError *local_error = NULL;
- gboolean need_update, need_activation;
+ gboolean need_update;
+ gboolean need_update_shadowed;
+ gboolean need_activation;
NMSettingsConnectionPersistMode persist_mode;
NMSettingsConnectionIntFlags sett_flags;
NMSettingsConnectionIntFlags sett_mask;
- connection = find_settings_connection(self, dev_checkpoint, &need_update, &need_activation);
+ connection = find_settings_connection(self,
+ dev_checkpoint,
+ &need_update,
+ &need_update_shadowed,
+ &need_activation,
+ &persist_mode);
/* FIXME: we need to ensure to re-create/update the profile for the
* same settings plugin. E.g. if it was a keyfile in /run or /etc,
@@ -229,9 +315,26 @@ restore_and_activate_connection(NMCheckpoint *self, DeviceCheckpoint *dev_checkp
sett_mask = NM_SETTINGS_CONNECTION_INT_FLAGS_NONE;
if (connection) {
+ if (need_update_shadowed) {
+ _LOGD("rollback: updating shadowed file for connection %s",
+ nm_connection_get_uuid(dev_checkpoint->settings_connection));
+ nm_settings_connection_update(
+ connection,
+ NULL,
+ dev_checkpoint->settings_connection_shadowed,
+ NM_SETTINGS_CONNECTION_PERSIST_MODE_TO_DISK,
+ sett_flags,
+ sett_mask,
+ NM_SETTINGS_CONNECTION_UPDATE_REASON_RESET_SYSTEM_SECRETS
+ | NM_SETTINGS_CONNECTION_UPDATE_REASON_UPDATE_NON_SECRET,
+ "checkpoint-rollback",
+ NULL);
+ }
+
if (need_update) {
- _LOGD("rollback: updating connection %s", nm_settings_connection_get_uuid(connection));
- persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_KEEP;
+ _LOGD("rollback: updating connection %s with persist mode \"%s\"",
+ nm_connection_get_uuid(dev_checkpoint->settings_connection),
+ nm_settings_connection_persist_mode_to_string(persist_mode));
nm_settings_connection_update(
connection,
NULL,
@@ -246,21 +349,54 @@ restore_and_activate_connection(NMCheckpoint *self, DeviceCheckpoint *dev_checkp
}
} else {
/* The connection was deleted, recreate it */
- _LOGD("rollback: adding connection %s again",
- nm_connection_get_uuid(dev_checkpoint->settings_connection));
-
- persist_mode = NM_SETTINGS_CONNECTION_PERSIST_MODE_TO_DISK;
- if (!nm_settings_add_connection(NM_SETTINGS_GET,
- NULL,
- dev_checkpoint->settings_connection,
- persist_mode,
- NM_SETTINGS_CONNECTION_ADD_REASON_NONE,
- sett_flags,
- &connection,
- &local_error)) {
- _LOGD("rollback: connection add failure: %s", local_error->message);
- g_clear_error(&local_error);
- return FALSE;
+ if (need_update_shadowed) {
+ _LOGD("rollback: adding back shadowed file for connection %s",
+ nm_connection_get_uuid(dev_checkpoint->settings_connection));
+
+ if (!nm_settings_add_connection(NM_SETTINGS_GET,
+ NULL,
+ dev_checkpoint->settings_connection_shadowed,
+ NM_SETTINGS_CONNECTION_PERSIST_MODE_TO_DISK,
+ NM_SETTINGS_CONNECTION_ADD_REASON_NONE,
+ sett_flags,
+ &connection,
+ &local_error)) {
+ _LOGD("rollback: connection add failure: %s", local_error->message);
+ g_clear_error(&local_error);
+ return FALSE;
+ }
+
+ _LOGD("rollback: updating connection %s with persist mode \"%s\"",
+ nm_connection_get_uuid(dev_checkpoint->settings_connection),
+ nm_settings_connection_persist_mode_to_string(persist_mode));
+
+ nm_settings_connection_update(
+ connection,
+ NULL,
+ dev_checkpoint->settings_connection,
+ persist_mode,
+ sett_flags,
+ sett_mask,
+ NM_SETTINGS_CONNECTION_UPDATE_REASON_RESET_SYSTEM_SECRETS
+ | NM_SETTINGS_CONNECTION_UPDATE_REASON_UPDATE_NON_SECRET,
+ "checkpoint-rollback",
+ NULL);
+ } else {
+ _LOGD("rollback: adding back connection %s with persist mode \"%s\"",
+ nm_connection_get_uuid(dev_checkpoint->settings_connection),
+ nm_settings_connection_persist_mode_to_string(persist_mode));
+ if (!nm_settings_add_connection(NM_SETTINGS_GET,
+ NULL,
+ dev_checkpoint->settings_connection,
+ persist_mode,
+ NM_SETTINGS_CONNECTION_ADD_REASON_NONE,
+ sett_flags,
+ &connection,
+ &local_error)) {
+ _LOGD("rollback: connection add failure: %s", local_error->message);
+ g_clear_error(&local_error);
+ return FALSE;
+ }
}
need_activation = TRUE;
}
@@ -362,11 +498,15 @@ nm_checkpoint_rollback(NMCheckpoint *self)
while (g_hash_table_iter_next(&iter, (gpointer *) &device, (gpointer *) &dev_checkpoint)) {
guint32 result = NM_ROLLBACK_RESULT_OK;
- _LOGD("rollback: restoring device %s (state %d, realized %d, explicitly unmanaged %d)",
+ _LOGD("rollback: restoring device %s (state %d, realized %d, explicitly unmanaged %d, "
+ "connection-unsaved %d, connection-shadowed %d, connection-shadowed-owned %d)",
dev_checkpoint->original_dev_name,
(int) dev_checkpoint->state,
dev_checkpoint->realized,
- dev_checkpoint->unmanaged_explicit);
+ dev_checkpoint->unmanaged_explicit,
+ dev_checkpoint->settings_connection_is_unsaved,
+ !!dev_checkpoint->settings_connection_shadowed,
+ dev_checkpoint->settings_connection_is_shadowed_owned);
if (nm_device_is_real(device)) {
if (!dev_checkpoint->realized) {
@@ -518,6 +658,7 @@ device_checkpoint_destroy(gpointer data)
g_clear_object(&dev_checkpoint->applied_connection);
g_clear_object(&dev_checkpoint->settings_connection);
g_clear_object(&dev_checkpoint->device);
+ g_clear_object(&dev_checkpoint->settings_connection_shadowed);
g_free(dev_checkpoint->original_dev_path);
g_free(dev_checkpoint->original_dev_name);
@@ -555,7 +696,7 @@ _dev_exported_changed(NMDBusObject *obj, NMCheckpoint *checkpoint)
}
static DeviceCheckpoint *
-device_checkpoint_create(NMCheckpoint *checkpoint, NMDevice *device)
+device_checkpoint_create(NMCheckpoint *self, NMDevice *device)
{
DeviceCheckpoint *dev_checkpoint;
NMConnection *applied_connection;
@@ -579,7 +720,7 @@ device_checkpoint_create(NMCheckpoint *checkpoint, NMDevice *device)
dev_checkpoint->dev_exported_change_id = g_signal_connect(device,
NM_DBUS_OBJECT_EXPORTED_CHANGED,
G_CALLBACK(_dev_exported_changed),
- checkpoint);
+ self);
if (nm_device_get_unmanaged_mask(device, NM_UNMANAGED_USER_EXPLICIT)) {
dev_checkpoint->unmanaged_explicit =
@@ -589,6 +730,11 @@ device_checkpoint_create(NMCheckpoint *checkpoint, NMDevice *device)
act_request = nm_device_get_act_request(device);
if (act_request) {
+ NMSettingsStorage *storage;
+ gboolean shadowed_owned = FALSE;
+ const char *shadowed_file;
+ gs_free_error GError *error = NULL;
+
settings_connection = nm_act_request_get_settings_connection(act_request);
applied_connection = nm_act_request_get_applied_connection(act_request);
@@ -602,6 +748,24 @@ device_checkpoint_create(NMCheckpoint *checkpoint, NMDevice *device)
dev_checkpoint->activation_lifetime_bound_to_profile_visibility =
NM_FLAGS_HAS(nm_active_connection_get_state_flags(NM_ACTIVE_CONNECTION(act_request)),
NM_ACTIVATION_STATE_FLAG_LIFETIME_BOUND_TO_PROFILE_VISIBILITY);
+
+ dev_checkpoint->settings_connection_is_unsaved =
+ NM_FLAGS_HAS(nm_settings_connection_get_flags(settings_connection),
+ NM_SETTINGS_CONNECTION_INT_FLAGS_UNSAVED);
+
+ storage = nm_settings_connection_get_storage(settings_connection);
+ shadowed_file =
+ storage ? nm_settings_storage_get_shadowed_storage(storage, &shadowed_owned) : NULL;
+ if (shadowed_file) {
+ dev_checkpoint->settings_connection_is_shadowed_owned = shadowed_owned;
+ dev_checkpoint->settings_connection_shadowed =
+ parse_connection_from_shadowed_file(shadowed_file, &error);
+ if (!dev_checkpoint->settings_connection_shadowed) {
+ _LOGW("error reading shadowed connection file for %s: %s",
+ nm_device_get_iface(device),
+ error->message);
+ }
+ }
}
return dev_checkpoint;
--
2.41.0

398
SOURCES/1010-allow-ip-configurations-without-addresses-rhel28544.patch
Unescape View File

@ -1,398 +0,0 @@
From 3806d476ab8c45a8ea534be064515744ccea16e2 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Tue, 7 May 2024 17:51:19 +0200
Subject: [PATCH 1/4] vpn: allow IP configurations without addresses
An IPv4-over-IPv6 (or vice-versa) IPsec VPN can return IP
configurations with routes and without addresses. For example, in this
scenario:
+---------------+ +---------------+
| fd01::10/64 <-- VPN --> fd02::20/64 |
| host1 | | host2 |
+-------^-------+ +-------^-------+
| |
+-------v-------+ +-------v-------+
| subnet1 | | subnet2 |
| 172.16.1.0/24 | | 172.16.2.0/24 |
+---------------+ +---------------+
host1 and host2 establish a IPv6 tunnel which encapsulates packets
between the two IPv4 subnets. Therefore, in routed mode, host1 will
need to configure a route like "172.16.2.0/24 via ipsec1" even if the
host doesn't have any IPv4 address on the VPN interface.
Accept IP configurations without address from the VPN; only check that
the address and prefix are sane if they are provided.
(cherry picked from commit 97f185e1f8e5a60d770711d8bce8bd12a205590f)
(cherry picked from commit 518b7c5bd51d3f652c8179594a522f6ddf93f449)
(cherry picked from commit 476a9553f61c4bd6f0c8dec476b3179de6cf2293)
---
src/core/vpn/nm-vpn-connection.c | 44 ++++++++++++++++++++------------
1 file changed, 27 insertions(+), 17 deletions(-)
diff --git a/src/core/vpn/nm-vpn-connection.c b/src/core/vpn/nm-vpn-connection.c
index 3dba9ff6c8..62aecbd286 100644
--- a/src/core/vpn/nm-vpn-connection.c
+++ b/src/core/vpn/nm-vpn-connection.c
@@ -1988,6 +1988,12 @@ _dbus_signal_ip_config_cb(NMVpnConnection *self, int addr_family, GVariant *dict
nm_l3_config_data_set_dns_priority(l3cd, AF_INET, NM_DNS_PRIORITY_DEFAULT_VPN);
+ _vardict_to_addr(addr_family,
+ dict,
+ IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_INT_GATEWAY
+ : NM_VPN_PLUGIN_IP6_CONFIG_INT_GATEWAY,
+ &priv->ip_data_x[IS_IPv4].gw_internal);
+
if (IS_IPv4) {
address.a4 = (NMPlatformIP4Address){
.plen = 24,
@@ -1998,16 +2004,17 @@ _dbus_signal_ip_config_cb(NMVpnConnection *self, int addr_family, GVariant *dict
};
}
- _vardict_to_addr(addr_family,
- dict,
- IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_INT_GATEWAY
- : NM_VPN_PLUGIN_IP6_CONFIG_INT_GATEWAY,
- &priv->ip_data_x[IS_IPv4].gw_internal);
-
- _vardict_to_addr(addr_family,
- dict,
- IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS : NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS,
- address.ax.address_ptr);
+ if (_vardict_to_addr(addr_family,
+ dict,
+ IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS
+ : NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS,
+ address.ax.address_ptr)
+ && nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)) {
+ _LOGW("invalid IP%c config received: address is zero",
+ nm_utils_addr_family_to_char(addr_family));
+ _check_complete(self, FALSE);
+ return;
+ }
if (!_vardict_to_addr(addr_family,
dict,
@@ -2024,17 +2031,20 @@ _dbus_signal_ip_config_cb(NMVpnConnection *self, int addr_family, GVariant *dict
&u32))
address.ax.plen = u32;
- if (address.ax.plen > 0 && address.ax.plen <= (IS_IPv4 ? 32 : 128)
- && !nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)) {
- address.ax.addr_source = NM_IP_CONFIG_SOURCE_VPN;
- nm_l3_config_data_add_address(l3cd, addr_family, NULL, &address.ax);
- } else {
- _LOGW("invalid IP%c config received: no valid IP address/prefix",
- nm_utils_addr_family_to_char(addr_family));
+ if (!nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)
+ && (address.ax.plen == 0 || address.ax.plen > (IS_IPv4 ? 32 : 128))) {
+ _LOGW("invalid IP%c config received: invalid prefix %u",
+ nm_utils_addr_family_to_char(addr_family),
+ address.ax.plen);
_check_complete(self, FALSE);
return;
}
+ if (!nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)) {
+ address.ax.addr_source = NM_IP_CONFIG_SOURCE_VPN;
+ nm_l3_config_data_add_address(l3cd, addr_family, NULL, &address.ax);
+ }
+
if (IS_IPv4) {
if (g_variant_lookup(dict, NM_VPN_PLUGIN_IP4_CONFIG_DNS, "au", &var_iter)) {
while (g_variant_iter_next(var_iter, "u", &u32))
--
2.45.2
From 044f85613f09861d908045feda6d6f3b499d75b5 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Wed, 8 May 2024 10:49:27 +0200
Subject: [PATCH 2/4] core: rename l3cd's "dhcp_enabled" to
"allow_routes_without_address"
The name "dhcp_enabled" is misleading because the flag is set for
method=auto, which doesn't necessarily imply DHCP. Also, it doesn't
convey what the flag is used for. Rename it to
"allow_routes_without_address".
(cherry picked from commit b31febea22485d3dd063cfff8fc61c1e3901a7ca)
(cherry picked from commit 6897b6ecfdd5ed2e50c7db45a4ea3c7c7998d908)
(cherry picked from commit ea731bba9b1f5a22e48c0a6c1881bc91c3cf1032)
---
src/core/nm-l3-config-data.c | 68 +++++++++++++++++++-----------------
src/core/nm-l3-config-data.h | 3 +-
src/core/nm-l3cfg.c | 9 +++--
3 files changed, 41 insertions(+), 39 deletions(-)
diff --git a/src/core/nm-l3-config-data.c b/src/core/nm-l3-config-data.c
index a4647116a9..fbee1bf7e8 100644
--- a/src/core/nm-l3-config-data.c
+++ b/src/core/nm-l3-config-data.c
@@ -157,8 +157,8 @@ struct _NML3ConfigData {
bool has_routes_with_type_local_6_set : 1;
bool has_routes_with_type_local_4_val : 1;
bool has_routes_with_type_local_6_val : 1;
- bool dhcp_enabled_4 : 1;
- bool dhcp_enabled_6 : 1;
+ bool allow_routes_without_address_4 : 1;
+ bool allow_routes_without_address_6 : 1;
bool ndisc_hop_limit_set : 1;
bool ndisc_reachable_time_msec_set : 1;
@@ -678,26 +678,28 @@ nm_l3_config_data_new(NMDedupMultiIndex *multi_idx, int ifindex, NMIPConfigSourc
self = g_slice_new(NML3ConfigData);
*self = (NML3ConfigData){
- .ref_count = 1,
- .ifindex = ifindex,
- .multi_idx = nm_dedup_multi_index_ref(multi_idx),
- .mdns = NM_SETTING_CONNECTION_MDNS_DEFAULT,
- .llmnr = NM_SETTING_CONNECTION_LLMNR_DEFAULT,
- .dns_over_tls = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT,
- .flags = NM_L3_CONFIG_DAT_FLAGS_NONE,
- .metered = NM_TERNARY_DEFAULT,
- .proxy_browser_only = NM_TERNARY_DEFAULT,
- .proxy_method = NM_PROXY_CONFIG_METHOD_UNKNOWN,
- .route_table_sync_4 = NM_IP_ROUTE_TABLE_SYNC_MODE_NONE,
- .route_table_sync_6 = NM_IP_ROUTE_TABLE_SYNC_MODE_NONE,
- .never_default_6 = NM_OPTION_BOOL_DEFAULT,
- .never_default_4 = NM_OPTION_BOOL_DEFAULT,
- .source = source,
- .ip6_privacy = NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN,
- .mptcp_flags = NM_MPTCP_FLAGS_NONE,
- .ndisc_hop_limit_set = FALSE,
- .ndisc_reachable_time_msec_set = FALSE,
- .ndisc_retrans_timer_msec_set = FALSE,
+ .ref_count = 1,
+ .ifindex = ifindex,
+ .multi_idx = nm_dedup_multi_index_ref(multi_idx),
+ .mdns = NM_SETTING_CONNECTION_MDNS_DEFAULT,
+ .llmnr = NM_SETTING_CONNECTION_LLMNR_DEFAULT,
+ .dns_over_tls = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT,
+ .flags = NM_L3_CONFIG_DAT_FLAGS_NONE,
+ .metered = NM_TERNARY_DEFAULT,
+ .proxy_browser_only = NM_TERNARY_DEFAULT,
+ .proxy_method = NM_PROXY_CONFIG_METHOD_UNKNOWN,
+ .route_table_sync_4 = NM_IP_ROUTE_TABLE_SYNC_MODE_NONE,
+ .route_table_sync_6 = NM_IP_ROUTE_TABLE_SYNC_MODE_NONE,
+ .never_default_6 = NM_OPTION_BOOL_DEFAULT,
+ .never_default_4 = NM_OPTION_BOOL_DEFAULT,
+ .source = source,
+ .ip6_privacy = NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN,
+ .mptcp_flags = NM_MPTCP_FLAGS_NONE,
+ .ndisc_hop_limit_set = FALSE,
+ .ndisc_reachable_time_msec_set = FALSE,
+ .ndisc_retrans_timer_msec_set = FALSE,
+ .allow_routes_without_address_4 = TRUE,
+ .allow_routes_without_address_6 = TRUE,
};
_idx_type_init(&self->idx_addresses_4, NMP_OBJECT_TYPE_IP4_ADDRESS);
@@ -1936,15 +1938,15 @@ nm_l3_config_data_set_mptcp_flags(NML3ConfigData *self, NMMptcpFlags mptcp_flags
}
gboolean
-nm_l3_config_data_get_dhcp_enabled(const NML3ConfigData *self, int addr_family)
+nm_l3_config_data_get_allow_routes_without_address(const NML3ConfigData *self, int addr_family)
{
const int IS_IPv4 = NM_IS_IPv4(addr_family);
nm_assert(_NM_IS_L3_CONFIG_DATA(self, TRUE));
if (IS_IPv4) {
- return self->dhcp_enabled_4;
+ return self->allow_routes_without_address_4;
} else {
- return self->dhcp_enabled_6;
+ return self->allow_routes_without_address_6;
}
}
@@ -2758,18 +2760,18 @@ _init_from_connection_ip(NML3ConfigData *self, int addr_family, NMConnection *co
method = nm_setting_ip_config_get_method(s_ip);
if (IS_IPv4) {
if (nm_streq(method, NM_SETTING_IP4_CONFIG_METHOD_AUTO)) {
- self->dhcp_enabled_4 = TRUE;
+ self->allow_routes_without_address_4 = FALSE;
} else {
- self->dhcp_enabled_4 = FALSE;
+ self->allow_routes_without_address_4 = TRUE;
}
} else {
method = nm_setting_ip_config_get_method(s_ip);
if (NM_IN_STRSET(method,
NM_SETTING_IP6_CONFIG_METHOD_AUTO,
NM_SETTING_IP6_CONFIG_METHOD_DHCP)) {
- self->dhcp_enabled_6 = TRUE;
+ self->allow_routes_without_address_6 = FALSE;
} else {
- self->dhcp_enabled_6 = FALSE;
+ self->allow_routes_without_address_6 = TRUE;
}
}
@@ -3456,11 +3458,11 @@ nm_l3_config_data_merge(NML3ConfigData *self,
self->dhcp_lease_x[0] = nm_dhcp_lease_ref(self->dhcp_lease_x[0]);
self->dhcp_lease_x[1] = nm_dhcp_lease_ref(self->dhcp_lease_x[1]);
}
- if (src->dhcp_enabled_4)
- self->dhcp_enabled_4 = TRUE;
+ if (!src->allow_routes_without_address_4)
+ self->allow_routes_without_address_4 = FALSE;
- if (src->dhcp_enabled_6)
- self->dhcp_enabled_6 = TRUE;
+ if (!src->allow_routes_without_address_6)
+ self->allow_routes_without_address_6 = FALSE;
}
NML3ConfigData *
diff --git a/src/core/nm-l3-config-data.h b/src/core/nm-l3-config-data.h
index b55b2f4194..5c8491a704 100644
--- a/src/core/nm-l3-config-data.h
+++ b/src/core/nm-l3-config-data.h
@@ -554,7 +554,8 @@ NMSettingIP6ConfigPrivacy nm_l3_config_data_get_ip6_privacy(const NML3ConfigData
gboolean nm_l3_config_data_set_ip6_privacy(NML3ConfigData *self,
NMSettingIP6ConfigPrivacy ip6_privacy);
-gboolean nm_l3_config_data_get_dhcp_enabled(const NML3ConfigData *self, int addr_family);
+gboolean nm_l3_config_data_get_allow_routes_without_address(const NML3ConfigData *self,
+ int addr_family);
NMProxyConfigMethod nm_l3_config_data_get_proxy_method(const NML3ConfigData *self);
diff --git a/src/core/nm-l3cfg.c b/src/core/nm-l3cfg.c
index f428d04cc6..ab9844d642 100644
--- a/src/core/nm-l3cfg.c
+++ b/src/core/nm-l3cfg.c
@@ -1301,7 +1301,6 @@ _commit_collect_routes(NML3Cfg *self,
const int IS_IPv4 = NM_IS_IPv4(addr_family);
const NMDedupMultiHeadEntry *head_entry;
const NMDedupMultiEntry *entry;
- gboolean is_dhcp_enabled;
nm_assert(routes && !*routes);
nm_assert(routes_nodev && !*routes_nodev);
@@ -1321,10 +1320,10 @@ _commit_collect_routes(NML3Cfg *self,
else {
nm_assert(NMP_OBJECT_CAST_IP_ROUTE(obj)->ifindex == self->priv.ifindex);
- is_dhcp_enabled =
- nm_l3_config_data_get_dhcp_enabled(self->priv.p->combined_l3cd_commited,
- addr_family);
- if (!any_addrs && is_dhcp_enabled) {
+ if (!any_addrs
+ && !nm_l3_config_data_get_allow_routes_without_address(
+ self->priv.p->combined_l3cd_commited,
+ addr_family)) {
/* This is a unicast route (or a similar route, which has an
* ifindex).
*
--
2.45.2
From 66f8dfc453eda98a77c9a85c2b6110955f02b5c7 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Wed, 8 May 2024 11:02:20 +0200
Subject: [PATCH 3/4] core: add
nm_l3_config_data_set_allow_routes_without_address()
Add a function to set the allow-routes-without-address flag for
l3cds. It will be used in the next commit.
(cherry picked from commit a3ce13c947e6eda71fa07de273ede55b806e8d45)
(cherry picked from commit 5fa063f90d443044ca1dba71478c701ce7b62b94)
(cherry picked from commit e008ec734553f7b065714025e6f3628cac10f314)
---
src/core/nm-l3-config-data.c | 15 +++++++++++++++
src/core/nm-l3-config-data.h | 4 ++++
2 files changed, 19 insertions(+)
diff --git a/src/core/nm-l3-config-data.c b/src/core/nm-l3-config-data.c
index fbee1bf7e8..908c4d65d5 100644
--- a/src/core/nm-l3-config-data.c
+++ b/src/core/nm-l3-config-data.c
@@ -1950,6 +1950,21 @@ nm_l3_config_data_get_allow_routes_without_address(const NML3ConfigData *self, i
}
}
+void
+nm_l3_config_data_set_allow_routes_without_address(NML3ConfigData *self,
+ int addr_family,
+ gboolean value)
+{
+ const int IS_IPv4 = NM_IS_IPv4(addr_family);
+
+ nm_assert(_NM_IS_L3_CONFIG_DATA(self, FALSE));
+ if (IS_IPv4) {
+ self->allow_routes_without_address_4 = value;
+ } else {
+ self->allow_routes_without_address_6 = value;
+ }
+}
+
NMProxyConfigMethod
nm_l3_config_data_get_proxy_method(const NML3ConfigData *self)
{
diff --git a/src/core/nm-l3-config-data.h b/src/core/nm-l3-config-data.h
index 5c8491a704..faf4f0bfa9 100644
--- a/src/core/nm-l3-config-data.h
+++ b/src/core/nm-l3-config-data.h
@@ -557,6 +557,10 @@ gboolean nm_l3_config_data_set_ip6_privacy(NML3ConfigData *self,
gboolean nm_l3_config_data_get_allow_routes_without_address(const NML3ConfigData *self,
int addr_family);
+void nm_l3_config_data_set_allow_routes_without_address(NML3ConfigData *self,
+ int addr_family,
+ gboolean value);
+
NMProxyConfigMethod nm_l3_config_data_get_proxy_method(const NML3ConfigData *self);
gboolean nm_l3_config_data_set_proxy_method(NML3ConfigData *self, NMProxyConfigMethod value);
--
2.45.2
From 1d041a7ada56c27dcd155ff67a1bf02f0b00e35e Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Wed, 8 May 2024 11:04:04 +0200
Subject: [PATCH 4/4] vpn: allow IP configurations with routes and without
addresses
Usually, when the method is "auto" we want to avoid configuring routes
until the automatic method completes. To achieve that, we clear the
"allow_routes_without_address" flag of l3cds when the method is "auto".
For VPNs, IP configurations with only routes are perfectly valid,
therefore set the flag.
(cherry picked from commit d1ffdb28ebaf3af23ac76b59c35fe7e4672cb5bc)
(cherry picked from commit 5b4ed809cc458504f01a02e908a91f2625613787)
(cherry picked from commit 83847cc621aaa5ee6130e4088582875fcd98dd64)
---
src/core/vpn/nm-vpn-connection.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/core/vpn/nm-vpn-connection.c b/src/core/vpn/nm-vpn-connection.c
index 62aecbd286..f26f4c42e0 100644
--- a/src/core/vpn/nm-vpn-connection.c
+++ b/src/core/vpn/nm-vpn-connection.c
@@ -1433,6 +1433,10 @@ _check_complete(NMVpnConnection *self, gboolean success)
l3cd = nm_l3_config_data_new_from_connection(nm_netns_get_multi_idx(priv->netns),
nm_vpn_connection_get_ip_ifindex(self, TRUE),
connection);
+
+ nm_l3_config_data_set_allow_routes_without_address(l3cd, AF_INET, TRUE);
+ nm_l3_config_data_set_allow_routes_without_address(l3cd, AF_INET6, TRUE);
+
_l3cfg_l3cd_set(self, L3CD_TYPE_STATIC, l3cd);
_l3cfg_l3cd_gw_extern_update(self);
--
2.45.2

241
SOURCES/1011-vpn-handle-hint-tags-in-the-daemon-rhel44712.patch
Unescape View File

@ -1,241 +0,0 @@
From 4a31371e834057712c33678b249127062b250a33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Mon, 3 Jun 2024 14:29:15 +0200
Subject: [PATCH 1/2] vpn: handle hint tags in the daemon
Commit 345bd1b18731 ('libnmc: fix secrets request on 2nd stage of 2FA
authentication') and commit 27c701ebfbc9 ('libnmc: allow user input in
ECHO mode for 2FA challenges') introduced 2 new tags that hints for the
secret agents can have as prefix.
These tags were processed (and removed) in the secret agents, not in the
daemon. This is wrong because a system with an updated VPN plugin but a
not yet updated secret agent (like nm-plasma) will fail: it won't remove
the prefix and the daemon will save the secret with the prefix, i.e.
"x-dynamic-challenge:challenge-response" instead of just
"challenge-response". Then, VPN plugins doesn't recognize it, failing the
profile's activation. This is, in fact, an API break.
Also, if the VPN connection already existed before updating NM and the
VPN plugin, the secret flags are not added to the profile (they are only
added when the profile is created or modified). This causes the user's
first time response is saved to the profile, so the activation fails the
second and next times.
See:
- https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1536
- https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/142
Anyway, in a good design the daemon should contain almost all the logic
and the clients should keep as simple as possible. Fix above's problems
by letting the daemon to receive the secret names with the prefix
already included. The daemon will strip it and will know what it means.
Note that this is done only in the functions that saves the secrets from
the data received via D-Bus. For example, nm_setting_vpn_add_secret
doesn't need to do it because this value shouldn't come from VPN
plugin's hints.
(cherry picked from commit 0583e1f8436e4c8a4e462a643c711b69d157b938)
(cherry picked from commit 574741783c34fc62e8df78544b619d8281ddc85d)
(cherry picked from commit bdbcda1e22c2eba9a51fb476b79fb680a99be84f)
---
src/libnm-core-impl/nm-setting-vpn.c | 55 ++++++++++++++++++++++++++--
1 file changed, 52 insertions(+), 3 deletions(-)
diff --git a/src/libnm-core-impl/nm-setting-vpn.c b/src/libnm-core-impl/nm-setting-vpn.c
index b867d01860..65a14866c8 100644
--- a/src/libnm-core-impl/nm-setting-vpn.c
+++ b/src/libnm-core-impl/nm-setting-vpn.c
@@ -577,14 +577,48 @@ verify(NMSetting *setting, NMConnection *connection, GError **error)
return TRUE;
}
+static gboolean
+_parse_secret_hint_tag(const char *secret_name,
+ const char **out_secret_name,
+ NMSettingSecretFlags *out_implied_flags)
+{
+ NMSettingSecretFlags implied_flags = NM_SETTING_SECRET_FLAG_NONE;
+ gboolean ret = FALSE;
+
+ nm_assert(secret_name);
+
+ if (g_str_has_prefix(secret_name, NM_SECRET_TAG_DYNAMIC_CHALLENGE)) {
+ secret_name += NM_STRLEN(NM_SECRET_TAG_DYNAMIC_CHALLENGE);
+ implied_flags |= NM_SETTING_SECRET_FLAG_NOT_SAVED;
+ ret = TRUE;
+ } else if (g_str_has_prefix(secret_name, NM_SECRET_TAG_DYNAMIC_CHALLENGE_ECHO)) {
+ secret_name += NM_STRLEN(NM_SECRET_TAG_DYNAMIC_CHALLENGE_ECHO);
+ implied_flags |= NM_SETTING_SECRET_FLAG_NOT_SAVED;
+ ret = TRUE;
+ }
+
+ NM_SET_OUT(out_secret_name, secret_name);
+ NM_SET_OUT(out_implied_flags, implied_flags);
+ return ret;
+}
+
static NMSettingUpdateSecretResult
update_secret_string(NMSetting *setting, const char *key, const char *value, GError **error)
{
NMSettingVpnPrivate *priv = NM_SETTING_VPN_GET_PRIVATE(setting);
+ NMSettingSecretFlags hint_implied_flags, flags;
g_return_val_if_fail(key && key[0], NM_SETTING_UPDATE_SECRET_ERROR);
g_return_val_if_fail(value, NM_SETTING_UPDATE_SECRET_ERROR);
+ /* If the name is prefixed with a hint tag, process it before saving:
+ * remove the prefix and apply the flags that it implies */
+ _parse_secret_hint_tag(key, &key, &hint_implied_flags);
+ if (hint_implied_flags) {
+ nm_setting_get_secret_flags(setting, key, &flags, NULL);
+ nm_setting_set_secret_flags(setting, key, flags | hint_implied_flags, NULL);
+ }
+
if (nm_streq0(nm_g_hash_table_lookup(priv->secrets, key), value))
return NM_SETTING_UPDATE_SECRET_SUCCESS_UNCHANGED;
@@ -599,6 +633,7 @@ update_secret_dict(NMSetting *setting, GVariant *secrets, GError **error)
GVariantIter iter;
const char *name, *value;
NMSettingUpdateSecretResult result = NM_SETTING_UPDATE_SECRET_SUCCESS_UNCHANGED;
+ NMSettingSecretFlags hint_implied_flags, flags;
g_return_val_if_fail(secrets != NULL, NM_SETTING_UPDATE_SECRET_ERROR);
@@ -618,6 +653,14 @@ update_secret_dict(NMSetting *setting, GVariant *secrets, GError **error)
/* Now add the items to the settings' secrets list */
g_variant_iter_init(&iter, secrets);
while (g_variant_iter_next(&iter, "{&s&s}", &name, &value)) {
+ /* If the name is prefixed with a hint tag, process it before saving:
+ * remove the prefix and apply the flags that it implies */
+ _parse_secret_hint_tag(name, &name, &hint_implied_flags);
+ if (hint_implied_flags) {
+ nm_setting_get_secret_flags(setting, name, &flags, NULL);
+ nm_setting_set_secret_flags(setting, name, flags | hint_implied_flags, NULL);
+ }
+
if (nm_streq0(nm_g_hash_table_lookup(priv->secrets, name), value))
continue;
@@ -727,6 +770,7 @@ get_secret_flags(NMSetting *setting,
GError **error)
{
NMSettingVpnPrivate *priv = NM_SETTING_VPN_GET_PRIVATE(setting);
+ NMSettingSecretFlags implied_flags = NM_SETTING_SECRET_FLAG_NONE;
gs_free char *flags_key_free = NULL;
const char *flags_key;
const char *flags_val;
@@ -734,6 +778,10 @@ get_secret_flags(NMSetting *setting,
nm_assert(secret_name);
+ /* Secrets received via D-Bus from VPN plugins might be prefixed by a hint tag. If
+ * that's the case, process it first: remove the tag and get the flags that it implies */
+ _parse_secret_hint_tag(secret_name, &secret_name, &implied_flags);
+
if (!secret_name[0]) {
g_set_error(error,
NM_CONNECTION_ERROR,
@@ -746,7 +794,7 @@ get_secret_flags(NMSetting *setting,
if (!priv->data
|| !g_hash_table_lookup_extended(priv->data, flags_key, NULL, (gpointer *) &flags_val)) {
- NM_SET_OUT(out_flags, NM_SETTING_SECRET_FLAG_NONE);
+ NM_SET_OUT(out_flags, implied_flags);
/* having no secret flag for the secret is fine, as long as there
* is the secret itself... */
@@ -772,7 +820,7 @@ get_secret_flags(NMSetting *setting,
return TRUE;
}
- NM_SET_OUT(out_flags, (NMSettingSecretFlags) i64);
+ NM_SET_OUT(out_flags, (NMSettingSecretFlags) i64 | implied_flags);
return TRUE;
}
@@ -783,7 +831,8 @@ set_secret_flags(NMSetting *setting,
GError **error)
{
nm_assert(secret_name);
-
+ nm_assert(!_parse_secret_hint_tag(secret_name, NULL, NULL)); /* Accept hint tags only via D-Bus,
+ saved by update_one_secret */
if (!secret_name[0]) {
g_set_error(error,
NM_CONNECTION_ERROR,
--
2.44.0
From ef781d957db80d1e628098dab2cbb1da70558511 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Wed, 29 May 2024 16:50:10 +0200
Subject: [PATCH 2/2] libnmc: don't strip prefix tags from secret names
The daemon is now capable of understanding and removing these prefix
tags by itself. It is better than this is not a responsibility of the
secret agent because it requires changes in all secret agents to work
properly (see https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1536).
If the secret agent knows what these prefix tags are, it can remove them
only in the text that is displayed in the UI, but maintaining the
original string as the secret name that is returned to the daemon.
Secret agents that doesn't know what these prefix tags are won't do
anything with them, and they will also return the same string as secret
name, as expected. The only drawback is that they might display the full
string to the user, which is not a nice UX but it will at least work.
Also, allow to translate the secret name for the UI in libnmc.
(cherry picked from commit 18240bb72d191c987afe150d3a5023fe79d994dd)
(cherry picked from commit e217ec040d04835450c2de92cd2cf408e22f3fcd)
(cherry picked from commit a8a59e3e0af2f0922c1e6f0e18f00fe195c2d026)
---
src/libnmc-base/nm-secret-agent-simple.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/libnmc-base/nm-secret-agent-simple.c b/src/libnmc-base/nm-secret-agent-simple.c
index 4bb77c9802..9d1a2ae962 100644
--- a/src/libnmc-base/nm-secret-agent-simple.c
+++ b/src/libnmc-base/nm-secret-agent-simple.c
@@ -431,7 +431,7 @@ add_vpn_secrets(RequestData *request, GPtrArray *secrets, char **msg)
const NmcVpnPasswordName *p;
const char *vpn_msg = NULL;
char **iter;
- char *secret_name;
+ char *ui_name;
bool is_challenge = FALSE;
bool force_echo;
@@ -442,19 +442,19 @@ add_vpn_secrets(RequestData *request, GPtrArray *secrets, char **msg)
vpn_msg = &(*iter)[NM_STRLEN(NM_SECRET_TAG_VPN_MSG)];
} else {
if (NM_STR_HAS_PREFIX(*iter, NM_SECRET_TAG_DYNAMIC_CHALLENGE)) {
- secret_name = &(*iter)[NM_STRLEN(NM_SECRET_TAG_DYNAMIC_CHALLENGE)];
+ ui_name = &(*iter)[NM_STRLEN(NM_SECRET_TAG_DYNAMIC_CHALLENGE)];
is_challenge = TRUE;
force_echo = FALSE;
} else if (NM_STR_HAS_PREFIX(*iter, NM_SECRET_TAG_DYNAMIC_CHALLENGE_ECHO)) {
- secret_name = &(*iter)[NM_STRLEN(NM_SECRET_TAG_DYNAMIC_CHALLENGE_ECHO)];
+ ui_name = &(*iter)[NM_STRLEN(NM_SECRET_TAG_DYNAMIC_CHALLENGE_ECHO)];
is_challenge = TRUE;
force_echo = TRUE;
} else {
- secret_name = *iter;
- force_echo = FALSE;
+ ui_name = *iter;
+ force_echo = FALSE;
}
- add_vpn_secret_helper(secrets, s_vpn, secret_name, secret_name, force_echo);
+ add_vpn_secret_helper(secrets, s_vpn, *iter, ui_name, force_echo);
}
}
}
--
2.44.0

147
SPECS/NetworkManager.spec
Unescape View File

@ -5,9 +5,9 @@
%global glib2_version %(pkg-config --modversion glib-2.0 2>/dev/null || echo bad)
%global epoch_version 1
%global real_version 1.46.0
%global real_version 1.48.10
%global rpm_version %{real_version}
%global release_version 19
%global release_version 3
%global snapshot %{nil}
%global git_sha %{nil}
%global bcond_default_debug 0
@ -220,25 +220,11 @@ Source1000: 20-connectivity-msvsphere.conf
Patch0001: 0001-revert-change-default-value-for-ipv4.dad-timeout-from-0-to-200ms.patch
# Bugfixes that are only relevant until next rebase of the package.
# Patch1001: 1001-some.patch
Patch1001: 1001-drop-privateusers-directive-from-nm-cloud-setup-rhel27053.patch
Patch1002: 1002-allow-rollback-on-internal-global-dns-rhel-29725.patch
Patch1003: 1003-do-not-allow-ovs-bridge-and-port-to-be-parent-rhel-28545.patch
Patch1004: 1004-nm-dispatcher-fix-crash-rhel28973.patch
Patch1005: 1005-fix-race-condition-while-enumerating-devices-rhel25808.patch
Patch1006: 1006-fix-lldp-for-ovs-bridge-ports-rhel31766.patch
Patch1007: 1007-platform-avoid-routes-resync-rhel36162.patch
Patch1008: 1008-checkpoint-preserve-in-memory-state-rhel32493.patch
Patch1010: 1010-allow-ip-configurations-without-addresses-rhel28544.patch
Patch1011: 1011-vpn-handle-hint-tags-in-the-daemon-rhel44712.patch
Patch1013: 1013-ovs-wait-for-the-link-to-be-ready-before-activating-rhel-49799.patch
Patch1014: 1014-ovs-fix-triggering-stage3-without-dhcp-client-rhel-49799.patch
Patch1015: 1015-policy-unblock-the-autoconnect-for-children-when-parent-is-available-rhel-53344.patch
Patch1016: 1016-fix-lldp-crash-dereferencing-null-pointer-rhel-46200.patch
Patch1017: 1017-use-etc-hosts-for-hostname-resolution-rhel-53202.patch
Patch1018: 1018-retry-hostname-resolution-when-it-fails-rhel-55397.patch
Patch1019: 1019-cloud-setup-allow-bigger-restart-bursts-rhel-56739.patch
Patch1020: 1020-cloud-setup-ensure-azure-places-primary-address-first-rhel-56386.patch
Patch1001: 1001-cloud-setup-allow-bigger-restart-bursts-rhel-56740.patch
Patch1002: 1002-cloud-setup-ensure-azure-places-primary-address-first-rhel-56387.patch
Patch1003: 1003-only-validate-sriov-capability-when-enabled-rhel-58397.patch
Patch1004: 1004-fix-bug-when-deactivating-port-connections-rhel-50747.patch
Patch1005: 1005-fix-validation-of-ovs-dpdk-interface-name-rhel-60022.patch
Requires(post): systemd
%if 0%{?fedora} || 0%{?rhel} >= 8
@ -931,7 +917,8 @@ autoreconf --install --force
--with-resolvconf=no \
--with-netconfig=no \
--with-config-dns-rc-manager-default=%{dns_rc_manager_default} \
--with-config-logging-backend-default=%{logging_backend_default}
--with-config-logging-backend-default=%{logging_backend_default} \
--disable-autotools-deprecation
%make_build
@ -1318,74 +1305,84 @@ fi
%changelog
* Fri Aug 30 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.46.0-19
- Retry hostname resolutions when it fails (RHEL-55397)
- cloud-setup: allow bigger restart bursts (RHEL-56739)
- cloud-setup: Fix Azure primary and secondary address swap (RHEL-56386)
* Tue Aug 20 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.46.0-18
- Fix crash dereferencing NULL pointer during debug logging (RHEL-46200)
- Use /etc/hosts for hostname reesolution (RHEL-53202)
* Tue Aug 13 2024 Wen Liang <wenliang@redhat.com> - 1:1.46.0-17
- Unblock the autoconnect for children when parent is available (RHEL-53344)
* Wed Jul 31 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.46.0-16
- Revert OVS checkpoint rollback patches.
- Fix OVS stage3 activation without DHCP client initialized (RHEL-49799)
* Thu Jul 25 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.46.0-15
- Wait for link to be ready before activating ovs-interface (RHEL-49799)
* Tue Jul 23 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.46.0-14
- Fix OVS checkpoint rollback (RHEL-32646)
* Fri Jun 28 2024 Beniamino Galvani <bgalvani@redhat.com> - 1:1.46.0-13
- Revert "Fix port reactivation when controller is deactivating" (RHEL-32646)
* Thu Jun 27 2024 Íñigo Huguet <ihuguet@redhat.com> - 1:1.46.0-12
- Add ipcalc as dependency of NetworkManager-dispatcher-routing-rules (RHEL-43583)
* Mon Jun 24 2024 Íñigo Huguet <ihuguet@redhat.com> - 1:1.46.0-11
- Handle hint's tags from VPN secrets in the daemon (RHEL-44712)
* Mon Jun 17 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.46.0-10
- Support IPv6 in IPSec VPN (RHEL-28544)
* Thu Dec 26 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 1:1.48.10-3.inferit
- Update to 1.48.10-3
* Tue Nov 12 2024 Beniamino Galvani <bgalvani@redhat.com> - 1:1.48.10-3
- Only validate the SR-IOV device capability when SR-IOV is enabled (RHEL-58397)
- Fix bug when deactivating port connections (RHEL-50747)
- Fix validation of ovs-dpdk interface name (RHEL-60022)
* Fri Aug 30 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.48.10-2
- cloud-setup: Allow bigger restart bursts (RHEL-56740)
- cloud-setup: Fix Azure swap of primary and secondary IP addresses (RHEL-56387)
* Thu Aug 22 2024 Íñigo Huguet <ihuguet@redhat.com> - 1:1.48.10-1
- Unblock the autoconnect for children when parent is available (RHEL-46904)
- Fix crash produced by malformed LLDP package when debug logging (RHEL-46199)
- Support reapplying bridge-port VLANs (RHEL-26750)
- Add small backoff time before resync (RHEL-29902)
* Fri Aug 09 2024 Fernando Fernandez Mancera <ferferna@redha.com> - 1:1.46.8-1
- Stop writing offensive terms into keyfiles (RHEL-52597)
- Remove offensive words (RHEL-33368)
- Fix cloned-mac-address race condition with DHCP on ovs-interfaces (RHEL-49796)
* Fri Jul 26 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.48.6-1
- Wait until link is ready before activating for ovs-interface (RHEL-49796)
- Fix rollback on OVS checkpoint (RHEL-31972)
- Assert that the auto-activate list is empty on dispose (RHEL-44345)
* Fri Jul 05 2024 Stanislas Faye <sfaye@redhat.com> 1:1.48.4-1
- Update to 1.48.4 release
- Support matching a OVS system interface by MAC address (RHEL-34617)
- When looking up the system hostname from the reverse DNS lookup of
addresses configured on interfaces, NetworkManager now takes into
account the content of /etc/hosts (RHEL-33435)
* Thu Jun 27 2024 Íñigo Huguet <ihuguet@redhat.com> 1:1.48.2-2
- Add ipcalc as dependency of NetworkManager-dispatcher-routing-rules (RHEL-36648)
* Mon Jun 24 2024 Beniamino Galvani <bgalvani@redhat.com> 1:1.48.2-1
- Update to 1.48.2 release
- Save connection timestamps when shutting down (RHEL-35539)
- Fix regression with OpenVPN dynamic challenge (RHEL-43720)
* Thu Jun 13 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 1:1.46.0-8.inferit
- Update to 1:1.46.0-8
* Sat Jun 01 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.46.0-9
- Fix port reactivation when controller is deactivating (RHEL-32646)
* Thu May 30 2024 Lubomir Rintel <lkundrak@v3.sk> - 1:1.48.0-1
- Upgrade to 1.48.0 release
* Thu May 23 2024 Beniamino Galvani <bgalvani@redhat.com> - 1:1.46.0-8
- Preserve in-memory state of connections after checkpoint/rollback (RHEL-32493)
* Thu May 16 2024 Lubomir Rintel <lkundrak@v3.sk> - 1:1.47.91-1
- Upgrade to 1.47.91 (rc2)
* Tue May 14 2024 Íñigo Huguet <ihuguet@redhat.com> - 1:1.46.0-7
- Fix CPU usage of 100% when updating routes cache (RHEL-36162)
* Fri May 03 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.47.90-1
- Upgrade to 1.47.90 (rc1)
* Wed May 1 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 1:1.46.0-4.inferit
- Implemented connectivity checking via MSVSphere infrastructur
* Mon Apr 08 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.46.0-6
- Rebuild because build must go on 0day not 9.4.0
* Fri Apr 19 2024 Íñigo Huguet <ihuguet@redhat.com> - 1:1.47.5-1
- Fix a crash during shutdown (RHEL-29856)
* Fri Apr 05 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.46.0-5
- Fix LLDP for OVS Bridge ports (RHEL-31766)
* Fri Apr 05 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.47.4-1
- Fix LLDP support for interfaces attached to OVS bridges. (RHEL-1418)
- Fix NMCI crashes on ovs_mtu and bond tests. (RHEL-30348)
* Tue Mar 26 2024 Beniamino Galvani <bgalvani@redhat.com> - 1:1.46.0-4
- Fix nm-dispatcher crash (RHEL-28973)
- Fix race condition while enumerating devices (RHEL-25808)
* Wed Apr 03 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1.47.3-2
- Rebuild for CI gating
* Fri Mar 22 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1:1.46.0-3
- Upgrade release number to build with the right target
* Tue Mar 26 2024 Gris Ge <fge@redhat.com> - 1.47.3-1
- Upgrade to 1.47.3 release (development)
- Support rollback on global DNS (RHEL-23446)
- Support VLAN over OVS interface which holds the same name as OVS bridge (RHEL-26753)
* Wed Mar 20 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1.46.0-2
- Drop PrivateUser directive from nm-cloud-setup service (RHEL-27503)
- Support rollback on global DNS (RHEL-29725)
- Do not allow OVS bridge or port to be parent (RHEL-28545)
* Fri Mar 08 2024 Íñigo Huguet <ihuguet@redhat.com>
- Update to 1.47.2 release (development)
- Support sending DHCPRELEASE (RHEL-17310)
* Thu Feb 22 2024 Stanislas FAYE <sfaye@redhat.com> - 1.46.0-1
* Thu Feb 22 2024 Stanislas FAYE <sfaye@redhat.com>
- Update to 1.46.0 release
- Fix DHCPv4 lease can't be renewed after it expires (RHEL-24127)
- Support the MACsec offload mode (RHEL-24337)

Write Preview
Loading…
Cancel
Save