libnm-core: add NMSettingIPTunnel

Add a generic NMSettingTunnel which describes properties of tunnels
over IPv4 and IPv6 (GRE, SIT, IPIP, IPIP6, IP6GRE, etc.). Since those
tunnel types all have similar properties it makes sense to have a
single setting type for them.

11 files changed, 889 insertions, 1 deletions

diff --git a/libnm-core/Makefile.libnm-core b/libnm-core/Makefile.libnm-core
index 867dd9045d..02c1d1021b 100644
--- a/libnm-core/Makefile.libnm-core
+++ b/libnm-core/Makefile.libnm-core
@@ -25,6 +25,7 @@ libnm_core_headers =				\
 	$(core)/nm-setting-gsm.h		\
 	$(core)/nm-setting-infiniband.h		\
 	$(core)/nm-setting-ip-config.h		\
+	$(core)/nm-setting-ip-tunnel.h		\
 	$(core)/nm-setting-ip4-config.h		\
 	$(core)/nm-setting-ip6-config.h		\
 	$(core)/nm-setting-olpc-mesh.h		\
@@ -82,6 +83,7 @@ libnm_core_sources =				\
 	$(core)/nm-setting-gsm.c		\
 	$(core)/nm-setting-infiniband.c		\
 	$(core)/nm-setting-ip-config.c		\
+	$(core)/nm-setting-ip-tunnel.c		\
 	$(core)/nm-setting-ip4-config.c		\
 	$(core)/nm-setting-ip6-config.c		\
 	$(core)/nm-setting-olpc-mesh.c		\
diff --git a/libnm-core/nm-connection.c b/libnm-core/nm-connection.c
index 94a897539a..0f599984c9 100644
--- a/libnm-core/nm-connection.c
+++ b/libnm-core/nm-connection.c
@@ -1866,6 +1866,24 @@ nm_connection_get_setting_ip4_config (NMConnection *connection)
 }
 
 /**
+ * nm_connection_get_setting_ip_tunnel:
+ * @connection: the #NMConnection
+ *
+ * A shortcut to return any #NMSettingIPTunnel the connection might contain.
+ *
+ * Returns: (transfer none): an #NMSettingIPTunnel if the connection contains one, otherwise %NULL
+ *
+ * Since: 1.2
+ **/
+NMSettingIPTunnel *
+nm_connection_get_setting_ip_tunnel (NMConnection *connection)
+{
+	g_return_val_if_fail (NM_IS_CONNECTION (connection), NULL);
+
+	return (NMSettingIPTunnel *) nm_connection_get_setting (connection, NM_TYPE_SETTING_IP_TUNNEL);
+}
+
+/**
  * nm_connection_get_setting_ip6_config:
  * @connection: the #NMConnection
  *
diff --git a/libnm-core/nm-connection.h b/libnm-core/nm-connection.h
index fc2117f61e..8896e59bab 100644
--- a/libnm-core/nm-connection.h
+++ b/libnm-core/nm-connection.h
@@ -202,6 +202,8 @@ NMSettingDcb *             nm_connection_get_setting_dcb               (NMConnec
 NMSettingGeneric *         nm_connection_get_setting_generic           (NMConnection *connection);
 NMSettingGsm *             nm_connection_get_setting_gsm               (NMConnection *connection);
 NMSettingInfiniband *      nm_connection_get_setting_infiniband        (NMConnection *connection);
+NM_AVAILABLE_IN_1_2
+NMSettingIPTunnel *        nm_connection_get_setting_ip_tunnel         (NMConnection *connection);
 NMSettingIPConfig *        nm_connection_get_setting_ip4_config        (NMConnection *connection);
 NMSettingIPConfig *        nm_connection_get_setting_ip6_config        (NMConnection *connection);
 NMSettingOlpcMesh *        nm_connection_get_setting_olpc_mesh         (NMConnection *connection);
diff --git a/libnm-core/nm-core-internal.h b/libnm-core/nm-core-internal.h
index d1b0992900..c1eea777f2 100644
--- a/libnm-core/nm-core-internal.h
+++ b/libnm-core/nm-core-internal.h
@@ -49,6 +49,7 @@
 #include "nm-setting-generic.h"
 #include "nm-setting-gsm.h"
 #include "nm-setting-infiniband.h"
+#include "nm-setting-ip-tunnel.h"
 #include "nm-setting-ip4-config.h"
 #include "nm-setting-ip6-config.h"
 #include "nm-setting-olpc-mesh.h"
diff --git a/libnm-core/nm-core-types.h b/libnm-core/nm-core-types.h
index 1355c92da6..29a34cc68d 100644
--- a/libnm-core/nm-core-types.h
+++ b/libnm-core/nm-core-types.h
@@ -42,6 +42,7 @@ typedef struct _NMSettingGeneric          NMSettingGeneric;
 typedef struct _NMSettingGsm              NMSettingGsm;
 typedef struct _NMSettingInfiniband       NMSettingInfiniband;
 typedef struct _NMSettingIPConfig         NMSettingIPConfig;
+typedef struct _NMSettingIPTunnel         NMSettingIPTunnel;
 typedef struct _NMSettingIP4Config        NMSettingIP4Config;
 typedef struct _NMSettingIP6Config        NMSettingIP6Config;
 typedef struct _NMSettingOlpcMesh         NMSettingOlpcMesh;
diff --git a/libnm-core/nm-dbus-interface.h b/libnm-core/nm-dbus-interface.h
index ddd6834c23..e81f081dff 100644
--- a/libnm-core/nm-dbus-interface.h
+++ b/libnm-core/nm-dbus-interface.h
@@ -67,7 +67,7 @@
 #define NM_DBUS_INTERFACE_DEVICE_MACVLAN    NM_DBUS_INTERFACE_DEVICE ".Macvlan"
 #define NM_DBUS_INTERFACE_DEVICE_VXLAN      NM_DBUS_INTERFACE_DEVICE ".Vxlan"
 #define NM_DBUS_INTERFACE_DEVICE_GRE        NM_DBUS_INTERFACE_DEVICE ".Gre"
-
+#define NM_DBUS_INTERFACE_DEVICE_IP_TUNNEL  NM_DBUS_INTERFACE_DEVICE ".IPTunnel"
 
 #define NM_DBUS_INTERFACE_SETTINGS        "org.freedesktop.NetworkManager.Settings"
 #define NM_DBUS_PATH_SETTINGS             "/org/freedesktop/NetworkManager/Settings"
@@ -668,4 +668,34 @@ typedef enum /*< flags >*/ {
 #define NM_LLDP_DEST_NEAREST_NON_TPMR_BRIDGE "nearest-non-tpmr-bridge"
 #define NM_LLDP_DEST_NEAREST_CUSTOMER_BRIDGE "nearest-customer-bridge"
 
+/**
+ * NMIPTunnelMode:
+ * @NM_IP_TUNNEL_MODE_UNKNOWN: Unknown/unset tunnel mode
+ * @NM_IP_TUNNEL_MODE_IPIP:    IP in IP tunnel
+ * @NM_IP_TUNNEL_MODE_GRE:     GRE tunnel
+ * @NM_IP_TUNNEL_MODE_SIT:     SIT tunnel
+ * @NM_IP_TUNNEL_MODE_ISATAP:  ISATAP tunnel
+ * @NM_IP_TUNNEL_MODE_VTI:     VTI tunnel
+ * @NM_IP_TUNNEL_MODE_IP6IP6:  IPv6 in IPv6 tunnel
+ * @NM_IP_TUNNEL_MODE_IPIP6:   IPv4 in IPv6 tunnel
+ * @NM_IP_TUNNEL_MODE_IP6GRE:  IPv6 GRE tunnel
+ * @NM_IP_TUNNEL_MODE_VTI6:    IPv6 VTI tunnel
+ *
+ * The tunneling mode.
+ *
+ * Since: 1.2
+ */
+typedef enum {
+	NM_IP_TUNNEL_MODE_UKNOWN      = 0,
+	NM_IP_TUNNEL_MODE_IPIP        = 1,
+	NM_IP_TUNNEL_MODE_GRE         = 2,
+	NM_IP_TUNNEL_MODE_SIT         = 3,
+	NM_IP_TUNNEL_MODE_ISATAP      = 4,
+	NM_IP_TUNNEL_MODE_VTI         = 5,
+	NM_IP_TUNNEL_MODE_IP6IP6      = 6,
+	NM_IP_TUNNEL_MODE_IPIP6       = 7,
+	NM_IP_TUNNEL_MODE_IP6GRE      = 8,
+	NM_IP_TUNNEL_MODE_VTI6        = 9,
+} NMIPTunnelMode;
+
 #endif /* __NM_DBUS_INTERFACE_H__ */
diff --git a/libnm-core/nm-setting-ip-tunnel.c b/libnm-core/nm-setting-ip-tunnel.c
new file mode 100644
index 0000000000..d561524950
--- /dev/null
+++ b/libnm-core/nm-setting-ip-tunnel.c
@@ -0,0 +1,724 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
+/*
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301 USA.
+ *
+ * Copyright 2015 Red Hat, Inc.
+ */
+
+#include "nm-setting-ip-tunnel.h"
+
+#include "config.h"
+
+#include "nm-setting-private.h"
+#include "nm-macros-internal.h"
+#include "nm-utils.h"
+
+/**
+ * SECTION:nm-setting-tunnel
+ * @short_description: Describes connection properties for IP tunnel devices
+ **/
+
+G_DEFINE_TYPE_WITH_CODE (NMSettingIPTunnel, nm_setting_ip_tunnel, NM_TYPE_SETTING,
+                         _nm_register_setting (IP_TUNNEL, 1))
+NM_SETTING_REGISTER_TYPE (NM_TYPE_SETTING_IP_TUNNEL)
+
+#define NM_SETTING_IP_TUNNEL_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_SETTING_IP_TUNNEL, NMSettingIPTunnelPrivate))
+
+typedef struct {
+	char *parent;
+	NMIPTunnelMode mode;
+	char *local;
+	char *remote;
+	guint ttl;
+	guint tos;
+	gboolean path_mtu_discovery;
+	char *input_key;
+	char *output_key;
+	guint encapsulation_limit;
+	guint flow_label;
+} NMSettingIPTunnelPrivate;
+
+enum {
+	PROP_0,
+	PROP_PARENT,
+	PROP_MODE,
+	PROP_LOCAL,
+	PROP_REMOTE,
+	PROP_TTL,
+	PROP_TOS,
+	PROP_PATH_MTU_DISCOVERY,
+	PROP_INPUT_KEY,
+	PROP_OUTPUT_KEY,
+	PROP_ENCAPSULATION_LIMIT,
+	PROP_FLOW_LABEL,
+
+	LAST_PROP
+};
+
+/**
+ * nm_setting_ip_tunnel_get_parent:
+ * @setting: the #NMSettingIPTunnel
+ *
+ * Returns the #NMSettingIPTunnel:parent property of the setting
+ *
+ * Returns: the parent device
+ *
+ * Since: 1.2
+ **/
+const char *
+nm_setting_ip_tunnel_get_parent (NMSettingIPTunnel *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_IP_TUNNEL (setting), NULL);
+	return NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting)->parent;
+}
+
+/**
+ * nm_setting_ip_tunnel_get_mode:
+ * @setting: the #NMSettingIPTunnel
+ *
+ * Returns the #NMSettingIPTunnel:mode property of the setting.
+ *
+ * Returns: the tunnel mode
+ *
+ * Since: 1.2
+ **/
+NMIPTunnelMode
+nm_setting_ip_tunnel_get_mode (NMSettingIPTunnel *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_IP_TUNNEL (setting), 0);
+
+	return NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting)->mode;
+}
+
+/**
+ * nm_setting_ip_tunnel_get_local:
+ * @setting: the #NMSettingIPTunnel
+ *
+ * Returns the #NMSettingIPTunnel:local property of the setting.
+ *
+ * Returns: the local endpoint
+ *
+ * Since: 1.2
+ **/
+const char *
+nm_setting_ip_tunnel_get_local (NMSettingIPTunnel *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_IP_TUNNEL (setting), NULL);
+
+	return NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting)->local;
+}
+
+/**
+ * nm_setting_ip_tunnel_get_remote:
+ * @setting: the #NMSettingIPTunnel
+ *
+ * Returns the #NMSettingIPTunnel:remote property of the setting.
+ *
+ * Returns: the remote endpoint
+ *
+ * Since: 1.2
+ **/
+const char *
+nm_setting_ip_tunnel_get_remote (NMSettingIPTunnel *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_IP_TUNNEL (setting), NULL);
+
+	return NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting)->remote;
+}
+
+/**
+ * nm_setting_ip_tunnel_get_ttl:
+ * @setting: the #NMSettingIPTunnel
+ *
+ * Returns the #NMSettingIPTunnel:ttl property of the setting.
+ *
+ * Returns: the Time-to-live value
+ *
+ * Since: 1.2
+ **/
+
+guint
+nm_setting_ip_tunnel_get_ttl (NMSettingIPTunnel *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_IP_TUNNEL (setting), 0);
+
+	return NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting)->ttl;
+}
+
+/**
+ * nm_setting_ip_tunnel_get_tos:
+ * @setting: the #NMSettingIPTunnel
+ *
+ * Returns the #NMSettingIPTunnel:tos property of the setting.
+ *
+ * Returns: the TOS value
+ *
+ * Since: 1.2
+ **/
+guint
+nm_setting_ip_tunnel_get_tos (NMSettingIPTunnel *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_IP_TUNNEL (setting), 0);
+
+	return NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting)->tos;
+}
+
+/**
+ * nm_setting_ip_tunnel_get_path_mtu_discovery:
+ * @setting: the #NMSettingIPTunnel
+ *
+ * Returns the #NMSettingIPTunnel:path-mtu-discovery property of the setting.
+ *
+ * Returns: whether path MTU discovery is enabled
+ *
+ * Since: 1.2
+ **/
+gboolean
+nm_setting_ip_tunnel_get_path_mtu_discovery (NMSettingIPTunnel *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_IP_TUNNEL (setting), TRUE);
+
+	return NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting)->path_mtu_discovery;
+}
+
+/**
+ * nm_setting_ip_tunnel_get_input_key:
+ * @setting: the #NMSettingIPTunnel
+ *
+ * Returns the #NMSettingIPTunnel:input-key property of the setting.
+ *
+ * Returns: the input key
+ *
+ * Since: 1.2
+ **/
+const char *
+nm_setting_ip_tunnel_get_input_key (NMSettingIPTunnel *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_IP_TUNNEL (setting), NULL);
+
+	return NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting)->input_key;
+}
+
+/**
+ * nm_setting_ip_tunnel_get_output_key:
+ * @setting: the #NMSettingIPTunnel
+ *
+ * Returns the #NMSettingIPTunnel:output-key property of the setting.
+ *
+ * Returns: the output key
+ *
+ * Since: 1.2
+ **/
+const char *
+nm_setting_ip_tunnel_get_output_key (NMSettingIPTunnel *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_IP_TUNNEL (setting), NULL);
+
+	return NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting)->output_key;
+}
+
+/**
+ * nm_setting_ip_tunnel_get_encapsulation_limit:
+ * @setting: the #NMSettingIPTunnel
+ *
+ * Returns the #NMSettingIPTunnel:encapsulation-limit property of the setting.
+ *
+ * Returns: the encapsulation limit value
+ *
+ * Since: 1.2
+ **/
+guint
+nm_setting_ip_tunnel_get_encapsulation_limit (NMSettingIPTunnel *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_IP_TUNNEL (setting), 0);
+
+	return NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting)->encapsulation_limit;
+}
+
+/**
+ * nm_setting_ip_tunnel_get_flow_label:
+ * @setting: the #NMSettingIPTunnel
+ *
+ * Returns the #NMSettingIPTunnel:flow-label property of the setting.
+ *
+ * Returns: the flow label value
+ *
+ * Since: 1.2
+ **/
+guint
+nm_setting_ip_tunnel_get_flow_label (NMSettingIPTunnel *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_IP_TUNNEL (setting), 0);
+
+	return NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting)->flow_label;
+}
+
+/*********************************************************************/
+
+static gboolean
+verify (NMSetting *setting, NMConnection *connection, GError **error)
+{
+	NMSettingIPTunnelPrivate *priv = NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting);
+	int family;
+
+	switch (priv->mode) {
+	case NM_IP_TUNNEL_MODE_IPIP:
+	case NM_IP_TUNNEL_MODE_SIT:
+	case NM_IP_TUNNEL_MODE_ISATAP:
+	case NM_IP_TUNNEL_MODE_GRE:
+	case NM_IP_TUNNEL_MODE_VTI:
+		family = AF_INET;
+		break;
+	case NM_IP_TUNNEL_MODE_IP6IP6:
+	case NM_IP_TUNNEL_MODE_IPIP6:
+	case NM_IP_TUNNEL_MODE_IP6GRE:
+	case NM_IP_TUNNEL_MODE_VTI6:
+		family = AF_INET6;
+		break;
+	default:
+		family = AF_UNSPEC;
+	}
+
+	if (family == AF_UNSPEC) {
+		g_set_error (error,
+		             NM_CONNECTION_ERROR,
+		             NM_CONNECTION_ERROR_INVALID_PROPERTY,
+		             _("'%d' is not a valid tunnel mode"),
+		             (int) priv->mode);
+		g_prefix_error (error, "%s.%s: ", NM_SETTING_IP_TUNNEL_SETTING_NAME, NM_SETTING_IP_TUNNEL_MODE);
+		return FALSE;
+	}
+
+	if (   priv->parent
+	    && !nm_utils_iface_valid_name (priv->parent)
+	    && !nm_utils_is_uuid (priv->parent)) {
+		g_set_error (error,
+		             NM_CONNECTION_ERROR,
+		             NM_CONNECTION_ERROR_INVALID_PROPERTY,
+		             _("'%s' is neither an UUID nor an interface name"),
+		             priv->parent);
+		g_prefix_error (error, "%s.%s: ", NM_SETTING_IP_TUNNEL_SETTING_NAME,
+		                NM_SETTING_IP_TUNNEL_PARENT);
+		return FALSE;
+	}
+
+	if (priv->local && !nm_utils_ipaddr_valid (family, priv->local)) {
+		g_set_error (error,
+		             NM_CONNECTION_ERROR,
+		             NM_CONNECTION_ERROR_INVALID_PROPERTY,
+		             _("'%s' is not a valid IPv%c address"),
+		             priv->local,
+		             family == AF_INET ? '4' : '6');
+		g_prefix_error (error, "%s.%s: ", NM_SETTING_IP_TUNNEL_SETTING_NAME, NM_SETTING_IP_TUNNEL_LOCAL);
+		return FALSE;
+	}
+
+	if (priv->remote && !nm_utils_ipaddr_valid (family, priv->remote)) {
+		g_set_error (error,
+		             NM_CONNECTION_ERROR,
+		             NM_CONNECTION_ERROR_INVALID_PROPERTY,
+		             _("'%s' is not a valid IPv%c address"),
+		             priv->remote,
+		             family == AF_INET ? '4' : '6');
+		g_prefix_error (error, "%s.%s: ", NM_SETTING_IP_TUNNEL_SETTING_NAME, NM_SETTING_IP_TUNNEL_REMOTE);
+		return FALSE;
+	}
+
+	if (   (priv->input_key && priv->input_key[0])
+	    || (priv->output_key && priv->output_key[0])) {
+		if (   priv->mode != NM_IP_TUNNEL_MODE_GRE
+		    && priv->mode != NM_IP_TUNNEL_MODE_IP6GRE) {
+			g_set_error_literal (error,
+			                     NM_CONNECTION_ERROR,
+			                     NM_CONNECTION_ERROR_INVALID_PROPERTY,
+			                     _("tunnel keys can only be specified for GRE tunnels"));
+			return FALSE;
+		}
+	}
+
+	if (priv->input_key && priv->input_key[0]) {
+		gint64 val;
+
+		val = _nm_utils_ascii_str_to_int64 (priv->input_key, 10, 0, G_MAXUINT32, -1);
+		if (val == -1) {
+			g_set_error (error,
+			             NM_CONNECTION_ERROR,
+			             NM_CONNECTION_ERROR_INVALID_PROPERTY,
+			             _("'%s' is not a valid tunnel key"),
+			             priv->input_key);
+			g_prefix_error (error, "%s.%s: ", NM_SETTING_IP_TUNNEL_SETTING_NAME,
+			                NM_SETTING_IP_TUNNEL_INPUT_KEY);
+		return FALSE;
+		}
+	}
+
+	if (priv->output_key && priv->output_key[0]) {
+		gint64 val;
+
+		val = _nm_utils_ascii_str_to_int64 (priv->output_key, 10, 0, G_MAXUINT32, -1);
+		if (val == -1) {
+			g_set_error (error,
+			             NM_CONNECTION_ERROR,
+			             NM_CONNECTION_ERROR_INVALID_PROPERTY,
+			             _("'%s' is not a valid tunnel key"),
+			             priv->output_key);
+			g_prefix_error (error, "%s.%s: ", NM_SETTING_IP_TUNNEL_SETTING_NAME,
+			                NM_SETTING_IP_TUNNEL_OUTPUT_KEY);
+		return FALSE;
+		}
+	}
+
+	if (!priv->path_mtu_discovery && priv->ttl != 0) {
+		g_set_error_literal (error,
+		                     NM_CONNECTION_ERROR,
+		                     NM_CONNECTION_ERROR_INVALID_PROPERTY,
+		                     _("a fixed TTL is allowed only when path MTU discovery is enabled"));
+		g_prefix_error (error, "%s.%s: ", NM_SETTING_IP_TUNNEL_SETTING_NAME,
+		                NM_SETTING_IP_TUNNEL_TTL);
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+/**
+ * nm_setting_ip_tunnel_new:
+ *
+ * Creates a new #NMSettingIPTunnel object with default values.
+ *
+ * Returns: (transfer full): the new empty #NMSettingIPTunnel object
+ *
+ * Since: 1.2
+ **/
+NMSetting *
+nm_setting_ip_tunnel_new (void)
+{
+	return (NMSetting *) g_object_new (NM_TYPE_SETTING_IP_TUNNEL, NULL);
+}
+
+static void
+nm_setting_ip_tunnel_init (NMSettingIPTunnel *setting)
+{
+}
+
+static void
+set_property (GObject *object, guint prop_id,
+              const GValue *value, GParamSpec *pspec)
+{
+	NMSettingIPTunnel *setting = NM_SETTING_IP_TUNNEL (object);
+	NMSettingIPTunnelPrivate *priv = NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting);
+
+	switch (prop_id) {
+	case PROP_PARENT:
+		g_free (priv->parent);
+		priv->parent = g_value_dup_string (value);
+		break;
+	case PROP_MODE:
+		priv->mode = g_value_get_uint (value);
+		break;
+	case PROP_LOCAL:
+		g_free (priv->local);
+		priv->local = g_value_dup_string (value);
+		break;
+	case PROP_REMOTE:
+		g_free (priv->remote);
+		priv->remote = g_value_dup_string (value);
+		break;
+	case PROP_TTL:
+		priv->ttl = g_value_get_uint (value);
+		break;
+	case PROP_TOS:
+		priv->tos = g_value_get_uint (value);
+		break;
+	case PROP_PATH_MTU_DISCOVERY:
+		priv->path_mtu_discovery = g_value_get_boolean (value);
+		break;
+	case PROP_INPUT_KEY:
+		g_free (priv->input_key);
+		priv->input_key = g_value_dup_string (value);
+		break;
+	case PROP_OUTPUT_KEY:
+		g_free (priv->output_key);
+		priv->output_key = g_value_dup_string (value);
+		break;
+	case PROP_ENCAPSULATION_LIMIT:
+		priv->encapsulation_limit = g_value_get_uint (value);
+		break;
+	case PROP_FLOW_LABEL:
+		priv->flow_label = g_value_get_uint (value);
+		break;
+	default:
+		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+		break;
+	}
+}
+
+static void
+get_property (GObject *object, guint prop_id,
+              GValue *value, GParamSpec *pspec)
+{
+	NMSettingIPTunnel *setting = NM_SETTING_IP_TUNNEL (object);
+	NMSettingIPTunnelPrivate *priv = NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting);
+
+	switch (prop_id) {
+	case PROP_PARENT:
+		g_value_set_string (value, priv->parent);
+		break;
+	case PROP_MODE:
+		g_value_set_uint (value, priv->mode);
+		break;
+	case PROP_LOCAL:
+		g_value_set_string (value, priv->local);
+		break;
+	case PROP_REMOTE:
+		g_value_set_string (value, priv->remote);
+		break;
+	case PROP_TTL:
+		g_value_set_uint (value, priv->ttl);
+		break;
+	case PROP_TOS:
+		g_value_set_uint (value, priv->tos);
+		break;
+	case PROP_PATH_MTU_DISCOVERY:
+		g_value_set_boolean (value, priv->path_mtu_discovery);
+		break;
+	case PROP_INPUT_KEY:
+		g_value_set_string (value, priv->input_key);
+		break;
+	case PROP_OUTPUT_KEY:
+		g_value_set_string (value, priv->output_key);
+		break;
+	case PROP_ENCAPSULATION_LIMIT:
+		g_value_set_uint (value, priv->encapsulation_limit);
+		break;
+	case PROP_FLOW_LABEL:
+		g_value_set_uint (value, priv->flow_label);
+		break;
+	default:
+		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+		break;
+	}
+}
+
+static void
+finalize (GObject *object)
+{
+	NMSettingIPTunnel *setting = NM_SETTING_IP_TUNNEL (object);
+	NMSettingIPTunnelPrivate *priv = NM_SETTING_IP_TUNNEL_GET_PRIVATE (setting);
+
+	g_free (priv->local);
+	g_free (priv->remote);
+	g_free (priv->input_key);
+	g_free (priv->output_key);
+
+	G_OBJECT_CLASS (nm_setting_ip_tunnel_parent_class)->finalize (object);
+}
+
+static void
+nm_setting_ip_tunnel_class_init (NMSettingIPTunnelClass *setting_class)
+{
+	GObjectClass *object_class = G_OBJECT_CLASS (setting_class);
+	NMSettingClass *parent_class = NM_SETTING_CLASS (setting_class);
+
+	g_type_class_add_private (setting_class, sizeof (NMSettingIPTunnelPrivate));
+
+	/* virtual methods */
+	object_class->set_property = set_property;
+	object_class->get_property = get_property;
+	object_class->finalize     = finalize;
+	parent_class->verify       = verify;
+
+	/**
+	 * NMSettingIPTunnel:parent:
+	 *
+	 * If given, specifies the parent interface name or parent connection UUID
+	 * the new device will be bound to so that tunneled packets will only be
+	 * routed via that interface.
+	 *
+	 * Since: 1.2
+	 **/
+	g_object_class_install_property
+		(object_class, PROP_PARENT,
+		 g_param_spec_string (NM_SETTING_IP_TUNNEL_PARENT, "", "",
+		                      NULL,
+		                      G_PARAM_READWRITE |
+		                      NM_SETTING_PARAM_INFERRABLE |
+		                      G_PARAM_STATIC_STRINGS));
+
+	/**
+	 * NMSettingIPTunnel:mode:
+	 *
+	 * The tunneling mode, for example %NM_IP_TUNNEL_MODE_IPIP or
+	 * %NM_IP_TUNNEL_MODE_GRE.
+	 *
+	 * Since: 1.2
+	 **/
+	g_object_class_install_property
+		(object_class, PROP_MODE,
+		 g_param_spec_uint (NM_SETTING_IP_TUNNEL_MODE, "", "",
+		                    0, G_MAXUINT, 0,
+		                    G_PARAM_READWRITE |
+		                    NM_SETTING_PARAM_INFERRABLE |
+		                    G_PARAM_STATIC_STRINGS));
+
+	/**
+	 * NMSettingIPTunnel:local:
+	 *
+	 * The local endpoint of the tunnel; the value can be empty, otherwise it
+	 * must contain an IPv4 or IPv6 address.
+	 *
+	 * Since: 1.2
+	 **/
+	g_object_class_install_property
+		(object_class, PROP_LOCAL,
+		 g_param_spec_string (NM_SETTING_IP_TUNNEL_LOCAL, "", "",
+		                      NULL,
+		                      G_PARAM_READWRITE |
+		                      NM_SETTING_PARAM_INFERRABLE |
+		                      G_PARAM_STATIC_STRINGS));
+
+	/**
+	 * NMSettingIPTunnel:remote:
+	 *
+	 * The remote endpoint of the tunnel; the value must contain an IPv4 or IPv6
+	 * address.
+	 *
+	 * Since: 1.2
+	 **/
+	g_object_class_install_property
+		(object_class, PROP_REMOTE,
+		 g_param_spec_string (NM_SETTING_IP_TUNNEL_REMOTE, "", "",
+		                      NULL,
+		                      G_PARAM_READWRITE |
+		                      NM_SETTING_PARAM_INFERRABLE |
+		                      G_PARAM_STATIC_STRINGS));
+
+	/**
+	 * NMSettingIPTunnel:ttl
+	 *
+	 * The TTL to assign to tunneled packets. 0 is a special value meaning that
+	 * packets inherit the TTL value.
+	 *
+	 * Since: 1.2
+	 **/
+	g_object_class_install_property
+		(object_class, PROP_TTL,
+		 g_param_spec_uint (NM_SETTING_IP_TUNNEL_TTL, "", "",
+		                    0, 255, 0,
+		                    G_PARAM_READWRITE |
+		                    G_PARAM_CONSTRUCT |
+		                    NM_SETTING_PARAM_INFERRABLE |
+		                    G_PARAM_STATIC_STRINGS));
+
+	/**
+	 * NMSettingIPTunnel:tos
+	 *
+	 * The type of service (IPv4) or traffic class (IPv6) field to be set on
+	 * tunneled packets.
+	 *
+	 * Since: 1.2
+	 **/
+	g_object_class_install_property
+		(object_class, PROP_TOS,
+		 g_param_spec_uint (NM_SETTING_IP_TUNNEL_TOS, "", "",
+		                    0, 255, 0,
+		                    G_PARAM_READWRITE |
+		                    G_PARAM_CONSTRUCT |
+		                    NM_SETTING_PARAM_INFERRABLE |
+		                    G_PARAM_STATIC_STRINGS));
+
+	/**
+	 * NMSettingIPTunnel:path-mtu-discovery
+	 *
+	 * Whether to enable Path MTU Discovery on this tunnel.
+	 *
+	 * Since: 1.2
+	 **/
+	g_object_class_install_property
+		(object_class, PROP_PATH_MTU_DISCOVERY,
+		 g_param_spec_boolean (NM_SETTING_IP_TUNNEL_PATH_MTU_DISCOVERY, "", "",
+		                       TRUE,
+		                       G_PARAM_READWRITE |
+		                       G_PARAM_CONSTRUCT |
+		                       NM_SETTING_PARAM_INFERRABLE |
+		                       G_PARAM_STATIC_STRINGS));
+
+	/**
+	 * NMSettingIPTunnel:input-key:
+	 *
+	 * The key used for tunnel input packets; the property is valid only for
+	 * certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
+	 *
+	 * Since: 1.2
+	 **/
+	g_object_class_install_property
+		(object_class, PROP_INPUT_KEY,
+		 g_param_spec_string (NM_SETTING_IP_TUNNEL_INPUT_KEY, "", "",
+		                      NULL,
+		                      G_PARAM_READWRITE |
+		                      NM_SETTING_PARAM_INFERRABLE |
+		                      G_PARAM_STATIC_STRINGS));
+
+	/**
+	 * NMSettingIPTunnel:output-key:
+	 *
+	 * The key used for tunnel output packets; the property is valid only for
+	 * certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
+	 *
+	 * Since: 1.2
+	 **/
+	g_object_class_install_property
+		(object_class, PROP_OUTPUT_KEY,
+		 g_param_spec_string (NM_SETTING_IP_TUNNEL_OUTPUT_KEY, "", "",
+		                      NULL,
+		                      G_PARAM_READWRITE |
+		                      NM_SETTING_PARAM_INFERRABLE |
+		                      G_PARAM_STATIC_STRINGS));
+
+	/**
+	 * NMSettingIPTunnel:encapsulation-limit:
+	 *
+	 * How many additional levels of encapsulation are permitted to be prepended
+	 * to packets. This property applies only to IPv6 tunnels.
+	 *
+	 * Since: 1.2
+	 **/
+	g_object_class_install_property
+		(object_class, PROP_ENCAPSULATION_LIMIT,
+		 g_param_spec_uint (NM_SETTING_IP_TUNNEL_ENCAPSULATION_LIMIT, "", "",
+		                    0, 255, 0,
+		                    G_PARAM_READWRITE |
+		                    G_PARAM_CONSTRUCT |
+		                    NM_SETTING_PARAM_INFERRABLE |
+		                    G_PARAM_STATIC_STRINGS));
+
+	/**
+	 * NMSettingIPTunnel:flow-label:
+	 *
+	 * The flow label to assign to tunnel packets. This property applies only to
+	 * IPv6 tunnels.
+	 *
+	 * Since: 1.2
+	 **/
+	g_object_class_install_property
+		(object_class, PROP_FLOW_LABEL,
+		 g_param_spec_uint (NM_SETTING_IP_TUNNEL_FLOW_LABEL, "", "",
+		                    0, (1 << 20) - 1, 0,
+		                    G_PARAM_READWRITE |
+		                    G_PARAM_CONSTRUCT |
+		                    NM_SETTING_PARAM_INFERRABLE |
+		                    G_PARAM_STATIC_STRINGS));
+}
diff --git a/libnm-core/nm-setting-ip-tunnel.h b/libnm-core/nm-setting-ip-tunnel.h
new file mode 100644
index 0000000000..a07bd50db0
--- /dev/null
+++ b/libnm-core/nm-setting-ip-tunnel.h
@@ -0,0 +1,95 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
+/*
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301 USA.
+ *
+ * Copyright 2015 Red Hat, Inc.
+ */
+
+#ifndef __NM_SETTING_IP_TUNNEL_H__
+#define __NM_SETTING_IP_TUNNEL_H__
+
+#if !defined (__NETWORKMANAGER_H_INSIDE__) && !defined (NETWORKMANAGER_COMPILATION)
+#error "Only <NetworkManager.h> can be included directly."
+#endif
+
+#include <nm-setting.h>
+
+G_BEGIN_DECLS
+
+#define NM_TYPE_SETTING_IP_TUNNEL            (nm_setting_ip_tunnel_get_type ())
+#define NM_SETTING_IP_TUNNEL(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_SETTING_IP_TUNNEL, NMSettingIPTunnel))
+#define NM_SETTING_IP_TUNNEL_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_SETTING_IP_TUNNEL, NMSettingIPTunnelClass))
+#define NM_IS_SETTING_IP_TUNNEL(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_SETTING_IP_TUNNEL))
+#define NM_IS_SETTING_IP_TUNNEL_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), NM_TYPE_SETTING_IP_TUNNEL))
+#define NM_SETTING_IP_TUNNEL_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_SETTING_IP_TUNNEL, NMSettingIPTunnelClass))
+
+#define NM_SETTING_IP_TUNNEL_SETTING_NAME        "ip-tunnel"
+
+#define NM_SETTING_IP_TUNNEL_PARENT              "parent"
+#define NM_SETTING_IP_TUNNEL_MODE                "mode"
+#define NM_SETTING_IP_TUNNEL_LOCAL               "local"
+#define NM_SETTING_IP_TUNNEL_REMOTE              "remote"
+#define NM_SETTING_IP_TUNNEL_TTL                 "ttl"
+#define NM_SETTING_IP_TUNNEL_TOS                 "tos"
+#define NM_SETTING_IP_TUNNEL_PATH_MTU_DISCOVERY  "path-mtu-discovery"
+#define NM_SETTING_IP_TUNNEL_INPUT_KEY           "input-key"
+#define NM_SETTING_IP_TUNNEL_OUTPUT_KEY          "output-key"
+#define NM_SETTING_IP_TUNNEL_ENCAPSULATION_LIMIT "encapsulation-limit"
+#define NM_SETTING_IP_TUNNEL_FLOW_LABEL          "flow-label"
+
+struct _NMSettingIPTunnel {
+	NMSetting parent;
+};
+
+typedef struct {
+	NMSettingClass parent;
+
+	/*< private >*/
+	gpointer padding[4];
+} NMSettingIPTunnelClass;
+
+NM_AVAILABLE_IN_1_2
+GType nm_setting_ip_tunnel_get_type (void);
+
+NM_AVAILABLE_IN_1_2
+NMSetting * nm_setting_ip_tunnel_new (void);
+
+NM_AVAILABLE_IN_1_2
+const char *nm_setting_ip_tunnel_get_parent (NMSettingIPTunnel *setting);
+NM_AVAILABLE_IN_1_2
+NMIPTunnelMode nm_setting_ip_tunnel_get_mode (NMSettingIPTunnel *setting);
+NM_AVAILABLE_IN_1_2
+const char *nm_setting_ip_tunnel_get_local (NMSettingIPTunnel *setting);
+NM_AVAILABLE_IN_1_2
+const char *nm_setting_ip_tunnel_get_remote (NMSettingIPTunnel *setting);
+NM_AVAILABLE_IN_1_2
+guint nm_setting_ip_tunnel_get_ttl (NMSettingIPTunnel *setting);
+NM_AVAILABLE_IN_1_2
+guint nm_setting_ip_tunnel_get_tos (NMSettingIPTunnel *setting);
+NM_AVAILABLE_IN_1_2
+gboolean nm_setting_ip_tunnel_get_path_mtu_discovery (NMSettingIPTunnel *setting);
+NM_AVAILABLE_IN_1_2
+const char *nm_setting_ip_tunnel_get_input_key (NMSettingIPTunnel *setting);
+NM_AVAILABLE_IN_1_2
+const char *nm_setting_ip_tunnel_get_output_key (NMSettingIPTunnel *setting);
+NM_AVAILABLE_IN_1_2
+guint nm_setting_ip_tunnel_get_encapsulation_limit (NMSettingIPTunnel *setting);
+NM_AVAILABLE_IN_1_2
+guint nm_setting_ip_tunnel_get_flow_label (NMSettingIPTunnel *setting);
+
+G_END_DECLS
+
+#endif /* __NM_SETTING_IP_TUNNEL_H__ */
diff --git a/libnm/NetworkManager.h b/libnm/NetworkManager.h
index 95c92965e3..17e7a3523b 100644
--- a/libnm/NetworkManager.h
+++ b/libnm/NetworkManager.h
@@ -61,6 +61,7 @@
 #include <nm-setting-gsm.h>
 #include <nm-setting-infiniband.h>
 #include <nm-setting-ip-config.h>
+#include <nm-setting-ip-tunnel.h>
 #include <nm-setting-ip4-config.h>
 #include <nm-setting-ip6-config.h>
 #include <nm-setting-olpc-mesh.h>
diff --git a/libnm/libnm.ver b/libnm/libnm.ver
index 81321f7af6..f5150d7277 100644
--- a/libnm/libnm.ver
+++ b/libnm/libnm.ver
@@ -858,6 +858,7 @@ libnm_1_0_6 {
 libnm_1_2_0 {
 global:
 	nm_access_point_get_last_seen;
+	nm_connection_get_setting_ip_tunnel;
 	nm_connection_verify_secrets;
 	nm_device_ethernet_get_s390_subchannels;
 	nm_device_get_lldp_neighbors;
@@ -874,6 +875,7 @@ global:
 	nm_device_tun_get_vnet_hdr;
 	nm_device_wifi_request_scan_options;
 	nm_device_wifi_request_scan_options_async;
+	nm_ip_tunnel_mode_get_type;
 	nm_lldp_neighbor_get_attr_names;
 	nm_lldp_neighbor_get_attr_string_value;
 	nm_lldp_neighbor_get_attr_type;
@@ -904,6 +906,17 @@ global:
 	nm_setting_ip_config_has_dns_options;
 	nm_setting_ip_config_remove_dns_option;
 	nm_setting_ip_config_remove_dns_option_by_value;
+	nm_setting_ip_tunnel_get_input_key;
+	nm_setting_ip_tunnel_get_local;
+	nm_setting_ip_tunnel_get_mode;
+	nm_setting_ip_tunnel_get_output_key;
+	nm_setting_ip_tunnel_get_parent;
+	nm_setting_ip_tunnel_get_path_mtu_discovery;
+	nm_setting_ip_tunnel_get_remote;
+	nm_setting_ip_tunnel_get_tos;
+	nm_setting_ip_tunnel_get_type;
+	nm_setting_ip_tunnel_get_ttl;
+	nm_setting_ip_tunnel_new;
 	nm_setting_mac_randomization_get_type;
 	nm_setting_tun_get_group;
 	nm_setting_tun_get_mode;
diff --git a/po/POTFILES.in b/po/POTFILES.in
index ca4b76ab1f..ba861b7eeb 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -65,6 +65,7 @@ libnm-core/nm-setting-infiniband.c
 libnm-core/nm-setting-ip-config.c
 libnm-core/nm-setting-ip4-config.c
 libnm-core/nm-setting-ip6-config.c
+libnm-core/nm-setting-ip-tunnel.c
 libnm-core/nm-setting-olpc-mesh.c
 libnm-core/nm-setting-ppp.c
 libnm-core/nm-setting-pppoe.c