Commit message (Collapse)AuthorAgeFilesLines
...
| * libnmc-base: fix port extraction for openconnect authDavid Woodhouse2023-05-111-3/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | With old versions of openconnect we need to extract the port# from the initial URL and then append it to the hostname we eventually get back. Using strrchr(gw, ':') isn't going to work right with IPv6 literals, and we should also be dropping any path element. So switch to using an int for the port instead of a string, and import a cut-down variant of openconnect's internal_parse_url() which does *largely* the same thing with strrchr() but is saved by using the 'end' value returned from strtol() and insisting that the port is the very end of the host part of the URL.
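The host/port split described in this commit is a classic source of confusion bugs: with an IPv6 literal, the last ':' sits inside the address, so strrchr() finds part of the address, not a port, and anything after a '/' must be dropped before the port is examined. The following is an added example, not NetworkManager's or openconnect's code: naive_port() shows the strrchr() pattern the commit moves away from, parse_gateway() shows the approach the commit describes (bracketed IPv6 literals, path stripped, strtol()'s 'end' required to land exactly at the end of the authority), and format_host_port() re-attaches the port to the hostname the way the commit says the port is appended. The sample URLs are constructed; the function names are mine.

```c
#include <assert.h>
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern the commit moves away from: take whatever follows the last ':'.
 * Breaks on IPv6 literals, where the last ':' is inside the address. */
int naive_port(const char *url)
{
    const char *c = strrchr(url, ':');
    return c ? atoi(c + 1) : 0;
}

/* Parse "[scheme://]host[:port][/path...]" into host and port.
 * *port is 0 when no port is given. Returns false on malformed input. */
bool parse_gateway(const char *url, char *host, size_t host_len, int *port)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    const char *auth_end = p + strcspn(p, "/?#");   /* drop any path element */
    const char *host_start = p, *host_end, *port_str = NULL;

    if (*p == '[') {                                 /* IPv6 literal */
        const char *close = memchr(p, ']', auth_end - p);
        if (!close)
            return false;
        host_start = p + 1;
        host_end = close;
        if (close + 1 < auth_end) {
            if (close[1] != ':')
                return false;
            port_str = close + 2;
        }
    } else {
        const char *colon = memchr(p, ':', auth_end - p);
        host_end = colon ? colon : auth_end;
        if (colon)
            port_str = colon + 1;
    }
    size_t n = host_end - host_start;
    if (n == 0 || n >= host_len)
        return false;
    memcpy(host, host_start, n);
    host[n] = '\0';

    *port = 0;
    if (port_str) {
        char *end;
        errno = 0;
        long v = strtol(port_str, &end, 10);
        /* digits only, and the number must run exactly to the end of the authority */
        if (!isdigit((unsigned char)*port_str) || end != auth_end || errno || v < 1 || v > 65535)
            return false;
        *port = (int)v;
    }
    return true;
}

/* Re-attach the port to the host, bracketing IPv6 literals so the result parses again. */
void format_host_port(const char *host, int port, char *out, size_t out_len)
{
    const char *l = strchr(host, ':') ? "[" : "", *r = strchr(host, ':') ? "]" : "";
    if (port > 0)
        snprintf(out, out_len, "%s%s%s:%d", l, host, r, port);
    else
        snprintf(out, out_len, "%s%s%s", l, host, r);
}

/* Small wrappers returning plain values, so results are easy to check. */
int url_port(const char *url)                        /* -1 on parse failure */
{
    char host[256]; int port;
    return parse_gateway(url, host, sizeof host, &port) ? port : -1;
}

bool url_host_equals(const char *url, const char *expected)
{
    char host[256]; int port;
    return parse_gateway(url, host, sizeof host, &port) && strcmp(host, expected) == 0;
}

bool url_rebuilds_to(const char *url, const char *expected)
{
    char host[256], out[300]; int port;
    if (!parse_gateway(url, host, sizeof host, &port))
        return false;
    format_host_port(host, port, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    const char *gw = "https://[2001:db8::1]/auth";   /* constructed sample gateway URL */
    printf("naive port: %d, parsed port: %d\n", naive_port(gw), url_port(gw));
    return 0;
}
```

The rejection cases matter as much as the happy path: a port followed by trailing junk, an empty port, a value outside 1..65535 or an unterminated '[' all fail closed instead of silently connecting somewhere else.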
| * libnmc-base: report explicit error if no gateway configured for openconnectDavid Woodhouse2023-05-111-2/+10
| | | | | | | | | | | | Rather than letting openconnect run, and whine that there's no gateway, and making the user scroll up past the openconnect usage information, give them an explicit error.
| * nmtui: do not prompt for secrets if openconnect already provided themDavid Woodhouse2023-05-111-38/+25
| | | | | | | | | | | | While we're at it, kill the separate openconnect_authenticate() function since it barely does anything any more and it wants visibility to both 's_vpn' and 'success' variables in the caller.
| * nmcli, nmtui: reduce duplication around openconnect auth helperDavid Woodhouse2023-05-114-133/+69
| | | | | | | | | | | | | | Pull a bunch of stuff into nm_vpn_openconnect_authenticate_helper() that both callers were doing for themselves, and make its API a bit simpler. It's given the NMSettingVpn and the GPtrArray of secrets, and it simply succeeds or fails.
| * libnmc-base: add supported options for OpenConnect CLI authenticationDavid Woodhouse2023-05-111-5/+85
| | | | | | | | | | | | | | | | | | | | Ideally, we wouldn't have this hard-coded in NetworkManager itself; we would invoke a tool to do it for us, like the GUI auth-dialog, which can live in the NetworkManager-openconnect repository and be kept up to date as new options are added. To start with though, let's bring it into sync. We don't add new options that often, and this will cover the majority of use cases.
| * nmcli, nmtui: update authentication for OpenConnectDavid Woodhouse2023-05-114-43/+99
|/ | | | | | | | | | | | | | | | Since OpenConnect 8.20, 'openconnect --authenticate' will return the full gateway URL, including the hostname and the path. This allows servers behind SNI-based proxies to work. To ensure we end up at the same IP address even behind round-robin DNS, there is a separate --resolve argument. Update nmcli/nmtui to use this, as NetworkManager-openconnect does. Shift some of the logic into the nm_vpn_openconnect_authenticate_helper() function instead of duplicating it in the callers. Also, pass the correct protocol in rather than only supporting Cisco AnyConnect.
* po: fix mistranslation in Turkish (tr)Sabri Unal2023-05-111-1/+1
| | | | https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1626
* bond: merge branch 'th/slb-bond-no-counters'Thomas Haller2023-05-107-30/+223
|\ | | | | | | https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1623
| * core/tests: add test for nm_firewall_nft_stdio_mlag()Thomas Haller2023-05-101-0/+122
| | | | | | | | | | If only to hit some of the code paths in our test, and to have valgrind check (some of) the code paths.
| * bond: don't configure "counter" on nft rules for slb-bonding/mlagThomas Haller2023-05-103-20/+34
| | | | | | | | | | Counters are convenient for debugging, but have a performance overhead. Configure them only when debug logging in NetworkManager is enabled.
| * glib-aux: add nmtst_assert_cmpmem() helperThomas Haller2023-05-101-0/+48
| | | | | | | | | | | | | | | | | | | | g_assert_cmpmem() exists, but it does not print the actual buffer content on test failure. It is useful to see what actually failed in the test output. Also, nmtst_assert_cmpmem() prints a backslash escaped output, that you can unescape in the terminal with `echo -e`. You can also directly copy and paste the output to C source code.
| * glib-aux: add NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_DOUBLE_QUOTE flag to escape double quotesThomas Haller2023-05-102-10/+19
|/ | | | | | | | This is useful when printing a string for debugging. Then we can printf("v=\"%s\"", utf8safe_escaped_text), which can be safely unescaped with `echo -e`.
* glib-aux: use GModule instead of dlopen() in _inet_aton()Thomas Haller2023-05-101-8/+8
| | | | | | | | | | Using dlopen() requires us to link with libdl (at least with some libc). That is cumbersome and was not done by all users of libnm-glib-aux, thereby causing a linker error. The code path is only used via nm_assert(). Use GModule instead. Fixes: a23af8f76469 ('glib-aux: avoid using inet_aton()')
* device: don't reset "net.ipv6.conf.$IFACE.forwarding"Thomas Haller2023-05-091-3/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | According to systemd, IPv6 forwarding is special anyway, and they only enable forwarding for "net.ipv6.conf.all.forwarding" ([1]). Since commit 46e63e03af58 ('device: announce the managed IPv6 configuration with ipv6.method=shared') we support "ipv6.method=shared" and enable forwarding for IPv6, on the interface. Whether that makes sense is questionable, given [1] and the claim that setting it per-interface is not useful. Anyway, since that change we always reset the "forwarding" sysctl to zero, when we don't enable shared mode. That is not right, because the user didn't explicitly ask for that (and there is no configuration option like systemd-networkd's "IPForward=" setting to control that). What we should do instead is not touch/reset the sysctl, unless we really want to. No longer set "forwarding" to zero by default. And only restore the previous value (_dev_sysctl_save_ip6_properties()) if we actually changed the value to "1". [1] https://github.com/systemd/systemd/blob/b8fba0cded2c3e14fe8c0b52aae3ecf2c9fa718e/src/network/networkd-sysctl.c#L79 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/923 Fixes: 46e63e03af58 ('device: announce the managed IPv6 configuration with ipv6.method=shared') https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1616
* gitlab-ci: remove container cleanup stagesThomas Haller2023-05-092-362/+11
| | | | | | | | | | | | | These stages were not properly implemented and don't seem to work. Drop them. Note that we do want that our cached containers get collected eventually. As these are just caches for performance reasons, that could be done with little downsides (we can just regenerate the containers when we need them). However, that's not done by our gitlab-ci stages. Instead, it should be done on a project level. It's not clear whether that is actually done, but if there is a need (because of the resources that this wastes), then we should do that (on freedesktop.org's gitlab instance).
* n-dhcp4: re-import git-subtree for 'src/n-dhcp4'Thomas Haller2023-05-093-2/+2
|\ | | | | | | git subtree pull --prefix src/n-dhcp4 git@github.com:nettools/n-dhcp4.git master --squash
| * Squashed 'src/n-dhcp4/' changes from f8fc48dc014d..b2a382ac4500Thomas Haller2023-05-093-2/+2
| | | | | | | | | | | | | | | | | | b2a382ac4500 test: use inet_pton() instead of inet_aton() in test tool 45df6a37a710 meson: no longer pass -Wl,--no-undefined explicitly bb9bcdee5754 n-dhcp4-client: make n_dhcp4_client_set_log_level public git-subtree-dir: src/n-dhcp4 git-subtree-split: b2a382ac4500dee1abfb7cd5acaa3678e47e9662
* | glib-aux: merge branch 'th/no-inet-aton'Thomas Haller2023-05-094-40/+243
|\ \ | | | | | | | | | | | | | | | | | | See-also: https://bugs.python.org/issue37495 https://bugzilla.redhat.com/show_bug.cgi?id=2049134 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1620
| * | glib-aux: avoid using inet_aton()Thomas Haller2023-05-084-40/+127
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | nm_inet_parse_bin_full() supports a legacy mode for IPv4, which used inet_aton(). This is only used by initrd reader, which parses the kernel command line as defined by dracut. Since that dracut API is old and not defined by us, we want to be more forgiving in case a user specifies something that used to work in the past. In particular, we want to parse "255.256.256.000" as netmask (which inet_pton() would reject). inet_aton() trips off some ABI checkers that we shouldn't use this ABI. It was anyway only used as *additional* guard when we parsed certain legacy formats for IPv4 addresses. We can drop that and just use our parser. Note that there is still an nm_assert() path, which loads inet_aton() dynamically, just to ensure that our legacy parser implementation agrees with inet_aton(). https://bugzilla.redhat.com/show_bug.cgi?id=2049134
| * | glib-aux/tests: add unit test for nm_inet_parse_bin_full()Thomas Haller2023-05-081-0/+116
|/ /
* | triage: only mark stale issues/merge-requests with a label instead of autoclosing themThomas Haller2023-05-081-41/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | An issue/merge-request only moves forward by a human putting effort in. Whether the issue is open, closed, autoclosed or flagged with a "stale" label doesn't matter in theory. In practice, humans don't like getting their issues/merge-requests autoclosed. Instead, add a "stale" label. There was always a benefit of this automatic action. It tended to generate some feedback and new action. Sometimes it even brought new attention to the issue/merge-request to get it fixed. That is hopefully also the case with the stale label.
* | man: qualify properties in `man nm-settings-nmcli` with setting nameThomas Haller2023-05-081-2/+2
| | | | | | | | | | | | | | | | | | The manual page is large. When you search for a property, then it's not immediately clear to which setting it belongs. You would have to scroll up for the setting name. This also makes sense for the nmcli manual page, because on the command line you have to specify the full name.
* | libnm: merge branch 'th/connection-get-setting-cleanup'Thomas Haller2023-05-055-85/+113
|\ \ | | | | | | | | | https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1618
| * | core: add nm_settings_connection_get_setting() helperThomas Haller2023-05-042-0/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For efficiently and conveniently looking up an NMSetting from the NMConnection inside the NMSettingsConnection. Note that this uses the NMMetaSettingType as lookup key. That is a novel approach, compared to lookup by name (nm_connection_get_setting_by_name()) or GType (nm_connection_get_setting()). Using the NMMetaSettingType enum is however faster, because it does not require resolving the name/GType first. This is perfectly fine internal API, we should use it.
| * | libnm: expose _nm_connection_get_setting_by_metatype() in internal headerThomas Haller2023-05-042-2/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have several variants to get the NMSetting from an NMConnection. Some of them are public API (nm_connection_get_setting(), nm_connection_get_setting_by_name()). The most efficient way is lookup by NMMetaSettingType. Expose that as internal API, so it can be used. The NMMetaSettingType is internal, but it exists because it's a very useful enum. Allow others to make use of it. Also, add a static assert which prevents various wrong uses at compile time, for example _nm_connection_get_setting_by_metatype(connection, NM_TYPE_SETTING_CONNECTION)
| * | libnm: cleanup redundant nm_connection_get_setting functionsThomas Haller2023-05-042-43/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Refactor and cleanup the functions to get a setting from a connection. As the NMConnection tracks the settings in an array indexed by NMMetaSettingType, the most direct and efficient way is to look up via that enum. Previously, nm_connection_get_setting_by_name() would first look up the GType (which already involved looking up the NMMetaSettingInfo), then based on the GType it would look up the NMMetaSettingInfo again to get the meta_type. That is unnecessary. Directly look up the NMMetaSettingInfo, which directly gives the meta_type.
| * | libnm/trivial: rename internal connection-get-setting methodsThomas Haller2023-05-041-41/+40
|/ / | | | | | | | | This function will be exposed on the internal header. Rename to _nm_connection_get_setting_by_metatype().
* | core: merge branch 'th/autoconnect-cleanups'Thomas Haller2023-05-044-94/+163
|\ \ | | | | | | | | | https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1615
| * | core: only trigger recheck when something changes in activate_slave_connections()Thomas Haller2023-05-041-3/+2
| | | | | | | | | | | | | | | | | | | | | We need to detect when nothing relevant changes, and shortcut doing things when they are unnecessary.
| * | core: return whether anything changed from nm_manager_devcon_autoconnect_retries_reset()Thomas Haller2023-05-042-12/+18
| | | | | | | | | | | |
| * | core: use switch statement in device_state_changed()Thomas Haller2023-05-041-3/+7
| | | | | | | | | | | | | | | | | | | | | It seems better for readability, because reacting based on the state-reason is ugly already. This way, we access nm_device_state_reason_check(reason) only at one place. With the if, it's not immediately obvious that both if/else parts only switch on the reason too.
| * | core: avoid creating devcon data that we don't needThomas Haller2023-05-042-6/+15
| | | | | | | | | | | | | | | Otherwise, we create device × profiles entries, most of them nonsensical.
| * | core: improve handling for blocking autoconnectThomas Haller2023-05-043-62/+110
| | | | | | | | | | | | | | | | | | | | | Cleanup logging to always print a "block-autoconnect:" prefix to related lines. Also, make sure that everywhere where the state changes, a line gets logged. Also, for devconf data print both the interface and the profile.
| * | core: assert for valid blocked reasons in autoconnect codeThomas Haller2023-05-043-15/+18
|/ / | | | | | | | | | | We only have a few blocked reasons. Some of them can be only set on the devcon data, and some only on the settings connection. Assert that we don't mix that up.
* | release: bump version to 1.43.7 (development)1.43.7-devThomas Haller2023-05-032-2/+2
| |
* | merge: branch 'ff/bond_port_options'Fernando Fernandez Mancera2023-05-0321-56/+440
|\ \ | | | | | | | | | https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1564
| * | bonding: add support to prio property in bond portsff/bond_port_optionsFernando Fernandez Mancera2023-05-0314-16/+145
| | | | | | | | | | | | | | | | | | | | | Add per port priority support for bond active port re-selection during failover. A higher number means a higher priority in selection. The primary port still has the highest priority. This option is only compatible with active-backup, balance-tlb and balance-alb modes.
| * | platform: add support to prio property in bond portsFernando Fernandez Mancera2023-05-035-10/+78
| | |
| * | platform: add netlink support for bond port optionsFernando Fernandez Mancera2023-05-038-46/+233
| | | | | | | | | | | | | | | | | | sysfs is deprecated and the kernel will not add new bond port options to sysfs. Netlink is a stable API and therefore is the right method to communicate with the kernel in order to set the link options.
| * | libnm: fix ifcfg variable documentation at queue-id propertyFernando Fernandez Mancera2023-05-031-1/+1
|/ / | | | | | | The correct variable for queue-id in ifcfg is BOND_PORT_QUEUE_ID.
* | firewall: create "dynamic" sets for nft rules for slb-bondingThomas Haller2023-05-031-2/+2
| | | | | | | | | | | | | | | | | | | | A workaround for a nftables issue ([1]). I don't know why that matters. [1] https://bugzilla.redhat.com/show_bug.cgi?id=2177667 Fixes: e9268e392418 ('firewall: add mlag firewall utils for multi chassis link aggregation (MLAG) for bonding-slb') https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1614
* | dns: merge branch 'ts/1281-resolv-conf-non-public-tld'Thomas Haller2023-05-022-11/+53
|\ \ | | | | | | | | | | | | | | | https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1281 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1613
| * | NEWS: updateThomas Haller2023-05-021-0/+2
| | |
| * | dns: refactor domain_is_valid() to combine #if blocksThomas Haller2023-05-021-30/+32
| | |
| * | dns/trivial: rename check_public_suffix parameter of domain_is_valid()Thomas Haller2023-05-021-3/+5
| | | | | | | | | | | | | | | Names are important. The previous name was counter intuitive for what the behavior was.
| * | dns: use NM_STR_HAS_SUFFIX() instead of g_str_has_suffix()Thomas Haller2023-05-021-1/+2
| | | | | | | | | | | | It translates to a plain memcmp() as the argument is a string literal.
| * | dns: fix logging for resetting the host-domainThomas Haller2023-05-021-3/+3
| | | | | | | | | | | | | | | | | | | | | The previous logging happened, when the value did not change. Log instead, when the value changes. Fixes: 86bb09c93be3 ('dns: generate correct search domain for hostnames on non-public TLD')
| * | dns: generate correct search domain for hostnames on non-public TLDTom Sobczynski2023-05-021-8/+43
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | dns-manager uses the Mozilla Public Suffix List to determine an appropriate search domain when generating /etc/resolv.conf. It is presumed that if the hostname is "example.com", the user does not want to automatically search "com" for unqualified hostnames, which is reasonable. To implement that, prior to the fix, domain_is_valid() implicitly used the PSL "prevailing star rule", which had the consequence of assuming that any top-level domain (TLD) is public whether it is on the official suffix list or not. That meant "example.local" or "example.localdomain" would not result in searching "local" or "localdomain" respectively, but rather /etc/resolv.conf would contain the full hostname "example.local" as the search domain and not give users what they expect. The fix here uses the newer PSL API function that allows us to turn off the "prevailing star rule" so that "local" and "localdomain" are NOT considered public TLDs because they are not literally on the suffix list. That in turn gives us the search domain "local" or "localdomain" in /etc/resolv.conf and allows unqualified hostname lookups (e.g., `resolvectl query example`) to find example.local while example.com still maintains the previous behavior (i.e., search domain of "example.com" rather than "com"). [thaller@redhat.com: reworded commit message] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1281 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1613
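The decision this commit changes is small but has a real security angle: a search domain of "com" would send every unqualified lookup on the host to a public TLD, while a search domain that is too long (the full hostname) makes local names unresolvable. The following is an added example, not NetworkManager's dns-manager code and not libpsl: it models the "strip the first label, then ask whether the remainder is a public suffix" logic with a constructed five-entry stand-in for the Public Suffix List, and exposes the "prevailing star rule" as a flag so both behaviours the commit describes can be compared. Real PSL matching also has wildcard and exception rules, which libpsl handles and this example does not; the function names are mine.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Public Suffix List: literal entries only. */
static const char *const PUBLIC_SUFFIXES[] = { "com", "org", "uk", "co.uk", "github.io", NULL };

static bool in_suffix_list(const char *domain)
{
    for (size_t i = 0; PUBLIC_SUFFIXES[i]; i++)
        if (strcmp(PUBLIC_SUFFIXES[i], domain) == 0)
            return true;
    return false;
}

/* Is @domain a public suffix? With @prevailing_star, any single-label domain
 * that is not listed still counts as public (the PSL's implicit "*" rule, the
 * old behaviour). Without it, only literal list entries are public. */
bool domain_is_public_suffix(const char *domain, bool prevailing_star)
{
    if (in_suffix_list(domain))
        return true;
    return prevailing_star && strchr(domain, '.') == NULL;
}

/* Search domain derived from @hostname: drop the first label; if what remains
 * is a public suffix, fall back to the full hostname rather than searching a
 * public TLD. Returns NULL for a single-label hostname (nothing to search). */
const char *search_domain_for(const char *hostname, bool prevailing_star)
{
    const char *dot = strchr(hostname, '.');
    if (!dot || dot[1] == '\0')
        return NULL;
    const char *parent = dot + 1;
    return domain_is_public_suffix(parent, prevailing_star) ? hostname : parent;
}

/* Convenience for checks: does @hostname yield @expected as search domain? */
bool search_domain_is(const char *hostname, bool prevailing_star, const char *expected)
{
    const char *got = search_domain_for(hostname, prevailing_star);
    return got != NULL && strcmp(got, expected) == 0;
}

int main(void)
{
    /* constructed hostnames, showing the old (star rule on) and new (off) results */
    const char *hosts[] = { "example.com", "example.local", "host.co.uk", "host.corp.example.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        const char *old = search_domain_for(hosts[i], true);
        const char *new = search_domain_for(hosts[i], false);
        printf("%-24s old: %-24s new: %s\n", hosts[i], old ? old : "(none)", new ? new : "(none)");
    }
    return 0;
}
```

The only inputs whose result changes between the two modes are hostnames under a TLD that is absent from the list ("local", "localdomain", a corporate TLD): listed TLDs and multi-label suffixes such as "co.uk" behave identically either way, which is the "example.com still maintains the previous behavior" property the commit claims.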
* | all: fix various wrong "return FALSE" for returning pointersThomas Haller2023-05-022-9/+9
| |
* | systemd: define ENABLE_GSHADOW to zeroThomas Haller2023-05-021-1/+1
| | | | | | | | To be consistent with other defines.