Commit message [Author, Age, files, lines]
* WIP th/wip/ipv4-shared-address-range [Thomas Haller, 2016-03-21, files: 3, lines: -0/+64]
|
* dbus: don't do <deny send_interface="..." /> in dbus service file [Lubomir Rintel, 2016-03-20, files: 1, lines: -5/+12]
|   It does more than intended; apart from denying messages to that particular interface it also denies all messages non-qualified with an interface globally. This blocks messages completely unrelated to wpa_supplicant, such as NetworkManager communication with the VPN plugins.
|
|   From the dbus-daemon manual:
|
|     Be careful with send_interface/receive_interface, because the interface field in messages is optional. In particular, do NOT specify <deny send_interface="org.foo.Bar"/>! This will cause no-interface messages to be blocked for all services, which is almost certainly not what you intended. Always use rules of the form: <deny send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
|
|   We can just safely remove those rules, since we're sufficiently protected by the send_destination matches and method calls are disallowed by default anyway.
|
|   https://bugzilla.gnome.org/show_bug.cgi?id=763880
* man: document IPv4 subnet for "shared" method [Thomas Haller, 2016-03-20, files: 1, lines: -0/+3]
|
* device: optimize hashtable usage for shared_ips [Thomas Haller, 2016-03-20, files: 1, lines: -4/+1]
|   No point in storing "TRUE" as value in the @shared_ips hash table. That forces glib to allocate a separate storage for the value. Just use g_hash_table_add() instead.
* vpn-connection: do not leak the connection if there's no timeout [Lubomir Rintel, 2016-03-18, files: 1, lines: -1/+3]
|
* vpn-connection: don't dispose the proxy before we get the disconnect response [Lubomir Rintel, 2016-03-18, files: 1, lines: -4/+15]
|   The return_method would be rejected by the dbus-daemon when the NM drops its match, resulting in an ugly message in the log:
|
|     method call time=1458301860.187048 sender=:1.267 -> destination=:1.276 serial=5302 path=/org/freedesktop/NetworkManager/VPN/Plugin; interface=org.freedesktop.NetworkManager.VPN.Plugin; member=Disconnect
|     method call time=1458301860.187054 sender=:1.267 -> destination=org.freedesktop.DBus serial=5303 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=RemoveMatch
|        string "type='signal',sender='org.freedesktop.DBus', interface='org.freedesktop.DBus', member='NameOwnerChanged', path='/org/freedesktop/DBus', arg0='org.freedesktop.NetworkManager.libreswan.Connection_10'"
|     method return time=1458301860.187061 sender=org.freedesktop.DBus -> destination=:1.267 serial=1835 reply_serial=5303
|     ...
|     method return time=1458301860.195351 sender=:1.276 -> destination=:1.267 serial=19 reply_serial=5302
|     error time=1458301860.195361 sender=org.freedesktop.DBus -> destination=:1.276 error_name=org.freedesktop.DBus.Error.AccessDenied reply_serial=19
|        string "Rejected send message, 7 matched rules; type="method_return", sender=":1.276" (uid=0 pid=26915 comm="/usr/libexec/nm-libreswan-service --bus-name org.f") interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" destination=":1.267" (uid=0 pid=25724 comm="/usr/sbin/NetworkManager --no-daemon ")"
|
|   Also, refcount the connection instance. While the proxy is alive, it invokes signal callbacks that get the object as a parameter.
* dhcp: fix GBytes leak in nm_dhcp_client_start_ip4() [Francesco Giudici, 2016-03-18, files: 1, lines: -1/+4]
|
* dhcp: support _LOGx_ENABLED() macro in dhcp-client [Thomas Haller, 2016-03-17, files: 1, lines: -1/+8]
|   The macro _LOGx_ENABLED() is defined with a default implementation that depends on _NMLOG_DOMAIN. Although that default does not check for LOGD_DHCP4 vs. LOGD_DHCP6, still provide it. Determining the correct domain might involve a larger performance impact than what we would save.
* test-nm-client: fix the remaining counter [Lubomir Rintel, 2016-03-17, files: 1, lines: -5/+6]
|   We're expecting four callbacks: a client::devices change, client::active-connections change, client::activate callback, and a device::active-connection change.
|
|   We only hook the second one in the callback to the first one, and only if client::active-connections is not set already. If it is (when running slowly in valgrind), we just decrement the counter. However, as the counter is one less than it should be, it would underflow and we wait forever* instead.
|
|   For the value of forever=20s, given that's the timeout of the mockup service.
* rdisc: fix setting netns during construction of NMRDisc [Thomas Haller, 2016-03-17, files: 1, lines: -4/+0]
|   We obtain the netns from the platform instance that is passed in. It's wrong to set the current netns in nm_rdisc_init().
|
|   Fixes: 3ba944472853d5221ed83c369a77f80ee7305648
* lldp: merge branch 'th/lldp-bgo763499' [Thomas Haller, 2016-03-17, files: 8, lines: -410/+550]
|\
| |   https://bugzilla.gnome.org/show_bug.cgi?id=763499
| * lldp: refactor keeping tlv data and order entries in neighbor GVariant [Thomas Haller, 2016-03-17, files: 1, lines: -107/+167]
| |   The fields in the neighbor variant should have a defined order. Instead of sorting the hash table entries while constructing the variant in lldp_neighbor_to_variant(), refactor the management of the TLV attributes.
| |
| |   As we only support known attributes, we can store them in an array at a known index instead of putting them in a hash table.
| |
| |   An alternative would be to have explicit fields for every known attribute. That would be even more efficient, but requires more work when adding new attributes.
| * lldp: ensure stable order of variants in LLDP neighbor list [Thomas Haller, 2016-03-17, files: 1, lines: -14/+24]
| |
| * lldp: drop process_lldp_neighbors() [Thomas Haller, 2016-03-17, files: 1, lines: -105/+9]
| |   We register the callback early on, so we get notified about every single neighbor as they show up. No need to iterate over them explicitly -- and probably, at that early state, there are no neighbors yet.
| * lldp: process one neighbor at a time [Thomas Haller, 2016-03-17, files: 2, lines: -40/+111]
| |   The systemd event tells which neighbor changed. Make use of this information and don't rebuild all the neighbors all the time.
| |
| |   That means, we must also change our rate limiting. Instead of rate limiting the processing of all neighbors, we process neighbors right away but limit the notification that gobject property changed.
| * lldp: implement properties via NM_GOBJECT_PROPERTIES_DEFINE() [Thomas Haller, 2016-03-17, files: 1, lines: -14/+12]
| |
| * lldp: improve logging [Thomas Haller, 2016-03-17, files: 1, lines: -5/+13]
| |
| * lldp: let lldp_neighbor_new() also create invalid objects [Thomas Haller, 2016-03-17, files: 1, lines: -16/+17]
| |   When we receive an update for a certain neighbor, the update might be invalid and we want to reject it. However, we still must create an invalid object to compare whether the update causes a remove of a previously valid neighbor.
| |
| |   Let lldp_neighbor_new() create an instance as long as the id fields are present.
| * lldp: cache the GVariant in LldpNeighbor [Thomas Haller, 2016-03-17, files: 1, lines: -11/+14]
| |
| * lldp: factor out lldp_neighbor_to_variant() [Thomas Haller, 2016-03-17, files: 1, lines: -52/+58]
| |
| * lldp: refactor processing all lldp-neighbors [Thomas Haller, 2016-03-17, files: 1, lines: -45/+54]
| |   Instead of replacing the whole hash with a new one (and all new by a new one, LldpNeighbor instances), update the existing hash.
| |
| |   One point of this is that our process-all function requires less comparisons and avoids duplicate work right earlier. E.g. if a neighbor didn't change, we don't have to put it into a hash to compare later for equality.
| |
| |   But more importantly, we preserve our LldpNeighbor instance instead of recreating them all the time. Later, the LldpNeighbor will cache the GVariant.
| * lldp: split out creation of LldpNeighbor instance [Thomas Haller, 2016-03-17, files: 1, lines: -163/+211]
| |
| * lldp/trivial: rename internal type LLDPNeighbor to LldpNeighbor [Thomas Haller, 2016-03-17, files: 1, lines: -11/+11]
| |   Our convention is to use camel case for abbreviations that are longer than 2 characters.
| * systemd: lldp: fix starting ttl timer for lldp neighbor [Thomas Haller, 2016-03-17, files: 1, lines: -7/+10]
| |   lldp_start_timer() was only called during sd_lldp_get_neighbors(). Ensure that the timer is (re-)started when a new neighbor appears. Otherwise, the timer is not started when relying on the events alone.
| |
| |   https://github.com/systemd/systemd/pull/2826
| * logging: add new logging domain "SYSTEMD" for internal systemd logging [Thomas Haller, 2016-03-17, files: 3, lines: -2/+4]
| |
| * shared: add nm_unauto() helper macro [Thomas Haller, 2016-03-17, files: 1, lines: -0/+12]
| |
| * shared: add nm_assert_not_reached() [Thomas Haller, 2016-03-17, files: 1, lines: -0/+2]
| |
| * utils/core: add NM_UTILS_NS_PER_MSEC macro [Thomas Haller, 2016-03-17, files: 1, lines: -0/+3]
|/
* libnm: declare internal function as static [Thomas Haller, 2016-03-17, files: 1, lines: -2/+2]
|
* merge: branch 'bg/8021x-domain-suffix-match-bgo341323' [Beniamino Galvani, 2016-03-16, files: 8, lines: -52/+220]
|\
| |   Add domain-suffix-match properties to NMSetting8021x.
| |
| |   https://bugzilla.gnome.org/show_bug.cgi?id=341323
| * libnm-core: nm-setting-8021x: treat some empty properties as NULL [Beniamino Galvani, 2016-03-16, files: 1, lines: -4/+13]
| |   For some properties as *subject-match and *domain-suffix-match an empty string means that we don't want to do any filtering and should be stored as NULL.
| * supplicant: honor the domain-suffix-match properties [Beniamino Galvani, 2016-03-16, files: 2, lines: -0/+10]
| |
| * cli: add support for NMSetting8021x domain-suffix-match properties [Beniamino Galvani, 2016-03-16, files: 1, lines: -48/+70]
| |
| * ifcfg-rh: add support for domain-suffix-match properties [Beniamino Galvani, 2016-03-16, files: 3, lines: -0/+26]
| |
| * libnm-core: add domain-suffix-match properties to NMSetting8021x [Beniamino Galvani, 2016-03-16, files: 3, lines: -2/+103]
|/
|   The new domain-suffix-match and phase2-domain-suffix-match properties can be used to match against a given server domain suffix in the dNSName elements or in the SubjectName CN of the server certificate.
|
|   Also, add a comment to the old subject-match properties documentation to suggest that they are deprecated and should not be used anymore.
* NEWS: minor update referencing 1.0.10 release [Thomas Haller, 2016-03-16, files: 1, lines: -1/+1]
|
* ethernet: set the connection type when generating the connection [Lubomir Rintel, 2016-03-16, files: 1, lines: -0/+5]
|   Otherwise the connection wouldn't verify:
|
|     <error> [1458066126.2270] device (eth10): Generated connection does not verify: connection.type: property type should be set to '802-3-ethernet'
|     <debug> [1458066126.2271] manager: (eth10): can't assume; no connection
|
|   (cherry picked from commit 4b71939e9ac3df93bfe72af0eac42b4ebaf94e15)
* libnm-util: reword code comment [Thomas Haller, 2016-03-15, files: 1, lines: -2/+2]
|
* libnm-util: add comment for return value of nm_connection_replace_settings_from_connection() [Thomas Haller, 2016-03-15, files: 1, lines: -4/+5]
|   nm_connection_replace_settings_from_connection() can safely be used to copy an invalid connection. The return value only says whether the connection is valid after the fact.
* platform: use gint32 for monotonic-timestamp seconds [Thomas Haller, 2016-03-15, files: 3, lines: -9/+13]
|   @now is obtained via nm_utils_get_monotonic_timestamp_s(), which is gint32 (although it will never be negative). Use the correct type.
* platform: remove padding for IP address lifetimes [Thomas Haller, 2016-03-15, files: 3, lines: -22/+13]
|   We used to pad the lifetime since the beginning (commit f121995fad93eda886b2a34a8d79a45a5688b917). However, there is no race involved, since our platform cache is in sync with the messages from kernel (which didn't used to be the case).
|
|   Also, when receiving a RA with a zero preferred time, we must not extend the address lifetime by 5 seconds, but instead deprecate the address immediately.
|
|   https://bugzilla.gnome.org/show_bug.cgi?id=763513
* device: fix handling of available connections [Beniamino Galvani, 2016-03-15, files: 1, lines: -6/+5]
|   The prune list is for elements that must be deleted from the list of available connections. So, when processing all the existing connections an element must be deleted from the prune list iff it's available.
|
|   Fixes: 8b2abe0e2c8f162544a2562fc18a7becbc55d233
|
|   https://bugzilla.redhat.com/show_bug.cgi?id=1316488
* platform: merge branch 'th/netns-aware-bgo763323' [Thomas Haller, 2016-03-15, files: 42, lines: -217/+1072]
|\
| |   https://bugzilla.gnome.org/show_bug.cgi?id=763323
| * platform: add nmp_netns_bind_to_path() helper function [Thomas Haller, 2016-03-15, files: 3, lines: -0/+140]
| |   Based-on-patch-by: Stjepan Gros <stjepan.gros@gmail.com>
| * platform: support switching partial namespaces [Thomas Haller, 2016-03-15, files: 3, lines: -42/+386]
| |   Previously, the push/pop API to switch between namespaces would always switch both the net and mount namespace together.
| |
| |   There are situations where we want to only switch one namespace. For example, the function nmp_netns_bind_to_path() introduced next only wants to switch the net namespace to get /proc/self/ns/net, but must not switch the mount namespace as it bind-mounts in the namespace of the caller.
| * platform/tests: add test for nm_platform_link_set_netns() [Thomas Haller, 2016-03-15, files: 1, lines: -11/+62]
| |
| * platform/tests: pass platform argument to nmtstp helper functions [Thomas Haller, 2016-03-15, files: 6, lines: -83/+90]
| |   Make the test helper independent from the platform singleton instance. That way, we can also use them for other platform instances (e.g. in a different namespace).
| * platform: add nm_platform_link_set_netns() function [Stjepan Gros, 2016-03-15, files: 3, lines: -0/+58]
| |   [thaller@redhat.com: cherry-picked original patch and modified slightly]
| * platform/tests: refactor creation of test_netns_general() [Thomas Haller, 2016-03-15, files: 1, lines: -16/+35]
| |   Need to add more than one netns test.
| * utils: inject platform into nm_utils_complete_generic() [Thomas Haller, 2016-03-15, files: 18, lines: -23/+45]
| |