networkd: Tunnel allows tunnel traffic on ip6tnl devices (#7756)

where the remote endpoint is a local host address.

3 files changed, 7 insertions, 0 deletions

diff --git a/src/network/netdev/netdev-gperf.gperf b/src/network/netdev/netdev-gperf.gperf
index 03b8661957..1b4cb5a60c 100644
--- a/src/network/netdev/netdev-gperf.gperf
+++ b/src/network/netdev/netdev-gperf.gperf
@@ -63,6 +63,7 @@ Tunnel.IPv6FlowLabel,        config_parse_ipv6_flowlabel,          0,
 Tunnel.CopyDSCP,             config_parse_bool,                    0,                             offsetof(Tunnel, copy_dscp)
 Tunnel.EncapsulationLimit,   config_parse_encap_limit,             0,                             offsetof(Tunnel, encap_limit)
 Tunnel.Independent,          config_parse_bool,                    0,                             offsetof(Tunnel, independent)
+Tunnel.AllowLocalRemote,     config_parse_tristate,                0,                             offsetof(Tunnel, allow_localremote)
 Peer.Name,                   config_parse_ifname,                  0,                             offsetof(Veth, ifname_peer)
 Peer.MACAddress,             config_parse_hwaddr,                  0,                             offsetof(Veth, mac_peer)
 VXCAN.Peer,                  config_parse_ifname,                  0,                             offsetof(VxCan, ifname_peer)
diff --git a/src/network/netdev/tunnel.c b/src/network/netdev/tunnel.c
index 8d6d54d567..bbc6dca53b 100644
--- a/src/network/netdev/tunnel.c
+++ b/src/network/netdev/tunnel.c
@@ -37,6 +37,7 @@
 
 #define DEFAULT_TNL_HOP_LIMIT   64
 #define IP6_FLOWINFO_FLOWLABEL  htobe32(0x000FFFFF)
+#define IP6_TNL_F_ALLOW_LOCAL_REMOTE 0x40
 
 static const char* const ip6tnl_mode_table[_NETDEV_IP6_TNL_MODE_MAX] = {
         [NETDEV_IP6_TNL_MODE_IP6IP6] = "ip6ip6",
@@ -336,6 +337,9 @@ static int netdev_ip6tnl_fill_message_create(NetDev *netdev, Link *link, sd_netl
         if (t->copy_dscp)
                 t->flags |= IP6_TNL_F_RCV_DSCP_COPY;
 
+        if (t->allow_localremote != -1)
+                SET_FLAG(t->flags, IP6_TNL_F_ALLOW_LOCAL_REMOTE, t->allow_localremote);
+
         if (t->encap_limit != IPV6_DEFAULT_TNL_ENCAP_LIMIT) {
                 r = sd_netlink_message_append_u8(m, IFLA_IPTUN_ENCAP_LIMIT, t->encap_limit);
                 if (r < 0)
@@ -682,6 +686,7 @@ static void ip6tnl_init(NetDev *n) {
         t->encap_limit = IPV6_DEFAULT_TNL_ENCAP_LIMIT;
         t->ip6tnl_mode = _NETDEV_IP6_TNL_MODE_INVALID;
         t->ipv6_flowlabel = _NETDEV_IPV6_FLOWLABEL_INVALID;
+        t->allow_localremote = -1;
 }
 
 const NetDevVTable ipip_vtable = {
diff --git a/src/network/netdev/tunnel.h b/src/network/netdev/tunnel.h
index 67f8fe35c7..7ffafe9e98 100644
--- a/src/network/netdev/tunnel.h
+++ b/src/network/netdev/tunnel.h
@@ -45,6 +45,7 @@ typedef struct Tunnel {
 
         int family;
         int ipv6_flowlabel;
+        int allow_localremote;
 
         unsigned ttl;
         unsigned tos;