path: root/src/network/networkd-ndisc.c
Commit log, newest first. Each entry: commit title (author, date, files changed, lines -/+), followed by the commit message.
* network: do not enter failed state when received an invalid RA (Yu Watanabe, 2023-01-19, 1 file, -10/+11)
  Fixes the issue reported at https://github.com/systemd/systemd/issues/25891#issuecomment-1368509262.

* network: introduce QuickAck= for [DHCPv4] and [IPv6AcceptRA] (Yu Watanabe, 2023-01-16, 1 file, -0/+3)
  Closes #25906.
* network: unset Link.ndisc_configured only when a new address or route is requested (Yu Watanabe, 2022-12-01, 1 file, -6/+18)
  This fixes an issue introduced by af2aea8bb64b0dc42ecbe5549216eb567681a803. When an outdated address or route is passed to link_request_address()/route(), then they return 0 and the address or route will not be assigned. Such a situation can happen when we receive an RA with zero lifetime. In that case, we should not unset the Link.ndisc_configured flag; otherwise, even if no new address or route will be assigned, the interface will enter the configuring state, an unnecessary DBus property change is emitted and the state file will be updated. That triggers resolved or timesyncd to reconfigure the interface. Fixes #25456.
* network: drop invalid and unused flag (Yu Watanabe, 2022-11-29, 1 file, -1/+0)
  Route.flags can only take RTNH_F_ONLINK, and other flags are silently dropped.

* network: fix indentation (Yu Watanabe, 2022-11-29, 1 file, -1/+1)
* network: adjust route priority based on preference (Yu Watanabe, 2022-10-28, 1 file, -2/+23)
  Even if different preferences are specified, the kernel merges multiple routes with the same preference. This is problematic when a network has multiple routers. Fixes #25138.
* network: drop unnecessary call of ndisc_vacuum() (Yu Watanabe, 2022-10-07, 1 file, -21/+0)
  After the commit 773024685b37170395a11716f8e4ad99d3580455, DNS servers or domains are dropped when their lifetime becomes zero. Hence, it is not necessary to try to drop them when writing the state file. Of course, because of the accuracy of the timer event source or the priority of event sources, a possibility is introduced that a DNS server or domain with zero lifetime is stored in the state file. However, such an entry will be dropped soon when the timer event source is triggered. Hence, that should not cause any real issues.
* network: ndisc: do not accept too many DNS servers or domains (Yu Watanabe, 2022-10-04, 1 file, -13/+16)
  If there exist multiple routers, then the previous logic may introduce too many DNS servers or domains.
* network: ndisc: drop addresses and friends when RA with zero lifetime is received (Yu Watanabe, 2022-10-04, 1 file, -20/+14)
  Routers may send options with zero lifetime if previously announced information is outdated. Hence, if we receive such messages, then we need to drop the relevant addresses or friends. See e.g. https://www.rfc-editor.org/rfc/rfc4861#section-12. Follow-up for 2ccada8dc4a3571468a335808fd6fe49b8c6c6dd.
* network: ndisc: also introduce timer event source to drop outdated settings (Yu Watanabe, 2022-10-04, 1 file, -0/+77)
  Otherwise, settings based on previously received RA messages will never be removed without receiving a new RA message.

* network: ndisc: drop outdated settings before processing RA message (Yu Watanabe, 2022-10-04, 1 file, -12/+71)
  Otherwise, e.g. if a router is replaced, then the previously received settings may never be dropped. Follow-up for 2ccada8dc4a3571468a335808fd6fe49b8c6c6dd.
* network: ndisc: address_get() returns 0 on success (Yu Watanabe, 2022-10-04, 1 file, -1/+1)
  After the commit 3b6a3bdebfb555754fdc6ee507e3f6964de7b61c, address_get() does not return 1.

* network: ndisc: ignore prefix option with link-local prefix (Yu Watanabe, 2022-10-04, 1 file, -0/+8)
  See https://www.rfc-editor.org/rfc/rfc4861#section-4.6.2.

* network: ndisc: read prefix earlier (Yu Watanabe, 2022-10-04, 1 file, -4/+6)
  No functional changes.
* network: don't forget old RAs when a new one arrives (Thomas Hebb, 2022-10-03, 1 file, -108/+4)
  IPv6 Neighbor Discovery lets us autoconfigure a link's IPv6 addresses, routes, DNS servers, and DNS search domains by listening for Router Advertisement (RA) packets broadcast by one or more routers on the link. Each RA can contain zero or more "options," each describing one piece of configuration (e.g. a single route).

  Currently, when we receive an RA from a router, we delete any addresses, routes, etc. that originated from that router's previous RAs unless they're also present as options in the new RA. That behavior is a violation of RFC 4861[1]. In Section 9, the RFC states that

    Senders MAY send a subset of options in different packets. ... Thus, a receiver MUST NOT associate any action with the absence of an option in a particular packet. This protocol specifies that receivers should only act on the expiration of timers and on the information that is received in the packets.

  Several other passages in the RFC reiterate this. Section 6.2.3:

    A router MAY choose not to include some or all options when sending unsolicited Router Advertisements.

  Section 6.3.4:

    Hosts accept the union of all received information; the receipt of a Router Advertisement MUST NOT invalidate all information received in a previous advertisement or from another source.

  At least one consumer router in production today, the Google Nest Wifi, often sends RAs that omit its global IPv6 prefix. When current versions of systemd-networkd receive those RAs, they immediately delete the interface's global IPv6 address, which breaks IPv6 connectivity.

  Fix the issue by removing the invalidation logic entirely. It's not needed at all, since we already invalidate addresses, routes, and DNS configuration when the interface goes down or their lifetimes expire.

  This fix does have the side effect of preventing changes to the .network file (e.g. denylisted prefixes, whether to add routes from RAs) from taking effect as soon as a new RA arrives. Instead, a full interface reconfiguration is needed. But triggering those changes on RA receipt was already rather arbitrary and out of the administrator's control, so I think this change is fine.

  commit 69203fba700e ("network: ndisc: remove old addresses and routes after at least one SLAAC address becomes ready") introduced this behavior. commit 50550722e3ba fixed it partially, by preventing one router's RAs from invalidating another router's configuration.

  [1] https://www.rfc-editor.org/rfc/rfc4861

  Fixes: 69203fba700e ("network: ndisc: remove old addresses and routes after at least one SLAAC address becomes ready")
* tree-wide: use ASSERT_PTR more (David Tardon, 2022-09-13, 1 file, -3/+1)

* tree-wide: Use correct format specifiers (Jan Janssen, 2022-08-30, 1 file, -2/+2)
  gcc will complain about all these with -Wformat-signedness.
* network: NetLabel integration (Topi Miettinen, 2022-08-29, 1 file, -0/+4)
  New directive `NetLabel=` provides a method for integrating static and dynamic network configuration into Linux NetLabel subsystem rules, used by Linux Security Modules (LSMs) for network access control. The label, with suitable LSM rules, can be used to control connectivity of (for example) a service with peers in the local network. At least with SELinux, only the ingress can be controlled but not egress.

  The benefit of using this setting is that it may be possible to apply the interface-independent part of the NetLabel configuration at a very early stage of the system boot sequence, at the time when the network interfaces are not available yet, with netlabelctl(8), and the per-interface configuration with systemd-networkd once the interfaces appear later.

  Currently this feature is only implemented for SELinux.

  The option expects a single NetLabel label. The label must conform to the lexical restrictions of LSM labels. When an interface is configured with IP addresses, the addresses and subnetwork masks will be appended to the NetLabel Fallback Peer Labeling rules. They will be removed when the interface is deconfigured. Failures to manage the labels will be ignored.

  Example:
  ```
  [DHCPv4]
  NetLabel=system_u:object_r:localnet_peer_t:s0
  ```
  With the above rules for interface `eth0`, when the interface is configured with an IPv4 address of 10.0.0.123/8, `systemd-networkd` performs the equivalent of the `netlabelctl` operation
  ```
  $ sudo netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
  ```
  Result:
  ```
  $ sudo netlabelctl -p unlbl list
  ...
  interface: eth0
     address: 10.0.0.0/8
       label: "system_u:object_r:localnet_peer_t:s0"
  ...
  ```
* network: check link state with link_is_ready_to_configure() before configuring DHCP client or friends (Yu Watanabe, 2022-08-05, 1 file, -1/+1)
  Otherwise, the DHCP client or friends may be started before link-layer properties, e.g. the MAC address, are configured or the link is activated.
* network: make link_may_have_ipv6ll() optionally check Multicast= setting (Yu Watanabe, 2022-08-02, 1 file, -1/+1)
  Fixes the IPv6LL issue in #23197.
* Merge pull request #24001 from yuwata/network-lifetime-fix (Luca Boccassi, 2022-07-18, 1 file, -11/+12)
  network: fixes for lifetime handling
  * network: fix infinite lifetime handling (Yu Watanabe, 2022-07-14, 1 file, -7/+7)
  * network: use sd_event_now() (Yu Watanabe, 2022-07-14, 1 file, -4/+5)

* network: do not set invalid MAC address for non-ethernet interface (Yu Watanabe, 2022-07-14, 1 file, -3/+5)

* network: NDisc does not require MAC address (Yu Watanabe, 2022-07-14, 1 file, -10/+0)
  This effectively reverts ba4c7184b320bb8698d470530d46a6c94641cc6e. Fixes #23546.
* tree-wide: drop duplicated semicolons (Zbigniew Jędrzejewski-Szmek, 2022-07-05, 1 file, -1/+1)

* basic/in-addr-util: add IN_ADDR_PREFIX_TO_STRING (Zbigniew Jędrzejewski-Szmek, 2022-06-06, 1 file, -22/+15)
* basic/in-addr-util: add IN_ADDR_TO_STRING (Zbigniew Jędrzejewski-Szmek, 2022-06-06, 1 file, -17/+7)
  Since we don't need the error value, and the buffer is allocated with a fixed size, the whole logic provided by in_addr_to_string() becomes unnecessary, so it's enough to wrap inet_ntop() directly. inet_ntop() can only fail with ENOSPC. But we specify a buffer that is supposed to be large enough, so this should never fail. A bunch of tests of this are added.

  This allows all the wrappers like strna(), strnull(), strempty() to be dropped.

  The guard of 'if (DEBUG_LOGGING)' can be dropped from around log_debug(), because log_debug() implements the check outside of the function call. But log_link_debug() does not, so we need it to avoid unnecessary evaluation of the formatting.
* network: clarify the relationship between RA flags and DHCPv6 modes (Alex Henrie, 2022-05-06, 1 file, -3/+3)
  In the documentation, using the term "managed" for both the RA flag and the DHCPv6 mode is confusing because the mode is referred to as "solicit" both in the official DHCPv6 documentation (see RFC 8415) and in the WithoutRA option. Furthermore, calling the other RA flag "other information" or "other address configuration" is confusing because its official name is simply "other configuration" (see RFC 4861 and RFC 5175) and it isn't used to assign IP addresses.

  Rewrite the documentation for DHCPv6Client and WithoutRA to make it clear that getting the "managed" RA flag triggers the same kind of DHCP request as WithoutRA=solicit, whereas getting the "other configuration" RA flag triggers the same kind of DHCP request as WithoutRA=information-request.
* Fix "link-local" language inconsistencies (Sebastian Pucilowski, 2022-03-31, 1 file, -1/+1)
  "Link-local" and "link local" are used throughout man pages and program output, with the former used far more than the latter. This commit makes it consistent throughout the project.

* time-util: assume CLOCK_BOOTTIME always exists (Lennart Poettering, 2022-03-28, 1 file, -7/+7)
  Let's raise our supported baseline a bit: CLOCK_BOOTTIME started to work with timerfd in kernel 3.15 (i.e. back in 2014), let's require support for it now. This will raise our baseline only modestly from 3.13 → 3.15.
* strv: make iterator in STRV_FOREACH() declared in the loop (Yu Watanabe, 2022-03-19, 1 file, -1/+0)
  This also avoids multiple evaluations in STRV_FOREACH_BACKWARDS().
* network: re-design request queue (Yu Watanabe, 2022-03-11, 1 file, -2/+2)
  This makes the Request object take hash, compare, free, and process functions. With this change, the logic in networkd-queue.c can be mostly independent of the type of the request or the object (e.g. Address) assigned to the request, and it becomes simpler.
* network: introduce request_call_netlink_async() (Yu Watanabe, 2022-03-11, 1 file, -8/+2)
  In most netlink handlers, we do the following:
  1. decrease the message counter,
  2. check the link state,
  3. error handling,
  4. update link state via e.g. link_check_ready().
  The first two steps are mostly common, hence let's extract them. Moreover, this is not only extracting the common logic, but provides a strong advantage; `request_call_netlink_async()` assigns the relevant Request object to the userdata of the netlink slot, and the request object has full information about the message we sent. Hence, in the future, netlink handlers can print more detailed error messages. E.g. when an address fails to configure, then currently we only show that an address failed to configure, but with this commit, potentially we can show explicitly which address failed. This does not change such error handling yet. But let's do that later.
* network: make request_process_address() and friends take Link and corresponding object (Yu Watanabe, 2022-03-11, 1 file, -7/+2)
  This also renames e.g. request_process_address() -> address_process_request(). Also, this drops type checks such as `assert(req->type == REQUEST_TYPE_ADDRESS)`, as in the later commits, the function for processing a request, e.g. `address_process_request()`, will be assigned to the Request object when it is created. And the request type will be used to distinguish and to avoid deduplicating requests which do not have any assigned objects, like REQUEST_TYPE_DHCP4_CLIENT. Hence, the type checks in process functions are mostly not necessary and redundant. This is mostly cleanups and preparation for later commits, and should not change any behavior.
* network: compare addresses more strictly (Yu Watanabe, 2022-02-24, 1 file, -2/+2)
  This re-introduces the full hash and compare functions for Address, which were reverted in 1d30fc5cb64ecba2f03fe42aa0d8c65c3decad82 (#17851). The issue #17831, which is fixed by #17851, is handled in a different way; simply skip configuring the conflicted DHCPv6 address. Previously, we warned about the conflict, but continued to configure the address anyway, and the kernel ignored the request. So, it is not necessary to request the conflicted address on the networkd side.

  This fixes the following issues:
  - when a link has an address, and the corresponding .network file has the address with a different prefix length, then the prefix length specified in the .network file will not be applied,
  - we cannot specify multiple IPv4 addresses with different prefix lengths, e.g.
    ----
    Address=10.10.10.10/24
    Address=10.10.10.10/16
    ----
    This is a spurious setup, but the kernel allows it.

  Fixes #22515.
* network: disable NDisc for CAN interfaces (Yu Watanabe, 2022-01-31, 1 file, -0/+4)
  We already disabled DHCP clients for CAN interfaces.

* network: configure NDisc after MAC address is assigned (Yu Watanabe, 2022-01-31, 1 file, -2/+63)

* network: ndisc: ignore route prefix to ::/0 (Yu Watanabe, 2021-12-28, 1 file, -0/+5)
  Fixes #21912.
* network: wireguard: allow to run NDisc and RADV when IPv6LL address is manually configured (Yu Watanabe, 2021-12-09, 1 file, -1/+1)
  Fixes #17380.

* network: route: make route_cancel_request() take Link* (Yu Watanabe, 2021-12-06, 1 file, -1/+1)
  As the Route object may be managed by Manager.

* network: ndisc: introduce UseGateway= and UseRoutePrefix= settings (Yu Watanabe, 2021-11-09, 1 file, -13/+26)
  Closes #21263.
* network: ndisc: do not read DNSSL option when UseDomains=no (Yu Watanabe, 2021-11-09, 1 file, -10/+14)
  Previously, the following config did not work:
  ```
  [IPv6AcceptRA]
  UseDNS=no
  UseDomains=yes
  ```

* network: ndisc: split out prefix option handling into ndsic_router_process_prefix() (Yu Watanabe, 2021-11-09, 1 file, -44/+65)
* network: do not restart DHCPv6 client when WithoutRA= is set (Yu Watanabe, 2021-10-27, 1 file, -2/+2)
  Previously, even if WithoutRA= is specified, the DHCPv6 client may be restarted in an undesired mode when an RA is received.

* network: ndisc: fix behavior when DHCPv6Client=always (Yu Watanabe, 2021-10-26, 1 file, -20/+45)
  The man page says that when 'always' is set, the DHCPv6 client always starts in managed mode, and that means we need to ignore the RA flags.
* network: address: use usec_t for handling lifetime (Yu Watanabe, 2021-10-21, 1 file, -14/+13)
  This drops struct ifa_cacheinfo from Address, and stores the lifetime with usec_t. Why? Now, all requests of address configurations are once stored in the request queue, and will be processed when it is ready. So, the timestamp value passed to the kernel must be evaluated on configure.

  This also fixes the following two issues.
  - Time values in struct ifa_cacheinfo are stored in uint32_t. So, the validity check of the address configured by NDisc may fail on long-running systems.
  - If a system uses DHCPv6PD, when an interface may appear or be reconfigured later, then the lifetime value may be inappropriate. We need to adjust the lifetime with the current time and the timestamp of the lease.
* network: ndisc: rename valid_until -> lifetime_usec (Yu Watanabe, 2021-10-21, 1 file, -20/+24)

* network: ndisc: add missing lifetime check (Yu Watanabe, 2021-10-21, 1 file, -4/+7)

* network: route: rename lifetime -> lifetime_usec (Yu Watanabe, 2021-10-21, 1 file, -23/+25)