Media Access Control Security (MACsec) is an 802.1AE IEEE
industry-standard security technology that provides secure
communication for all traffic on Ethernet links.
MACsec provides point-to-point security on Ethernet links between
directly connected nodes and is capable of identifying and preventing
most security threats, including denial of service, intrusion,
man-in-the-middle, masquerading, passive wiretapping, and playback attacks.
Closes#5754
If e.g., an [Address] section has an invalid setting, then
previously assigned settings in the section is freed, and
only later settings are stored. That may cause partially broken
section stored in Network object.
This makes if an invalid setting is found, then set 'invalid' flag
instead of freeing it. And invalid sections are dropped later by
network_verify().
Previously, the route is added when the .network config is assigned
to a Link. So, if multiple links match the .network file, the route
entry becomes duplicated in the corresponding Network object.
When enabled, three samples are used to determine the value of a
received bit by majority rule.
This patch adds support for the TripleSampling= option in the [CAN]
section of .network files.
Previously, if a .networ file contains invalid [Address] or [Route]
section, then the file is completely dropped. This makes networkd
just drops invalid sections.
This test case is a bit silly, but it shows that our code is unprepared to
handle so many network servers, with quadratic complexity in various places.
I don't think there are any valid reasons to have hundres of NTP servers
configured, so let's just emit a warning and cut the list short.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13354
And before resolving NetDev names, check conditions in .network,
and if they do not match the system environment, drop the network
unit earlier.
Fixes#4211.
We were already using OrderedSets in the manager object, but strvs in the
configuration parsing code. Using sets gives us better scaling when many
domains are used.
In oss-fuzz #13059 the attached reproducer takes approximately 30.5 s to be
parsed. Converting to sets makes this go down to 10s. This is not _vastly_
faster, but using sets seems like a nicer approach anyway. In particular, we
avoid the quadratic de-unification operation after each addition.
Some settings cannot set simultaneously. Let's warn and drop
incompatible settings.
Currently, it is not comprehensive. But this may be a good first step.
Otherwise, LIST_REMOVE() in network_free() fails.
This fixes the following assertion:
```
systemd-networkd[2595]: Bus bus-api-network: changing state UNSET → OPENING
systemd-networkd[2595]: Bus bus-api-network: changing state OPENING → AUTHENTICATING
systemd-networkd[2595]: timestamp of '/etc/systemd/network' changed
systemd-networkd[2595]: /etc/systemd/network/10-hoge.network:1: Invalid section header '[Network]Address=192.168.0.1'
systemd-networkd[2595]: /etc/systemd/network/10-hoge.network:1: Failed to parse file: Bad message
systemd-networkd[2595]: Assertion '*_head == _item' failed at ../../home/watanabe/git/systemd/src/network/networkd-network.c:378, function network_free(). Aborting.
valgrind[2595]: ==2595==
valgrind[2595]: ==2595== Process terminating with default action of signal 6 (SIGABRT): dumping core
valgrind[2595]: ==2595== at 0x4BCA53F: raise (in /usr/lib64/libc-2.28.so)
valgrind[2595]: ==2595== by 0x4BB4894: abort (in /usr/lib64/libc-2.28.so)
valgrind[2595]: ==2595== by 0x4955F09: log_assert_failed_realm (log.c:795)
valgrind[2595]: ==2595== by 0x417101: network_free (networkd-network.c:378)
valgrind[2595]: ==2595== by 0x415E99: network_freep (networkd-network.h:282)
valgrind[2595]: ==2595== by 0x416AB2: network_load_one (networkd-network.c:101)
valgrind[2595]: ==2595== by 0x416C39: network_load (networkd-network.c:293)
valgrind[2595]: ==2595== by 0x414031: manager_load_config (networkd-manager.c:1502)
valgrind[2595]: ==2595== by 0x40B258: run (networkd.c:82)
valgrind[2595]: ==2595== by 0x40B74A: main (networkd.c:117)
valgrind[2595]: ==2595==
valgrind[2595]: ==2595== HEAP SUMMARY:
valgrind[2595]: ==2595== in use at exit: 32,621 bytes in 201 blocks
valgrind[2595]: ==2595== total heap usage: 746 allocs, 545 frees, 241,027 bytes allocated
valgrind[2595]: ==2595==
valgrind[2595]: ==2595== LEAK SUMMARY:
valgrind[2595]: ==2595== definitely lost: 0 bytes in 0 blocks
valgrind[2595]: ==2595== indirectly lost: 0 bytes in 0 blocks
valgrind[2595]: ==2595== possibly lost: 0 bytes in 0 blocks
valgrind[2595]: ==2595== still reachable: 32,621 bytes in 201 blocks
valgrind[2595]: ==2595== suppressed: 0 bytes in 0 blocks
valgrind[2595]: ==2595== Reachable blocks (those to which a pointer was found) are not shown.
valgrind[2595]: ==2595== To see them, rerun with: --leak-check=full --show-leak-kinds=all
valgrind[2595]: ==2595==
valgrind[2595]: ==2595== For counts of detected and suppressed errors, rerun with: -v
valgrind[2595]: ==2595== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
systemd-coredump[2600]: Process 2595 (memcheck-amd64-) of user 192 dumped core.
```
An earlier commit 0e408b82b (dhcp6-client: handle IAID with value zero)
introduced a flag to sd_dhcp6_client to distinguish between an unset
IAID and a value set to zero.
However, that was not sufficient and broke leaving the setting
uninitialized in networkd configuration. The configuration parsing
also must distinguish between the default, unset value and an
explict zero configuration.
Fixes: 0e408b82b8
https://tools.ietf.org/html/rfc1035#section-2.3.1 says (approximately)
that only letters, numbers, and non-leading non-trailing dashes are allowed
(for entries with A/AAAA records). We set no restrictions.
hosts(5) says:
> Host names may contain only alphanumeric characters, minus signs ("-"), and
> periods ("."). They must begin with an alphabetic character and end with an
> alphanumeric character.
nss-files follows those rules, and will ignore names in /etc/hosts that do not
follow this rule.
Let's follow the documented rules for /etc/hosts. In particular, this makes us
consitent with nss-files, reducing surprises for the user.
I'm pretty sure we should apply stricter filtering to names received over DNS
and LLMNR and MDNS, but it's a bigger project, because the rules differ
depepending on which level the label appears (rules for top-level names are
stricter), and this patch takes the minimalistic approach and only changes
behaviour for /etc/hosts.
Escape syntax is also disallowed in /etc/hosts, even if the resulting character
would be allowed. Other tools that parse /etc/hosts do not support this, and
there is no need to use it because no allowed characters benefit from escaping.
When using networkd we currently have no way of ensuring that static
neighbor entries are set when our link comes up. This change adds a new
section to the network definition that allows multiple static neighbors
to be set on a link.
The assertion was added in dbffab87f1 but I'm not exactly sure
why. Now it just crashes a fuzzer I wrote. I, of course, could fix the fuzzer
so that it would generate names ending in ".network" if anyone would tell
me why the assertion should be kept here.
This part of the copyright blurb stems from the GPL use recommendations:
https://www.gnu.org/licenses/gpl-howto.en.html
The concept appears to originate in times where version control was per
file, instead of per tree, and was a way to glue the files together.
Ultimately, we nowadays don't live in that world anymore, and this
information is entirely useless anyway, as people are very welcome to
copy these files into any projects they like, and they shouldn't have to
change bits that are part of our copyright header for that.
hence, let's just get rid of this old cruft, and shorten our codebase a
bit.
This patch add support to enables to send User Class option code 77
RFC 3004.
This option MAY carry multiple User Classes.
The format of this option is as follows:
Code Len Value
+-----+-----+--------------------- . . . --+
| 77 | N | User Class Data ('Len' octets) |
+-----+-----+--------------------- . . . --+
where Value consists of one or more instances of User Class Data.
Each instance of User Class Data is formatted as follows:
UC_Len_i User_Class_Data_i
+--------+------------------------ . . . --+
| L_i | Opaque-Data ('UC_Len_i' octets) |
+--------+------------------------ . . . --+
UserClass=
A DHCPv4 client can use UserClass option to identify the type or category of user or applications
it represents. The information contained in this option is an string that represents the user class
of which the client is a member. Each class sets an identifying string of information to be used by the DHCP service to classify clients. Takes a whitespace-separated list.
UserClass= hello world how are you
Closes: RFC: #5134
Rather than choosing to set or unset any of these flag
use kernel defaults. This patch makes following properties to unset.
UseBPDU = unset
HairPin = unset
FastLeave = unset
AllowPortToBeRoot = unset
UnicastFlood = unset
This cleans up handling of MTU values across the codebase. Previously
MTU values where stored sometimes in uint32_t, sometimes in uint16_t,
sometimes unsigned and sometimes in size_t. This now unifies this to
uint32_t across the codebase, as that's what netlink spits out, and what
the majority was already using.
Also, all MTU parameters are now parsed with config_parse_mtu() and
config_parse_ipv6_mtu() is dropped as it is now unneeded.
(Note there is one exception for the MTU typing: in the DCHPv4 code we
continue to process the MTU as uint16_t value, as it is encoded like
that in the protocol, and it's probably better stay close to the
protocol there.)
This drops a good number of type-specific _cleanup_ macros, and patches
all users to just use the generic ones.
In most recent code we abstained from defining type-specific macros, and
this basically removes all those added already, with the exception of
the really low-level ones.
Having explicit macros for this is not too useful, as the expression
without the extra macro is generally just 2ch wider. We should generally
emphesize generic code, unless there are really good reasons for
specific code, hence let's follow this in this case too.
Note that _cleanup_free_ and similar really low-level, libc'ish, Linux
API'ish macros continue to be defined, only the really high-level OO
ones are dropped. From now on this should really be the rule: for really
low-level stuff, such as memory allocation, fd handling and so one, go
ahead and define explicit per-type macros, but for high-level, specific
program code, just use the generic _cleanup_() macro directly, in order
to keep things simple and as readable as possible for the uninitiated.
Note that before this patch some of the APIs (notable libudev ones) were
already used with the high-level macros at some places and with the
generic _cleanup_ macro at others. With this patch we hence unify on the
latter.
Files which are installed as-is (any .service and other unit files, .conf
files, .policy files, etc), are left as is. My assumption is that SPDX
identifiers are not yet that well known, so it's better to retain the
extended header to avoid any doubt.
I also kept any copyright lines. We can probably remove them, but it'd nice to
obtain explicit acks from all involved authors before doing that.
This macro will read a pointer of any type, return it, and set the
pointer to NULL. This is useful as an explicit concept of passing
ownership of a memory area between pointers.
This takes inspiration from Rust:
https://doc.rust-lang.org/std/option/enum.Option.html#method.take
and was suggested by Alan Jenkins (@sourcejedi).
It drops ~160 lines of code from our codebase, which makes me like it.
Also, I think it clarifies passing of ownership, and thus helps
readability a bit (at least for the initiated who know the new macro)
This makes users can configure DHCPv4 client with ClientIdentifier=duid-only.
If set so, then DHCP client sends only DUID as the client identifier.
This may not be RFC compliant, but some setups require this.
Closes#7828.
The DHCPv6 client can obtain configuration parameters from a
DHCPv6 server through a rapid two-message exchange solicit and reply).
When the rapid commit option is enabled by both the DHCPv6 client and
the DHCPv6 server, the two-message exchange is used, rather than the default
four-method exchange (solicit, advertise, request, and reply). The two-message
exchange provides faster client configuration and is beneficial in environments
in which networks are under a heavy load.
Closes#5845
This adds a simple condition/assert/match to the service manager, to
udev's .link handling and to networkd, for matching the kernel version
string.
In this version we only do fnmatch() based globbing, but we might want
to extend that to version comparisons later on, if we like, by slightly
extending the syntax with ">=", "<=", ">", "<" and "==" expressions.
RequiredForOnline= denotes a link/network that does/does not require being up
for systemd-networkd-wait-online to consider the system online; this makes it
possible to ignore devices without modifying parameters to wait-online.
Add EmitDNS= and EmitDomains= options to the IPv6PrefixDelegation
network configuration file section so that sending DNS servers
and DNS search domains can be configured independent of each other.
The default values for both are set to true.
When an interface has been enslaved to a VRF the received routes should
be added to the VRFs RT instead of the main table.
This change modifies the default behaviour of routes in the case where a
network belongs to an VRF. When the user does not configure a
`DHCP.RouteTable` in a `systemd.network` file and the interface belongs
to a VRF, the VRFs routing table is used instead of RT_TABLE_MAIN.
When the user has configured a custom routing table for DHCP the VRFs
table is ignored and the users preference takes precedence.
Typically when DHCP server sets MTU it is a lower one. And a lower than usual
MTU is then thus required on said network to have operational networking. This
makes networkd's dhcp client to work in more similar way to other dhcp-clients
(e.g. isc-dhcp). In particular, in a cloud setting, without this default
instances have resulted in timing out talking to cloud metadata source and
failing to provision.
This does not change this default for the Annonymize code path.
Parse DNS search domains from .network files so that they are included
in Router Advertisement DNSSL options.
DNS search domains are added to the [IPv6PrefixDelegation] section using
the following syntax:
Domains=foo.example.com bar.example.com
If IDNA libraries are enabled in systemd, international domain names
are supported.
Routing Policy rule manipulates rules in the routing policy database control the
route selection algorithm.
This work supports to configure Rule
```
[RoutingPolicyRule]
TypeOfService=0x08
Table=7
From= 192.168.100.18
```
```
ip rule show
0: from all lookup local
0: from 192.168.100.18 tos 0x08 lookup 7
```
V2 changes:
1. Added logic to handle duplicate rules.
2. If rules are changed or deleted and networkd restarted
then those are deleted when networkd restarts next time
V3:
1. Add parse_fwmark_fwmask
Parse DNS IPv6 addresses and DNS server lifetime from .network files
so that they can be included in Router Advertisement RDNSS options.
RDNSS address and lifetime information is added to the
[IPv6PrefixDelegation] section according to the following syntax:
DNS=2001:db8:🅰️b 2001:db8::c:d
DNSLifetimeSec=1042
to initialize Network variables when Anonymize is true.
* do not send hostname
* client identifier set to MAC
* do not send vendor class identifier
* do not send other PRL options
Add variables for enabling Router Advertisements, router lifetime as
well as managed and other information flags indicating use of DHCPv6.
Add configuration of default router preferences as defined in RFC 4191.
IPv6PrefixDelegation in the [Network] section has to be set in order
to enable prefix delegation. The rest of the prefix delegation values
are stored in the [IPv6PrefixDelegation] section. The host will act as
a default router if it is given a non-zero lifetime with
RouterLifetimeSec. Managed and OtherInformation booleans set the level
of DHCPv6 support, and the RouterPreference configures the router's
preference between low, medium and high. Words 'normal' and 'default'
are added as synonyms for 'medium' just to make configuration simpler.
This adds a section like the following to .network configuration files:
[Network]
IPv6PrefixDelegation=true
[IPv6PrefixDelegation]
RouterLifetimeSec=2000
Managed=false
OtherInformation=true
RouterPreference=medium
Support zero or more [IPv6Prefix] sections in the network configuration
files. Each section can have one Prefix=<subnet>[/<prefixlength>]
option, with the preferred and valid lifetimes specified by
ValidLifetimeSec and PreferredLifetimeSec measured in seconds, and
with onlink and address autoconfiguration booleans specified by
OnLink and AddressAutoconfiguration variables.
This adds a section like the following to .network configuration files:
[IPv6Prefix]
Prefix=2001:db8:dead:beef::/64
OnLink=true
AddressAutoconfiguration=true
ValidLifetimeSec=1500
PreferredLifetimeSec=1000
Allow setting bridge port priority in the Bridge section of the network file,
similar to e.g. port path cost setting.
Set the default to an invalid value of 128, and only set the port priority when
it's not 128. Unlike e.g. path cost, zero is a valid priority value.
Add a networkd-test.py to check that bridge port priority is correctly set.
Incidently, fix bridge port cost type and document valid ranges.
Now we track the sections for example [Address] via line number.
Which was fine till we din't had dropins dir. If we have multiple
sections which have the ideantical line number in diffrent files
we are overwriting these since line number is the key.
This patch fixes this by taking filename and line number as key.
This fixes [Address] and [Route] section overwriting.
fixes: #5141
IPv6 Neighbor discovery proxy is the IPv6 equivalent to proxy ARP for IPv4.
It is required when ISPs do not unconditional route IPv6 subnets
to their designated target, but expect neighbor solicitation messages
for every address on a link.
A variable IPv6ProxyNDPAddress= is introduced to the [Network] section,
each representing a IPv6 neighbour proxy entry in the neighbour table.
DNS servers must be specified as IP addresses, hence let's store them as that
internally, so that they are guaranteed to be fully normalized always, and
invalid data cannot be stored.
The long name is just too hard to type. We generally should avoid using
acronyms too liberally, if they aren't established enough, but it appears that
"RA" is known well enough. Internally we call the option "ipv6_accept_ra"
anyway, and the kernel also exposes it under this name. Hence, let's rename the
IPv6AcceptRouterAdvertisements= setting and the
[IPv6AcceptRouterAdvertisements] section to IPv6AcceptRA= and [IPv6AcceptRA].
The old setting IPv6AcceptRouterAdvertisements= is kept for compatibility with
older configuration. (However the section [IPv6AcceptRouterAdvertisements] is
not, as it was never available in a published version of systemd.
This reworks sd-ndisc and networkd substantially to support IPv6 RA much more
comprehensively. Since the API is extended quite a bit networkd has been ported
over too, and the patch is not as straight-forward as one could wish. The
rework includes:
- Support for DNSSL, RDNSS and RA routing options in sd-ndisc and networkd. Two
new configuration options have been added to networkd to make this
configurable.
- sd-ndisc now exposes an sd_ndisc_router object that encapsulates a full RA
message, and has direct, friendly acessor functions for the singleton RA
properties, as well as an iterative interface to iterate through known and
unsupported options. The router object may either be retrieved from the wire,
or generated from raw data. In many ways the sd-ndisc API now matches the
sd-lldp API, except that no implicit database of seen data is kept. (Note
that sd-ndisc actually had a half-written, but unused implementaiton of such
a store, which is removed now.)
- sd-ndisc will now collect the reception timestamps of RA, which is useful to
make sd_ndisc_router fully descriptive of what it covers.
Fixes: #1079
Add an option to disable appending DHCP option 3 (Router) to the DHCP
OFFER and ACK packets.
This commit adds the boolean option EmitRouter= for the [DHCPServer]
section in .network files.
Rationale: On embedded devices, it is very useful to have a DHCP server
running on an USB OTG ethernet gadget interface to avoid manual setup on
the client PCs, but it should only serve IP addresses, no route(r)s.
Otherwise, Windows clients experience network connectivity issues, due
to them using the address set in DHCP option 3 as default gateway.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Separate fields are replaced with a struct.
Second second duid type field is removed. The first field was used to carry
the result of DUIDType= configuration, and the second was either a copy of
this, or contained the type extracted from DuidRawData. The semantics are changed
so that the type specified in DUIDType is always used. DUIDRawData= no longer
overrides the type setting.
The networkd code is now more constrained than the sd-dhcp code:
DUIDRawData cannot have 0 length, length 0 is treated the same as unsetting.
Likewise, it is not possible to set a DUIDType=0. If it ever becomes necessary
to set type=0 or a zero-length duid, the code can be changed to support that.
Nevertheless, I think that's unlikely.
This addresses #3127 § 1 and 3.
v2:
- rename DUID.duid, DUID.duid_len to DUID.raw_data, DUID.raw_data_len
Let's move DUID configuration into the [DHCP] section, since it only makes
sense in a DHCP context, and should be close to the configuration of
ClientIdentifier= and suchlike.
This really shouldn't be a section of its own, we don't have any for any of our
other per-protocol specific identifiers...
Follow-up for #2890#2943
IPv6 protocol requires a minimum MTU of 1280 bytes on the interface.
This fixes#3046.
Introduce helper link_ipv6_enabled() to figure out whether IPV6 is enabled.
Introduce network_has_static_ipv6_addresses() to find out if any static
ipv6 address configured.
If IPv6 is not configured on any interface that is SLAAC, DHCPv6 and static
IPv6 addresses not configured, then IPv6 will be automatically disabled for that
interface, that is we write "1" to /proc/sys/net/ipv6/conf//disable_ipv6.
This way "networkctl status" becomes a bit more useful by default, as router
information is just visible, without any further configuration.
LLDP reception is fully passive and relatively low simple and low traffic,
hence this should be safe to enable by default.
This reworks the sd-lldp substantially, simplifying things on one hand, and
extending the logic a bit on the other.
Specifically:
- Besides the sd_lldp object only one other object is maintained now,
sd_lldp_neighbor. It's used both as storage for literal LLDP packets, and for
maintainging info about peers in the database. Separation between packet, TLV
and chassis data is not maintained anymore. This should be a major
simplification.
- The sd-lldp API has been extended so that a couple of per-neighbor fields may
be queried directly, without iterating through the object. Other fields that
may appear multiple times, OTOH have to be iterated through.
- The maximum number of entries in the neighbor database is now configurable
during runtime.
- The generation of callbacks from sd_lldp objects is more restricted:
callbacks are only invoked when actual data changed.
- The TTL information is now hooked with a timer event, so that removals from
the neighbor database due to TTLs now result in a callback event.
- Querying LLDP neighbor database will now return a strictly ordered array, to
guarantee stability.
- A "capabilities" mask may now be configured, that selects what type of LLDP
neighbor data is collected. This may be used to restrict collection of LLDP
info about routers instead of all neighbors. This is now exposed via
networkd's LLDP= setting.
- sd-lldp's API to serialize the collected data to text files has been removed.
Instead, there's now an API to extract the raw binary data from LLDP neighbor
objects, as well as one to convert this raw binary data back to an LLDP
neighbor object. networkd will save this raw binary data to /run now, and the
client side can simply parse the information.
- support for parsing the more exotic TLVs has been removed, since we are not
using that. Instead there are now APIs to extract the raw data from TLVs.
Given how easy it is to parse the TLVs clients should do so now directly
instead of relying on our APIs for that.
- A lot of the APIs that parse out LLDP strings have been simplified so that
they actually return strings, instead of char arrays with a length. To deal
with possibly dangerous characters the strings are escaped if needed.
- APIs to extract and format the chassis and port IDs as strings has been
added.
- lldp.h has been simplified a lot. The enums are anonymous now, since they
were never used as enums, but simply as constants. Most definitions we don't
actually use ourselves have eben removed.
This changes the UseDomains= setting of .network files to take an optional third value "route", in addition to the
boolean values. If set, the passed domain information is used for routing rules only, but not for the search path
logic.
All booleans called dhcp_xyz are now called ".dhcp_use_xyz", to match their respective configuration file settings. This
should clarify things a bit, in particular as there is a DHCP hostname that was previously called just ".hostname"
because ".dhcp_hostname" was already existing as a bool. Since this confusion is removed now because the bool is called
".dhcp_use_hostname", the string field is now renamed to ".dhcp_hostname".
Previously, .network files only knew a vaguely defined "Domains=" concept, for which the documentation declared it was
the "DNS domain" for the network connection, without specifying what that means.
With this the Domains setting is reworked, so that there are now "routing" domains and "search" domains. The former are
to be used by resolved to route DNS request to specific network interfaces, the latter is to be used for searching
single-label hostnames with (in addition to being used for routing). Both settings are configured in the "Domains="
setting. Normal domain names listed in it are now considered search domains (for compatibility with existing setups),
while those prefixed with "~" are considered routing domains only. To route all lookups to a specific interface the
routing domain "." may be used, referring to the root domain. An alternative syntax for this is the "*", as was already
implemented before using the "wildcard" domain concept.
This commit adds proper parsers for this new logic, and exposes this via the sd-network API. This information is not
used by resolved yet, this will be added in a later commit.
For now only deserialize some basic state and the applied addresses.
When a link is added, try to deserialize it's state from /run. This
is relevant only when networkd is restarted at runtime.
There are more than enough calls doing string manipulations to deserve
its own files, hence do something about it.
This patch also sorts the #include blocks of all files that needed to be
updated, according to the sorting suggestions from CODING_STYLE. Since
pretty much every file needs our string manipulation functions this
effectively means that most files have sorted #include blocks now.
Also touches a few unrelated include files.
- Rely everywhere that we use abs() on the error code passed in anyway,
thus don't need to explicitly negate what we pass in
- Never attach synthetic error number information to log messages. Only
log about errors we *receive* with the error number we got there,
don't log any synthetic error, that don#t even propagate, but just eat
up.
- Be more careful with attaching exactly the error we get, instead of
errno or unrelated errors randomly.
- Fix one occasion where the error number and line number got swapped.
- Make sure we never tape over OOM issues, or inability to resolve
specifiers
Tests are modified to check behaviour with relax and without relax.
New tests are added for hostname_cleanup().
Tests are moved a new file (test-hostname-util) because there's
now a bunch of them.
New parameter is not used anywhere, except in tests, so there should
be no observable change.
Justification is similar to BPDUGuard rename. "Positive" values
are easier. This is a rather uncommon option, so using a slightly
longer name should not be a problem, and may in fact may make it
easier to guess what the option does without reading the
documentation.
Looking at the kernel commit, "on" seems to be the default value:
commit 867a59436fc35593ae0e0efcd56cc6d2f8506586
Author: Vlad Yasevich <vyasevic@redhat.com>
Date: Wed Jun 5 10:08:01 2013 -0400
bridge: Add a flag to control unicast packet flood.
Add a flag to control flood of unicast traffic. By default, flood is
on and the bridge will flood unicast traffic if it doesn't know
the destination. When the flag is turned off, unicast traffic
without an FDB will not be forwarded to the specified port.
... and it seems to be the reasonable thing to do by default.
Rename to follow the follow the style of other options.
In general "positive" options are preferred to "negative" ones,
because they are easier to describe and easier for humans to
parse (c.f. the shortening on the man page entry).
- Make sure that the IPv6PrivacyExtensions=yes results in
prefer-temporary, not prefer-public.
- Introduce special enum value "kernel" to leave setting unset, similar
how we have it for the IP forwarding settings.
- Bring the enum values in sync with the the strings we parse for them,
to the level this makes sense (specifically, rename "disabled" to
"no", and "prefer-temporary" to "yes").
- Make sure we really set the value to to "no" by default, the way it is
already documented in the man page.
- Fix whitespace error.
- Make sure link_ipv6_privacy_extensions() actually returns the correct
enum type, rather than implicitly casting it to "bool".
- properly size formatting buffer for ipv6 sysctl value
- Don't complain if /proc/sys isn't writable
- Document that the enum follows the kernel's own values (0 = off, 1 =
prefer-public, 2 = prefer-temporary)
- Drop redundant negating of error code passed to log_syntax()
- Manpage fixes
This fixes a number of issues from PR #417
This patch add support for ipv6 privacy extensions.
The variable /proc/sys/net/ipv6/conf/<if>/use_tempaddr
can be changed via the boolean
IPv6PrivacyExtensions=[yes/no/prefer-temporary]
When true enables privacy extensions, but prefer public addresses over
temporary addresses.
prefer-temporary prefers temporary adresses over public addresses.
Defaults to false.
[Match]
Name=enp0s25
[Network]
IPv6PrivacyExtensions=prefer-temporary
In 5a8bcb674f, IPForwarding was introduced
to set forwarding flags on interfaces in .network files. networkd sets
forwarding options regardless of the previous setting, even if it was
set by e.g. sysctl. This commit creates a new option for IPForwarding,
"kernel", that preserves the sysctl settings rather than always setting
them.
See https://bugs.freedesktop.org/show_bug.cgi?id=89509 for the initial
bug report.
previously hostname_is_valid was used to validate domain names, which
would silently drop perfectly valid dns names that were longer than a
single dns label.
This patch add support to create vti6 tunnel
test:
vt6.network
[Match]
Name=wlan0
[Network]
Tunnel=ip6vti
vti6.netdev
[NetDev]
Name=ip6vti
Kind=vti6
[Tunnel]
Local=2a00:ffde:4567:edde::4987
Remote=2001:473:fece:cafe::5179
ip link
11: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT
group default
link/tunnel6 :: brd ::
12: ip6vti@wlan0: <POINTOPOINT,NOARP> mtu 1500 qdisc noop state DOWN
mode DEFAULT group default
link/tunnel6 2a00:ffde:4567:edde::4987 peer 2001:473:fece:cafe::5179
This makes adds a couple of fixes:
- Introduces log_netdev_error_errno() and friends, which takes an error
number, and matches what log_link_error_errno() and friends do.
- Replaces a lof ot strerror() usage with log_netdev_error_errno(),
log_link_error_errno() and log_erro_errno()
- Uppercases the first character of many log messages, after all this is
supposed to be english language
- Drops manual negating of error codes before passing them to log
functions, the log functions all do that internally anyway.
Some other minor fixes.
Behaviour should not change really.
Introduce BindCarrier= to indicate the set of links that determine if
the current link should be brought UP or DOWN.
[tomegun: add a bit to commit message]
This patch removes includes that are not used. The removals were found with
include-what-you-use which checks if any of the symbols from a header is
in use.
This allows the admin to set the host-specific part of IPv6 addresses, but still
receive the prefix via SLAAC.
.network file snippet:
[Network]
IPv6Token=::12
gives:
$ ip token
token ::12 dev eth0
This closes https://bugs.freedesktop.org/show_bug.cgi?id=81177.
This allows both IPv4 and IPv6 link-local addresses to be enabled or disabled. By default
we still enable IPv6LL and disable IPv4LL. The old config option is kept for backwards
compatibility, but removed from the documentation.
This patch introduces ipv6 gre and gretap.
test:
ip6gre.netdev:
[NetDev]
Name=ip6gretap
Kind=ip6gretap
[Tunnel]
Local=2a00:ffde:4567:edde::4987
Remote=2001:473:fece:cafe::5179
ip6gre.network:
[Match]
Name=eno16777736
[Network]
Tunnel=ip6gretap
ip link
6: ip6gre@eno16777736: <POINTOPOINT,NOARP> mtu 1448 qdisc noop state
DOWN mode DEFAULT group default
link/gre6 2a:00:ff🇩🇪45:67:ed🇩🇪00:00:00:00:00:00:49:87 peer
20:01:04:73:fe:ce:ca:fe:00:00:00:00:00:00:51:79
This introduces am AddressFamilyBoolean type that works more or less
like a booleaan, but can optionally turn on/off things for ipv4 and ipv6
independently. THis also ports the DHCP field over to it.
This adds two new settings to networkd's .network files:
IPForwarding=yes and IPMasquerade=yes. The former controls the
"forwarding" sysctl setting of the interface, thus controlling whether
IP forwarding shall be enabled on the specific interface. The latter
controls whether a firewall rule shall be installed that exposes traffic
coming from the interface as coming from the local host to all other
interfaces.
This also enables both options by default for container network
interfaces, thus making "systemd-nspawn --network-veth" have network
connectivity out of the box.
Let's stick to generic sections that describe the general technology,
instead of specific per-object sections, unless we really have a reason
to do that otherwise.
This has been requested repeatedly, so let's give it a go. We explicitly do not allow matching
on names that have already been changed (from a previous udev run, or otherwise), and matching
on unpredictable names (ethX) is discouraged (but not currently disallowed).
We also currently allow:
[Match]
Name=veth0
[Link]
Name=my-name0
SomeOtherSetting=true
Which means that the link file will be applied the first time it is invoked, but
not on subsequent invocations, which may be surprising.
This patch add support to specify path cost of the
bridge port to be configured via conf file.
Exampe: conf
file: br.netdev
[NetDev]
Name=br-test
Kind=bridge
file: br.network
[Match]
Name=em1
[Network]
Bridge=br-test
[BridgePort]
Cost=332
bridge link
2: em1 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master
br-test state disabled priority 32 cost 332
Using:
find . -name '*.[ch]' | while read f; do perl -i.mmm -e \
'local $/;
local $_=<>;
s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg;
print;'
$f
done
And a couple of manual whitespace fixups.
As a followup to 086891e5c1 "log: add an "error" parameter to all
low-level logging calls and intrdouce log_error_errno() as log calls
that take error numbers", use sed to convert the simple cases to use
the new macros:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/'
Multi-line log_*() invocations are not covered.
And we also should add log_unit_*_errno().
It is redundant to store 'hash' and 'compare' function pointers in
struct Hashmap separately. The functions always comprise a pair.
Store a single pointer to struct hash_ops instead.
systemd keeps hundreds of hashmaps, so this saves a little bit of
memory.
This lets the routing metric for links to be specified per-network,
still defaulting to DHCP_ROUTE_METRIC (1024) if unspecified. Hopefully
this helps with multiple interfaces configured via DHCP.
This causes machines without connectivity to hang where they would otherwise fail. Keep it
opt-in for now, but consider whether we sholud just drop it.