device: introduce ipv6.temp-valid-lifetime and ipv6.temp-preferred-lifetime properties

When IPv6 privacy extensions are enabled, by default temporary addresses
have a valid lifetime of 1 week and a preferred lifetime of 1 day.
That's far too long for privacy-conscious users, some of whom want a new
address once every few seconds. Add connection options that correspond
to /proc/sys/net/ipv6/conf/*/temp_valid_lft and
/proc/sys/net/ipv6/conf/*/temp_prefered_lft to allow configuring the
address rotation time on a per-connection basis.

The new properties are defined as 32-bit signed integers to match the
sysctl parameters which are also signed, although currently only
positive numbers are valid.

man/NetworkManager.conf.xml

@@ -1028,6 +1028,20 @@ ipv6.ip6-privacy=0
             started.
           </para></listitem>
         </varlistentry>
+        <varlistentry>
+          <term><varname>ipv6.temp-valid-lifetime</varname></term>
+          <listitem><para>If <literal>ipv6.temp-valid-lifetime</literal> is unset, fall back to the
+            original value of "/proc/sys/net/ipv6/conf/&lt;iface&gt;/temp_valid_lft" from before
+            NetworkManager started.
+          </para></listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><varname>ipv6.temp-preferred-lifetime</varname></term>
+          <listitem><para>If <literal>ipv6.temp-preferred-lifetime</literal> is unset, fall back to
+            the original value of "/proc/sys/net/ipv6/conf/&lt;iface&gt;/temp_prefered_lft" from
+            before NetworkManager started.
+          </para></listitem>
+        </varlistentry>
         <varlistentry>
           <term><varname>ipv6.required-timeout</varname></term>
         </varlistentry>

src/core/devices/nm-device.c

@@ -95,6 +95,9 @@
 #define CARRIER_WAIT_TIME_MS             6000
 #define CARRIER_WAIT_TIME_AFTER_MTU_MSEC 10000
 
+#define SECONDS_PER_WEEK 604800
+#define SECONDS_PER_DAY  86400
+
 #define NM_DEVICE_AUTH_RETRIES_UNSET    -1
 #define NM_DEVICE_AUTH_RETRIES_INFINITY -2
 #define NM_DEVICE_AUTH_RETRIES_DEFAULT  3
@@ -2314,6 +2317,92 @@ _prop_get_ipv6_ip6_privacy(NMDevice *self)
         NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN));
 }
 
+static gint32
+_prop_get_ipv6_temp_valid_lifetime(NMDevice *self)
+{
+    NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self);
+    gint32           temp_valid_lifetime;
+    NMConnection    *connection;
+
+    g_return_val_if_fail(self, 0);
+
+    /* 1.) First look at the per-connection setting. If it is not 0 (unknown), use it. */
+    connection = nm_device_get_applied_connection(self);
+    if (connection) {
+        NMSettingIPConfig *s_ip6 = nm_connection_get_setting_ip6_config(connection);
+
+        if (s_ip6) {
+            temp_valid_lifetime =
+                nm_setting_ip6_config_get_temp_valid_lifetime(NM_SETTING_IP6_CONFIG(s_ip6));
+            if (temp_valid_lifetime)
+                return temp_valid_lifetime;
+        }
+    }
+
+    /* 2.) Use the default value from the configuration. */
+    temp_valid_lifetime =
+        nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
+                                                    NM_CON_DEFAULT("ipv6.temp-valid-lifetime"),
+                                                    self,
+                                                    0,
+                                                    G_MAXINT32,
+                                                    0);
+    if (temp_valid_lifetime)
+        return temp_valid_lifetime;
+
+    /* 3.) No valid default value configured. Fall back to the original value
+     * from before NM started. */
+    return _nm_utils_ascii_str_to_int64(
+        g_hash_table_lookup(priv->ip6_saved_properties, "temp_valid_lft"),
+        10,
+        0,
+        G_MAXINT32,
+        SECONDS_PER_WEEK /* final hardcoded fallback: 1 week */);
+}
+
+static gint32
+_prop_get_ipv6_temp_preferred_lifetime(NMDevice *self)
+{
+    NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self);
+    gint32           temp_preferred_lifetime;
+    NMConnection    *connection;
+
+    g_return_val_if_fail(self, 0);
+
+    /* 1.) First look at the per-connection setting. If it is not 0 (unknown), use it. */
+    connection = nm_device_get_applied_connection(self);
+    if (connection) {
+        NMSettingIPConfig *s_ip6 = nm_connection_get_setting_ip6_config(connection);
+
+        if (s_ip6) {
+            temp_preferred_lifetime =
+                nm_setting_ip6_config_get_temp_preferred_lifetime(NM_SETTING_IP6_CONFIG(s_ip6));
+            if (temp_preferred_lifetime)
+                return temp_preferred_lifetime;
+        }
+    }
+
+    /* 2.) Use the default value from the configuration. */
+    temp_preferred_lifetime =
+        nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
+                                                    NM_CON_DEFAULT("ipv6.temp-preferred-lifetime"),
+                                                    self,
+                                                    0,
+                                                    G_MAXINT32,
+                                                    0);
+    if (temp_preferred_lifetime)
+        return temp_preferred_lifetime;
+
+    /* 3.) No valid default value configured. Fall back to the original value
+     * from before NM started. */
+    return _nm_utils_ascii_str_to_int64(
+        g_hash_table_lookup(priv->ip6_saved_properties, "temp_prefered_lft"),
+        10,
+        0,
+        G_MAXINT32,
+        SECONDS_PER_DAY /* final hardcoded fallback: 1 day */);
+}
+
 static NMSettingIP6ConfigAddrGenMode
 _prop_get_ipv6_addr_gen_mode(NMDevice *self)
 {
@@ -12425,6 +12514,8 @@ _dev_sysctl_save_ip6_properties(NMDevice *self)
         "disable_ipv6",
         "hop_limit",
         "use_tempaddr",
+        "temp_valid_lft",
+        "temp_prefered_lft",
     };
     NMDevicePrivate *priv     = NM_DEVICE_GET_PRIVATE(self);
     NMPlatform      *platform = nm_device_get_platform(self);
@@ -12524,6 +12615,17 @@ _dev_addrgenmode6_set(NMDevice *self, guint8 addr_gen_mode)
         }
     }
 
+    nm_device_sysctl_ip_conf_set(
+        self,
+        AF_INET6,
+        "temp_valid_lft",
+        nm_sprintf_buf(sbuf, "%u", (unsigned) _prop_get_ipv6_temp_valid_lifetime(self)));
+    nm_device_sysctl_ip_conf_set(
+        self,
+        AF_INET6,
+        "temp_prefered_lft",
+        nm_sprintf_buf(sbuf, "%u", (unsigned) _prop_get_ipv6_temp_preferred_lifetime(self)));
+
     if (addr_gen_mode == NM_IN6_ADDR_GEN_MODE_NONE) {
         gs_free char *value = NULL;
 

src/libnm-client-impl/libnm.ver

@@ -1983,6 +1983,8 @@ libnm_1_48_0 {
 global:
 	nm_setting_connection_down_on_poweroff_get_type;
 	nm_setting_connection_get_down_on_poweroff;
+	nm_setting_ip6_config_get_temp_preferred_lifetime;
+	nm_setting_ip6_config_get_temp_valid_lifetime;
 	nm_setting_ip_config_get_dhcp_send_release;
 	nm_setting_wired_add_mac_denylist_item;
 	nm_setting_wired_clear_mac_denylist_items;

src/libnm-core-impl/gen-metadata-nm-settings-libnm-core.xml.in

@@ -1848,6 +1848,14 @@
         <property name="routing-rules"
                   dbus-type="aa{sv}"
                   />
+        <property name="temp-preferred-lifetime"
+                  dbus-type="i"
+                  gprop-type="gint"
+                  />
+        <property name="temp-valid-lifetime"
+                  dbus-type="i"
+                  gprop-type="gint"
+                  />
         <property name="token"
                   dbus-type="s"
                   gprop-type="gchararray"

src/libnm-core-impl/nm-setting-ip6-config.c

@@ -40,6 +40,8 @@
 /*****************************************************************************/
 
 NM_GOBJECT_PROPERTIES_DEFINE_BASE(PROP_IP6_PRIVACY,
+                                  PROP_TEMP_VALID_LIFETIME,
+                                  PROP_TEMP_PREFERRED_LIFETIME,
                                   PROP_ADDR_GEN_MODE,
                                   PROP_TOKEN,
                                   PROP_DHCP_DUID,
@@ -54,6 +56,8 @@ typedef struct {
     char   *dhcp_duid;
     char   *dhcp_pd_hint;
     int     ip6_privacy;
+    gint32  temp_valid_lifetime;
+    gint32  temp_preferred_lifetime;
     gint32  addr_gen_mode;
     gint32  ra_timeout;
     guint32 mtu;
@@ -97,6 +101,44 @@ nm_setting_ip6_config_get_ip6_privacy(NMSettingIP6Config *setting)
     return NM_SETTING_IP6_CONFIG_GET_PRIVATE(setting)->ip6_privacy;
 }
 
+/**
+ * nm_setting_ip6_config_get_temp_valid_lifetime:
+ * @setting: the #NMSettingIP6Config
+ *
+ * Returns the value contained in the #NMSettingIP6Config:temp-valid-lifetime
+ * property.
+ *
+ * Returns: The valid lifetime of autogenerated temporary addresses.
+ *
+ * Since: 1.48
+ **/
+gint32
+nm_setting_ip6_config_get_temp_valid_lifetime(NMSettingIP6Config *setting)
+{
+    g_return_val_if_fail(NM_IS_SETTING_IP6_CONFIG(setting), 0);
+
+    return NM_SETTING_IP6_CONFIG_GET_PRIVATE(setting)->temp_valid_lifetime;
+}
+
+/**
+ * nm_setting_ip6_config_get_temp_preferred_lifetime:
+ * @setting: the #NMSettingIP6Config
+ *
+ * Returns the value contained in the #NMSettingIP6Config:temp-preferred-lifetime
+ * property.
+ *
+ * Returns: The preferred lifetime of autogenerated temporary addresses.
+ *
+ * Since: 1.48
+ **/
+gint32
+nm_setting_ip6_config_get_temp_preferred_lifetime(NMSettingIP6Config *setting)
+{
+    g_return_val_if_fail(NM_IS_SETTING_IP6_CONFIG(setting), 0);
+
+    return NM_SETTING_IP6_CONFIG_GET_PRIVATE(setting)->temp_preferred_lifetime;
+}
+
 /**
  * nm_setting_ip6_config_get_dhcp_pd_hint:
  * @setting: the #NMSettingIP6Config
@@ -952,6 +994,54 @@ nm_setting_ip6_config_class_init(NMSettingIP6ConfigClass *klass)
                                                  NMSettingIP6ConfigPrivate,
                                                  ip6_privacy);
 
+    /**
+     * NMSettingIP6Config:temp-valid-lifetime:
+     *
+     * The valid lifetime of autogenerated temporary addresses, in seconds.
+     *
+     * If set to "0" (unknown) for a connection, the value is taken from the
+     * global "ipv6.temp-valid-lifetime" setting. If the global setting is
+     * unspecified or also set to "0", the value is set from the original value
+     * of "/proc/sys/net/ipv6/conf/<iface>/temp_valid_lft" from before
+     * NetworkManager started.
+     *
+     * Since: 1.48
+     **/
+    _nm_setting_property_define_direct_int32(properties_override,
+                                             obj_properties,
+                                             NM_SETTING_IP6_CONFIG_TEMP_VALID_LIFETIME,
+                                             PROP_TEMP_VALID_LIFETIME,
+                                             0,
+                                             G_MAXINT32,
+                                             0,
+                                             NM_SETTING_PARAM_FUZZY_IGNORE,
+                                             NMSettingIP6ConfigPrivate,
+                                             temp_valid_lifetime);
+
+    /**
+     * NMSettingIP6Config:temp-preferred-lifetime:
+     *
+     * The preferred lifetime of autogenerated temporary addresses, in seconds.
+     *
+     * If set to "0" (unknown) for a connection, the value is taken from the
+     * global "ipv6.temp-preferred-lifetime" setting. If the global setting is
+     * unspecified or also set to "0", the value is set from the original value
+     * of "/proc/sys/net/ipv6/conf/<iface>/temp_prefered_lft" from before
+     * NetworkManager started.
+     *
+     * Since: 1.48
+     **/
+    _nm_setting_property_define_direct_int32(properties_override,
+                                             obj_properties,
+                                             NM_SETTING_IP6_CONFIG_TEMP_PREFERRED_LIFETIME,
+                                             PROP_TEMP_PREFERRED_LIFETIME,
+                                             0,
+                                             G_MAXINT32,
+                                             0,
+                                             NM_SETTING_PARAM_FUZZY_IGNORE,
+                                             NMSettingIP6ConfigPrivate,
+                                             temp_preferred_lifetime);
+
     /**
      * NMSettingIP6Config:addr-gen-mode:
      *

src/libnm-core-public/nm-setting-ip6-config.h

@@ -30,6 +30,10 @@ G_BEGIN_DECLS
 
 #define NM_SETTING_IP6_CONFIG_IP6_PRIVACY "ip6-privacy"
 
+#define NM_SETTING_IP6_CONFIG_TEMP_VALID_LIFETIME "temp-valid-lifetime"
+
+#define NM_SETTING_IP6_CONFIG_TEMP_PREFERRED_LIFETIME "temp-preferred-lifetime"
+
 #define NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE "addr-gen-mode"
 
 #define NM_SETTING_IP6_CONFIG_TOKEN "token"
@@ -156,6 +160,10 @@ GType nm_setting_ip6_config_get_type(void);
 NMSetting *nm_setting_ip6_config_new(void);
 
 NMSettingIP6ConfigPrivacy nm_setting_ip6_config_get_ip6_privacy(NMSettingIP6Config *setting);
+NM_AVAILABLE_IN_1_48
+gint32 nm_setting_ip6_config_get_temp_valid_lifetime(NMSettingIP6Config *setting);
+NM_AVAILABLE_IN_1_48
+gint32 nm_setting_ip6_config_get_temp_preferred_lifetime(NMSettingIP6Config *setting);
 NM_AVAILABLE_IN_1_2
 NMSettingIP6ConfigAddrGenMode nm_setting_ip6_config_get_addr_gen_mode(NMSettingIP6Config *setting);
 NM_AVAILABLE_IN_1_4

src/libnmc-setting/nm-meta-setting-desc.c

@@ -6664,6 +6664,12 @@ static const NMMetaPropertyInfo *const property_infos_IP6_CONFIG[] = {
             ),
         ),
     ),
+    PROPERTY_INFO_WITH_DESC (NM_SETTING_IP6_CONFIG_TEMP_VALID_LIFETIME,
+        .property_type =                &_pt_gobject_int,
+    ),
+    PROPERTY_INFO_WITH_DESC (NM_SETTING_IP6_CONFIG_TEMP_PREFERRED_LIFETIME,
+        .property_type =                &_pt_gobject_int,
+    ),
     PROPERTY_INFO_WITH_DESC (NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE,
         .property_type =                &_pt_gobject_enum,
         .property_typ_data = DEFINE_PROPERTY_TYP_DATA (

src/libnmc-setting/settings-docs.h.in

@@ -228,6 +228,8 @@
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ROUTE_TABLE N_("Enable policy routing (source routing) and set the routing table used when adding routes. This affects all routes, including device-routes, IPv4LL, DHCP, SLAAC, default-routes and static routes. But note that static routes can individually overwrite the setting by explicitly specifying a non-zero routing table. If the table setting is left at zero, it is eligible to be overwritten via global configuration. If the property is zero even after applying the global configuration value, policy routing is disabled for the address family of this connection. Policy routing disabled means that NetworkManager will add all routes to the main table (except static routes that explicitly configure a different table). Additionally, NetworkManager will not delete any extraneous routes from tables except the main table. This is to preserve backward compatibility for users who manage routing tables outside of NetworkManager.")
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ROUTES N_("Array of IP routes.")
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ROUTING_RULES N_("A comma separated list of routing rules for policy routing.")
+#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_TEMP_PREFERRED_LIFETIME N_("The preferred lifetime of autogenerated temporary addresses, in seconds. If set to \"0\" (unknown) for a connection, the value is taken from the global \"ipv6.temp-preferred-lifetime\" setting. If the global setting is unspecified or also set to \"0\", the value is set from the original value of \"/proc/sys/net/ipv6/conf/<iface>/temp_prefered_lft\" from before NetworkManager started.")
+#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_TEMP_VALID_LIFETIME N_("The valid lifetime of autogenerated temporary addresses, in seconds. If set to \"0\" (unknown) for a connection, the value is taken from the global \"ipv6.temp-valid-lifetime\" setting. If the global setting is unspecified or also set to \"0\", the value is set from the original value of \"/proc/sys/net/ipv6/conf/<iface>/temp_valid_lft\" from before NetworkManager started.")
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_TOKEN N_("Configure the token for draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized interface identifiers. Useful with eui64 addr-gen-mode. When set, the token is used as IPv6 interface identifier instead of the hardware address. This only applies to addresses from stateless autoconfiguration, not to IPv6 link local addresses.")
 #define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_ENCAPSULATION_LIMIT N_("How many additional levels of encapsulation are permitted to be prepended to packets. This property applies only to IPv6 tunnels. To disable this option, add 0x1 (ip6-ign-encap-limit) to ip-tunnel flags.")
 #define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_FLAGS N_("Tunnel flags. Currently, the following values are supported: 0x1 (ip6-ign-encap-limit), 0x2 (ip6-use-orig-tclass), 0x4 (ip6-use-orig-flowlabel), 0x8 (ip6-mip6-dev), 0x10 (ip6-rcv-dscp-copy) and 0x20 (ip6-use-orig-fwmark). They are valid only for IPv6 tunnels.")

src/nmcli/gen-metadata-nm-settings-nmcli.xml.in

@@ -1457,6 +1457,14 @@
                   nmcli-description="Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.  If enabled, it makes the kernel generate a temporary IPv6 address in addition to the public one generated from MAC address via modified EUI-64.  This enhances privacy, but could cause problems in some applications, on the other hand.  The permitted values are: -1: unknown, 0: disabled, 1: enabled (prefer public address), 2: enabled (prefer temporary addresses). If set to "-1" (unknown) for a connection, the value is taken from the global "ipv6.ip6-privacy" setting. If the global setting is unspecified or also set to "-1", the value is set from the original value of "/proc/sys/net/ipv6/conf/<iface>/use_tempaddr" from before NetworkManager started. Note that this setting is distinct from the Stable Privacy addresses that can be enabled with the "addr-gen-mode" property's "stable-privacy" setting as another way of avoiding host tracking with IPv6 addresses."
                   format="choice (NMSettingIP6ConfigPrivacy)"
                   values="unknown (-1), disabled (0), prefer-public-addr (1), prefer-temp-addr (2)" />
+        <property name="temp-valid-lifetime"
+                  nmcli-description="The valid lifetime of autogenerated temporary addresses, in seconds. If set to &quot;0&quot; (unknown) for a connection, the value is taken from the global &quot;ipv6.temp-valid-lifetime&quot; setting. If the global setting is unspecified or also set to &quot;0&quot;, the value is set from the original value of &quot;/proc/sys/net/ipv6/conf/&lt;iface&gt;/temp_valid_lft&quot; from before NetworkManager started."
+                  format="integer"
+                  values="0 - 2147483647" />
+        <property name="temp-preferred-lifetime"
+                  nmcli-description="The preferred lifetime of autogenerated temporary addresses, in seconds. If set to &quot;0&quot; (unknown) for a connection, the value is taken from the global &quot;ipv6.temp-preferred-lifetime&quot; setting. If the global setting is unspecified or also set to &quot;0&quot;, the value is set from the original value of &quot;/proc/sys/net/ipv6/conf/&lt;iface&gt;/temp_prefered_lft&quot; from before NetworkManager started."
+                  format="integer"
+                  values="0 - 2147483647" />
         <property name="addr-gen-mode"
                   nmcli-description="Configure method for creating the IPv6 interface identifer of addresses with RFC4862 IPv6 Stateless Address Autoconfiguration and Link Local addresses. The permitted values are: &quot;eui64&quot; (0), &quot;stable-privacy&quot; (1), &quot;default&quot; (3) or &quot;default-or-eui64&quot; (2). If the property is set to &quot;eui64&quot;, the addresses will be generated using the interface token derived from hardware address. This makes the host part of the address to stay constant, making it possible to track the host&apos;s presence when it changes networks. The address changes when the interface hardware is replaced. If a duplicate address is detected, there is also no fallback to generate another address. When configured, the &quot;ipv6.token&quot; is used instead of the MAC address to generate addresses for stateless autoconfiguration. If the property is set to &quot;stable-privacy&quot;, the interface identifier is generated as specified by RFC7217. This works by hashing a host specific key (see NetworkManager(8) manual), the interface name, the connection&apos;s &quot;connection.stable-id&quot; property and the address prefix.  This improves privacy by making it harder to use the address to track the host&apos;s presence and the address is stable when the network interface hardware is replaced. The special values &quot;default&quot; and &quot;default-or-eui64&quot; will fallback to the global connection default as documented in the NetworkManager.conf(5) manual. If the global default is not specified, the fallback value is &quot;stable-privacy&quot; or &quot;eui64&quot;, respectively. If not specified, when creating a new profile the default is &quot;default&quot;. Note that this setting is distinct from the Privacy Extensions as configured by &quot;ip6-privacy&quot; property and it does not affect the temporary addresses configured with this option."
                   format="choice (NMSettingIP6ConfigAddrGenMode)"