libnm,core: add support for "suppress_prefixlength" rule attribute

WireGuard's wq-quick configures such rules to avoid routing loops.
While we currently don't have an automatic solution for this, at least
we should support it via explicit user configuration.

One problem is that suppress_prefixlength is relatively new and kernel
might not support this attribute. That can lead to odd results, because
the NetworkManager is valid but it cannot be configured on the current
kernel. But this is a general problem, and we would require a general
solution. The solution cannot be to only support rule attributes that
are supported by the oldest possible kernel. It's not clear how much of
a problem there really is, or which general solution is required (if
any).

libnm-core/nm-core-internal.h

@@ -676,6 +676,7 @@ gboolean nm_ip_routing_rule_get_xifname_bin (const NMIPRoutingRule *self,
 #define NM_IP_ROUTING_RULE_ATTR_PRIORITY              "priority"
 #define NM_IP_ROUTING_RULE_ATTR_SPORT_END             "sport-end"
 #define NM_IP_ROUTING_RULE_ATTR_SPORT_START           "sport-start"
+#define NM_IP_ROUTING_RULE_ATTR_SUPPRESS_PREFIXLENGTH "suppress-prefixlength"
 #define NM_IP_ROUTING_RULE_ATTR_TABLE                 "table"
 #define NM_IP_ROUTING_RULE_ATTR_TO                    "to"
 #define NM_IP_ROUTING_RULE_ATTR_TOS                   "tos"

libnm-core/nm-setting-ip-config.c

@@ -1392,6 +1392,7 @@ struct NMIPRoutingRule {
 	guint ref_count;
 	guint32 priority;
 	guint32 table;
+	gint32 suppress_prefixlength;
 	guint32 fwmark;
 	guint32 fwmask;
 	guint16 sport_start;
@@ -1476,6 +1477,7 @@ nm_ip_routing_rule_new (int addr_family)
 		.is_v4                 = (addr_family == AF_INET),
 		.action                = FR_ACT_TO_TBL,
 		.table                 = RT_TABLE_MAIN,
+		.suppress_prefixlength = -1,
 	};
 	return self;
 }
@@ -1543,6 +1545,8 @@ nm_ip_routing_rule_new_clone (const NMIPRoutingRule *rule)
 
 		.action                = rule->action,
 		.table                 = rule->table,
+
+		.suppress_prefixlength = rule->suppress_prefixlength,
 	};
 	return self;
 }
@@ -2325,6 +2329,38 @@ nm_ip_routing_rule_set_table (NMIPRoutingRule *self, guint32 table)
 	self->table = table;
 }
 
+/**
+ * nm_ip_routing_rule_get_suppress_prefixlength:
+ * @self: the #NMIPRoutingRule instance
+ *
+ * Returns: the suppress_prefixlength of the rule. -1 means that the value is unset.
+ *
+ * Since: 1.20
+ */
+gint32
+nm_ip_routing_rule_get_suppress_prefixlength (const NMIPRoutingRule *self)
+{
+	g_return_val_if_fail (NM_IS_IP_ROUTING_RULE (self, TRUE), -1);
+
+	return self->suppress_prefixlength;
+}
+
+/**
+ * nm_ip_routing_rule_set_suppress_prefixlength:
+ * @self: the #NMIPRoutingRule instance
+ * @suppress_prefixlength: the suppress_prefixlength to set. The value -1 means
+ *   unset.
+ *
+ * Since: 1.20
+ */
+void
+nm_ip_routing_rule_set_suppress_prefixlength (NMIPRoutingRule *self, gint32 suppress_prefixlength)
+{
+	g_return_if_fail (NM_IS_IP_ROUTING_RULE (self, FALSE));
+
+	self->suppress_prefixlength = suppress_prefixlength;
+}
+
 /**
  * nm_ip_routing_rule_cmp:
  * @rule: (allow-none): the #NMIPRoutingRule instance to compare
@@ -2361,6 +2397,8 @@ nm_ip_routing_rule_cmp (const NMIPRoutingRule *rule,
 
 	NM_CMP_FIELD (rule, other, table);
 
+	NM_CMP_FIELD (rule, other, suppress_prefixlength);
+
 	NM_CMP_FIELD (rule, other, sport_start);
 	NM_CMP_FIELD (rule, other, sport_end);
 	NM_CMP_FIELD (rule, other, dport_start);
@@ -2571,6 +2609,20 @@ nm_ip_routing_rule_validate (const NMIPRoutingRule *self,
 		return FALSE;
 	}
 
+	if (self->suppress_prefixlength != -1) {
+		if (   self->suppress_prefixlength < -1
+		    || self->suppress_prefixlength > (self->is_v4 ? 32 : 128)) {
+			g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY,
+			                     _("suppress_prefixlength out of range"));
+			return FALSE;
+		}
+		if (self->action != FR_ACT_TO_TBL) {
+			g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY,
+			                     _("suppress_prefixlength is only allowed with the to-table action"));
+			return FALSE;
+		}
+	}
+
 	return TRUE;
 }
 
@@ -2593,6 +2645,7 @@ typedef enum {
 	RR_DBUS_ATTR_SPORT_END,
 	RR_DBUS_ATTR_SPORT_START,
 	RR_DBUS_ATTR_TABLE,
+	RR_DBUS_ATTR_SUPPRESS_PREFIXLENGTH,
 	RR_DBUS_ATTR_TO,
 	RR_DBUS_ATTR_TOS,
 	RR_DBUS_ATTR_TO_LEN,
@@ -2622,6 +2675,7 @@ static const RRDbusData rr_dbus_data[_RR_DBUS_ATTR_NUM] = {
 	_D (RR_DBUS_ATTR_PRIORITY,              NM_IP_ROUTING_RULE_ATTR_PRIORITY,              G_VARIANT_TYPE_UINT32),
 	_D (RR_DBUS_ATTR_SPORT_END,             NM_IP_ROUTING_RULE_ATTR_SPORT_END,             G_VARIANT_TYPE_UINT16),
 	_D (RR_DBUS_ATTR_SPORT_START,           NM_IP_ROUTING_RULE_ATTR_SPORT_START,           G_VARIANT_TYPE_UINT16),
+	_D (RR_DBUS_ATTR_SUPPRESS_PREFIXLENGTH, NM_IP_ROUTING_RULE_ATTR_SUPPRESS_PREFIXLENGTH, G_VARIANT_TYPE_INT32),
 	_D (RR_DBUS_ATTR_TABLE,                 NM_IP_ROUTING_RULE_ATTR_TABLE,                 G_VARIANT_TYPE_UINT32),
 	_D (RR_DBUS_ATTR_TO,                    NM_IP_ROUTING_RULE_ATTR_TO,                    G_VARIANT_TYPE_STRING),
 	_D (RR_DBUS_ATTR_TOS,                   NM_IP_ROUTING_RULE_ATTR_TOS,                   G_VARIANT_TYPE_BYTE),
@@ -2788,6 +2842,9 @@ nm_ip_routing_rule_from_dbus (GVariant *variant,
 	if (variants[RR_DBUS_ATTR_TABLE])
 		nm_ip_routing_rule_set_table (self, g_variant_get_uint32 (variants[RR_DBUS_ATTR_TABLE]));
 
+	if (variants[RR_DBUS_ATTR_SUPPRESS_PREFIXLENGTH])
+		nm_ip_routing_rule_set_suppress_prefixlength (self, g_variant_get_int32 (variants[RR_DBUS_ATTR_SUPPRESS_PREFIXLENGTH]));
+
 	if (   strict
 	    && !nm_ip_routing_rule_validate (self, error))
 		return NULL;
@@ -2889,6 +2946,9 @@ nm_ip_routing_rule_to_dbus (const NMIPRoutingRule *self)
 	if (self->table != 0)
 		_rr_to_dbus_add (&builder, RR_DBUS_ATTR_TABLE, g_variant_new_uint32 (self->table));
 
+	if (self->suppress_prefixlength != -1)
+		_rr_to_dbus_add (&builder, RR_DBUS_ATTR_SUPPRESS_PREFIXLENGTH, g_variant_new_int32 (self->suppress_prefixlength));
+
 	return g_variant_builder_end (&builder);;
 }
 
@@ -2965,6 +3025,7 @@ nm_ip_routing_rule_from_string (const char *str,
 	gint64 i64_fwmask = -1;
 	gint64 i64_sport_start = -1;
 	gint64 i64_ipproto = -1;
+	gint64 i64_suppress_prefixlength = -1;
 	guint16 sport_end = 0;
 	gint64 i64_dport_start = -1;
 	guint16 dport_end = 0;
@@ -3160,6 +3221,17 @@ nm_ip_routing_rule_from_string (const char *str,
 			word_oifname = word1;
 			goto next_words_consumed;
 		}
+		if (NM_IN_STRSET (word0, "suppress_prefixlength",
+		                         "sup_pl")) {
+			if (!word1)
+				continue;
+			if (i64_suppress_prefixlength != -1)
+				goto next_fail_word0_duplicate_key;
+			i64_suppress_prefixlength = _nm_utils_ascii_str_to_int64 (word1, 0, 0, G_MAXINT32, -1);;
+			if (i64_suppress_prefixlength == -1)
+				goto next_fail_word1_invalid_value;
+			goto next_words_consumed;
+		}
 
 		/* also the action is still unsupported. For the moment, we only support
 		 * FR_ACT_TO_TBL, which is the default (by not expressing it on the command
@@ -3253,6 +3325,9 @@ next_words_consumed:
 	if (i64_dport_start != -1)
 		nm_ip_routing_rule_set_destination_port (self, i64_dport_start, dport_end);
 
+	if (i64_suppress_prefixlength != -1)
+		nm_ip_routing_rule_set_suppress_prefixlength (self, i64_suppress_prefixlength);
+
 	if (   val_from_len > 0
 	    || (   val_from_len == 0
 	        && !nm_ip_addr_is_null (addr_family, &val_from))) {
@@ -3489,6 +3564,12 @@ nm_ip_routing_rule_to_string (const NMIPRoutingRule *self,
 		                        (guint) self->table);
 	}
 
+	if (self->suppress_prefixlength != -1) {
+		g_string_append_printf (nm_gstring_add_space_delimiter (str),
+		                        "suppress_prefixlength %d",
+		                        (int) self->suppress_prefixlength);
+	}
+
 	return g_string_free (g_steal_pointer (&str), FALSE);
 }
 

libnm-core/nm-setting-ip-config.h

@@ -262,6 +262,11 @@ guint32 nm_ip_routing_rule_get_table (const NMIPRoutingRule *self);
 NM_AVAILABLE_IN_1_18
 void nm_ip_routing_rule_set_table (NMIPRoutingRule *self, guint32 table);
 
+NM_AVAILABLE_IN_1_20
+gint32 nm_ip_routing_rule_get_suppress_prefixlength (const NMIPRoutingRule *self);
+NM_AVAILABLE_IN_1_20
+void nm_ip_routing_rule_set_suppress_prefixlength (NMIPRoutingRule *self, gint32 suppress_prefixlength);
+
 NM_AVAILABLE_IN_1_18
 int nm_ip_routing_rule_cmp (const NMIPRoutingRule *rule,
                             const NMIPRoutingRule *other);

libnm/libnm.ver

@@ -1614,6 +1614,8 @@ global:
 	nm_device_modem_get_apn;
 	nm_device_modem_get_device_id;
 	nm_device_modem_get_operator_code;
+	nm_ip_routing_rule_get_suppress_prefixlength;
+	nm_ip_routing_rule_set_suppress_prefixlength;
 	nm_setting_connection_get_wait_device_timeout;
 	nm_setting_ethtool_get_optnames;
 	nm_setting_ovs_dpdk_get_devargs;

src/NetworkManagerUtils.c

@@ -946,6 +946,7 @@ nm_ip_routing_rule_to_platform (const NMIPRoutingRule *rule,
 		.dst_len                    = nm_ip_routing_rule_get_to_len (rule),
 		.action                     = nm_ip_routing_rule_get_action (rule),
 		.table                      = nm_ip_routing_rule_get_table (rule),
+		.suppress_prefixlen_inverse = ~((guint32) nm_ip_routing_rule_get_suppress_prefixlength (rule)),
 	};
 
 	nm_ip_routing_rule_get_xifname_bin (rule, TRUE,  out_pl->iifname);