wired-setting: add support to accept-all-mac-addresses

This patch is introducing the wired setting accept-all-mac-addresses
property. The value corresponds to the kernel flag IFF_PROMISC.

When accept-all-mac-address is enabled, the interface will accept all
the packets without checking the destination mac address.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>

src/core/devices/nm-device.c

@@ -693,6 +693,8 @@ typedef struct _NMDevicePrivate {
     } stats;
 
     bool mtu_force_set_done : 1;
+
+    NMOptionBool promisc_reset;
 } NMDevicePrivate;
 
 G_DEFINE_ABSTRACT_TYPE(NMDevice, nm_device, NM_TYPE_DBUS_OBJECT)
@@ -8435,8 +8437,10 @@ activate_stage2_device_config(NMDevice *self)
     NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self);
     NMDeviceClass *  klass;
     NMActStageReturn ret;
+    NMSettingWired * s_wired;
     gboolean         no_firmware = FALSE;
     CList *          iter;
+    NMTernary        accept_all_mac_addresses;
 
     nm_device_state_changed(self, NM_DEVICE_STATE_CONFIG, NM_DEVICE_STATE_REASON_NONE);
 
@@ -8494,6 +8498,25 @@ activate_stage2_device_config(NMDevice *self)
             nm_device_queue_recheck_assume(info->slave);
     }
 
+    s_wired = nm_device_get_applied_setting(self, NM_TYPE_SETTING_WIRED);
+    accept_all_mac_addresses =
+        s_wired ? nm_setting_wired_get_accept_all_mac_addresses(s_wired) : NM_TERNARY_DEFAULT;
+    if (accept_all_mac_addresses != NM_TERNARY_DEFAULT) {
+        int ifi_flags;
+
+        ifi_flags = nm_platform_link_get_ifi_flags(nm_device_get_platform(self),
+                                                   nm_device_get_ip_ifindex(self),
+                                                   IFF_PROMISC);
+        if (ifi_flags >= 0 && ((!!ifi_flags) != (!!accept_all_mac_addresses))) {
+            nm_platform_link_change_flags(nm_device_get_platform(self),
+                                          nm_device_get_ip_ifindex(self),
+                                          IFF_PROMISC,
+                                          !!accept_all_mac_addresses);
+            if (priv->promisc_reset == NM_OPTION_BOOL_DEFAULT)
+                priv->promisc_reset = !accept_all_mac_addresses;
+        }
+    }
+
     lldp_setup(self, NM_TERNARY_DEFAULT);
 
     nm_device_activate_schedule_stage3_ip_config_start(self);
@@ -16007,6 +16030,14 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
 
     _ethtool_state_reset(self);
 
+    if (priv->promisc_reset != NM_OPTION_BOOL_DEFAULT && ifindex > 0) {
+        nm_platform_link_change_flags(nm_device_get_platform(self),
+                                      ifindex,
+                                      IFF_PROMISC,
+                                      !!priv->promisc_reset);
+        priv->promisc_reset = NM_OPTION_BOOL_DEFAULT;
+    }
+
     _cleanup_generic_post(self, cleanup_type);
 }
 
@@ -18212,6 +18243,8 @@ nm_device_init(NMDevice *self)
 
     priv->v4_commit_first_time = TRUE;
     priv->v6_commit_first_time = TRUE;
+
+    priv->promisc_reset = NM_OPTION_BOOL_DEFAULT;
 }
 
 static GObject *

src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c

@@ -5179,6 +5179,11 @@ make_wired_setting(shvarFile *ifcfg, const char *file, NMSetting8021x **s_8021x,
     }
     nm_clear_g_free(&value);
 
+    g_object_set(s_wired,
+                 NM_SETTING_WIRED_ACCEPT_ALL_MAC_ADDRESSES,
+                 svGetValueTernary(ifcfg, "ACCEPT_ALL_MAC_ADDRESSES"),
+                 NULL);
+
     if (!found) {
         g_set_error(error,
                     NM_UTILS_ERROR,

src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.c

@@ -800,6 +800,7 @@ nms_ifcfg_rh_utils_is_numbered_tag_impl(const char *key,
     }
 
 const NMSIfcfgKeyTypeInfo nms_ifcfg_well_known_keys[] = {
+    _KEY_TYPE("ACCEPT_ALL_MAC_ADDRESSES", NMS_IFCFG_KEY_TYPE_IS_PLAIN),
     _KEY_TYPE("ACD_TIMEOUT", NMS_IFCFG_KEY_TYPE_IS_PLAIN),
     _KEY_TYPE("ADDRESS", NMS_IFCFG_KEY_TYPE_IS_NUMBERED),
     _KEY_TYPE("AP_ISOLATION", NMS_IFCFG_KEY_TYPE_IS_PLAIN),

src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.h

@@ -33,7 +33,7 @@ typedef struct {
     NMSIfcfgKeyTypeFlags key_flags;
 } NMSIfcfgKeyTypeInfo;
 
-extern const NMSIfcfgKeyTypeInfo nms_ifcfg_well_known_keys[247];
+extern const NMSIfcfgKeyTypeInfo nms_ifcfg_well_known_keys[248];
 
 const NMSIfcfgKeyTypeInfo *nms_ifcfg_well_known_key_find_info(const char *key, gssize *out_idx);
 

src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c

@@ -1170,6 +1170,10 @@ write_wired_setting(NMConnection *connection, shvarFile *ifcfg, GError **error)
 
     svSetValueStr(ifcfg, "TYPE", TYPE_ETHERNET);
 
+    svSetValueTernary(ifcfg,
+                      "ACCEPT_ALL_MAC_ADDRESSES",
+                      nm_setting_wired_get_accept_all_mac_addresses(s_wired));
+
     return TRUE;
 }
 

src/libnm-client-impl/libnm.ver

@@ -1788,4 +1788,5 @@ global:
 libnm_1_32_0 {
 global:
 	nm_setting_match_new;
+	nm_setting_wired_get_accept_all_mac_addresses;
 } libnm_1_30_0;

src/libnm-core-impl/nm-setting-wired.c

@@ -44,7 +44,8 @@ NM_GOBJECT_PROPERTIES_DEFINE(NMSettingWired,
                              PROP_S390_NETTYPE,
                              PROP_S390_OPTIONS,
                              PROP_WAKE_ON_LAN,
-                             PROP_WAKE_ON_LAN_PASSWORD, );
+                             PROP_WAKE_ON_LAN_PASSWORD,
+                             PROP_ACCEPT_ALL_MAC_ADDRESSES, );
 
 typedef struct {
     struct {
@@ -62,6 +63,7 @@ typedef struct {
     char *                  s390_nettype;
     char *                  wol_password;
     NMSettingWiredWakeOnLan wol;
+    NMTernary               accept_all_mac_addresses;
     guint32                 speed;
     guint32                 mtu;
     bool                    auto_negotiate : 1;
@@ -735,6 +737,22 @@ nm_setting_wired_get_wake_on_lan_password(NMSettingWired *setting)
     return NM_SETTING_WIRED_GET_PRIVATE(setting)->wol_password;
 }
 
+/**
+ * nm_setting_wired_get_accept_all_mac_addresses:
+ * @setting: the #NMSettingWired
+ *
+ * Returns: the #NMSettingWired:accept-all-mac-addresses property of the setting
+ *
+ * Since: 1.32
+ **/
+NMTernary
+nm_setting_wired_get_accept_all_mac_addresses(NMSettingWired *setting)
+{
+    g_return_val_if_fail(NM_IS_SETTING_WIRED(setting), NM_TERNARY_DEFAULT);
+
+    return NM_SETTING_WIRED_GET_PRIVATE(setting)->accept_all_mac_addresses;
+}
+
 static gboolean
 verify(NMSetting *setting, NMConnection *connection, GError **error)
 {
@@ -1039,6 +1057,9 @@ get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
     case PROP_WAKE_ON_LAN_PASSWORD:
         g_value_set_string(value, priv->wol_password);
         break;
+    case PROP_ACCEPT_ALL_MAC_ADDRESSES:
+        g_value_set_enum(value, priv->accept_all_mac_addresses);
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
         break;
@@ -1174,6 +1195,9 @@ set_property(GObject *object, guint prop_id, const GValue *value, GParamSpec *ps
         g_free(priv->wol_password);
         priv->wol_password = g_value_dup_string(value);
         break;
+    case PROP_ACCEPT_ALL_MAC_ADDRESSES:
+        priv->accept_all_mac_addresses = g_value_get_enum(value);
+        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
         break;
@@ -1191,7 +1215,8 @@ nm_setting_wired_init(NMSettingWired *setting)
     priv->mac_address_blacklist = g_array_new(TRUE, FALSE, sizeof(char *));
     g_array_set_clear_func(priv->mac_address_blacklist, (GDestroyNotify) clear_blacklist_item);
 
-    priv->wol = NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT;
+    priv->wol                      = NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT;
+    priv->accept_all_mac_addresses = NM_TERNARY_DEFAULT;
 }
 
 /**
@@ -1684,6 +1709,29 @@ nm_setting_wired_class_init(NMSettingWiredClass *klass)
                             "",
                             NULL,
                             G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
+    /**
+     * NMSettingWired:accept-all-mac-addresses:
+     *
+     * When %TRUE, setup the interface to accept packets for all MAC addresses.
+     * This is enabling the kernel interface flag IFF_PROMISC.
+     * When %FALSE, the interface will only accept the packets with the
+     * interface destination mac address or broadcast.
+     *
+     * Since: 1.32
+     **/
+    /* ---ifcfg-rh---
+     * property: accept-all-mac-addresses
+     * variable: ACCEPT_ALL_MAC_ADDRESSES
+     * description: Enforce the interface to accept all the packets.
+     * ---end---
+     */
+    obj_properties[PROP_ACCEPT_ALL_MAC_ADDRESSES] =
+        g_param_spec_enum(NM_SETTING_WIRED_ACCEPT_ALL_MAC_ADDRESSES,
+                          "",
+                          "",
+                          NM_TYPE_TERNARY,
+                          NM_TERNARY_DEFAULT,
+                          G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
 
     g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
 

src/libnm-core-impl/tests/test-general.c

@@ -3841,6 +3841,7 @@ test_connection_diff_a_only(void)
              {NM_SETTING_WIRED_S390_OPTIONS, NM_SETTING_DIFF_RESULT_IN_A},
              {NM_SETTING_WIRED_WAKE_ON_LAN, NM_SETTING_DIFF_RESULT_IN_A},
              {NM_SETTING_WIRED_WAKE_ON_LAN_PASSWORD, NM_SETTING_DIFF_RESULT_IN_A},
+             {NM_SETTING_WIRED_ACCEPT_ALL_MAC_ADDRESSES, NM_SETTING_DIFF_RESULT_IN_A},
              {NULL, NM_SETTING_DIFF_RESULT_UNKNOWN},
          }},
         {NM_SETTING_IP4_CONFIG_SETTING_NAME,

src/libnm-core-public/nm-setting-wired.h

@@ -79,6 +79,7 @@ typedef enum {                                             /*< flags >*/
 #define NM_SETTING_WIRED_S390_OPTIONS              "s390-options"
 #define NM_SETTING_WIRED_WAKE_ON_LAN               "wake-on-lan"
 #define NM_SETTING_WIRED_WAKE_ON_LAN_PASSWORD      "wake-on-lan-password"
+#define NM_SETTING_WIRED_ACCEPT_ALL_MAC_ADDRESSES  "accept-all-mac-addresses"
 
 /**
  * NMSettingWired:
@@ -106,6 +107,9 @@ gboolean    nm_setting_wired_get_auto_negotiate(NMSettingWired *setting);
 const char *nm_setting_wired_get_mac_address(NMSettingWired *setting);
 const char *nm_setting_wired_get_cloned_mac_address(NMSettingWired *setting);
 
+NM_AVAILABLE_IN_1_32
+NMTernary nm_setting_wired_get_accept_all_mac_addresses(NMSettingWired *setting);
+
 NM_AVAILABLE_IN_1_4
 const char *nm_setting_wired_get_generate_mac_address_mask(NMSettingWired *setting);
 

src/libnmc-setting/nm-meta-setting-desc.c

@@ -7455,6 +7455,9 @@ static const NMMetaPropertyInfo *const property_infos_WIRED[] = {
     PROPERTY_INFO_WITH_DESC (NM_SETTING_WIRED_WAKE_ON_LAN_PASSWORD,
         .property_type =                &_pt_gobject_mac,
     ),
+    PROPERTY_INFO_WITH_DESC (NM_SETTING_WIRED_ACCEPT_ALL_MAC_ADDRESSES,
+        .property_type =                &_pt_gobject_enum,
+    ),
     NULL
 };
 

src/libnmc-setting/settings-docs.h.in

@@ -89,6 +89,7 @@
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD_FLAGS N_("Flags indicating how to handle the \"private-key-password\" property.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_SUBJECT_MATCH N_("Substring to be matched against the subject of the certificate presented by the authentication server. When unset, no verification of the authentication server certificate's subject is performed.  This property provides little security, if any, and its use is deprecated in favor of NMSetting8021x:domain-suffix-match.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_SYSTEM_CA_CERTS N_("When TRUE, overrides the \"ca-path\" and \"phase2-ca-path\" properties using the system CA directory specified at configure time with the --system-ca-path switch.  The certificates in this directory are added to the verification chain in addition to any certificates specified by the \"ca-cert\" and \"phase2-ca-cert\" properties. If the path provided with --system-ca-path is rather a file name (bundle of trusted CA certificates), it overrides \"ca-cert\" and \"phase2-ca-cert\" properties instead (sets ca_cert/ca_cert2 options for wpa_supplicant).")
+#define DESCRIBE_DOC_NM_SETTING_WIRED_ACCEPT_ALL_MAC_ADDRESSES N_("When TRUE, setup the interface to accept packets for all MAC addresses. This is enabling the kernel interface flag IFF_PROMISC. When FALSE, the interface will only accept the packets with the interface destination mac address or broadcast.")
 #define DESCRIBE_DOC_NM_SETTING_WIRED_AUTO_NEGOTIATE N_("When TRUE, enforce auto-negotiation of speed and duplex mode. If \"speed\" and \"duplex\" properties are both specified, only that single mode will be advertised and accepted during the link auto-negotiation process: this works only for BASE-T 802.3 specifications and is useful for enforcing gigabits modes, as in these cases link negotiation is mandatory. When FALSE, \"speed\" and \"duplex\" properties should be both set or link configuration will be skipped.")
 #define DESCRIBE_DOC_NM_SETTING_WIRED_CLONED_MAC_ADDRESS N_("If specified, request that the device use this MAC address instead. This is known as MAC cloning or spoofing. Beside explicitly specifying a MAC address, the special values \"preserve\", \"permanent\", \"random\" and \"stable\" are supported. \"preserve\" means not to touch the MAC address on activation. \"permanent\" means to use the permanent hardware address if the device has one (otherwise this is treated as \"preserve\"). \"random\" creates a random MAC address on each connect. \"stable\" creates a hashed MAC address based on connection.stable-id and a machine dependent key. If unspecified, the value can be overwritten via global defaults, see manual of NetworkManager.conf. If still unspecified, it defaults to \"preserve\" (older versions of NetworkManager may use a different default value). On D-Bus, this field is expressed as \"assigned-mac-address\" or the deprecated \"cloned-mac-address\".")
 #define DESCRIBE_DOC_NM_SETTING_WIRED_DUPLEX N_("When a value is set, either \"half\" or \"full\", configures the device to use the specified duplex mode. If \"auto-negotiate\" is \"yes\" the specified duplex mode will be the only one advertised during link negotiation: this works only for BASE-T 802.3 specifications and is useful for enforcing gigabits modes, as in these cases link negotiation is mandatory. If the value is unset (the default), the link configuration will be either skipped (if \"auto-negotiate\" is \"no\", the default) or will be auto-negotiated (if \"auto-negotiate\" is \"yes\") and the local device will advertise all the supported duplex modes. Must be set together with the \"speed\" property if specified. Before specifying a duplex mode be sure your device supports it.")

src/nmcli/generate-docs-nm-settings-nmcli.xml.in

@@ -232,6 +232,8 @@
                   description="The NMSettingWiredWakeOnLan options to enable. Not all devices support all options. May be any combination of NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2), NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4), NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8), NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10), NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20), NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings) and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable management of Wake-on-LAN in NetworkManager)." />
         <property name="wake-on-lan-password"
                   description="If specified, the password used with magic-packet-based Wake-on-LAN, represented as an Ethernet MAC address.  If NULL, no password will be required." />
+        <property name="accept-all-mac-addresses"
+                  description="When TRUE, setup the interface to accept packets for all MAC addresses. This is enabling the kernel interface flag IFF_PROMISC. When FALSE, the interface will only accept the packets with the interface destination mac address or broadcast." />
     </setting>
     <setting name="adsl" >
         <property name="username"