When a failure occurs on deactivation of a connection, no error was
shown on the TUI client. It was not obvious if anything was actually
happening after pressing the <Deactivate> button.
This patch shows the error in a dialog just like we do when a failure
occurs on activation of a connection.
https://mail.gnome.org/archives/networkmanager-list/2020-May/msg00004.html
When the interface is in IPv4 or IPv6 shared mode and the user didn't
specify an explicit zone, use the nm-shared one.
Note that masquerade is still done through iptables direct calls
because at the moment it is not possible for a firewalld zone to do
masquerade based on the input interface.
The firewalld zone is needed on systems where firewalld is using the
nftables backend and the 'iptables' binary uses the iptables API
(instead of the nftables one). On such systems, even if the traffic is
allowed in iptables by our direct rules, it can still be dropped in
nftables by firewalld.
Install a NM-specific firewalld zone to be used for interfaces that
are used for connection sharing. The zone blocks all traffic to the
local machine except some protocols (DHCP, DNS and ICMP) and allows
all forwarded traffic.
For ip-tunnel modes that encapsulate layer2 packets (gretap and
ip6gretap) we allow the presence of an ethernet setting in the
connection and honor the cloned-mac-address specified in it.
For all other modes, the ethernet setting is removed during
normalization, but a value different from 'preserve' could be set via
global default.
The kernel doesn't allow setting a MAC for layer3 devices, don't do
it.
Suppress a leak report from openssl:
Direct leak of 192 byte(s) in 1 object(s) allocated from:
#0 0x7f6fe9c6b677 in __interceptor_malloc (/lib64/libasan.so.6+0xb0677)
#1 0x7f6fe4d4046d in CRYPTO_zalloc crypto/mem.c:230
#2 0x7f6fe4d0a91f in ENGINE_new crypto/engine/eng_lib.c:34
#3 0x7f6fe4d0c40d in ENGINE_rdrand crypto/engine/eng_rdrand.c:70
#4 0x7f6fe4d0c40d in engine_load_rdrand_int crypto/engine/eng_rdrand.c:85
#5 0x7f6fe4d370ec in ossl_init_engine_rdrand crypto/init.c:353
#6 0x7f6fe4d370ec in ossl_init_engine_rdrand_ossl_ crypto/init.c:347
#7 0x7f6fe995aace in __pthread_once_slow (/lib64/libpthread.so.0+0x11ace)
#8 0x7f6fe4da68fc in CRYPTO_THREAD_run_once crypto/threads_pthread.c:118
#9 0x7f6fe4d378ec in OPENSSL_init_crypto crypto/init.c:723
#10 0x7f6fe4d378ec in OPENSSL_init_crypto crypto/init.c:620
#11 0x7f6fe5292280 (/usr/lib64/pkcs11/libsofthsm2.so+0x78280)
#12 0x7f6fe5292364 (/usr/lib64/pkcs11/libsofthsm2.so+0x78364)
#13 0x7f6fe526f151 in SoftHSM::C_Initialize(void*) /usr/src/debug/softhsm-2.5.0-4.fc32.3.x86_64/src/lib/SoftHSM.cpp:485
#14 0x7f6fe523cc97 in C_Initialize (/usr/lib64/pkcs11/libsofthsm2.so+0x22c97)
#15 0x7f6fe4ecb233 in initialize_module_inlock_reentrant ../p11-kit/modules.c:738
#16 0x7f6fe4ecb382 in managed_C_Initialize ../p11-kit/modules.c:1584
#17 0x7f6fe4ecdbdf in p11_kit_modules_initialize ../p11-kit/modules.c:2157
#18 0x7f6fe4ecdbdf in p11_kit_modules_initialize ../p11-kit/modules.c:2145
#19 0x7f6fe4ed1a96 in proxy_create ../p11-kit/proxy.c:330
#20 0x7f6fe4ed1a96 in proxy_C_Initialize ../p11-kit/proxy.c:398
#21 0x7f6fe9a343b1 in secmod_ModuleInit /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/pk11wrap/pk11load.c:244
#22 0x7f6fe9a34adb in secmod_LoadPKCS11Module /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/pk11wrap/pk11load.c:501
#23 0x7f6fe9a419ec in SECMOD_LoadModule /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/pk11wrap/pk11pars.c:1840
#24 0x7f6fe9a41b27 in SECMOD_LoadModule /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/pk11wrap/pk11pars.c:1876
#25 0x7f6fe9a0dd00 in nss_Init /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/nss/nssinit.c:712
#26 0x7f6fe9a0e3ab in NSS_NoDB_Init /usr/src/debug/nss-3.51.0-1.fc32.x86_64/nss/lib/nss/nssinit.c:950
#27 0x55c942e2f1b2 in _nm_crypto_init libnm-core/nm-crypto-nss.c:61
#28 0x55c942d6f2da in nm_crypto_load_and_verify_certificate libnm-core/nm-crypto.c:721
#29 0x55c942c99681 in _cert_impl_set libnm-core/nm-setting-8021x.c:497
#30 0x55c942c9d83b in nm_setting_802_1x_set_ca_cert libnm-core/nm-setting-8021x.c:1033
#31 0x55c942c63513 in _test_8021x_cert_from_files libnm-core/tests/test-keyfile.c:382
#32 0x55c942c6425a in test_8021x_cert libnm-core/tests/test-keyfile.c:436
#33 0x7f6fe965429d in test_case_run ../glib/gtestutils.c:2633
#34 0x7f6fe965429d in g_test_run_suite_internal ../glib/gtestutils.c:2721
On CentOS 8, many devel packages are not available. Even after
# dnf config-manager --set-enabled PowerTools
certain devel packages are missing. Some of these (libndp-devel,
mobile-broadband-provider-info-devel, teamd-devel) we build in copr
([1]), but libpsl-devel and qt-devel are still missing.
Only install them optionally and allow failure for them not being
present.
[1] https://copr.fedorainfracloud.org/coprs/nmstate/nm-build-deps/repo/epel-8/nmstate-nm-build-deps-epel-8.repo
UBSan marks these:
libnm-core/tests/test-setting.c:2146:2: runtime error: left shift of 65521 by 16 places cannot be represented in type 'int'
#0 0x561739bed935 in test_tc_config_qdisc libnm-core/tests/test-setting.c:2146
By passing as length of the MAC addresses -1 for both arguments, one
could get through to compare empty strings, NULL, and addresses longer
than the maximum. Such addresses are not valid, and they should never
compare equal (not even to themselves).
This is a change in behavior of public API, but it never made sense to
claim two addresses are equal, when they are not even valid addresses.
Also, avoid undefined behavior with "NULL, -1, NULL, -1" arguments,
where we would call memcmp() with zero length and NULL arguments.
UBSan flags that too.
When configuring with sanitizers enabled, ./configure.ac sets
-DVALGRIND=1 in the CFLAGS.
This causes a compilation error later:
$ /bin/sh ./libtool --tag=CC --mode=compile gcc ... -DVALGRIND=1 ... src/dhcp/nm-dhcp-nettools.c
...
In file included from src/dhcp/nm-dhcp-nettools.c:16:
./shared/systemd/sd-adapt-shared/nm-sd-adapt-shared.h:73: error: "VALGRIND" redefined [-Werror]
#define VALGRIND 0
