Commit Graph

21226 Commits

Author SHA1 Message Date
Lubomir Rintel
ecc074b2f8 initrd: add command line parser 2018-09-18 17:40:47 +02:00
Lubomir Rintel
b544f7243d initrd: add iBFT reader
This is loosely based on nms-ibft-reader, but with some significant
changes. Notably, it parses /sys/firmware/ibft directly instead of
iscsiadm output.

iscsiadm is not available on early boot (perhaps it's too large) and
turns out that parsing sysfs directly is easier and more
straightforward anyways. A win-win situation.

It is not useful alone, it's in a separate commit just for the sake of
easier review.
2018-09-18 17:40:47 +02:00
Lubomir Rintel
c263f5355c config: add --configure-and-quit=initrd mode
We need a mode that:

* doesn't leave processes behind
* doesn't force an internal dhclient
* doesn't auto-generate default connections
* doesn't write out files into libdir, only /run

The original configure-and-quit mode doesn't really fit the initrd use. But
it's probably not a good idea to just change its behavior.
2018-09-18 17:40:47 +02:00
Lubomir Rintel
e03d9ad1e0 dbus: don't even bother connecting in configure-and-quit mode
It makes no sense, results in unnecessary complexity both in code and in
code comments.
2018-09-18 17:40:47 +02:00
Lubomir Rintel
ce4dbd7daf keyfile: write in-memory connections to /run
This is useful for in-memory connections to persist NetworkManager
restarts (as opposed to machine restarts).

Perhaps most importantly, this allows generating in-memory connections outside
NetworkManager, e.g. passing configuration from early boot firmware in initrd.

Note that this does *not* aspire to do more than it says on the tin:
Notably, it doesn't touch the problem of provisioning connections in multiple
persistent connection directories and thus doesn't have to deal with the
problem of deleting or overlaying the connections that (rh #772414) deals
with.
2018-09-18 17:40:47 +02:00
Lubomir Rintel
e98ebc7e3b manager: don't save deactivating connections in the state file
Especially with configure-and-quit, it's easy to encounter a condition,
where the device reached a failed state, policy decides to quit, but the
active connection is not yet torn down from the device.

Upon the next start NetworkManager would think the connection succeeded
activating.
2018-09-18 17:40:47 +02:00
Lubomir Rintel
e1fc005239 dns: don't let the plugins assert the bus manager has a connection
Make them just ask for connections from GDBus, as other D-Bus clients
do. GDBus anyway reuses the connection if it has one, but allows us to
deal with errors in a more civilized manner.
2018-09-18 17:40:47 +02:00
Lubomir Rintel
89d1c9fb30 devices: make sure the generated connections are normalized
Using these unnormalized was wrong all along, but by chance didn't hit
paths that needed normalized connections. This may change if we
actually write in memory connections to /run with the keyfile plugin,
because that one wants them normalized.

This also saves some work, because normalization does boring things for
us, such as adding default ipv4/ipv6/proxy settings everywhere.
2018-09-18 17:40:47 +02:00
Lubomir Rintel
c39b134da1 core/setting: don't assume we have a connection when synthesizing a property
nm_setting_to_string() operates on the setting alone, without a
connection. Tolerate that.

This fixed nm_connection_dump(vlan_connection).
2018-09-18 17:40:47 +02:00
Lubomir Rintel
acbeda57fc build: drop unused SBINDIR 2018-09-18 17:40:47 +02:00
Lubomir Rintel
639a45f6c3 config: change formatting for no reason 2018-09-18 17:40:47 +02:00
Lubomir Rintel
47b877a7a6 device: don't leave dhclient running upon device removal
Leaving processes behind is a no-no for early boot, but probably a wrong
thing to do in any other cases either.
2018-09-18 17:40:47 +02:00
Lubomir Rintel
55d24ba94e dhcp: save root-path in the state file
On networked boot we need to somehow communicate this to the early boot
machinery. Sadly, no DBus there and we're running in configure-and-quit
mode.

Abusing the state file for this sounds almost reasonable and is
a reasonably straightforward thing to do.
2018-09-18 17:40:47 +02:00
Beniamino Galvani
e07b13ca02 merge: branch 'bg/n-acd-update'
https://github.com/NetworkManager/NetworkManager/pull/195
2018-09-18 15:53:39 +02:00
Beniamino Galvani
691c71a7f2 build: allow disabling eBPF support in n-acd
Add a configure option to disable eBPF support in n-acd.

Note that, even if eBPF is not supported, n-acd requires a kernel >
3.19, which means that the setsockopt(..., SO_ATTACH_BPF) option must
be defined. To allow building on older kernels without modifying the
n-acd code, we inject the SO_ATTACH_BPF value as a preprocessor define
in the compiler command line.
2018-09-18 15:32:36 +02:00
Beniamino Galvani
d9a4b59c18 acd: adapt NM code and build options
Adapt the nm-acd-manager.c code to the new API and also tweak build
options to the new project structure.
2018-09-18 15:32:36 +02:00
Beniamino Galvani
88072c6621 build: compile the c-rbtree library 2018-09-18 15:15:34 +02:00
Beniamino Galvani
51776b297e build: don't change CFLAGS from configure.ac
If configure.ac automatically adds compiler flags to CFLAGS, it
becomes hard to override one of them for a specific target because
CFLAGS is added last. It is better to use AM_CFLAGS. See [1].

[1] https://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
2018-09-18 15:15:31 +02:00
Beniamino Galvani
d0c32a15a5 Merge commit '1361ede099f51cc29b478ebee6a736219ad74b97' into bg/n-acd-update
git subtree pull --prefix shared/n-acd git@github.com:nettools/n-acd.git master --squash
2018-09-18 15:15:02 +02:00
Beniamino Galvani
1361ede099 Squashed 'shared/n-acd/' changes from a68b55992..a40949267
a40949267 build: add CI run without ebpf
044db2056 n-acd: drop redundant headers
6a391cd83 n-acd: fix build without eBPF
bb194cf09 n-acd/config: make transport mandatory
ec2865743 build: drop unused c-sundry
721d9d84f n-acd: inline c_container_of()
1a7ee317c util/timer: fix coding-style
6c96f926b util/timer: fall back to CLOCK_MONOTONIC if necessary
4ea3165fc n-acd: only use CLOCK_BOOTTIME if really necessary
c1b853c6c util/timer: cleanup headers
b1d6ad272 n-acd: add destructors that return void
185be55b6 test-bpf: skip test in case of unsufficient privs
84a40e8fa build: add NEWS file
bf11443ff build: mention mailinglist in readme
e2797984a test-bpf: drop bpf-filter.h
668ed3c82 subprojects: pull in updates
dd8cab3f0 test-veth: reduce parallel execution to 9
68b09ba2b build: update AUTHORS
3f77e3e88 test: make function headers valid C
5275a5120 test: get rid of spurious tab
037df412c n-acd: make struct initializers valid C
346ec0c67 build: upgrade CI
38682a36d n-acd: fix signed vs unsigned comparison
5e7578b33 bpf: properly zero out trailing bpf_attr space
ee1e432ae probe: fix coding-style
a143540f9 build: use lower-case build options
835533e7d build: minor style fixes
2bd6d1d29 build: get rid of tabs
b14979934 eBPF: make compile-time optional
6f13c27ee n-acd: filter out invalid packets
4e6a169a0 build: sync with c-util repositories
6c4a9117b build: document eBPF kernel requirement
3ef08394d n-acd: don't remember dropped defense attempts
4dff8771f n-acd: fix coding-style
b11fb9706 n-acd/config: default to the RFC-specified timeout
d885bb3b7 n-acd/event: don't expose the type of operation that caused a conflict
e2f87e047 TODO: drop remaining items
f06993856 test/veth: reduce the number of probed addresses
8b4f7ed64 test/veth: bump the timeout a bit
14e4606f6 n-acd/probe: don't cap the jitter at 4s
a0247b86f test/veth: fix stackvariable corruption
a64ac8389 n-acd/probe: update comments
aa9c25bc1 n-acd/handle_timeout: update comments
b6c2df3a9 timer: rename timer_pop() to timer_pop_timeout()
47c657a8d test: fix handling of child addresses
27168ba9e timer: move timer_read() from n-acd.c to util/timer.c
21a1e37aa timer: require timer to be explicitly rearmed
ee1080820 bpf/map: make key/value sizes self-documenting
fd444353e test/veth: rework test
ba2bc433c test: rework child_ip() helper
07881b8da test: silence a warning
38da00b0a test/bpf: make tests for map modifications more comprehensive
6a2ffd23a test/timerfd: for documentation purposes verify the kernel API
01a9cf54b probe: move from ms to ns internally
4fe438dd9 n-acd: move to use the Timer utility library
e098cfc79 util: add a timer utility helper
8ea196e5b subprojects: pull in c-sundry
0c0b3c29f acd/probe: do not subscribe to packets in FAILED state
9c922ea3d acd/probe: introduce probe_{un,}link() helpers
024a830e6 acd/probe: use unschedule() helper in free()
b098a3bcc tests/veth: minor fixes to the test
fe3d9578a acd/packet: consider unexpected packets a fatal error
34d7656d7 acd: stop state-machine after USED or CONFLICT events
7d9e5ec6b acd: don't declare iovec entries inline
7afd8d8a3 tests: add veth test
26a737b42 tests/veth: add helper for adding IP addresses to child device
e73a37a11 probe: store a userdata pointer in the probe object
327e82625 test: introduce loopback helper
0682b15f8 acd: reduce default map size
afead881f tests: reinstate loopback test
4527d2f71 BPF: move and document the eBPF helpers
88bacc022 socket filter: move to the new eBPF helpers
245104d5c tests: skip tests if lacking permissions
195d9ff5a n-acd: rework API to support many probes on a context
ab440eb99 eBPF: never return packets that userspace should unconditionally drop
ac933f412 eBPF: add eBPF helper functions

git-subtree-dir: shared/n-acd
git-subtree-split: a40949267923c45cb232fa4c1d60eafacee4b36e
2018-09-18 15:14:49 +02:00
Beniamino Galvani
ba4452fe77 Merge commit '4f4e96655625a0ad8c5fc451c5a3a8dda3bf5456' as 'shared/c-rbtree'
Imported c-rbtree code with command:

  git subtree add --prefix shared/c-rbtree git@github.com:c-util/c-rbtree.git bf627e0c32241915108f66ad9738444e4d045b45 --squash

To update the library use:

  git subtree pull --prefix shared/c-rbtree git@github.com:c-util/c-rbtree.git master --squash
2018-09-18 15:08:46 +02:00
Beniamino Galvani
4f4e966556 Squashed 'shared/c-rbtree/' content from commit bf627e0c3
git-subtree-dir: shared/c-rbtree
git-subtree-split: bf627e0c32241915108f66ad9738444e4d045b45
2018-09-18 15:08:36 +02:00
Thomas Haller
9ad60ad092 shared: relax assertion in nm_utils_parse_inaddr()/nm_utils_parse_inaddr_prefix()
The assertion fails in nmtui's ip_route_transform_from_dest_string(),
which does not initialize the address output argument to %NULL.

There are three possibilities how the API could work:

 - assert/require the user to pass in arguments which are pre-initialized
   to NULL or unset.
 - always set the output arguments, even if the function fails.
 - don't bother and leave output values untouched, if function fails.

It's not clear which approach is the best. Not to bother possibly
leaves uninitialized values, which could be error prone. Still, do
just that.

Fixes: 0b3197a3fd
2018-09-18 08:00:06 +02:00
Thomas Haller
fa40fc6d76 connectivity: fix crash when removing easy-handle from curl callback
libcurl does not allow removing easy-handles from within a curl
callback.

That was already partly avoided for one handle alone. That is, when
a handle completed inside a libcurl callback, it would only invoke the
callback, but not yet delete it. However, that is not enough, because
from within a callback another handle can be cancelled, leading to
the removal of (the other) handle and a crash:

  ==24572==    at 0x40319AB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==24572==    by 0x52DDAE5: Curl_close (url.c:392)
  ==24572==    by 0x52EC02C: curl_easy_cleanup (easy.c:825)
  ==24572==    by 0x5FDCD2: cb_data_free (nm-connectivity.c:215)
  ==24572==    by 0x5FF6DE: nm_connectivity_check_cancel (nm-connectivity.c:585)
  ==24572==    by 0x55F7F9: concheck_handle_complete (nm-device.c:2601)
  ==24572==    by 0x574C12: concheck_cb (nm-device.c:2725)
  ==24572==    by 0x5FD887: cb_data_invoke_callback (nm-connectivity.c:167)
  ==24572==    by 0x5FD959: easy_header_cb (nm-connectivity.c:435)
  ==24572==    by 0x52D73CB: chop_write (sendf.c:612)
  ==24572==    by 0x52D73CB: Curl_client_write (sendf.c:668)
  ==24572==    by 0x52D54ED: Curl_http_readwrite_headers (http.c:3904)
  ==24572==    by 0x52E9EA7: readwrite_data (transfer.c:548)
  ==24572==    by 0x52E9EA7: Curl_readwrite (transfer.c:1161)
  ==24572==    by 0x52F4193: multi_runsingle (multi.c:1915)
  ==24572==    by 0x52F5531: multi_socket (multi.c:2607)
  ==24572==    by 0x52F5804: curl_multi_socket_action (multi.c:2771)

Fix that, by never invoking any callbacks when we are inside a libcurl
callback. Instead, the handle is marked for completion and queued. Later,
we complete all queue handles separately.

While at it, drop the @error argument from NMConnectivityCheckCallback.
It was only used to signal cancellation. Let's instead signal that via
status NM_CONNECTIVITY_CANCELLED.

https://bugzilla.gnome.org/show_bug.cgi?id=797136
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1792745
https://bugzilla.opensuse.org/show_bug.cgi?id=1107197
https://github.com/NetworkManager/NetworkManager/pull/207

Fixes: d8a31794c8
2018-09-17 18:21:32 +02:00
Thomas Haller
0b3197a3fd shared: let nm_utils_parse_inaddr_bin() return the detected address family
As we accept addr_family %AF_UNSPEC to detect the address family,
we also need to return it. Just returning the binary address without
the address family makes no sense.
2018-09-17 14:52:54 +02:00
luz.paz
58510ed566 docs: misc. typos pt2
Remainder of typos found using `codespell -q 3 --skip="./shared,./src/systemd,*.po" -I ../NetworkManager-word-whitelist.txt` whereby whitelist consists of:
```
ans
busses
cace
cna
conexant
crasher
iff
liftime
creat
nd
sav
technik
uint
```

https://github.com/NetworkManager/NetworkManager/pull/205
2018-09-17 11:26:13 +02:00
luz.paz
f985b6944a docs: misc. typos
Found via `codespell -q 3 --skip="*.po"`

https://github.com/NetworkManager/NetworkManager/pull/203
2018-09-15 09:08:03 +02:00
Thomas Haller
30674675cb release: bump version to 1.15.1-dev after 1.14.0 release
After 1.14.0 is released, merge it back into master so that
1.14.0 is part of the history of master. That means,
  $ git log --first-parent master
will also traverse 1.14.0 and 1.14-rc*.

Also bump the micro version to 1.15.1-dev to indicate that this is
after 1.14.0 is out.
2018-09-14 21:30:15 +02:00
Thomas Haller
2979c891c4 release: bump version to 1.14.0 2018-09-14 21:02:42 +02:00
Thomas Haller
93727f13e8 release: update NEWS 2018-09-14 21:02:31 +02:00
Thomas Haller
ff8777cdde libnm/trivial: whitespace
(cherry picked from commit 3b5912f08d)
2018-09-14 17:29:05 +02:00
Beniamino Galvani
6a9d2740ac clients: fix memory leak when parsing routes
The new hash table should destroy elements stolen from the hash table
returned by nm_utils_parse_variant_attributes().

Fixes: d094914120
(cherry picked from commit 31bda1b837)
2018-09-14 17:29:05 +02:00
Thomas Haller
74a3d184b0 libnm: document nm_utils_parse_variant_attributes() returning floating references
See-also: https://bugzilla.redhat.com/show_bug.cgi?id=1594887
(cherry picked from commit e645aeb12c)
2018-09-14 17:29:05 +02:00
Thomas Haller
3b5912f08d libnm/trivial: whitespace 2018-09-14 17:27:44 +02:00
Beniamino Galvani
31bda1b837 clients: fix memory leak when parsing routes
The new hash table should destroy elements stolen from the hash table
returned by nm_utils_parse_variant_attributes().

Fixes: d094914120
2018-09-14 17:21:00 +02:00
Thomas Haller
e645aeb12c libnm: document nm_utils_parse_variant_attributes() returning floating references
See-also: https://bugzilla.redhat.com/show_bug.cgi?id=1594887
2018-09-14 17:19:40 +02:00
Thomas Haller
c642f943c9 libnm: add missing NM_AVAILABLE_IN_1_2 macro for nm_connection_get_setting_tun()
(cherry picked from commit a525b12c5a)
2018-09-14 17:07:27 +02:00
Thomas Haller
749ea94902 libnm: add missing NM_AVAILABLE_IN_1_14 macro to new API
Fixes: df30651b89
(cherry picked from commit bbc93a2e30)
2018-09-14 17:07:27 +02:00
Thomas Haller
070e4e392e autoptr: add missing autoptr cleanup functions
(cherry picked from commit c1b647d54f)
2018-09-14 17:07:27 +02:00
Thomas Haller
a525b12c5a libnm: add missing NM_AVAILABLE_IN_1_2 macro for nm_connection_get_setting_tun() 2018-09-14 16:54:40 +02:00
Thomas Haller
bbc93a2e30 libnm: add missing NM_AVAILABLE_IN_1_14 macro to new API
Fixes: df30651b89
2018-09-14 16:54:40 +02:00
Thomas Haller
c1b647d54f autoptr: add missing autoptr cleanup functions 2018-09-14 16:54:40 +02:00
Thomas Haller
fe866fbeb3 libnm: drop API nm_connection_get_setting_{6lowpan,sriov,wpan}()
Note that NMSettingEthtool and NMSettingMatch don't have such
functions either.

We have API

  nm_connection_get_setting (NMConnection *, GType)
  nm_connection_get_setting_by_name (NMConnection *, const char *)

which can be used generically, meaning: the requested setting type
is an argument to the function. That is generally more useful and
flexible.

Don't add API which duplicates existing functionality and is (arguably)
inferior. Drop it now. This is an ABI/API break for the current development
cycle where the 1.14.0 API is still unstable. Indeed it's already after
1.14-rc1, which is ugly. But it's also unlikely that somebody already uses
this API/ABI and is badly impacted by this change.

Note that nm_connection_get_setting() and nm_connection_get_setting_by_name()
are slightly inconvenient in C still, because they usually require a cast.
We should fix that by changing the return type to "void *". Such
a change may be possible any time without breaking API/ABI (almost, it'd
be an API change when taking a function pointer without casting).

(cherry picked from commit a10156f516)
2018-09-14 16:30:51 +02:00
Thomas Haller
a10156f516 libnm: drop API nm_connection_get_setting_{6lowpan,sriov,wpan}()
Note that NMSettingEthtool and NMSettingMatch don't have such
functions either.

We have API

  nm_connection_get_setting (NMConnection *, GType)
  nm_connection_get_setting_by_name (NMConnection *, const char *)

which can be used generically, meaning: the requested setting type
is an argument to the function. That is generally more useful and
flexible.

Don't add API which duplicates existing functionality and is (arguably)
inferior. Drop it now. This is an ABI/API break for the current development
cycle where the 1.14.0 API is still unstable. Indeed it's already after
1.14-rc1, which is ugly. But it's also unlikely that somebody already uses
this API/ABI and is badly impacted by this change.

Note that nm_connection_get_setting() and nm_connection_get_setting_by_name()
are slightly inconvenient in C still, because they usually require a cast.
We should fix that by changing the return type to "void *". Such
a change may be possible any time without breaking API/ABI (almost, it'd
be an API change when taking a function pointer without casting).
2018-09-14 16:29:31 +02:00
Thomas Haller
f71f9b54a8 vpn: disconnect signal handlers from proxy in NMVpnConnection::dispose()
We cannot be sure who holds a reference to the proxy, and
who is gonna call us back after the VPN connection instance
is destroyed.

(cherry picked from commit 6ebb9091d2)
2018-09-14 15:24:31 +02:00
Thomas Haller
011dd919fa vpn: fix assertion during "SecretsRequired" in unexpected state
Got this assertion:

    NetworkManager[12939]: <debug> [1536917977.4868] active-connection[0x563d8fd34540]: set state deactivated (was deactivating)
    ...
    NetworkManager[12939]: nm-openvpn[1106] <info>  openvpn[1132]: send SIGTERM
    NetworkManager[12939]: nm-openvpn[1106] <info>  wait for 1 openvpn processes to terminate...
    NetworkManager[12939]: nm-openvpn[1106] <warn>  openvpn[1132] exited with error code 1
    NetworkManager[12939]: <info>  [1536917977.5035] vpn-connection[0x563d8fd34540,2fdeaea3-975f-4325-8305-83ebca5eaa26,"my-openvpn-Red-Hat",0]: VPN plugin: requested secrets; state disconnected (9)
    NetworkManager[12939]: plugin_interactive_secrets_required: assertion 'priv->vpn_state == STATE_CONNECT || priv->vpn_state == STATE_NEED_AUTH' failed

Meaning. We should either ensure that secrets_required_cb() signal callback
is disconnected from proxy's signal, or we gracefully handle callbacks at
unexpected moments. Do the latter.

(cherry picked from commit 92344dd084)
2018-09-14 15:24:31 +02:00
Thomas Haller
6ebb9091d2 vpn: disconnect signal handlers from proxy in NMVpnConnection::dispose()
We cannot be sure who holds a reference to the proxy, and
who is gonna call us back after the VPN connection instance
is destroyed.
2018-09-14 15:23:45 +02:00
Thomas Haller
92344dd084 vpn: fix assertion during "SecretsRequired" in unexpected state
Got this assertion:

    NetworkManager[12939]: <debug> [1536917977.4868] active-connection[0x563d8fd34540]: set state deactivated (was deactivating)
    ...
    NetworkManager[12939]: nm-openvpn[1106] <info>  openvpn[1132]: send SIGTERM
    NetworkManager[12939]: nm-openvpn[1106] <info>  wait for 1 openvpn processes to terminate...
    NetworkManager[12939]: nm-openvpn[1106] <warn>  openvpn[1132] exited with error code 1
    NetworkManager[12939]: <info>  [1536917977.5035] vpn-connection[0x563d8fd34540,2fdeaea3-975f-4325-8305-83ebca5eaa26,"my-openvpn-Red-Hat",0]: VPN plugin: requested secrets; state disconnected (9)
    NetworkManager[12939]: plugin_interactive_secrets_required: assertion 'priv->vpn_state == STATE_CONNECT || priv->vpn_state == STATE_NEED_AUTH' failed

Meaning. We should either ensure that secrets_required_cb() signal callback
is disconnected from proxy's signal, or we gracefully handle callbacks at
unexpected moments. Do the latter.
2018-09-14 15:23:45 +02:00
Thomas Haller
6bfab6796f cli: fix reading "vpn.secrets.*" from passwd-file
Due to a bug, we required VPN secrets to be prefixed with
"vpn.secret." instead of "vpn.secrets.". This was a change
in behavior with 1.12.0 release.

Fix it, to restore the old behavior. For backward compatibility
to the broken behavior, adjust parse_passwords() to accept
that as well.

https://bugzilla.redhat.com/show_bug.cgi?id=1628833
https://github.com/NetworkManager/NetworkManager/pull/201

Fixes: 0601b5d725
(cherry picked from commit 5815ae8c60)
2018-09-14 15:17:53 +02:00
Thomas Haller
5815ae8c60 cli: fix reading "vpn.secrets.*" from passwd-file
Due to a bug, we required VPN secrets to be prefixed with
"vpn.secret." instead of "vpn.secrets.". This was a change
in behavior with 1.12.0 release.

Fix it, to restore the old behavior. For backward compatibility
to the broken behavior, adjust parse_passwords() to accept
that as well.

https://bugzilla.redhat.com/show_bug.cgi?id=1628833
https://github.com/NetworkManager/NetworkManager/pull/201

Fixes: 0601b5d725
2018-09-14 15:17:12 +02:00