nm-secret-agent-old: allow dbus requests from "networkmanager" user

this allows one to (optionally) run NetworkManager as a user named
"networkmanager" instead of root without breaking NM-initiated polkit
queries. dbus interactions for an operation like
`nmcli device wifi rescan` look like this:

```
nmcli device wifi rescan
(sent from pid=1234, uid=1000)
  |
  v
org.freedesktop.NetworkManager.Device.Wireless.RequestScan { }
(fielded by NetworkManager.service)
  |
  v
org.freedesktop.PolicyKit1.Authority.CheckAuthorization {
  pid = 1234
  start-time = ...;
  uid = 1000;
  "org.freedesktop.NetworkManager.wifi.scan"
}
(fielded by polkit.service)
```

ordinarily, polkit will check the details of whoever invoked `nmcli`
against its database and tell NetworkManager whether the request is
authorized or not. however if NetworkManager isn't running as root then
polkit will instead reply with:

> ErrorName=org.freedesktop.PolicyKit1.Error.NotAuthorized
> "Only trusted callers (e.g. uid 0 or an action owner) can use
> CheckAuthorization() for subjects belonging to other identities"

to solve this we encode the action owner into the policy so that when
polkit sees the CheckAuthorization message, it knows the caller is
allowed to ask for that.

running NetworkManager as root is unaffected by this patch.

.gitlab-ci.yml

@@ -57,11 +57,11 @@ variables:
   #
   # This is done by running `ci-fairy generate-template` and possibly bumping
   # ".default_tag".
-  ALPINE_TAG:  'tag-ec0f564800e3'
-  CENTOS_TAG:  'tag-b114f45d4a4e'
-  DEBIAN_TAG:  'tag-318ea804326f'
-  FEDORA_TAG:  'tag-b114f45d4a4e'
-  UBUNTU_TAG:  'tag-318ea804326f'
+  ALPINE_TAG:  'tag-4e88b0485a0b'
+  CENTOS_TAG:  'tag-49333ce03178'
+  DEBIAN_TAG:  'tag-40fb807bf9e5'
+  FEDORA_TAG:  'tag-49333ce03178'
+  UBUNTU_TAG:  'tag-40fb807bf9e5'
 
   ALPINE_EXEC: 'bash .gitlab-ci/alpine-install.sh'
   CENTOS_EXEC: 'bash .gitlab-ci/fedora-install.sh'
@@ -552,7 +552,7 @@ check-tree:
     - date '+%Y%m%d-%H%M%S'; git ls-files -z -- 'po/*.po' | xargs -0 -n1 msgfmt -vc
     - date '+%Y%m%d-%H%M%S'; contrib/scripts/nm-code-format.sh -n
     - date '+%Y%m%d-%H%M%S'; ci-fairy generate-template && git diff --exit-code
-    - date '+%Y%m%d-%H%M%S'; ./autogen.sh && [ "$(LANG=C make -C po update-po 2>&1 1>/dev/null | grep -c 'warning:')" = 0 ]
+    - date '+%Y%m%d-%H%M%S'; ./autogen.sh --disable-autotools-deprecation && [ "$(LANG=C make -C po update-po 2>&1 1>/dev/null | grep -c 'warning:')" = 0 ]
 
 pages:
   stage: deploy

.gitlab-ci/ci.template

@@ -211,7 +211,7 @@ check-tree:
     - date '+%Y%m%d-%H%M%S'; git ls-files -z -- 'po/*.po' | xargs -0 -n1 msgfmt -vc
     - date '+%Y%m%d-%H%M%S'; contrib/scripts/nm-code-format.sh -n
     - date '+%Y%m%d-%H%M%S'; ci-fairy generate-template && git diff --exit-code
-    - date '+%Y%m%d-%H%M%S'; ./autogen.sh && [ "$(LANG=C make -C po update-po 2>&1 1>/dev/null | grep -c 'warning:')" = 0 ]
+    - date '+%Y%m%d-%H%M%S'; ./autogen.sh --disable-autotools-deprecation && [ "$(LANG=C make -C po update-po 2>&1 1>/dev/null | grep -c 'warning:')" = 0 ]
 
 pages:
   stage: deploy

Makefile.am

@@ -159,6 +159,7 @@ DISTCHECK_CONFIGURE_FLAGS = \
 	--enable-ifcfg-rh \
 	--enable-ifupdown \
 	--disable-dependency-tracking \
+	--disable-autotools-deprecation \
 	$(NULL)
 
 dist-configure-check:

NEWS

@@ -3,11 +3,11 @@ NetworkManager-1.48
 Overview of changes since NetworkManager-1.46
 =============================================
 
-This is a snapshot of NetworkManager development. The API is
-subject to change and not guaranteed to be compatible with
-the later release.
-USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!
-
+* Building with autotools is now deprecated and will be completely removed
+  in the next development cycle. We recommend using meson to build
+  NetworkManager -- for basic setup, see the CONTRIBUTING.md file.
+  To ignore this deprecation and still build with Autotools, you can specify
+  the '--disable-autotools-deprecation' argument when configuring.
 * Support changing the OpenSSL ciphers for 802.1X authentication via
   connection property "802-1x.openssl-ciphers".
 * The reason why a device is unmanaged is now properly set in the
@@ -22,6 +22,11 @@ USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!
   when IPv6 device address was not explicitly passed on by ModemManager
 * Fix a performance issue that was leading to 100% CPU usage by NetworkManager
   if external programs were doing a big amount of routes updates.
+* Patch-level development releases (i.e. 1.48.1-dev) won't be used anymore.
+  From now on, all the patch releases whithin a stable branch will be normal
+  releases, like 1.48.0, 1.48.1, 1.48.2, 1.48.3 and so on.
+  Odd numbers in the minor version number still indicates if it's a development
+  branch like 1.49 or a stable one like 1.48.
 
 =============================================
 NetworkManager-1.46

configure.ac

@@ -7,8 +7,8 @@ dnl  - add corresponding NM_VERSION_x_y_z macros in
 dnl    "shared/nm-version-macros.h.in"
 dnl  - update number in meson.build
 m4_define([nm_major_version], [1])
-m4_define([nm_minor_version], [47])
-m4_define([nm_micro_version], [90])
+m4_define([nm_minor_version], [48])
+m4_define([nm_micro_version], [0])
 m4_define([nm_version],
           [nm_major_version.nm_minor_version.nm_micro_version])
 
@@ -16,6 +16,20 @@ AC_INIT([NetworkManager], [nm_version],
         [http://bugzilla.gnome.org/enter_bug.cgi?product=NetworkManager],
         [NetworkManager])
 
+deprecation_message() {
+    echo "Building with Autotools is deprecated; meson is the recommended way to build NetworkManager."
+    echo "To learn more, see the CONTRIBUTING.md file."
+    echo "To ignore this, pass '--disable-autotools-deprecation' when configuring."
+    exit 1
+}
+
+AC_ARG_ENABLE([autotools-deprecation],
+    AS_HELP_STRING([--disable-autotools-deprecation],
+                   [Building with autotools is deprecated, passing this argument overrides this error.]),
+    [ test "$enableval" != "no" && deprecation_message ],
+    [ deprecation_message ]
+)
+
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_AUX_DIR([build-aux])

contrib/fedora/rpm/NetworkManager.spec

@@ -918,7 +918,8 @@ autoreconf --install --force
 	--with-resolvconf=no \
 	--with-netconfig=no \
 	--with-config-dns-rc-manager-default=%{dns_rc_manager_default} \
-	--with-config-logging-backend-default=%{logging_backend_default}
+	--with-config-logging-backend-default=%{logging_backend_default} \
+	--disable-autotools-deprecation
 
 %make_build
 

contrib/fedora/rpm/build_clean.sh

@@ -272,6 +272,7 @@ if [[ $NO_DIST != 1 ]]; then
             \
             --with-iptables=/usr/sbin/iptables \
             --with-nft=/usr/sbin/nft \
+            --disable-autotools-deprecation \
             \
             || die "Error autogen.sh"
         if [[ $QUICK == 1 ]]; then

contrib/fedora/rpm/configure-for-system.sh

@@ -514,6 +514,7 @@ else
         --with-netconfig=no \
         --with-config-dns-rc-manager-default="$P_DNS_RC_MANAGER_DEFAULT" \
         --with-config-logging-backend-default="$P_LOGGING_BACKEND_DEFAULT" \
+        --disable-autotools-deprecation \
         ;
 fi
 

contrib/fedora/rpm/release.sh

@@ -14,12 +14,11 @@
 #  - "rc"    : further release candidates on RC branch (e.g. from "nm-1-26" branch
 #              tag "1.26-rc2" with version number 1.25.91).
 #  - "major" : on stable branch do a major release (e.g. on "nm-1-26" branch
-#              release "1.26.0", followed by "1.26.1-dev").
+#              release "1.26.0").
 #              You should do a "major-post" release right a "major" release.
 #  - "major-post": after a "major" release, merge the release branch with main and
 #              do another devel snapshot on main (e.g. do "1.27.1-dev" release).
-#  - "minor" : on a stable branch do a minor release (e.g. "1.26.4" on "nm-1-26"
-#              branch and bump to "1.26.5-dev").
+#  - "minor" : on a stable branch do a minor release (e.g. "1.26.4" on "nm-1-26").
 #
 # Requisites:
 #
@@ -296,8 +295,7 @@ RC_VERSION=
 RELEASE_BRANCH=
 case "$RELEASE_MODE" in
     minor)
-        number_is_even "${VERSION_ARR[1]}" &&
-        number_is_odd  "${VERSION_ARR[2]}" || die "cannot do minor release on top of version $VERSION_STR"
+        number_is_even "${VERSION_ARR[1]}" || die "cannot do minor release on top of version $VERSION_STR"
         [ "$CUR_BRANCH" != main ] || die "cannot do a minor release on main"
         ;;
     devel)
@@ -431,19 +429,13 @@ case "$RELEASE_MODE" in
     minor)
         set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 1))
         git commit -m "release: bump version to ${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))" -a || die "failed to commit release"
-        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 2))
-        git commit -m "release: bump version to ${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 2)) (development)" -a || die "failed to commit devel version bump"
 
         b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))"
-        git tag -s -a -m "Tag $b" "$b" HEAD~ || die "failed to tag release"
+        git tag -s -a -m "Tag $b" "$b" HEAD || die "failed to tag release"
         BRANCHES+=("$b")
         CLEANUP_REFS+=("refs/tags/$b")
         BUILD_TAG="$b"
-        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 2))"
-        git tag -s -a -m "Tag $b (development)" "$b-dev" HEAD || die "failed to tag devel version"
-        BRANCHES+=("$b-dev")
-        CLEANUP_REFS+=("refs/tags/$b-dev")
-        TAR_VERSION="$BUILD_TAG"
+        TAR_VERSION="$b"
         ;;
     devel)
         set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 1))
@@ -482,20 +474,12 @@ case "$RELEASE_MODE" in
         ;;
     major)
         b="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1)).0"
-        b2="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1)).1"
-
         set_version_number "${VERSION_ARR[0]}" "$((${VERSION_ARR[1]} + 1))" 0
         git commit -m "release: bump version to $b" -a || die "failed to commit major version bump"
+
         git tag -s -a -m "Tag $b" "$b" HEAD || die "failed to tag release"
         BRANCHES+=("$b")
         CLEANUP_REFS+=("refs/tags/$b")
-
-        set_version_number "${VERSION_ARR[0]}" "$((${VERSION_ARR[1]} + 1))" 1
-        git commit -m "release: bump version to $b2 (development)" -a || die "failed to commit another bump after major version bump"
-        git tag -s -a -m "Tag $b (development)" "$b2-dev" HEAD || die "failed to tag release"
-        BRANCHES+=("$b2-dev")
-        CLEANUP_REFS+=("refs/tags/$b2-dev")
-
         BUILD_TAG="$b"
         TAR_VERSION="$b"
         ;;

contrib/scripts/nm-ci-run.sh

@@ -188,6 +188,7 @@ run_autotools() {
             \
             --enable-ifcfg-rh=yes \
             --enable-ifupdown=yes \
+            --disable-autotools-deprecation \
             \
             #end
 

data/org.freedesktop.NetworkManager.policy.in.in

@@ -16,6 +16,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.reload">
@@ -26,6 +27,7 @@
       <allow_inactive>auth_admin_keep</allow_inactive>
       <allow_active>auth_admin_keep</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.sleep-wake">
@@ -35,6 +37,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>no</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.enable-disable-wifi">
@@ -44,6 +47,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.enable-disable-wwan">
@@ -53,6 +57,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.enable-disable-wimax">
@@ -62,6 +67,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.network-control">
@@ -72,6 +78,7 @@
       <allow_inactive>yes</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.wifi.scan">
@@ -82,6 +89,7 @@
       <allow_inactive>yes</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.wifi.share.protected">
@@ -91,6 +99,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.wifi.share.open">
@@ -100,6 +109,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.settings.modify.own">
@@ -110,6 +120,7 @@
       <allow_inactive>yes</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.settings.modify.system">
@@ -120,6 +131,7 @@
       <allow_inactive>@NM_MODIFY_SYSTEM_POLICY@</allow_inactive>
       <allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.settings.modify.hostname">
@@ -130,6 +142,7 @@
       <allow_inactive>auth_admin_keep</allow_inactive>
       <allow_active>auth_admin_keep</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.settings.modify.global-dns">
@@ -140,6 +153,7 @@
       <allow_inactive>auth_admin_keep</allow_inactive>
       <allow_active>auth_admin_keep</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.checkpoint-rollback">
@@ -150,6 +164,7 @@
       <allow_inactive>auth_admin_keep</allow_inactive>
       <allow_active>auth_admin_keep</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.enable-disable-statistics">
@@ -159,6 +174,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
   <action id="org.freedesktop.NetworkManager.enable-disable-connectivity-check">
@@ -168,6 +184,7 @@
       <allow_inactive>no</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:networkmanager</annotate>
   </action>
 
 </policyconfig>

man/NetworkManager.conf.xml

@@ -1023,23 +1023,20 @@ ipv6.ip6-privacy=0
         </varlistentry>
         <varlistentry>
           <term><varname>ipv6.ip6-privacy</varname></term>
-          <listitem><para>If <literal>ipv6.ip6-privacy</literal> is unset, fall back to the original
-            value of "/proc/sys/net/ipv6/conf/&lt;iface&gt;/use_tempaddr" from before NetworkManager
-            started.
+          <listitem><para>If <literal>ipv6.ip6-privacy</literal> is unset, use the content of
+            "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.
           </para></listitem>
         </varlistentry>
         <varlistentry>
           <term><varname>ipv6.temp-valid-lifetime</varname></term>
-          <listitem><para>If <literal>ipv6.temp-valid-lifetime</literal> is unset, fall back to the
-            original value of "/proc/sys/net/ipv6/conf/&lt;iface&gt;/temp_valid_lft" from before
-            NetworkManager started.
+          <listitem><para>If <literal>ipv6.temp-valid-lifetime</literal> is unset, use the
+            content of "/proc/sys/net/ipv6/conf/default/temp_valid_lft" as last fallback.
           </para></listitem>
         </varlistentry>
         <varlistentry>
           <term><varname>ipv6.temp-preferred-lifetime</varname></term>
-          <listitem><para>If <literal>ipv6.temp-preferred-lifetime</literal> is unset, fall back to
-            the original value of "/proc/sys/net/ipv6/conf/&lt;iface&gt;/temp_prefered_lft" from
-            before NetworkManager started.
+          <listitem><para>If <literal>ipv6.temp-preferred-lifetime</literal> is unset, use
+            the content of "/proc/sys/net/ipv6/conf/default/temp_prefered_lft" as last fallback.
           </para></listitem>
         </varlistentry>
         <varlistentry>

meson.build

@@ -6,7 +6,7 @@ project(
 #  - add corresponding NM_VERSION_x_y_z macros in
 #    "src/libnm-core-public/nm-version-macros.h.in"
 #  - update number in configure.ac
-  version: '1.47.90',
+  version: '1.48.0',
   license: 'GPL2+',
   default_options: [
     'buildtype=debugoptimized',

po/POTFILES.in

@@ -89,6 +89,7 @@ src/libnm-core-impl/nm-setting-cdma.c
 src/libnm-core-impl/nm-setting-connection.c
 src/libnm-core-impl/nm-setting-dcb.c
 src/libnm-core-impl/nm-setting-ethtool.c
+src/libnm-core-impl/nm-setting-generic.c
 src/libnm-core-impl/nm-setting-gsm.c
 src/libnm-core-impl/nm-setting-hsr.c
 src/libnm-core-impl/nm-setting-infiniband.c

src/core/devices/nm-device.c

@@ -2273,7 +2273,6 @@ _prop_get_ipv4_dhcp_vendor_class_identifier(NMDevice *self, NMSettingIP4Config *
 static NMSettingIP6ConfigPrivacy
 _prop_get_ipv6_ip6_privacy(NMDevice *self)
 {
-    NMDevicePrivate          *priv = NM_DEVICE_GET_PRIVATE(self);
     NMSettingIP6ConfigPrivacy ip6_privacy;
     NMConnection             *connection;
 
@@ -2307,22 +2306,23 @@ _prop_get_ipv6_ip6_privacy(NMDevice *self)
     if (!nm_device_get_ip_ifindex(self))
         return NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN;
 
-    /* 3.) No valid default value configured. Fall back to the original value
-     * from before NM started. */
-    return _ip6_privacy_clamp(_nm_utils_ascii_str_to_int64(
-        g_hash_table_lookup(priv->ip6_saved_properties, "use_tempaddr"),
-        10,
-        G_MININT32,
-        G_MAXINT32,
-        NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN));
+    /* 3.) No valid default-value configured. Fallback to reading sysctl.
+     *
+     * Instead of reading static config files in /etc, just read the current sysctl value.
+     * This works as NM only writes to "/proc/sys/net/ipv6/conf/IFNAME/use_tempaddr", but leaves
+     * the "default" entry untouched. */
+    ip6_privacy = nm_platform_sysctl_get_int32(
+        nm_device_get_platform(self),
+        NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv6/conf/default/use_tempaddr"),
+        NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN);
+    return _ip6_privacy_clamp(ip6_privacy);
 }
 
 static gint32
 _prop_get_ipv6_temp_valid_lifetime(NMDevice *self)
 {
-    NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self);
-    gint32           temp_valid_lifetime;
-    NMConnection    *connection;
+    gint32        temp_valid_lifetime;
+    NMConnection *connection;
 
     g_return_val_if_fail(self, 0);
 
@@ -2350,22 +2350,25 @@ _prop_get_ipv6_temp_valid_lifetime(NMDevice *self)
     if (temp_valid_lifetime)
         return temp_valid_lifetime;
 
-    /* 3.) No valid default value configured. Fall back to the original value
-     * from before NM started. */
-    return _nm_utils_ascii_str_to_int64(
-        g_hash_table_lookup(priv->ip6_saved_properties, "temp_valid_lft"),
+    /* 3.) No valid default-value configured. Fallback to reading sysctl.
+     *
+     * Instead of reading static config files in /etc, just read the current sysctl value.
+     * This works as NM only writes to "/proc/sys/net/ipv6/conf/IFNAME/temp_valid_lft",
+     * but leaves the "default" entry untouched. */
+    return nm_platform_sysctl_get_int_checked(
+        nm_device_get_platform(self),
+        NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv6/conf/default/temp_valid_lft"),
         10,
         0,
         G_MAXINT32,
-        SECONDS_PER_WEEK /* final hardcoded fallback: 1 week */);
+        SECONDS_PER_WEEK);
 }
 
 static gint32
 _prop_get_ipv6_temp_preferred_lifetime(NMDevice *self)
 {
-    NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self);
-    gint32           temp_preferred_lifetime;
-    NMConnection    *connection;
+    gint32        temp_preferred_lifetime;
+    NMConnection *connection;
 
     g_return_val_if_fail(self, 0);
 
@@ -2393,14 +2396,18 @@ _prop_get_ipv6_temp_preferred_lifetime(NMDevice *self)
     if (temp_preferred_lifetime)
         return temp_preferred_lifetime;
 
-    /* 3.) No valid default value configured. Fall back to the original value
-     * from before NM started. */
-    return _nm_utils_ascii_str_to_int64(
-        g_hash_table_lookup(priv->ip6_saved_properties, "temp_prefered_lft"),
+    /* 3.) No valid default-value configured. Fallback to reading sysctl.
+     *
+     * Instead of reading static config files in /etc, just read the current sysctl value.
+     * This works as NM only writes to "/proc/sys/net/ipv6/conf/IFNAME/temp_prefered_lft",
+     * but leaves the "default" entry untouched. */
+    return nm_platform_sysctl_get_int_checked(
+        nm_device_get_platform(self),
+        NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv6/conf/default/temp_prefered_lft"),
         10,
         0,
         G_MAXINT32,
-        SECONDS_PER_DAY /* final hardcoded fallback: 1 day */);
+        SECONDS_PER_DAY);
 }
 
 static NMSettingIP6ConfigAddrGenMode

src/core/nm-config-data.c

@@ -849,7 +849,7 @@ nm_config_data_log(const NMConfigData  *self,
                     /* We require that the default values are grouped by their "group".
                      * That is, all default values for a certain "group" are close to
                      * each other in the list. Assert for that. */
-                    for (g2 = g + 1; g2 < groups_full->len; g2++) {
+                    for (g2 = g + 1; g2 < G_N_ELEMENTS(default_values); g2++) {
                         nm_assert(!nm_streq(default_values[g - 1].group, default_values[g2].group));
                     }
                 }

src/core/nm-l3-config-data.c

@@ -157,8 +157,8 @@ struct _NML3ConfigData {
     bool has_routes_with_type_local_6_set : 1;
     bool has_routes_with_type_local_4_val : 1;
     bool has_routes_with_type_local_6_val : 1;
-    bool dhcp_enabled_4 : 1;
-    bool dhcp_enabled_6 : 1;
+    bool allow_routes_without_address_4 : 1;
+    bool allow_routes_without_address_6 : 1;
 
     bool ndisc_hop_limit_set : 1;
     bool ndisc_reachable_time_msec_set : 1;
@@ -678,26 +678,28 @@ nm_l3_config_data_new(NMDedupMultiIndex *multi_idx, int ifindex, NMIPConfigSourc
 
     self  = g_slice_new(NML3ConfigData);
     *self = (NML3ConfigData){
-        .ref_count                     = 1,
-        .ifindex                       = ifindex,
-        .multi_idx                     = nm_dedup_multi_index_ref(multi_idx),
-        .mdns                          = NM_SETTING_CONNECTION_MDNS_DEFAULT,
-        .llmnr                         = NM_SETTING_CONNECTION_LLMNR_DEFAULT,
-        .dns_over_tls                  = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT,
-        .flags                         = NM_L3_CONFIG_DAT_FLAGS_NONE,
-        .metered                       = NM_TERNARY_DEFAULT,
-        .proxy_browser_only            = NM_TERNARY_DEFAULT,
-        .proxy_method                  = NM_PROXY_CONFIG_METHOD_UNKNOWN,
-        .route_table_sync_4            = NM_IP_ROUTE_TABLE_SYNC_MODE_NONE,
-        .route_table_sync_6            = NM_IP_ROUTE_TABLE_SYNC_MODE_NONE,
-        .never_default_6               = NM_OPTION_BOOL_DEFAULT,
-        .never_default_4               = NM_OPTION_BOOL_DEFAULT,
-        .source                        = source,
-        .ip6_privacy                   = NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN,
-        .mptcp_flags                   = NM_MPTCP_FLAGS_NONE,
-        .ndisc_hop_limit_set           = FALSE,
-        .ndisc_reachable_time_msec_set = FALSE,
-        .ndisc_retrans_timer_msec_set  = FALSE,
+        .ref_count                      = 1,
+        .ifindex                        = ifindex,
+        .multi_idx                      = nm_dedup_multi_index_ref(multi_idx),
+        .mdns                           = NM_SETTING_CONNECTION_MDNS_DEFAULT,
+        .llmnr                          = NM_SETTING_CONNECTION_LLMNR_DEFAULT,
+        .dns_over_tls                   = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT,
+        .flags                          = NM_L3_CONFIG_DAT_FLAGS_NONE,
+        .metered                        = NM_TERNARY_DEFAULT,
+        .proxy_browser_only             = NM_TERNARY_DEFAULT,
+        .proxy_method                   = NM_PROXY_CONFIG_METHOD_UNKNOWN,
+        .route_table_sync_4             = NM_IP_ROUTE_TABLE_SYNC_MODE_NONE,
+        .route_table_sync_6             = NM_IP_ROUTE_TABLE_SYNC_MODE_NONE,
+        .never_default_6                = NM_OPTION_BOOL_DEFAULT,
+        .never_default_4                = NM_OPTION_BOOL_DEFAULT,
+        .source                         = source,
+        .ip6_privacy                    = NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN,
+        .mptcp_flags                    = NM_MPTCP_FLAGS_NONE,
+        .ndisc_hop_limit_set            = FALSE,
+        .ndisc_reachable_time_msec_set  = FALSE,
+        .ndisc_retrans_timer_msec_set   = FALSE,
+        .allow_routes_without_address_4 = TRUE,
+        .allow_routes_without_address_6 = TRUE,
     };
 
     _idx_type_init(&self->idx_addresses_4, NMP_OBJECT_TYPE_IP4_ADDRESS);
@@ -1936,15 +1938,30 @@ nm_l3_config_data_set_mptcp_flags(NML3ConfigData *self, NMMptcpFlags mptcp_flags
 }
 
 gboolean
-nm_l3_config_data_get_dhcp_enabled(const NML3ConfigData *self, int addr_family)
+nm_l3_config_data_get_allow_routes_without_address(const NML3ConfigData *self, int addr_family)
 {
     const int IS_IPv4 = NM_IS_IPv4(addr_family);
 
     nm_assert(_NM_IS_L3_CONFIG_DATA(self, TRUE));
     if (IS_IPv4) {
-        return self->dhcp_enabled_4;
+        return self->allow_routes_without_address_4;
     } else {
-        return self->dhcp_enabled_6;
+        return self->allow_routes_without_address_6;
+    }
+}
+
+void
+nm_l3_config_data_set_allow_routes_without_address(NML3ConfigData *self,
+                                                   int             addr_family,
+                                                   gboolean        value)
+{
+    const int IS_IPv4 = NM_IS_IPv4(addr_family);
+
+    nm_assert(_NM_IS_L3_CONFIG_DATA(self, FALSE));
+    if (IS_IPv4) {
+        self->allow_routes_without_address_4 = value;
+    } else {
+        self->allow_routes_without_address_6 = value;
     }
 }
 
@@ -2758,18 +2775,18 @@ _init_from_connection_ip(NML3ConfigData *self, int addr_family, NMConnection *co
     method = nm_setting_ip_config_get_method(s_ip);
     if (IS_IPv4) {
         if (nm_streq(method, NM_SETTING_IP4_CONFIG_METHOD_AUTO)) {
-            self->dhcp_enabled_4 = TRUE;
+            self->allow_routes_without_address_4 = FALSE;
         } else {
-            self->dhcp_enabled_4 = FALSE;
+            self->allow_routes_without_address_4 = TRUE;
         }
     } else {
         method = nm_setting_ip_config_get_method(s_ip);
         if (NM_IN_STRSET(method,
                          NM_SETTING_IP6_CONFIG_METHOD_AUTO,
                          NM_SETTING_IP6_CONFIG_METHOD_DHCP)) {
-            self->dhcp_enabled_6 = TRUE;
+            self->allow_routes_without_address_6 = FALSE;
         } else {
-            self->dhcp_enabled_6 = FALSE;
+            self->allow_routes_without_address_6 = TRUE;
         }
     }
 
@@ -3456,11 +3473,11 @@ nm_l3_config_data_merge(NML3ConfigData       *self,
         self->dhcp_lease_x[0] = nm_dhcp_lease_ref(self->dhcp_lease_x[0]);
         self->dhcp_lease_x[1] = nm_dhcp_lease_ref(self->dhcp_lease_x[1]);
     }
-    if (src->dhcp_enabled_4)
-        self->dhcp_enabled_4 = TRUE;
+    if (!src->allow_routes_without_address_4)
+        self->allow_routes_without_address_4 = FALSE;
 
-    if (src->dhcp_enabled_6)
-        self->dhcp_enabled_6 = TRUE;
+    if (!src->allow_routes_without_address_6)
+        self->allow_routes_without_address_6 = FALSE;
 }
 
 NML3ConfigData *

src/core/nm-l3-config-data.h

@@ -554,7 +554,12 @@ NMSettingIP6ConfigPrivacy nm_l3_config_data_get_ip6_privacy(const NML3ConfigData
 gboolean nm_l3_config_data_set_ip6_privacy(NML3ConfigData           *self,
                                            NMSettingIP6ConfigPrivacy ip6_privacy);
 
-gboolean nm_l3_config_data_get_dhcp_enabled(const NML3ConfigData *self, int addr_family);
+gboolean nm_l3_config_data_get_allow_routes_without_address(const NML3ConfigData *self,
+                                                            int                   addr_family);
+
+void nm_l3_config_data_set_allow_routes_without_address(NML3ConfigData *self,
+                                                        int             addr_family,
+                                                        gboolean        value);
 
 NMProxyConfigMethod nm_l3_config_data_get_proxy_method(const NML3ConfigData *self);
 

src/core/nm-l3cfg.c

@@ -1301,7 +1301,6 @@ _commit_collect_routes(NML3Cfg          *self,
     const int                    IS_IPv4 = NM_IS_IPv4(addr_family);
     const NMDedupMultiHeadEntry *head_entry;
     const NMDedupMultiEntry     *entry;
-    gboolean                     is_dhcp_enabled;
 
     nm_assert(routes && !*routes);
     nm_assert(routes_nodev && !*routes_nodev);
@@ -1321,10 +1320,10 @@ _commit_collect_routes(NML3Cfg          *self,
         else {
             nm_assert(NMP_OBJECT_CAST_IP_ROUTE(obj)->ifindex == self->priv.ifindex);
 
-            is_dhcp_enabled =
-                nm_l3_config_data_get_dhcp_enabled(self->priv.p->combined_l3cd_commited,
-                                                   addr_family);
-            if (!any_addrs && is_dhcp_enabled) {
+            if (!any_addrs
+                && !nm_l3_config_data_get_allow_routes_without_address(
+                    self->priv.p->combined_l3cd_commited,
+                    addr_family)) {
                 /* This is a unicast route (or a similar route, which has an
                  * ifindex).
                  *

src/core/vpn/nm-vpn-connection.c

@@ -1433,6 +1433,10 @@ _check_complete(NMVpnConnection *self, gboolean success)
     l3cd = nm_l3_config_data_new_from_connection(nm_netns_get_multi_idx(priv->netns),
                                                  nm_vpn_connection_get_ip_ifindex(self, TRUE),
                                                  connection);
+
+    nm_l3_config_data_set_allow_routes_without_address(l3cd, AF_INET, TRUE);
+    nm_l3_config_data_set_allow_routes_without_address(l3cd, AF_INET6, TRUE);
+
     _l3cfg_l3cd_set(self, L3CD_TYPE_STATIC, l3cd);
 
     _l3cfg_l3cd_gw_extern_update(self);
@@ -1988,6 +1992,12 @@ _dbus_signal_ip_config_cb(NMVpnConnection *self, int addr_family, GVariant *dict
 
     nm_l3_config_data_set_dns_priority(l3cd, AF_INET, NM_DNS_PRIORITY_DEFAULT_VPN);
 
+    _vardict_to_addr(addr_family,
+                     dict,
+                     IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_INT_GATEWAY
+                             : NM_VPN_PLUGIN_IP6_CONFIG_INT_GATEWAY,
+                     &priv->ip_data_x[IS_IPv4].gw_internal);
+
     if (IS_IPv4) {
         address.a4 = (NMPlatformIP4Address){
             .plen = 24,
@@ -1998,16 +2008,17 @@ _dbus_signal_ip_config_cb(NMVpnConnection *self, int addr_family, GVariant *dict
         };
     }
 
-    _vardict_to_addr(addr_family,
-                     dict,
-                     IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_INT_GATEWAY
-                             : NM_VPN_PLUGIN_IP6_CONFIG_INT_GATEWAY,
-                     &priv->ip_data_x[IS_IPv4].gw_internal);
-
-    _vardict_to_addr(addr_family,
-                     dict,
-                     IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS : NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS,
-                     address.ax.address_ptr);
+    if (_vardict_to_addr(addr_family,
+                         dict,
+                         IS_IPv4 ? NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS
+                                 : NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS,
+                         address.ax.address_ptr)
+        && nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)) {
+        _LOGW("invalid IP%c config received: address is zero",
+              nm_utils_addr_family_to_char(addr_family));
+        _check_complete(self, FALSE);
+        return;
+    }
 
     if (!_vardict_to_addr(addr_family,
                           dict,
@@ -2024,17 +2035,20 @@ _dbus_signal_ip_config_cb(NMVpnConnection *self, int addr_family, GVariant *dict
                          &u32))
         address.ax.plen = u32;
 
-    if (address.ax.plen > 0 && address.ax.plen <= (IS_IPv4 ? 32 : 128)
-        && !nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)) {
-        address.ax.addr_source = NM_IP_CONFIG_SOURCE_VPN;
-        nm_l3_config_data_add_address(l3cd, addr_family, NULL, &address.ax);
-    } else {
-        _LOGW("invalid IP%c config received: no valid IP address/prefix",
-              nm_utils_addr_family_to_char(addr_family));
+    if (!nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)
+        && (address.ax.plen == 0 || address.ax.plen > (IS_IPv4 ? 32 : 128))) {
+        _LOGW("invalid IP%c config received: invalid prefix %u",
+              nm_utils_addr_family_to_char(addr_family),
+              address.ax.plen);
         _check_complete(self, FALSE);
         return;
     }
 
+    if (!nm_ip_addr_is_null(addr_family, &address.ax.address_ptr)) {
+        address.ax.addr_source = NM_IP_CONFIG_SOURCE_VPN;
+        nm_l3_config_data_add_address(l3cd, addr_family, NULL, &address.ax);
+    }
+
     if (IS_IPv4) {
         if (g_variant_lookup(dict, NM_VPN_PLUGIN_IP4_CONFIG_DNS, "au", &var_iter)) {
             while (g_variant_iter_next(var_iter, "u", &u32))

src/libnm-client-impl/nm-secret-agent-old.c

@@ -1214,17 +1214,24 @@ _get_connection_unix_user_cb(GObject *source, GAsyncResult *result, gpointer use
             "register: peer %s is owned by user %d for session bus. Validated to accept requests.",
             priv->name_owner_curr->str,
             sender_uid);
-    } else {
-        /* the peer is not validated. We don't actually register. */
-        if (ret)
+    } else if (ret) {
+        gs_free char *name = nm_utils_uid_to_name(sender_uid);
+        if (nm_streq0(name, "networkmanager"))
+            _LOGT("register: peer %s is owned by user %u. Validated to accept requests.",
+                  priv->name_owner_curr->str,
+                  sender_uid);
+        else {
             _LOGT("register: peer %s is owned by user %u. Not validated as NetworkManager service.",
                   priv->name_owner_curr->str,
                   sender_uid);
-        else
-            _LOGT("register: failed to get user id for peer %s: %s. Not validated as "
-                  "NetworkManager service.",
-                  priv->name_owner_curr->str,
-                  error->message);
+            return;
+        }
+    } else {
+        /* the peer is not validated. We don't actually register. */
+        _LOGT("register: failed to get user id for peer %s: %s. Not validated as "
+              "NetworkManager service.",
+              priv->name_owner_curr->str,
+              error->message);
 
         /* we actually don't do anything and keep the agent unregistered.
          *

src/libnm-core-impl/nm-setting-ip6-config.c

@@ -963,11 +963,9 @@ nm_setting_ip6_config_class_init(NMSettingIP6ConfigClass *klass)
      * 0: disabled, 1: enabled (prefer public address), 2: enabled (prefer temporary
      * addresses).
      *
-     * If set to "-1" (unknown) for a connection, the value is taken from the
-     * global "ipv6.ip6-privacy" setting. If the global setting is unspecified
-     * or also set to "-1", the value is set from the original value of
-     * "/proc/sys/net/ipv6/conf/<iface>/use_tempaddr" from before NetworkManager
-     * started.
+     * Having a per-connection setting set to "-1" (default) means fallback to
+     * global configuration "ipv6.ip6-privacy". If it's also unspecified or set
+     * to "-1", fallback to read "/proc/sys/net/ipv6/conf/default/use_tempaddr".
      *
      * Note that this setting is distinct from the Stable Privacy addresses
      * that can be enabled with the "addr-gen-mode" property's "stable-privacy"
@@ -999,11 +997,10 @@ nm_setting_ip6_config_class_init(NMSettingIP6ConfigClass *klass)
      *
      * The valid lifetime of autogenerated temporary addresses, in seconds.
      *
-     * If set to "0" (unknown) for a connection, the value is taken from the
-     * global "ipv6.temp-valid-lifetime" setting. If the global setting is
-     * unspecified or also set to "0", the value is set from the original value
-     * of "/proc/sys/net/ipv6/conf/<iface>/temp_valid_lft" from before
-     * NetworkManager started.
+     * Having a per-connection setting set to "0" (default) means fallback to
+     * global configuration "ipv6.temp-valid-lifetime" setting". If it's also
+     * unspecified or set to "0", fallback to read
+     * "/proc/sys/net/ipv6/conf/default/temp_valid_lft".
      *
      * Since: 1.48
      **/
@@ -1023,11 +1020,10 @@ nm_setting_ip6_config_class_init(NMSettingIP6ConfigClass *klass)
      *
      * The preferred lifetime of autogenerated temporary addresses, in seconds.
      *
-     * If set to "0" (unknown) for a connection, the value is taken from the
-     * global "ipv6.temp-preferred-lifetime" setting. If the global setting is
-     * unspecified or also set to "0", the value is set from the original value
-     * of "/proc/sys/net/ipv6/conf/<iface>/temp_prefered_lft" from before
-     * NetworkManager started.
+     * Having a per-connection setting set to "0" (default) means fallback to
+     * global configuration "ipv6.temp-preferred-lifetime" setting". If it's also
+     * unspecified or set to "0", fallback to read
+     * "/proc/sys/net/ipv6/conf/default/temp_prefered_lft".
      *
      * Since: 1.48
      **/

src/libnmc-setting/nm-meta-setting-desc.c

@@ -6620,7 +6620,17 @@ static const NMMetaPropertyInfo *const property_infos_IP6_CONFIG[] = {
     PROPERTY_INFO_WITH_DESC (NM_SETTING_IP6_CONFIG_IP6_PRIVACY,
         .property_type =                &_pt_gobject_enum,
         .property_typ_data = DEFINE_PROPERTY_TYP_DATA_SUBTYPE (gobject_enum,
+            .value_infos =              ENUM_VALUE_INFOS(
+                {
+                    .value = NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN,
+                    .nick = "default",
+                },
+            ),
             .value_infos_get =          ENUM_VALUE_INFOS (
+                {
+                    .value = NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN,
+                    .nick = "default",
+                },
                 {
                     .value = NM_SETTING_IP6_CONFIG_PRIVACY_PREFER_PUBLIC_ADDR,
                     .nick = "enabled, prefer public IP",
@@ -6634,9 +6644,25 @@ static const NMMetaPropertyInfo *const property_infos_IP6_CONFIG[] = {
     ),
     PROPERTY_INFO_WITH_DESC (NM_SETTING_IP6_CONFIG_TEMP_VALID_LIFETIME,
         .property_type =                &_pt_gobject_int,
+        .property_typ_data = DEFINE_PROPERTY_TYP_DATA_SUBTYPE(gobject_int,
+            .value_infos =              INT_VALUE_INFOS(
+                {
+                    .value.i64 = 0,
+                    .nick = "default"
+                },
+            ),
+        ),
     ),
     PROPERTY_INFO_WITH_DESC (NM_SETTING_IP6_CONFIG_TEMP_PREFERRED_LIFETIME,
         .property_type =                &_pt_gobject_int,
+        .property_typ_data = DEFINE_PROPERTY_TYP_DATA_SUBTYPE(gobject_int,
+            .value_infos =              INT_VALUE_INFOS(
+                {
+                    .value.i64 = 0,
+                    .nick = "default"
+                },
+            ),
+        ),
     ),
     PROPERTY_INFO_WITH_DESC (NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE,
         .property_type =                &_pt_gobject_enum,

src/libnmc-setting/settings-docs.h.in

@@ -216,7 +216,7 @@
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_GATEWAY N_("The gateway associated with this configuration. This is only meaningful if \"addresses\" is also set. Setting the gateway causes NetworkManager to configure a standard default route with the gateway as next hop. This is ignored if \"never-default\" is set. An alternative is to configure the default route explicitly with a manual route and /0 as prefix length. Note that the gateway usually conflicts with routing that NetworkManager configures for WireGuard interfaces, so usually it should not be set in that case. See \"ip4-auto-default-route\".")
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_IGNORE_AUTO_DNS N_("When \"method\" is set to \"auto\" and this property to TRUE, automatically configured name servers and search domains are ignored and only name servers and search domains specified in the \"dns\" and \"dns-search\" properties, if any, are used.")
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_IGNORE_AUTO_ROUTES N_("When \"method\" is set to \"auto\" and this property to TRUE, automatically configured routes are ignored and only routes specified in the \"routes\" property, if any, are used.")
-#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_IP6_PRIVACY N_("Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.  If enabled, it makes the kernel generate a temporary IPv6 address in addition to the public one generated from MAC address via modified EUI-64.  This enhances privacy, but could cause problems in some applications, on the other hand.  The permitted values are: -1: unknown, 0: disabled, 1: enabled (prefer public address), 2: enabled (prefer temporary addresses). If set to \"-1\" (unknown) for a connection, the value is taken from the global \"ipv6.ip6-privacy\" setting. If the global setting is unspecified or also set to \"-1\", the value is set from the original value of \"/proc/sys/net/ipv6/conf/<iface>/use_tempaddr\" from before NetworkManager started. Note that this setting is distinct from the Stable Privacy addresses that can be enabled with the \"addr-gen-mode\" property's \"stable-privacy\" setting as another way of avoiding host tracking with IPv6 addresses.")
+#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_IP6_PRIVACY N_("Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.  If enabled, it makes the kernel generate a temporary IPv6 address in addition to the public one generated from MAC address via modified EUI-64.  This enhances privacy, but could cause problems in some applications, on the other hand.  The permitted values are: -1: unknown, 0: disabled, 1: enabled (prefer public address), 2: enabled (prefer temporary addresses). Having a per-connection setting set to \"-1\" (default) means fallback to global configuration \"ipv6.ip6-privacy\". If it's also unspecified or set to \"-1\", fallback to read \"/proc/sys/net/ipv6/conf/default/use_tempaddr\". Note that this setting is distinct from the Stable Privacy addresses that can be enabled with the \"addr-gen-mode\" property's \"stable-privacy\" setting as another way of avoiding host tracking with IPv6 addresses.")
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_MAY_FAIL N_("If TRUE, allow overall network configuration to proceed even if the configuration specified by this property times out.  Note that at least one IP configuration must succeed or overall network configuration will still fail.  For example, in IPv6-only networks, setting this property to TRUE on the NMSettingIP4Config allows the overall network configuration to succeed if IPv4 configuration fails but IPv6 configuration completes successfully.")
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_METHOD N_("The IPv6 connection method.")
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_MTU N_("Maximum transmission unit size, in bytes. If zero (the default), the MTU is set automatically from router advertisements or is left equal to the link-layer MTU. If greater than the link-layer MTU, or greater than zero but less than the minimum IPv6 MTU of 1280, this value has no effect.")
@@ -228,8 +228,8 @@
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ROUTE_TABLE N_("Enable policy routing (source routing) and set the routing table used when adding routes. This affects all routes, including device-routes, IPv4LL, DHCP, SLAAC, default-routes and static routes. But note that static routes can individually overwrite the setting by explicitly specifying a non-zero routing table. If the table setting is left at zero, it is eligible to be overwritten via global configuration. If the property is zero even after applying the global configuration value, policy routing is disabled for the address family of this connection. Policy routing disabled means that NetworkManager will add all routes to the main table (except static routes that explicitly configure a different table). Additionally, NetworkManager will not delete any extraneous routes from tables except the main table. This is to preserve backward compatibility for users who manage routing tables outside of NetworkManager.")
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ROUTES N_("Array of IP routes.")
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_ROUTING_RULES N_("A comma separated list of routing rules for policy routing.")
-#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_TEMP_PREFERRED_LIFETIME N_("The preferred lifetime of autogenerated temporary addresses, in seconds. If set to \"0\" (unknown) for a connection, the value is taken from the global \"ipv6.temp-preferred-lifetime\" setting. If the global setting is unspecified or also set to \"0\", the value is set from the original value of \"/proc/sys/net/ipv6/conf/<iface>/temp_prefered_lft\" from before NetworkManager started.")
-#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_TEMP_VALID_LIFETIME N_("The valid lifetime of autogenerated temporary addresses, in seconds. If set to \"0\" (unknown) for a connection, the value is taken from the global \"ipv6.temp-valid-lifetime\" setting. If the global setting is unspecified or also set to \"0\", the value is set from the original value of \"/proc/sys/net/ipv6/conf/<iface>/temp_valid_lft\" from before NetworkManager started.")
+#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_TEMP_PREFERRED_LIFETIME N_("The preferred lifetime of autogenerated temporary addresses, in seconds. Having a per-connection setting set to \"0\" (default) means fallback to global configuration \"ipv6.temp-preferred-lifetime\" setting\". If it's also unspecified or set to \"0\", fallback to read \"/proc/sys/net/ipv6/conf/default/temp_prefered_lft\".")
+#define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_TEMP_VALID_LIFETIME N_("The valid lifetime of autogenerated temporary addresses, in seconds. Having a per-connection setting set to \"0\" (default) means fallback to global configuration \"ipv6.temp-valid-lifetime\" setting\". If it's also unspecified or set to \"0\", fallback to read \"/proc/sys/net/ipv6/conf/default/temp_valid_lft\".")
 #define DESCRIBE_DOC_NM_SETTING_IP6_CONFIG_TOKEN N_("Configure the token for draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized interface identifiers. Useful with eui64 addr-gen-mode. When set, the token is used as IPv6 interface identifier instead of the hardware address. This only applies to addresses from stateless autoconfiguration, not to IPv6 link local addresses.")
 #define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_ENCAPSULATION_LIMIT N_("How many additional levels of encapsulation are permitted to be prepended to packets. This property applies only to IPv6 tunnels. To disable this option, add 0x1 (ip6-ign-encap-limit) to ip-tunnel flags.")
 #define DESCRIBE_DOC_NM_SETTING_IP_TUNNEL_FLAGS N_("Tunnel flags. Currently, the following values are supported: 0x1 (ip6-ign-encap-limit), 0x2 (ip6-use-orig-tclass), 0x4 (ip6-use-orig-flowlabel), 0x8 (ip6-mip6-dev), 0x10 (ip6-rcv-dscp-copy) and 0x20 (ip6-use-orig-fwmark). They are valid only for IPv6 tunnels.")

src/nmcli/gen-metadata-nm-settings-nmcli.xml.in

@@ -1454,17 +1454,19 @@
                   values="-1 - 2147483647"
                   special-values="default (-1), infinity (2147483647)" />
         <property name="ip6-privacy"
-                  nmcli-description="Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.  If enabled, it makes the kernel generate a temporary IPv6 address in addition to the public one generated from MAC address via modified EUI-64.  This enhances privacy, but could cause problems in some applications, on the other hand.  The permitted values are: -1: unknown, 0: disabled, 1: enabled (prefer public address), 2: enabled (prefer temporary addresses). If set to &quot;-1&quot; (unknown) for a connection, the value is taken from the global &quot;ipv6.ip6-privacy&quot; setting. If the global setting is unspecified or also set to &quot;-1&quot;, the value is set from the original value of &quot;/proc/sys/net/ipv6/conf/&lt;iface&gt;/use_tempaddr&quot; from before NetworkManager started. Note that this setting is distinct from the Stable Privacy addresses that can be enabled with the &quot;addr-gen-mode&quot; property&apos;s &quot;stable-privacy&quot; setting as another way of avoiding host tracking with IPv6 addresses."
+                  nmcli-description="Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.  If enabled, it makes the kernel generate a temporary IPv6 address in addition to the public one generated from MAC address via modified EUI-64.  This enhances privacy, but could cause problems in some applications, on the other hand.  The permitted values are: -1: unknown, 0: disabled, 1: enabled (prefer public address), 2: enabled (prefer temporary addresses). Having a per-connection setting set to &quot;-1&quot; (default) means fallback to global configuration &quot;ipv6.ip6-privacy&quot;. If it&apos;s also unspecified or set to &quot;-1&quot;, fallback to read &quot;/proc/sys/net/ipv6/conf/default/use_tempaddr&quot;. Note that this setting is distinct from the Stable Privacy addresses that can be enabled with the &quot;addr-gen-mode&quot; property&apos;s &quot;stable-privacy&quot; setting as another way of avoiding host tracking with IPv6 addresses."
                   format="choice (NMSettingIP6ConfigPrivacy)"
-                  values="unknown (-1), disabled (0), prefer-public-addr (1), prefer-temp-addr (2)" />
+                  values="unknown/default (-1), disabled (0), prefer-public-addr (1), prefer-temp-addr (2)" />
         <property name="temp-valid-lifetime"
-                  nmcli-description="The valid lifetime of autogenerated temporary addresses, in seconds. If set to &quot;0&quot; (unknown) for a connection, the value is taken from the global &quot;ipv6.temp-valid-lifetime&quot; setting. If the global setting is unspecified or also set to &quot;0&quot;, the value is set from the original value of &quot;/proc/sys/net/ipv6/conf/&lt;iface&gt;/temp_valid_lft&quot; from before NetworkManager started."
+                  nmcli-description="The valid lifetime of autogenerated temporary addresses, in seconds. Having a per-connection setting set to &quot;0&quot; (default) means fallback to global configuration &quot;ipv6.temp-valid-lifetime&quot; setting&quot;. If it&apos;s also unspecified or set to &quot;0&quot;, fallback to read &quot;/proc/sys/net/ipv6/conf/default/temp_valid_lft&quot;."
                   format="integer"
-                  values="0 - 2147483647" />
+                  values="0 - 2147483647"
+                  special-values="default (0)" />
         <property name="temp-preferred-lifetime"
-                  nmcli-description="The preferred lifetime of autogenerated temporary addresses, in seconds. If set to &quot;0&quot; (unknown) for a connection, the value is taken from the global &quot;ipv6.temp-preferred-lifetime&quot; setting. If the global setting is unspecified or also set to &quot;0&quot;, the value is set from the original value of &quot;/proc/sys/net/ipv6/conf/&lt;iface&gt;/temp_prefered_lft&quot; from before NetworkManager started."
+                  nmcli-description="The preferred lifetime of autogenerated temporary addresses, in seconds. Having a per-connection setting set to &quot;0&quot; (default) means fallback to global configuration &quot;ipv6.temp-preferred-lifetime&quot; setting&quot;. If it&apos;s also unspecified or set to &quot;0&quot;, fallback to read &quot;/proc/sys/net/ipv6/conf/default/temp_prefered_lft&quot;."
                   format="integer"
-                  values="0 - 2147483647" />
+                  values="0 - 2147483647"
+                  special-values="default (0)" />
         <property name="addr-gen-mode"
                   nmcli-description="Configure method for creating the IPv6 interface identifer of addresses with RFC4862 IPv6 Stateless Address Autoconfiguration and Link Local addresses. The permitted values are: &quot;eui64&quot; (0), &quot;stable-privacy&quot; (1), &quot;default&quot; (3) or &quot;default-or-eui64&quot; (2). If the property is set to &quot;eui64&quot;, the addresses will be generated using the interface token derived from hardware address. This makes the host part of the address to stay constant, making it possible to track the host&apos;s presence when it changes networks. The address changes when the interface hardware is replaced. If a duplicate address is detected, there is also no fallback to generate another address. When configured, the &quot;ipv6.token&quot; is used instead of the MAC address to generate addresses for stateless autoconfiguration. If the property is set to &quot;stable-privacy&quot;, the interface identifier is generated as specified by RFC7217. This works by hashing a host specific key (see NetworkManager(8) manual), the interface name, the connection&apos;s &quot;connection.stable-id&quot; property and the address prefix.  This improves privacy by making it harder to use the address to track the host&apos;s presence and the address is stable when the network interface hardware is replaced. The special values &quot;default&quot; and &quot;default-or-eui64&quot; will fallback to the global connection default as documented in the NetworkManager.conf(5) manual. If the global default is not specified, the fallback value is &quot;stable-privacy&quot; or &quot;eui64&quot;, respectively. If not specified, when creating a new profile the default is &quot;default&quot;. Note that this setting is distinct from the Privacy Extensions as configured by &quot;ip6-privacy&quot; property and it does not affect the temporary addresses configured with this option."
                   format="choice (NMSettingIP6ConfigAddrGenMode)"

tools/create-exports-NetworkManager.sh

@@ -26,7 +26,8 @@ _build() {
                  --with-modem-manager-1 \
                  --with-ofono \
                  --with-more-asserts \
-                 --with-more-logging
+                 --with-more-logging \
+                 --disable-autotools-deprecation
     make -j20
 }