Unverified Commit f64dff69 authored by Thomas Haller's avatar Thomas Haller

all: drop various NMMptcpFlags

The default behavior might be sufficient. Drop those flags for now,
and figure out a good solution when we have an actual use-case.
parent eb083eec
......@@ -4218,11 +4218,8 @@ _rp_filter_update(NML3Cfg *self, gboolean reapply)
* While we only have one "connection.mptcp-flags=enabled" property, whether
* we handle MPTCP is still tracked per AF. In particular, with "enabled-on-global-iface"
* flag, which honors the AF-specific default route. */
if (self->priv.p->mptcp_set_4 && self->priv.p->combined_l3cd_commited
&& !NM_FLAGS_HAS(nm_l3_config_data_get_mptcp_flags(self->priv.p->combined_l3cd_commited),
NM_MPTCP_FLAGS_NO_RELAX_RP_FILTER)) {
if (self->priv.p->mptcp_set_4)
rp_filter_relax = TRUE;
}
if (!rp_filter_relax) {
if (self->priv.p->rp_filter_handled) {
......@@ -4368,32 +4365,17 @@ _l3_commit_mptcp_af(NML3Cfg *self,
* the address. */
switch (nm_platform_ip_address_get_scope(addr_family, addr->ax.address_ptr)) {
case RT_SCOPE_HOST:
if (!NM_FLAGS_ANY(mptcp_flags,
IS_IPv4 ? NM_MPTCP_FLAGS_WITH_LOOPBACK_4
: NM_MPTCP_FLAGS_WITH_LOOPBACK_6))
goto skip_addr;
break;
goto skip_addr;
case RT_SCOPE_LINK:
if (!NM_FLAGS_ANY(mptcp_flags,
IS_IPv4 ? NM_MPTCP_FLAGS_WITH_LINK_LOCAL_4
: NM_MPTCP_FLAGS_WITH_LINK_LOCAL_6))
goto skip_addr;
break;
goto skip_addr;
default:
if (IS_IPv4) {
if (nm_utils_ip_is_site_local(AF_INET, &addr->a4.address)) {
/* By default we take rfc1918 private addresses, unless there
* is a flag to opt-out. */
if (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_SKIP_SITE_LOCAL_4))
goto skip_addr;
} else {
/* other addresses we take. */
}
/* We take all addresses, including rfc1918 private addresses
* (nm_utils_ip_is_site_local()). */
} else {
if (nm_utils_ip6_is_ula(&addr->a6.address)) {
/* Special treatment for unique local IPv6 addresses fc00::/7. */
if (!NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_WITH_SITE_LOCAL_6))
goto skip_addr;
/* Exclude unique local IPv6 addresses fc00::/7. */
goto skip_addr;
} else {
/* We take all other addresses, including deprecated IN6_IS_ADDR_SITELOCAL()
* (fec0::/10). */
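Review bot: The rewritten guard `if (self->priv.p->mptcp_set_4) rp_filter_relax = TRUE;` in the `_rp_filter_update` hunk now relaxes IPv4 rp_filter whenever MPTCP is set for IPv4, since both the `NM_MPTCP_FLAGS_NO_RELAX_RP_FILTER` opt-out and the `combined_l3cd_commited` check are gone. Loosening reverse-path filtering from strict (1) to loose (2) weakens the interface's source-address spoofing protection, and with the flag removed an administrator has no per-profile way to keep it strict other than not enabling MPTCP, so that trade-off should be stated at the decision point; suggest extending the comment above the guard with `* Relaxing rp_filter (strict 1 -> loose 2) is unconditional for IPv4 MPTCP: there is no per-profile opt-out, so hosts that require strict filtering must leave MPTCP handling disabled. */`. Whether `mptcp_set_4` can be TRUE before an l3cd has been committed, so that the sysctl is now changed earlier than before, is not visible here and worth confirming. Both enclosing functions, `_rp_filter_update` and `_l3_commit_mptcp_af`, start and end outside these hunks.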
......
......@@ -272,11 +272,7 @@ gpointer _nm_connection_new_setting(NMConnection *connection, GType gtype);
#define _NM_MPTCP_FLAGS_ALL \
((NMMptcpFlags) (NM_MPTCP_FLAGS_DISABLED | NM_MPTCP_FLAGS_ENABLED_ON_GLOBAL_IFACE \
| NM_MPTCP_FLAGS_ENABLED | NM_MPTCP_FLAGS_SIGNAL | NM_MPTCP_FLAGS_SUBFLOW \
| NM_MPTCP_FLAGS_BACKUP | NM_MPTCP_FLAGS_FULLMESH \
| NM_MPTCP_FLAGS_WITH_LOOPBACK_4 | NM_MPTCP_FLAGS_WITH_LINK_LOCAL_4 \
| NM_MPTCP_FLAGS_SKIP_SITE_LOCAL_4 | NM_MPTCP_FLAGS_WITH_LOOPBACK_6 \
| NM_MPTCP_FLAGS_WITH_LINK_LOCAL_6 | NM_MPTCP_FLAGS_WITH_SITE_LOCAL_6 \
| NM_MPTCP_FLAGS_NO_RELAX_RP_FILTER))
| NM_MPTCP_FLAGS_BACKUP | NM_MPTCP_FLAGS_FULLMESH))
#define _NM_MPTCP_FLAGS_DEFAULT \
((NMMptcpFlags) (NM_MPTCP_FLAGS_ENABLED_ON_GLOBAL_IFACE | NM_MPTCP_FLAGS_SUBFLOW))
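Review bot: Narrowing `_NM_MPTCP_FLAGS_ALL` to the seven remaining bits means a flags value that still carries any of 0x100–0x10000 (the `NMMptcpFlags` members removed from nm-dbus-interface.h further down in this commit) presumably fails whatever validation compares against this mask instead of being ignored. Since `NMMptcpFlags` is a public enum, deleting members is only safe if no release has shipped them; the "Since: 1.40" annotation suggests that is the case, but it is worth confirming, and the vacated bit positions should not be silently reassigned a different meaning later. Suggest a comment on the mask, `/* Bits 0x100..0x10000 were previously assigned; keep them unallocated unless stored profiles are checked. */`, or equivalently a note on the enum in nm-dbus-interface.h.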
......
......@@ -2568,9 +2568,6 @@ nm_setting_connection_class_init(NMSettingConnectionClass *klass)
* the interface has a default route.
* - "signal", "subflow", "backup", "fullmesh": the endpoint flags
* that are used.
* - "with-loopback-4", "with-*", ..., "skip-site-local-4": to include/exclude addresses,
* which should be configured as endpoints.
* - "no-relax-rp-filter": controls whether to (not) change rp_filter.
*
* The reason is, that it is useful to have one "connection.mptcp-flags"
* property, that can express various aspects at once. The alternatives
......@@ -2586,7 +2583,7 @@ nm_setting_connection_class_init(NMSettingConnectionClass *klass)
* that otherwise would not be configured as endpoints.
*
* "connection.mptcp-flags" applies to all addresses on the interface (minus the ones
* that are not included via "with-*" and "skip-*" flags). The idea is that in the future we could have
* that are not included by default). The idea is that in the future we could have
* more properties like "ipv4.dhcp-mptcp-flags=subflow", "ipv6.link-local-mptcp-flags=disabled",
* "ipv4.addresses='192.168.1.5/24 mptcp-flags=signal,backup'", which can overwrite the
* flags on a per-address basis.
......@@ -2600,8 +2597,13 @@ nm_setting_connection_class_init(NMSettingConnectionClass *klass)
*
* Whether to configure MPTCP endpoints and the address flags.
* If MPTCP is enabled in NetworkManager, it will configure the
* addresses of the interface as MPTCP endpoints. The supported
* flags are as follows.
* addresses of the interface as MPTCP endpoints. Note that
* IPv4 loopback addresses (127.0.0.0/8), IPv4 link local
* addresses (169.254.0.0/16), the IPv6 loopback address (::1),
* IPv6 link local addresses (fe80::/10), IPv6 unique
* local addresses (ULA, fc00::/7) and IPv6 privacy extension addresses
* (rfc3041, ipv6.ip6-privacy) will be excluded from being
* configured as endpoints.
*
* If "disabled" (0x1), MPTCP handling for the interface is disabled and
* no endpoints are registered.
......@@ -2618,26 +2620,6 @@ nm_setting_connection_class_init(NMSettingConnectionClass *klass)
* with the specified address flags "signal" (0x10), "subflow" (0x20), "backup" (0x40),
* "fullmesh" (0x80). See ip-mptcp(8) manual for additional information about the flags.
*
* The flag "with-loopback-4" (0x100) indicates that NetworkManager will
* also configure MPTCP endpoints for IPv4 loopback addresses 127.0.0.0/8.
* Likewise, the flag "with-link-local-4" (0x200) includes IPv4 link local
* addresses 169.254.0.0/16.
*
* The "skip-site-local-4" (0x400) flag indicates to exclude rfc1918 private addresses
* (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
*
* The flags "with-loopback-6" (0x1000), "with-link-local-6" (0x2000)
* and "with-site-local-6" (0x4000) apply to the IPv6 loopback address (::1),
* IPv6 link local addresses (fe80::/10) and IPv6 unique local addresses (ULA, fc00::/7),
* respectively. IPv6 privacy addresses (rfc3041, ipv6.ip6-privacy) are excluded
* from MPTCP configuration.
*
* The flag "no-relax-rp-filter" (0x10000) causes NetworkManager to not touch
* IPv4 rp_filter. Strict reverse path filtering (rp_filter) breaks many MPTCP
* use cases, so when MPTCP handling on the interface is enabled, NetworkManager would
* loosen the strict reverse path filtering (1) to the loose setting (2).
* This flag prevents that.
*
* If the flags are zero, the global connection default from NetworkManager.conf is
* honored. If still unspecified, the fallback is either "disabled" or
* "enabled-on-global-iface,subflow" depending on "/proc/sys/net/mptcp/enabled".
......@@ -2646,6 +2628,10 @@ nm_setting_connection_class_init(NMSettingConnectionClass *klass)
* "/proc/sys/net/mptcp/enabled". That is a host configuration which the
* admin can change via sysctl and ip-mptcp.
*
* Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when
* MPTCP handling for IPv4 addresses on the interface is enabled, NetworkManager would
* loosen the strict reverse path filtering (1) to the loose setting (2).
*
* Since: 1.40
**/
/* ---ifcfg-rh---
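Review bot: The new paragraph starting `* Strict reverse path filtering (rp_filter) breaks many MPTCP use cases` still says NetworkManager "would loosen" rp_filter, but with "no-relax-rp-filter" removed the relaxation is unconditional, so the conditional wording under-states a security-relevant side effect of enabling the property. Suggest `* MPTCP handling for IPv4 addresses on the interface is enabled, NetworkManager loosens` followed by `* the strict reverse path filtering (1) to the loose setting (2). There is no per-profile` and `* way to keep strict filtering other than leaving MPTCP handling disabled.`. The same sentence is carried into the generated DESCRIBE_DOC and settings-docs XML strings below, which should be regenerated after the comment is changed. `nm_setting_connection_class_init` starts and ends outside these hunks.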
......
......@@ -1344,14 +1344,6 @@ typedef enum /*< flags >*/ {
* any additional addresses using the MPTCP ADD_ADDR sub-option, this will behave the same
* as a plain subflow endpoint. When the peer does announce addresses, each received ADD_ADDR
* sub-option will trigger creation of an additional subflow to generate a full mesh topology.
* @NM_MPTCP_FLAGS_WITH_LOOPBACK_4: Also configure MPTCP endpoints for IPv4 addresses 127.0.0.0/8 with scope "host".
* @NM_MPTCP_FLAGS_WITH_LOOPBACK_6: Also configure MPTCP endpoints for the IPv6 address ::1 with scope "host".
* @NM_MPTCP_FLAGS_WITH_LINK_LOCAL_4: Also configure MPTCP endpoints for IPv4 addresses 169.254.0.0/16 with scope "link".
* @NM_MPTCP_FLAGS_WITH_LINK_LOCAL_6: Also configure MPTCP endpoints for IPv6 addresses fe80::/10 with scope "link".
* @NM_MPTCP_FLAGS_SKIP_SITE_LOCAL_4: Don't configure MPTCP endpoints for site local IPv4 addresses (RFC1918, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
* @NM_MPTCP_FLAGS_WITH_SITE_LOCAL_6: Also configure MPTCP endpoints for unique local IPv6 addresses (ULA, fc00::/7).
* @NM_MPTCP_FLAGS_NO_RELAX_RP_FILTER: When configure MPTCP on an interface, NetworkManager will
* loosen a strict rp_filter source validation. This flag prevents changing rp_filter.
*
* Since: 1.40
*/
......@@ -1366,15 +1358,6 @@ typedef enum /*< flags >*/ {
NM_MPTCP_FLAGS_SUBFLOW = 0x20,
NM_MPTCP_FLAGS_BACKUP = 0x40,
NM_MPTCP_FLAGS_FULLMESH = 0x80,
NM_MPTCP_FLAGS_WITH_LOOPBACK_4 = 0x0100,
NM_MPTCP_FLAGS_WITH_LINK_LOCAL_4 = 0x0200,
NM_MPTCP_FLAGS_SKIP_SITE_LOCAL_4 = 0x0400,
NM_MPTCP_FLAGS_WITH_LOOPBACK_6 = 0x1000,
NM_MPTCP_FLAGS_WITH_LINK_LOCAL_6 = 0x2000,
NM_MPTCP_FLAGS_WITH_SITE_LOCAL_6 = 0x4000,
NM_MPTCP_FLAGS_NO_RELAX_RP_FILTER = 0x10000,
} NMMptcpFlags;
#endif /* __NM_DBUS_INTERFACE_H__ */
......@@ -14,7 +14,7 @@
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MASTER N_("Interface name of the master device or UUID of the master connection.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MDNS N_("Whether mDNS is enabled for the connection. The permitted values are: \"yes\" (2) register hostname and resolving for the connection, \"no\" (0) disable mDNS for the interface, \"resolve\" (1) do not register hostname but allow resolving of mDNS host names and \"default\" (-1) to allow lookup of a global default in NetworkManager.conf. If unspecified, \"default\" ultimately depends on the DNS plugin (which for systemd-resolved currently means \"no\"). This feature requires a plugin which supports mDNS. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_METERED N_("Whether the connection is metered. When updating this property on a currently activated connection, the change takes effect immediately.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MPTCP_FLAGS N_("Whether to configure MPTCP endpoints and the address flags. If MPTCP is enabled in NetworkManager, it will configure the addresses of the interface as MPTCP endpoints. The supported flags are as follows. If \"disabled\" (0x1), MPTCP handling for the interface is disabled and no endpoints are registered. The flag \"enabled-on-global-iface\" (0x2) means that MPTCP handling is enabled if the interface configures a default route in the main routing table. This choice is per-address family, for example if there is an IPv4 default route 0.0.0.0/0, IPv4 endpoints are configured. The \"enabled\" (0x4) flag means that MPTCP handling is explicitly enabled. This flag can also be implied from the presence of other flags. If MPTCP handling is enabled, then endpoints will be configured with the specified address flags \"signal\" (0x10), \"subflow\" (0x20), \"backup\" (0x40), \"fullmesh\" (0x80). See ip-mptcp(8) manual for additional information about the flags. The flag \"with-loopback-4\" (0x100) indicates that NetworkManager will also configure MPTCP endpoints for IPv4 loopback addresses 127.0.0.0/8. Likewise, the flag \"with-link-local-4\" (0x200) includes IPv4 link local addresses 169.254.0.0/16. The \"skip-site-local-4\" (0x400) flag indicates to exclude rfc1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The flags \"with-loopback-6\" (0x1000), \"with-link-local-6\" (0x2000) and \"with-site-local-6\" (0x4000) apply to the IPv6 loopback address (::1), IPv6 link local addresses (fe80::/10) and IPv6 unique local addresses (ULA, fc00::/7), respectively. IPv6 privacy addresses (rfc3041, ipv6.ip6-privacy) are excluded from MPTCP configuration. The flag \"no-relax-rp-filter\" (0x10000) causes NetworkManager to not touch IPv4 rp_filter. 
Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when MPTCP handling on the interface is enabled, NetworkManager would loosen the strict reverse path filtering (1) to the loose setting (2). This flag prevents that. If the flags are zero, the global connection default from NetworkManager.conf is honored. If still unspecified, the fallback is either \"disabled\" or \"enabled-on-global-iface,subflow\" depending on \"/proc/sys/net/mptcp/enabled\". NetworkManager does not change the MPTCP limits nor enable MPTCP via \"/proc/sys/net/mptcp/enabled\". That is a host configuration which the admin can change via sysctl and ip-mptcp.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MPTCP_FLAGS N_("Whether to configure MPTCP endpoints and the address flags. If MPTCP is enabled in NetworkManager, it will configure the addresses of the interface as MPTCP endpoints. Note that IPv4 loopback addresses (127.0.0.0/8), IPv4 link local addresses (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7) and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy) will be excluded from being configured as endpoints. If \"disabled\" (0x1), MPTCP handling for the interface is disabled and no endpoints are registered. The flag \"enabled-on-global-iface\" (0x2) means that MPTCP handling is enabled if the interface configures a default route in the main routing table. This choice is per-address family, for example if there is an IPv4 default route 0.0.0.0/0, IPv4 endpoints are configured. The \"enabled\" (0x4) flag means that MPTCP handling is explicitly enabled. This flag can also be implied from the presence of other flags. If MPTCP handling is enabled, then endpoints will be configured with the specified address flags \"signal\" (0x10), \"subflow\" (0x20), \"backup\" (0x40), \"fullmesh\" (0x80). See ip-mptcp(8) manual for additional information about the flags. If the flags are zero, the global connection default from NetworkManager.conf is honored. If still unspecified, the fallback is either \"disabled\" or \"enabled-on-global-iface,subflow\" depending on \"/proc/sys/net/mptcp/enabled\". NetworkManager does not change the MPTCP limits nor enable MPTCP via \"/proc/sys/net/mptcp/enabled\". That is a host configuration which the admin can change via sysctl and ip-mptcp. Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when MPTCP handling for IPv4 addresses on the interface is enabled, NetworkManager would loosen the strict reverse path filtering (1) to the loose setting (2).")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MUD_URL N_("If configured, set to a Manufacturer Usage Description (MUD) URL that points to manufacturer-recommended network policies for IoT devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value must be a valid URL starting with \"https://\". The special value \"none\" is allowed to indicate that no MUD URL is used. If the per-profile value is unspecified (the default), a global connection default gets consulted. If still unspecified, the ultimate default is \"none\".")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MULTI_CONNECT N_("Specifies whether the profile can be active multiple times at a particular moment. The value is of type NMConnectionMultiConnect.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_PERMISSIONS N_("An array of strings defining what access a given user has to this connection. If this is NULL or empty, all users are allowed to access this connection; otherwise users are allowed if and only if they are in this list. When this is not empty, the connection can be active only when one of the specified users is logged into an active session. Each entry is of the form \"[type]:[id]:[reserved]\"; for example, \"user:dcbw:blah\". At this time only the \"user\" [type] is allowed. Any other values are ignored and reserved for future use. [id] is the username that this permission refers to, which may not contain the \":\" character. Any [reserved] information present must be ignored and is reserved for future use. All of [type], [id], and [reserved] must be valid UTF-8.")
......
......@@ -420,7 +420,7 @@
<property name="dns-over-tls"
description="Whether DNSOverTls (dns-over-tls) is enabled for the connection. DNSOverTls is a technology which uses TLS to encrypt dns traffic. The permitted values are: &quot;yes&quot; (2) use DNSOverTls and disabled fallback, &quot;opportunistic&quot; (1) use DNSOverTls but allow fallback to unencrypted resolution, &quot;no&quot; (0) don&apos;t ever use DNSOverTls. If unspecified &quot;default&quot; depends on the plugin used. Systemd-resolved uses global setting. This feature requires a plugin which supports DNSOverTls. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved." />
<property name="mptcp-flags"
description="Whether to configure MPTCP endpoints and the address flags. If MPTCP is enabled in NetworkManager, it will configure the addresses of the interface as MPTCP endpoints. The supported flags are as follows. If &quot;disabled&quot; (0x1), MPTCP handling for the interface is disabled and no endpoints are registered. The flag &quot;enabled-on-global-iface&quot; (0x2) means that MPTCP handling is enabled if the interface configures a default route in the main routing table. This choice is per-address family, for example if there is an IPv4 default route 0.0.0.0/0, IPv4 endpoints are configured. The &quot;enabled&quot; (0x4) flag means that MPTCP handling is explicitly enabled. This flag can also be implied from the presence of other flags. If MPTCP handling is enabled, then endpoints will be configured with the specified address flags &quot;signal&quot; (0x10), &quot;subflow&quot; (0x20), &quot;backup&quot; (0x40), &quot;fullmesh&quot; (0x80). See ip-mptcp(8) manual for additional information about the flags. The flag &quot;with-loopback-4&quot; (0x100) indicates that NetworkManager will also configure MPTCP endpoints for IPv4 loopback addresses 127.0.0.0/8. Likewise, the flag &quot;with-link-local-4&quot; (0x200) includes IPv4 link local addresses 169.254.0.0/16. The &quot;skip-site-local-4&quot; (0x400) flag indicates to exclude rfc1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The flags &quot;with-loopback-6&quot; (0x1000), &quot;with-link-local-6&quot; (0x2000) and &quot;with-site-local-6&quot; (0x4000) apply to the IPv6 loopback address (::1), IPv6 link local addresses (fe80::/10) and IPv6 unique local addresses (ULA, fc00::/7), respectively. IPv6 privacy addresses (rfc3041, ipv6.ip6-privacy) are excluded from MPTCP configuration. The flag &quot;no-relax-rp-filter&quot; (0x10000) causes NetworkManager to not touch IPv4 rp_filter. 
Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when MPTCP handling on the interface is enabled, NetworkManager would loosen the strict reverse path filtering (1) to the loose setting (2). This flag prevents that. If the flags are zero, the global connection default from NetworkManager.conf is honored. If still unspecified, the fallback is either &quot;disabled&quot; or &quot;enabled-on-global-iface,subflow&quot; depending on &quot;/proc/sys/net/mptcp/enabled&quot;. NetworkManager does not change the MPTCP limits nor enable MPTCP via &quot;/proc/sys/net/mptcp/enabled&quot;. That is a host configuration which the admin can change via sysctl and ip-mptcp." />
description="Whether to configure MPTCP endpoints and the address flags. If MPTCP is enabled in NetworkManager, it will configure the addresses of the interface as MPTCP endpoints. Note that IPv4 loopback addresses (127.0.0.0/8), IPv4 link local addresses (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7) and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy) will be excluded from being configured as endpoints. If &quot;disabled&quot; (0x1), MPTCP handling for the interface is disabled and no endpoints are registered. The flag &quot;enabled-on-global-iface&quot; (0x2) means that MPTCP handling is enabled if the interface configures a default route in the main routing table. This choice is per-address family, for example if there is an IPv4 default route 0.0.0.0/0, IPv4 endpoints are configured. The &quot;enabled&quot; (0x4) flag means that MPTCP handling is explicitly enabled. This flag can also be implied from the presence of other flags. If MPTCP handling is enabled, then endpoints will be configured with the specified address flags &quot;signal&quot; (0x10), &quot;subflow&quot; (0x20), &quot;backup&quot; (0x40), &quot;fullmesh&quot; (0x80). See ip-mptcp(8) manual for additional information about the flags. If the flags are zero, the global connection default from NetworkManager.conf is honored. If still unspecified, the fallback is either &quot;disabled&quot; or &quot;enabled-on-global-iface,subflow&quot; depending on &quot;/proc/sys/net/mptcp/enabled&quot;. NetworkManager does not change the MPTCP limits nor enable MPTCP via &quot;/proc/sys/net/mptcp/enabled&quot;. That is a host configuration which the admin can change via sysctl and ip-mptcp. 
Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when MPTCP handling for IPv4 addresses on the interface is enabled, NetworkManager would loosen the strict reverse path filtering (1) to the loose setting (2)." />
<property name="mud-url"
description="If configured, set to a Manufacturer Usage Description (MUD) URL that points to manufacturer-recommended network policies for IoT devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value must be a valid URL starting with &quot;https://&quot;. The special value &quot;none&quot; is allowed to indicate that no MUD URL is used. If the per-profile value is unspecified (the default), a global connection default gets consulted. If still unspecified, the ultimate default is &quot;none&quot;." />
<property name="wait-device-timeout"
......