1. 17 Sep, 2018 1 commit
  2. 15 Sep, 2018 1 commit
  3. 06 Sep, 2018 1 commit
  4. 04 Sep, 2018 3 commits
    • ifcfg-rh: don't use 802-1x certificate setter functions · e3ac45c0
      Thomas Haller authored
      The certificate setter functions like nm_setting_802_1x_set_ca_cert()
      actually load the file from disk, and validate whether it is a valid
      certificate. That is very wrong to do.
      For one, the certificates are external files, which are not embedded
      into the NMConnection. That means, strongly validating the files while
      loading the ifcfg files, is wrong because:
       - if validation fails, loading the file fails in its entirety with
         a warning in the log. That is not helpful to the user, who now
         can no longer use nmcli to fix the path of the certificate (because
         the profile failed to load in the first place).
       - even if the certificate is valid at load-time, there is no guarantee
         that it is valid later on, when we actually try to use the file. What
         good does such a validation do? nm_setting_802_1x_set_ca_cert() might
         make sense during nmcli_connection_modify(). At the moment when we
         create or update the profile, we do want to validate the input and
         be helpful to the user. Validating the file later on, when reloading
         the profile from disk seems undesirable.
       - note how keyfile also does not perform such validations (for good
         reasons, I presume).
      Also, there is so much wrong with how ifcfg reader handles EAP files.
      There is a lot of duplication, and trying to be too smart. I find it
      wrong how the "eap_readers" are nested. E.g. both eap_peap_reader() and
      "tls" method call to eap_tls_reader(), making it look like that
      NMSetting8021x can handle multiple EAP profiles separately. But it cannot. The
      802-1x profile is a flat set of properties like ca-cert and others. All
      EAP methods share these properties, so having this complex parsing
      is not only complicated, but also wrong. The reader should simply parse
      the shell variables, and let NMSetting8021x::verify() handle validation
      of the settings. Anyway, the patch does not address that.
      Also, the setting of the likes of NM_SETTING_802_1X_CLIENT_CERT_PASSWORD was
      awkwardly only done when
           privkey_format != NM_SETTING_802_1X_CK_FORMAT_PKCS12
        && scheme == NM_SETTING_802_1X_CK_SCHEME_PKCS11
      It is too smart. Just read it from file, if it contains invalid data, let
      verify() reject it. That is only partly addressed.
      Also note, how writer never actually writes the likes of
      IEEE_8021X_CLIENT_CERT_PASSWORD. That is another bug and not fixed
    • ifcfg-rh: rework parsing secrets · 6b763af1
      Thomas Haller authored
      - rename secret related functions to have a "_secret" prefix.
        Also, rename read_8021x_password() because it's not only useful
        for 802-1x.
      - In particular, this patch adds _secret_read_ifcfg() helper (formerly
        read_8021x_password()), which is smart enough to obtain secrets from
        the keys ifcfg file. We have other places where we don't get this
      - on a minor note, the patch also makes an effort to clear passwords
        and certificate data from memory. Yes, there are countless places
        where we don't do that, but in this case, it's done and is as simple
        as replacing gs_free with nm_auto_free_secret, etc.
    • ifcfg-rh/trivial: rename variable for ifcfg keys file · 4b6aa207
      Thomas Haller authored
      The term "keys" is used ambiguously. Rename occurrences which reference
      the "keys" ifcfg-rh file.
      While at it, rename the file "parsed" to "main_ifcfg". It follows the
      same pattern as the "keys_ifcfg" name.
  5. 22 Aug, 2018 1 commit
    • wifi: don't use GBytesArray for NMWifiAP's ssid · 5cd4e6f3
      Thomas Haller authored
      GBytes makes more sense, because it's immutable.
      Also, since at other places we use GBytes, having
      different types is cumbersome and requires needless
      - avoid nm_utils_escape_ssid() instead of _nm_utils_ssid_to_string().
        We use nm_utils_escape_ssid() when we want to log the SSID. However, it
        does not escape newlines, which is bad.
      - also no longer use nm_utils_same_ssid(). Since it no longer
        treated trailing NUL special, it is not different from
      - also, don't use nm_utils_ssid_to_utf8() for logging anymore.
        For logging, _nm_utils_ssid_escape_utf8safe() is better because
        it is loss-less escaping which can be unambiguously reverted.
  6. 11 Aug, 2018 2 commits
  7. 10 Aug, 2018 2 commits
    • libnm, cli, ifcfg-rh: add NMSettingEthtool setting · df30651b
      Thomas Haller authored
      Note that in NetworkManager API (D-Bus, libnm, and nmcli),
      the features are called "feature-xyz". The "feature-" prefix
      is used, because NMSettingEthtool possibly will gain support
      for options that are not only -K|--offload|--features, for
      example -C|--coalesce.
      The "xyz" suffix is either how ethtool utility calls the feature
      ("tso", "rx"). Or, if ethtool utility specifies no alias for that
      feature, it's the name from kernel's ETH_SS_FEATURES ("tx-tcp6-segmentation").
      If possible, we prefer ethtool utility's naming.
      Also note, how the features "feature-sg", "feature-tso", and
      "feature-tx" actually refer to multiple underlying kernel features
      at once. This too follows what ethtool utility does.
      The functionality is not yet implemented server-side.
    • ifcfg-rh: refactor parsing in parse_ethtool_option() to not call helper functions · bcbea6fe
      Thomas Haller authored
      Parsing can be complicated enough. It's simpler to just work
      top-to-bottom, without calling various helper functions. This way,
      you can see all the code in one place, without need to jump to
      the helper function to see what it is doing.
      In general, a static function that is only called once, does sometimes
      not simplify but obfuscate the code.
  8. 08 Aug, 2018 1 commit
    • all: add connection.multi-connect property for wildcard profiles · 55ae6923
      Thomas Haller authored
      Add a new option that allows to activate a profile multiple times
      (at the same time). Previously, all profiles were implicitly
      NM_SETTING_CONNECTION_MULTI_CONNECT_SINGLE, meaning, that activating
      a profile that is already active will deactivate it first.
      This will make more sense, as we also add more match-options how
      profiles can be restricted to particular devices. We already have
      connection.type, connection.interface-name, and (ethernet|wifi).mac-address
      to restrict a profile to particular devices. For example, it is however
      not possible to specify a wildcard like "eth*" to match a profile to
      a set of devices by interface-name. That is another missing feature,
      and once we extend the matching capabilities, it makes more sense to
      activate a profile multiple times.
      See also https://bugzilla.redhat.com/show_bug.cgi?id=997998, which
      previously changed that a connection is restricted to a single activation
      at a time. This work relaxes that again.
      This only adds the new property, it is not used nor implemented yet.
  9. 11 Jul, 2018 3 commits
    • ifcfg-rh: SR-IOV support · c02d1c48
      Beniamino Galvani authored
    • ifcfg-rh: add @match_key_type argument to svGetKeys() · 347e0d8b
      Beniamino Galvani authored
      Add a @match_key_type to svGetKeys() to filter the keys to be returned.
    • all: don't use gchar/gshort/gint/glong but C types · e1c7a2b5
      Thomas Haller authored
      We commonly don't use the glib typedefs for char/short/int/long,
      but their C types directly.
          $ git grep '\<g\(char\|short\|int\|long\|float\|double\)\>' | wc -l
          $ git grep '\<\(char\|short\|int\|long\|float\|double\)\>' | wc -l
      One could argue that using the glib typedefs is preferable in
      public API (of our glib based libnm library) or where it clearly
      is related to glib, like during
        g_object_set (obj, PROPERTY, (gint) value, NULL);
      However, that argument does not seem strong, because in practice we don't
      follow that argument today, and seldom use the glib typedefs.
      Also, the style guide for this would be hard to formalize, because
      "using them where clearly related to a glib" is a very loose suggestion.
      Also note that glib typedefs will always just be typedefs of the
      underlying C types. There is no danger of glib changing the meaning
      of these typedefs (because that would be a major API break of glib).
      A simple style guide is instead: don't use these typedefs.
      No manual actions, I only ran the bash script:
        FILES=($(git ls-files '*.[hc]'))
        sed -i \
            -e 's/\<g\(char\|short\|int\|long\|float\|double\)\>\( [^ ]\)/\1\2/g' \
            -e 's/\<g\(char\|short\|int\|long\|float\|double\)\>  /\1   /g' \
            -e 's/\<g\(char\|short\|int\|long\|float\|double\)\>/\1/g' \
  10. 15 Jun, 2018 1 commit
  11. 09 Jun, 2018 3 commits
  12. 10 May, 2018 2 commits
    • all: use the elvis operator wherever possible · e69d3869
      Lubomir Rintel authored
        expression a, b;
        -a ? a : b
        +a ?: b
      Applied with:
        spatch --sp-file ternary.cocci --in-place --smpl-spacing --dir .
      With some manual adjustments on spots that Cocci didn't catch for
      reasons unknown.
      Thanks to the marvelous effort of the GNU compiler developer we can now
      spare a couple of bits that could be used for more important things,
      like this commit message. Standards committees yet have to catch up.
    • all: add and utilize nm_utils_is_separator() · f0c1efbf
      Lubomir Rintel authored
      It is meant to be rather similar in nature to isblank() or
      Sadly, isblank() is locale dependent while g_ascii_isspace() also considers
      vertical whitespace as a space. That's no good for configuration files that
      are structured into lines, which happens to be a pretty common case.
  13. 30 Apr, 2018 1 commit
  14. 21 Apr, 2018 1 commit
  15. 18 Apr, 2018 1 commit
  16. 05 Apr, 2018 2 commits
    • ifcfg-rh: suppress warning about NM_CONTROLLED=no without restricting profile to device · 3f969d3b
      Thomas Haller authored
      NM_CONTROLLED=no has the primary use of marking devices as unmanaged.
      For that to work, the ifcfg file must contain either a MAC address,
      an interface-name, or s390-subchannels that match a device.
      In case the profile doesn't contain such specifiers, the profile
      is ignored and a warning was logged:
          <warn>  [1522849679.7866] ifcfg-rh: loading "/etc/sysconfig/network-scripts/ifcfg-ens99" fails: NM_CONTROLLED was false but device was not uniquely identified; device will be managed
      Downgrade this warning to a debug message. It's not unreasonable
      that a user marks a ifcfg file with NM_CONTROLLED=no, to avoid
      NetworkManager handling it. Yes, that way, the user did not explicitly
      mark a device as unmanaged. But NetworkManager will ignore the profile,
      as the user might reasonably desire. No need to warn about that.
    • ifcfg-rh: minor cleanup setting out_ignore_error in connection_from_file_full() · 95d24929
      Thomas Haller authored
      - ensure that out_ignore_error is always initialized. Though,
        in practice all callers already made sure of that.
      - use NM_SET_OUT() macro.
  17. 28 Feb, 2018 2 commits
  18. 23 Jan, 2018 1 commit
  19. 18 Jan, 2018 1 commit
  20. 16 Jan, 2018 1 commit
    • wifi: add support for FILS · b4bbe517
      Masashi Honma authored
      The FILS (Fast Initial Link Setup) is a specification defined by IEEE 802.11ai to
      speed up roaming. This patch adds support of it.
      I have tested with these cases.
      | STA |            AP           |                |
      |FILS |         key-mgmt        |     result     |
      |  1  | WPA-EAP                 |       O        |
      |  1  | WPA-EAP-SHA256          |       O        |
      |  1  | FILS-SHA256             |       X        |
      |  1  | FILS-SHA384             |       X        |
      |  1  | WPA-EAP WPA-EAP-SHA256  |       O        |
      |     | FILS-SHA256 FILS-SHA384 | WPA-EAP-SHA256 |
      |  2  | WPA-EAP                 |       O        |
      |  2  | WPA-EAP-SHA256          |       O        |
      |  2  | FILS-SHA256             |       O        |
      |  2  | FILS-SHA384             |       O        |
      |  2  | WPA-EAP WPA-EAP-SHA256  |       O        |
      |     | FILS-SHA256 FILS-SHA384 | FILS-SHA384    |
      |  3  | WPA-EAP                 |       X        |
      |  3  | WPA-EAP-SHA256          |       X        |
      |  3  | FILS-SHA256             |       O        |
      |  3  | FILS-SHA384             |       O        |
      |  3  | WPA-EAP WPA-EAP-SHA256  |       O        |
      |     | FILS-SHA256 FILS-SHA384 | FILS-SHA384    |
      Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
  21. 09 Jan, 2018 2 commits
    • libnm: rename MDns flag UNKNOWN to DEFAULT · 9d92848a
      Thomas Haller authored
      "UNKNOWN" is not a good name. If you don't set the property
      in the connection explicitly, it should be "DEFAULT".
      Also, make "DEFAULT" -1. For one, that ensures that the enum's
      underlying integer type is signed. Otherwise, it's cumbersome
      to test "if (mdns >= DEFAULT)" because in case of unsigned types,
      the compiler will warn about the check always being true.
      Also, it allows for "NO" to be zero. These are no strong reasons,
      but I tend to think this is better.
      Also, don't make the property of NMSettingConnection a CONSTRUCT property.
      Initialize the default manually in the init function.
      Also, order the numeric values so that DEFAULT < NO < RESOLVE < YES with
      YES being largest because it enables *the most*.
    • mdns: add new connection property. · 2e2ff6f2
      Ismo Puustinen authored
      Add support for mDNS as a connection-level property. Update ifcfg-rh and
      keyfile plugins to support it.
  22. 18 Dec, 2017 1 commit
  23. 11 Dec, 2017 2 commits
  24. 07 Dec, 2017 1 commit
  25. 04 Dec, 2017 3 commits