Commit aacb3c4f authored by Thomas Haller's avatar Thomas Haller

connectivity: merge branch 'th/connectivity-rp-filter'

parents bba33ba2 983b4300
# Enable connectivity checking for NetworkManager.
# See `man NetworkManager.conf`.
#
# Note that connectivity checking works badly with rp_filter set to
# strict. Check "/proc/sys/net/ipv4/conf/*/rp_filter".
[connectivity]
uri=http://fedoraproject.org/static/hotspot.txt
response=OK
......
# Enable connectivity checking for NetworkManager.
# See `man NetworkManager.conf`.
#
# Note that connectivity checking works badly with rp_filter set to
# strict. Check "/proc/sys/net/ipv4/conf/*/rp_filter".
[connectivity]
uri=http://static.redhat.com/test/rhel-networkmanager.txt
response=OK
......
......@@ -1056,10 +1056,12 @@ managed=1
<refsect1>
<title><literal>connectivity</literal> section</title>
<para>This section controls NetworkManager's optional connectivity
checking functionality. This allows NetworkManager to detect
whether or not the system can actually access the internet or
whether it is behind a captive portal.</para>
<para>Connectivity checking serves two purposes. For one, it exposes
a connectivity state on D-Bus, which other applications may use. For example,
Gnome's portal helper uses this as signal to show a captive portal login
......@@ -1070,6 +1072,12 @@ managed=1
when being connected to WWAN and to a Wi-Fi network which is behind a captive
portal, WWAN still gets preferred until login.</para>
<para>Note that your distribution might set <literal>/proc/sys/net/ipv4/conf/*/rp_filter</literal> to
strict filtering. That works badly with per-device connectivity checking,
which uses SO_BINDDEVICE to send requests on all devices. A strict rp_filter
setting will reject any response and the connectivity check on all but the
best route will fail.</para>
<para>
<variablelist>
<varlistentry>
......
......@@ -397,6 +397,8 @@ typedef struct _NMDevicePrivate {
bool ndisc_started:1;
bool device_link_changed_down:1;
bool concheck_rp_filter_checked:1;
/* Generic DHCP stuff */
char * dhcp_anycast_address;
......@@ -3042,6 +3044,7 @@ concheck_start (NMDevice *self,
static guint64 seq_counter = 0;
NMDevicePrivate *priv;
NMDeviceConnectivityHandle *handle;
const char *ifname;
g_return_val_if_fail (NM_IS_DEVICE (self), NULL);
......@@ -3064,6 +3067,39 @@ concheck_start (NMDevice *self,
(long long unsigned) handle->seq,
is_periodic ? ", periodic-check" : "");
if ( addr_family == AF_INET
&& !priv->concheck_rp_filter_checked) {
if ((ifname = nm_device_get_ip_iface_from_platform (self))) {
int val, val_all;
val = nm_platform_sysctl_ip_conf_get_int_checked (nm_device_get_platform (self),
AF_INET,
ifname,
"rp_filter",
10, 0, 2, 3);
if (val < 2) {
val_all = nm_platform_sysctl_ip_conf_get_int_checked (nm_device_get_platform (self),
AF_INET,
"all",
"rp_filter",
10, 0, 2, val);
if (val_all > val) {
val = val_all;
ifname = "all";
}
}
if (val == 1) {
_LOGW (LOGD_CONCHECK, "connectivity: \"/proc/sys/net/ipv4/conf/%s/rp_filter\" is set to \"1\". "
"This might break connectivity checking for IPv4 on this device", ifname);
}
}
/* we only check once per device. It's a warning after all. */
priv->concheck_rp_filter_checked = TRUE;
}
handle->c_handle = nm_connectivity_check_start (concheck_get_mgr (self),
handle->addr_family,
nm_device_get_ip_ifindex (self),
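Review bot: In the last hunk of concheck_start, `priv->concheck_rp_filter_checked = TRUE;` is set even when `nm_device_get_ip_iface_from_platform (self)` returns NULL, so a device whose first IPv4 check runs before its IP interface is known never gets the rp_filter warning; moving the assignment inside the `if ((ifname = ...))` branch would keep the once-per-device behaviour without losing the check. The bare arguments `10, 0, 2, 3` and `10, 0, 2, val` deserve a comment such as `/* base 10, accepted range 0..2; fallback 3 means "unknown" and suppresses the warning */`, assuming that is the helper's parameter order, which is not visible here. Since strict rp_filter is usually set deliberately as anti-spoofing hardening, the warning text could also say that loose mode (`2`) is sufficient for per-device checks, so the message does not read as advice to switch reverse-path filtering off. concheck_start starts and ends outside the hunk, and whether the flag is reset elsewhere cannot be seen from here.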
......