delta/NetworkManager.git/src/devices/nm-device-wireguard.c, branch th/fix-python-test gitlab.freedesktop.org: NetworkManager/NetworkManager.git all: SPDX header conversion 2019-09-10T09:19:56+00:00 Lubomir Rintel lkundrak@v3.sk 2019-09-10T09:19:01+00:00 24028a22467275671df71cc6a8054036b37d8f03 $ find * -type f |xargs perl contrib/scripts/spdx.pl $ git rm contrib/scripts/spdx.pl 
  $ find * -type f |xargs perl contrib/scripts/spdx.pl
  $ git rm contrib/scripts/spdx.pl
device: let devices call stage1 again after being ready to proceed 2019-08-28T14:27:00+00:00 Thomas Haller thaller@redhat.com 2019-08-22T08:43:22+00:00 29562a9751d97eb56bb5b56f3d36a96345559a5f I am about to change the when stage1 gets postponed, then the way to proceed it is to schedule stage1 again (instead of scheduling stage2). The reason is that stage1 handling should be reentrant and we should keep entering it until there is no more reason to postpone it. If a subclass postpones stage1 and then later progresses it by directly scheduling stage2, then only the subclass is in control over postponing stage 2. Instead, anybody should be able to delay stage2 independently. That can only work if everybody signals readyness to proceed by scheduling stage1 again. 
I am about to change the when stage1 gets postponed, then the way to
proceed it is to schedule stage1 again (instead of scheduling stage2).

The reason is that stage1 handling should be reentrant and we should
keep entering it until there is no more reason to postpone it. If
a subclass postpones stage1 and then later progresses it by directly
scheduling stage2, then only the subclass is in control over postponing
stage 2.

Instead, anybody should be able to delay stage2 independently. That can
only work if everybody signals readyness to proceed by scheduling stage1
again.
device/wireguard: drop act_stage1_prepare() implementation 2019-08-28T14:27:00+00:00 Thomas Haller thaller@redhat.com 2019-08-22T05:41:09+00:00 cc4d69c1c3629ba3322cae7d4f03cc136d063c8a act_stage1_prepare() should become re-entrant. That means, we should not clear the state there. Instead, we clear it where necessary or on deactivate (which we do already). 
act_stage1_prepare() should become re-entrant. That means, we should not clear the state
there. Instead, we clear it where necessary or on deactivate (which we do already).
wireguard: fix use-after free in _peers_remove() 2019-08-03T10:28:33+00:00 Thomas Haller thaller@redhat.com 2019-08-03T10:27:57+00:00 a3f9ab473b17d2b41f36dfed56e7fb93aafb9e9b (cherry picked from commit 85c26341a280b1234cf73c6537b0bae55fb3adbf) 
(cherry picked from commit 85c26341a280b1234cf73c6537b0bae55fb3adbf)
device/wireguard: fix explicit_bzero() call on peers buffer in link_config() 2019-08-02T09:10:51+00:00 Thomas Haller thaller@redhat.com 2019-08-02T07:16:34+00:00 e4001e50da5739f66bdf376c98a3414b094e61a7 Correctly warned by coverity. (cherry picked from commit 458a2edbb24061bfd9532594e447da2e23819092) 
Correctly warned by coverity.

(cherry picked from commit 458a2edbb24061bfd9532594e447da2e23819092)
wireguard: use fixed fwmark/rule-priority for auto-default-route 2019-07-31T08:44:38+00:00 Thomas Haller thaller@redhat.com 2019-07-31T08:01:04+00:00 ed22b45450a71278587daca3d4833e4133db6270 With "wireguard.ip4-auto-default-route" and "wireguard.ip6-auto-default-route", NetworkManager automatically adds policy routing rules for the default route. For that, it needs to pick (up to) two numbers: - the fwmark. This is used both for WireGuard's fwmark setting and is also the number of the routing table where the default-route is added. - the rule priority. NetworkManager adds two policy routing rules, and we need to place them somewhere before the default rules (at 32766). Previously, we looked at exiting platform configuration and picked numbers that were not yet used. However, during restart of NetworkManager, we leave the interface up and after restart we will take over the previous configuration. At that point, we need to choose the same fwmark/priority, otherwise the configuration changes. But since we picked numbers that were not yet used, we would always choose different numbers. For routing rules that meant that after restart a second pair of rules was added. We possibly could store this data in the device's state-file. But that is complex. Instead, just pick numbers deterministically based on the connection's UUID. If the picked numbers are not suitable, then the user can still work around that: - for fwmark, the user can explicitly configure wireguard.fwmark setting. - for the policy routes, the user can explicitly add the rules with the desired priorirites (arguably, currently the default-route cannot be added like a regular route, so the table cannot be set. Possibly the user would have to add two /1 routes instead with suppress_prefixlength=1). (cherry picked from commit cfb497e49936d36867ae3175537c7d4f77259655) 
With "wireguard.ip4-auto-default-route" and "wireguard.ip6-auto-default-route",
NetworkManager automatically adds policy routing rules for the default
route.

For that, it needs to pick (up to) two numbers:

- the fwmark. This is used both for WireGuard's fwmark setting and
  is also the number of the routing table where the default-route is
  added.

- the rule priority. NetworkManager adds two policy routing rules, and
  we need to place them somewhere before the default rules (at 32766).

Previously, we looked at exiting platform configuration and picked
numbers that were not yet used. However, during restart of
NetworkManager, we leave the interface up and after restart we will
take over the previous configuration. At that point, we need to choose
the same fwmark/priority, otherwise the configuration changes.

But since we picked numbers that were not yet used, we would always choose
different numbers. For routing rules that meant that after restart a second
pair of rules was added.

We possibly could store this data in the device's state-file. But that
is complex. Instead, just pick numbers deterministically based on the
connection's UUID.

If the picked numbers are not suitable, then the user can still work
around that:

- for fwmark, the user can explicitly configure wireguard.fwmark
  setting.

- for the policy routes, the user can explicitly add the rules with
  the desired priorirites (arguably, currently the default-route cannot
  be added like a regular route, so the table cannot be set. Possibly
  the user would have to add two /1 routes instead with
  suppress_prefixlength=1).

(cherry picked from commit cfb497e49936d36867ae3175537c7d4f77259655)
wireguard: clear cached auto-default-route setting in act_stage1_prepare() 2019-07-31T08:44:38+00:00 Thomas Haller thaller@redhat.com 2019-07-30T16:50:15+00:00 93300c13201cfea0011aa46d5601ebbe4afe201c We call _auto_default_route_init() at various places, for example during coerce_route_table(). We cannot be sure that we don't call it before activation starts (before stage1) or after device-cleanup. That means, upon activation, we need to clear the state first. Do that in act_stage1_prepare(). (cherry picked from commit dc219662fa31b6bc453c177c10e03442483de21e) 
We call _auto_default_route_init() at various places, for example during
coerce_route_table(). We cannot be sure that we don't call it before
activation starts (before stage1) or after device-cleanup.

That means, upon activation, we need to clear the state first. Do that in
act_stage1_prepare().

(cherry picked from commit dc219662fa31b6bc453c177c10e03442483de21e)
wireguard: fix crash in _auto_default_route_init() 2019-07-31T08:44:38+00:00 Thomas Haller thaller@redhat.com 2019-07-30T16:38:48+00:00 327a92ae2b6c18a9cc438f276012279c63a07899 #3 0x00007fb0aa9e7d3d in g_return_if_fail_warning (log_domain=log_domain@entry=0x562295fd5ee3 "libnm", pretty_function=pretty_function@entry=0x562295fd71d0 <__func__.35180> "_connection_get_setting_check", expression=expression@entry=0x562295f8edf7 "NM_IS_CONNECTION (connection)") at ../glib/gmessages.c:2767 #4 0x0000562295df151a in _connection_get_setting_check (connection=0x0, setting_type=0x562297b17050 [NMSettingWireGuard/NMSetting]) at libnm-core/nm-connection.c:207 #5 0x0000562295df151a in _connection_get_setting_check (connection=0x0, setting_type=0x562297b17050 [NMSettingWireGuard/NMSetting]) at libnm-core/nm-connection.c:205 #6 0x0000562295ef132a in _nm_connection_get_setting (type=<optimized out>, connection=0x0) at ./libnm-core/nm-core-internal.h:483 #7 0x0000562295ef132a in _auto_default_route_init (self=self@entry=0x562297bf82b0 [NMDeviceWireGuard]) at src/devices/nm-device-wireguard.c:443 #8 0x0000562295ef1b98 in coerce_route_table (device=0x562297bf82b0 [NMDeviceWireGuard], addr_family=2, route_table=0, is_user_config=<optimized out>) at src/devices/nm-device-wireguard.c:565 #9 0x0000562295ea42ae in _get_route_table (self=self@entry=0x562297bf82b0 [NMDeviceWireGuard], addr_family=addr_family@entry=2) at src/devices/nm-device.c:2311 #10 0x0000562295ea4593 in nm_device_get_route_table (self=0x562297bf82b0 [NMDeviceWireGuard], addr_family=2) at src/devices/nm-device.c:2338 #11 0x0000562295eabde0 in ip_config_merge_and_apply (self=0x562297bf82b0 [NMDeviceWireGuard], addr_family=2, commit=1) at src/devices/nm-device.c:7590 #12 0x0000562295ed2f0b in device_link_changed (self=self@entry=0x562297bf82b0 [NMDeviceWireGuard]) at src/devices/nm-device.c:3939 #13 0x00007fb0aa9dc7db in g_idle_dispatch (source=source@entry=0x562297bf0b30, callback=0x562295ed2880 <device_link_changed>, user_data=0x562297bf82b0) at ../glib/gmain.c:5627 #14 0x00007fb0aa9dfedd in g_main_dispatch (context=0x562297a28090) at ../glib/gmain.c:3189 #15 0x00007fb0aa9dfedd in g_main_context_dispatch (context=context@entry=0x562297a28090) at ../glib/gmain.c:3854 #16 0x00007fb0aa9e0270 in g_main_context_iterate (context=0x562297a28090, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3927 #17 0x00007fb0aa9e05a3 in g_main_loop_run (loop=0x562297a0b380) at ../glib/gmain.c:4123 #18 0x0000562295d0b147 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:465 https://bugzilla.redhat.com/show_bug.cgi?id=1734383 (cherry picked from commit 47fc1a4293437a88adfd247734e32fa1b86ca7a9) 
    #3  0x00007fb0aa9e7d3d in g_return_if_fail_warning
        (log_domain=log_domain@entry=0x562295fd5ee3 "libnm", pretty_function=pretty_function@entry=0x562295fd71d0 <__func__.35180> "_connection_get_setting_check", expression=expression@entry=0x562295f8edf7 "NM_IS_CONNECTION (connection)") at ../glib/gmessages.c:2767
    #4  0x0000562295df151a in _connection_get_setting_check (connection=0x0, setting_type=0x562297b17050 [NMSettingWireGuard/NMSetting]) at libnm-core/nm-connection.c:207
    #5  0x0000562295df151a in _connection_get_setting_check (connection=0x0, setting_type=0x562297b17050 [NMSettingWireGuard/NMSetting]) at libnm-core/nm-connection.c:205
    #6  0x0000562295ef132a in _nm_connection_get_setting (type=<optimized out>, connection=0x0) at ./libnm-core/nm-core-internal.h:483
    #7  0x0000562295ef132a in _auto_default_route_init (self=self@entry=0x562297bf82b0 [NMDeviceWireGuard]) at src/devices/nm-device-wireguard.c:443
    #8  0x0000562295ef1b98 in coerce_route_table (device=0x562297bf82b0 [NMDeviceWireGuard], addr_family=2, route_table=0, is_user_config=<optimized out>)
        at src/devices/nm-device-wireguard.c:565
    #9  0x0000562295ea42ae in _get_route_table (self=self@entry=0x562297bf82b0 [NMDeviceWireGuard], addr_family=addr_family@entry=2) at src/devices/nm-device.c:2311
    #10 0x0000562295ea4593 in nm_device_get_route_table (self=0x562297bf82b0 [NMDeviceWireGuard], addr_family=2) at src/devices/nm-device.c:2338
    #11 0x0000562295eabde0 in ip_config_merge_and_apply (self=0x562297bf82b0 [NMDeviceWireGuard], addr_family=2, commit=1) at src/devices/nm-device.c:7590
    #12 0x0000562295ed2f0b in device_link_changed (self=self@entry=0x562297bf82b0 [NMDeviceWireGuard]) at src/devices/nm-device.c:3939
    #13 0x00007fb0aa9dc7db in g_idle_dispatch (source=source@entry=0x562297bf0b30, callback=0x562295ed2880 <device_link_changed>, user_data=0x562297bf82b0) at ../glib/gmain.c:5627
    #14 0x00007fb0aa9dfedd in g_main_dispatch (context=0x562297a28090) at ../glib/gmain.c:3189
    #15 0x00007fb0aa9dfedd in g_main_context_dispatch (context=context@entry=0x562297a28090) at ../glib/gmain.c:3854
    #16 0x00007fb0aa9e0270 in g_main_context_iterate (context=0x562297a28090, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3927
    #17 0x00007fb0aa9e05a3 in g_main_loop_run (loop=0x562297a0b380) at ../glib/gmain.c:4123
    #18 0x0000562295d0b147 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:465

https://bugzilla.redhat.com/show_bug.cgi?id=1734383
(cherry picked from commit 47fc1a4293437a88adfd247734e32fa1b86ca7a9)
wireguard: support configuring policy routing to avoid routing loops 2019-07-29T18:45:49+00:00 Thomas Haller thaller@redhat.com 2019-04-30T15:48:46+00:00 10e05bf8ab0460cef84cc7315533765384440007 For WireGuard (like for all IP-tunnels and IP-based VPNs), the IP addresses of the peers must be reached outside the tunnel/VPN itself. For VPN connections, NetworkManager usually adds a direct /32 route to the external VPN gateway to the underlying device. For WireGuard that is not done, because injecting a route to another device is ugly and error prone. Worse: WireGuard with automatic roaming and multiple peers makes this more complicated. This is commonly a problem when setting the default-route via the VPN, but there are also other subtle setups where special care must be taken to prevent such routing loops. WireGuard's wg-quick provides a simple, automatic solution by adding two policy routing rules and relying on the WireGuard packets having a fwmark set (see [1]). Let's also do that. Add new properties "wireguard.ip4-auto-default-route" and "wireguard.ip6-auto-default-route" to enable/disable this. Note that the default value lets NetworkManager automatically choose whether to enable it (depending on whether there are any peers that have a default route). This means, common scenarios should now work well without additional configuration. Note that this is also a change in behavior and upon package upgrade NetworkManager may start adding policy routes (if there are peers that have a default-route). This is a change in behavior, as the user already clearly had this setup working and configured some working solution already. The new automatism picks the rule priority automatically and adds the default-route to the routing table that has the same number as the fwmark. If any of this is unsuitable, then the user is free to disable this automatism. Note that since 1.18.0 NetworkManager supports policy routing (*). That means, what this automatism does can be also achieved via explicit configuration of the profile, which gives the user more flexibility to adjust all parameters explicitly). (*) but only since 1.20.0 NetworkManager supports the "suppress_prefixlength" rule attribute, which makes it impossible to configure exactly this rule-based solution with 1.18.0 NetworkManager. [1] https://www.wireguard.com/netns/#improved-rule-based-routing 
For WireGuard (like for all IP-tunnels and IP-based VPNs), the IP addresses of
the peers must be reached outside the tunnel/VPN itself.

For VPN connections, NetworkManager usually adds a direct /32 route to
the external VPN gateway to the underlying device. For WireGuard that is
not done, because injecting a route to another device is ugly and error
prone. Worse: WireGuard with automatic roaming and multiple peers makes this
more complicated.

This is commonly a problem when setting the default-route via the VPN,
but there are also other subtle setups where special care must be taken
to prevent such routing loops.

WireGuard's wg-quick provides a simple, automatic solution by adding two policy
routing rules and relying on the WireGuard packets having a fwmark set (see [1]).

Let's also do that. Add new properties "wireguard.ip4-auto-default-route"
and "wireguard.ip6-auto-default-route" to enable/disable this. Note that
the default value lets NetworkManager automatically choose whether to
enable it (depending on whether there are any peers that have a default
route). This means, common scenarios should now work well without additional
configuration.

Note that this is also a change in behavior and upon package upgrade
NetworkManager may start adding policy routes (if there are peers that
have a default-route). This is a change in behavior, as the user already
clearly had this setup working and configured some working solution
already.

The new automatism picks the rule priority automatically and adds the
default-route to the routing table that has the same number as the fwmark.
If any of this is unsuitable, then the user is free to disable this
automatism. Note that since 1.18.0 NetworkManager supports policy routing (*).
That means, what this automatism does can be also achieved via explicit
configuration of the profile, which gives the user more flexibility to
adjust all parameters explicitly).

(*) but only since 1.20.0 NetworkManager supports the "suppress_prefixlength"
rule attribute, which makes it impossible to configure exactly this rule-based
solution with 1.18.0 NetworkManager.

[1] https://www.wireguard.com/netns/#improved-rule-based-routing
wireguard: refactor cleanup of NMDeviceWireGuard on disconnect/dispose 2019-07-29T16:39:49+00:00 Thomas Haller thaller@redhat.com 2019-07-29T12:37:29+00:00 79f6d4ad181c3d7d18f5cd97d9123efa4ff68d6c