author     Thomas Haller <thaller@redhat.com>  2022-08-25 09:40:46 +0200
committer  Thomas Haller <thaller@redhat.com>  2022-08-25 21:31:45 +0200
commit     c00873e08f4d0bc4a3f0b8a93beb793fcab78afa (patch)
tree       d70247c5c764dca7660539cc6c9574dbc9f6e73a
parent     04a97e4e854c7d77aced2716f58b7d4e0777f016 (diff)
download   NetworkManager-c00873e08f4d0bc4a3f0b8a93beb793fcab78afa.tar.gz
mptcp: rework "connection.mptcp-flags" for enabling MPTCP
1) The "enabled-on-global-iface" flag was odd. Instead, have only an "enabled" flag and skip (by default) endpoints on interfaces that have no default route. With the new flag "also-without-default-route", this can be overruled. So previous "enabled-on-global-default" now is the same as "enabled", and "enabled" from before behaves now like "enabled,also-without-default-route".

2) What was also odd was that the fallback default value for the flags depends on "/proc/sys/net/mptcp/enabled". There was not one fixed fallback default; instead the used fallback value was either "enabled-on-global-iface,subflow" or "disabled". Usually that is not a problem (e.g. the default value for "ipv6.ip6-privacy" also depends on the use_tempaddr sysctl). In this case it is a problem, because the mptcp-flags (for better or worse) encode different things at the same time.

Consider that the mptcp-flags can also have their default configured in "NetworkManager.conf". A user who wants to switch the address flags could previously do:

    [connection.mptcp]
    connection.mptcp-flags=0x32  # enabled-on-global-iface,signal,subflow

but then the global toggle "/proc/sys/net/mptcp/enabled" was no longer honored. That means MPTCP handling was always on, even if the sysctl was disabled.

Now, "enabled" means that it's only enabled if the sysctl is enabled too. Now the user could write to "NetworkManager.conf"

    [connection.mptcp]
    connection.mptcp-flags=0x32  # enabled,signal,subflow

and MPTCP handling would still be disabled unless the sysctl is enabled.

There is now also a new flag "also-without-sysctl", so if you want to really enable MPTCP handling regardless of the sysctl, you can. The point of that might be that we can still configure endpoints, even if the kernel won't do anything with them. Then you could just flip the sysctl, and it would start working (as NetworkManager configured the endpoints already).

Fixes: eb083eece5a2 ('all: add NMMptcpFlags and connection.mptcp-flags property')
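As a worked example of the resolution order the commit message describes (profile value, then the NetworkManager.conf default, then the built-in fallback, then the sysctl gate, then the per-address-family default-route gate), here is a stand-alone C model of it. This is added example code, not part of the commit or of NetworkManager: the functions mptcp_normalize, mptcp_sysctl_parse, mptcp_device_flags and mptcp_af_flags and the MPTCP_* constants are my own, mirroring the new bit values in nm-dbus-interface.h, and the sysctl strings in main() are constructed inputs, not read from a live /proc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bit values of NMMptcpFlags as renumbered by this commit. */
enum {
    MPTCP_NONE                       = 0x00,
    MPTCP_DISABLED                   = 0x01,
    MPTCP_ENABLED                    = 0x02,
    MPTCP_ALSO_WITHOUT_SYSCTL        = 0x04,
    MPTCP_ALSO_WITHOUT_DEFAULT_ROUTE = 0x08,
    MPTCP_SIGNAL                     = 0x10,
    MPTCP_SUBFLOW                    = 0x20,
    MPTCP_BACKUP                     = 0x40,
    MPTCP_FULLMESH                   = 0x80,
};

#define MPTCP_ALL                                                      \
    (MPTCP_DISABLED | MPTCP_ENABLED | MPTCP_ALSO_WITHOUT_SYSCTL         \
     | MPTCP_ALSO_WITHOUT_DEFAULT_ROUTE | MPTCP_SIGNAL | MPTCP_SUBFLOW  \
     | MPTCP_BACKUP | MPTCP_FULLMESH)
#define MPTCP_DEFAULT (MPTCP_ENABLED | MPTCP_SUBFLOW) /* 0x22, the built-in fallback */

/* Model of nm_mptcp_flags_normalize(): drop unknown bits, imply "enabled",
 * and let "signal" win over "fullmesh" when both are present. */
uint32_t mptcp_normalize(uint32_t flags)
{
    flags &= MPTCP_ALL;
    flags |= MPTCP_ENABLED;
    if ((flags & (MPTCP_SIGNAL | MPTCP_FULLMESH)) == (MPTCP_SIGNAL | MPTCP_FULLMESH))
        flags &= ~(uint32_t) MPTCP_FULLMESH;
    return flags;
}

/* Parse the text of /proc/sys/net/mptcp/enabled. Returns -1 when the content
 * is missing or not a number so that "unreadable" fails closed below. The
 * return type is deliberately signed: an unsigned type would turn -1 into a
 * large positive value and pass the `<= 0` gate as "enabled". */
int32_t mptcp_sysctl_parse(const char *content)
{
    char *end;
    long  v;

    if (content == NULL)
        return -1;
    v = strtol(content, &end, 10);
    if (end == content)
        return -1;
    return (int32_t) v;
}

/* Per-device step (the decision _prop_get_connection_mptcp_flags() takes at
 * activation): profile value, then NetworkManager.conf default, then the
 * built-in fallback; afterwards the sysctl gate unless "also-without-sysctl". */
uint32_t mptcp_device_flags(uint32_t profile_flags, uint32_t conf_default, int32_t sysctl_enabled)
{
    uint32_t flags = profile_flags;

    if (flags == MPTCP_NONE)
        flags = conf_default;
    if (flags == MPTCP_NONE)
        flags = MPTCP_DEFAULT;
    flags = mptcp_normalize(flags);

    if (!(flags & MPTCP_DISABLED)) {
        if (!(flags & MPTCP_ALSO_WITHOUT_SYSCTL)) {
            if (sysctl_enabled <= 0)
                flags = MPTCP_DISABLED;
        } else {
            flags &= ~(uint32_t) MPTCP_ALSO_WITHOUT_SYSCTL;
        }
    }
    return flags;
}

/* Per-address-family step (what _l3_commit_mptcp_af() decides): without
 * "also-without-default-route", endpoints of a family are only configured
 * when that family has a unicast default route. */
uint32_t mptcp_af_flags(uint32_t device_flags, int has_default_route)
{
    if (device_flags == MPTCP_NONE || (device_flags & MPTCP_DISABLED))
        return MPTCP_DISABLED;
    if (!(device_flags & MPTCP_ALSO_WITHOUT_DEFAULT_ROUTE)) {
        if (!has_default_route)
            return MPTCP_DISABLED;
        return device_flags | MPTCP_ENABLED;
    }
    return device_flags;
}

int main(void)
{
    /* The commit message's example: connection.mptcp-flags=0x32 in NetworkManager.conf. */
    const uint32_t conf            = MPTCP_ENABLED | MPTCP_SIGNAL | MPTCP_SUBFLOW; /* 0x32 */
    const char    *sysctl_values[] = {"0\n", "1\n", NULL /* constructed: unreadable */};
    int            i;

    for (i = 0; i < 3; i++) {
        int32_t  s   = mptcp_sysctl_parse(sysctl_values[i]);
        uint32_t dev = mptcp_device_flags(0, conf, s);
        printf("sysctl=%2d  device=0x%02x  af with default route=0x%02x  af without=0x%02x\n",
               (int) s, dev, mptcp_af_flags(dev, 1), mptcp_af_flags(dev, 0));
    }
    /* Same value plus "also-without-sysctl": the gate is skipped and the bit stripped. */
    printf("0x36, sysctl=0 -> device=0x%02x\n",
           mptcp_device_flags(0, conf | MPTCP_ALSO_WITHOUT_SYSCTL, 0));
    return 0;
}
```

Compile with `cc -std=c99 -o mptcp-model mptcp-model.c` and run it; the loop prints the three outcomes for the 0x32 example, and the unreadable-sysctl row comes out disabled only because mptcp_sysctl_parse() returns a signed sentinel.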
-rw-r--r--  man/NetworkManager.conf.xml                         |  2
-rw-r--r--  src/core/devices/nm-device.c                        | 47
-rw-r--r--  src/core/nm-l3cfg.c                                 |  8
-rw-r--r--  src/libnm-core-aux-intern/nm-libnm-core-utils.c     | 10
-rw-r--r--  src/libnm-core-aux-intern/nm-libnm-core-utils.h     | 12
-rw-r--r--  src/libnm-core-impl/nm-setting-connection.c         | 47
-rw-r--r--  src/libnm-core-public/nm-dbus-interface.h           | 27
-rw-r--r--  src/libnmc-setting/settings-docs.h.in               |  2
-rw-r--r--  src/nmcli/generate-docs-nm-settings-nmcli.xml.in    |  2
9 files changed, 85 insertions, 72 deletions
diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
index 6a0fd7b1c1..301172e4cc 100644
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@@ -868,7 +868,7 @@ ipv6.ip6-privacy=0
</varlistentry>
<varlistentry>
<term><varname>connection.mptcp-flags</varname></term>
- <listitem><para>If unspecified, the fallback is either 0 (<literal>"disabled"</literal>) or 0x22 (<literal>"enabled-on-global-iface,subflow"</literal>), depending on <literal>/proc/sys/net/mptcp/enabled</literal>.</para></listitem>
+ <listitem><para>If unspecified, the fallback is 0x22 (<literal>"enabled,subflow"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>connection.dns-over-tls</varname></term>
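Review bot: the replacement <para> says NetworkManager "will still not configure endpoints" while the sysctl is disabled, but omits the override this same commit introduces; since this is the only place NetworkManager.conf(5) documents the fallback, add "unless the flag "also-without-sysctl" (0x4) is set" so an administrator does not read the gating as unconditional. The value 0x22 is consistent with the renumbered bits ("enabled" 0x2 | "subflow" 0x20).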
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c
index 0635d14431..aa7481c71e 100644
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@@ -1410,8 +1410,6 @@ _prop_get_connection_mptcp_flags(NMDevice *self)
if (connection) {
mptcp_flags =
nm_setting_connection_get_mptcp_flags(nm_connection_get_setting_connection(connection));
- if (mptcp_flags != NM_MPTCP_FLAGS_NONE)
- mptcp_flags = nm_mptcp_flags_normalize(mptcp_flags);
}
if (mptcp_flags == NM_MPTCP_FLAGS_NONE) {
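Review bot: dropping the early nm_mptcp_flags_normalize() here is only safe because every path now ends in the single normalize call further down in this function; a one-line comment at the assignment saying that normalization is deferred would spare the next reader from checking whether an un-normalized profile value can reach the NONE test. It cannot change that test's outcome: normalize always ORs in "enabled", so a nonzero value never normalized to NONE before either, and the NetworkManager.conf fallback is consulted in exactly the same cases as before.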
@@ -1423,28 +1421,39 @@ _prop_get_connection_mptcp_flags(NMDevice *self)
0,
G_MAXINT64,
NM_MPTCP_FLAGS_NONE);
- /* We filter out all invalid settings and accept it. Somewhat intentionally, we don't do a
- * strict parsing of the value to support forward compatibility. */
- if (v != NM_MPTCP_FLAGS_NONE)
- mptcp_flags = nm_mptcp_flags_normalize(v);
+ if (v != NM_MPTCP_FLAGS_NONE) {
+ /* We silently ignore all invalid flags (and will normalize them away below). */
+ mptcp_flags = (NMMptcpFlags) v;
+ if (mptcp_flags == NM_MPTCP_FLAGS_NONE)
+ mptcp_flags = NM_MPTCP_FLAGS_ENABLED;
+ }
}
- if (mptcp_flags == NM_MPTCP_FLAGS_NONE) {
- gint32 v;
-
- v = nm_platform_sysctl_get_int32(nm_device_get_platform(self),
- NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/mptcp/enabled"),
- -1);
- if (v > 0) {
- /* if MPTCP is enabled via the sysctl, we use the default. */
- mptcp_flags = _NM_MPTCP_FLAGS_DEFAULT;
+ if (mptcp_flags == NM_MPTCP_FLAGS_NONE)
+ mptcp_flags = _NM_MPTCP_FLAGS_DEFAULT;
+
+ mptcp_flags = nm_mptcp_flags_normalize(mptcp_flags);
+
+ if (!NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_DISABLED)) {
+ if (!NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_ALSO_WITHOUT_SYSCTL)) {
+ guint32 v;
+
+ /* If enabled, but without "also-without-sysctl", then MPTCP is still
+ * disabled, if the sysctl says so...
+ *
+ * We evaluate this here. The point is that the decision is then cached
+ * until deactivation/reapply. The user can toggle the sysctl any time,
+ * but we only pick it up at certain moments (now). */
+ v = nm_platform_sysctl_get_int32(
+ nm_device_get_platform(self),
+ NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/mptcp/enabled"),
+ -1);
+ if (v <= 0)
+ mptcp_flags = NM_MPTCP_FLAGS_DISABLED;
} else
- mptcp_flags = NM_MPTCP_FLAGS_DISABLED;
+ mptcp_flags = NM_FLAGS_UNSET(mptcp_flags, NM_MPTCP_FLAGS_ALSO_WITHOUT_SYSCTL);
}
- nm_assert(mptcp_flags != NM_MPTCP_FLAGS_NONE
- && mptcp_flags == nm_mptcp_flags_normalize(mptcp_flags));
-
return mptcp_flags;
}
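Review bot: `guint32 v;` in the new sysctl block is the wrong type for the result of nm_platform_sysctl_get_int32(), which is called with -1 as its fallback; after the implicit conversion -1 becomes 0xffffffff, `if (v <= 0)` is false, and a host where /proc/sys/net/mptcp/enabled cannot be read (kernel without MPTCP, or a restricted /proc) is treated as having MPTCP enabled instead of disabled. The code this hunk removes declared `gint32 v;`; keep the signed type so the fallback stays negative and the unreadable case fails closed, which matters because "enabled" downstream also loosens rp_filter from strict to loose per the property documentation in this same patch.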
diff --git a/src/core/nm-l3cfg.c b/src/core/nm-l3cfg.c
index 3c054b9ef8..963e381b14 100644
--- a/src/core/nm-l3cfg.c
+++ b/src/core/nm-l3cfg.c
@@ -4307,13 +4307,13 @@ _l3_commit_mptcp_af(NML3Cfg *self,
if (mptcp_flags == NM_MPTCP_FLAGS_NONE || NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_DISABLED))
mptcp_flags = NM_MPTCP_FLAGS_DISABLED;
- else if (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_ENABLED_ON_GLOBAL_IFACE)) {
- /* Whether MPTCP is enabled/disabled, depends on whether we have a unicast default
- * route (in the main routing table). */
+ else if (!NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_ALSO_WITHOUT_DEFAULT_ROUTE)) {
+ /* Whether MPTCP is enabled/disabled (per address family), depends on whether we have a unicast
+ * default route (in the main routing table). */
if (self->priv.p->combined_l3cd_commited
&& nm_l3_config_data_get_best_default_route(self->priv.p->combined_l3cd_commited,
addr_family))
- mptcp_flags = NM_FLAGS_UNSET(mptcp_flags, NM_MPTCP_FLAGS_ENABLED_ON_GLOBAL_IFACE)
+ mptcp_flags = NM_FLAGS_UNSET(mptcp_flags, NM_MPTCP_FLAGS_ALSO_WITHOUT_DEFAULT_ROUTE)
| NM_MPTCP_FLAGS_ENABLED;
else
mptcp_flags = NM_MPTCP_FLAGS_DISABLED;
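Review bot: when "also-without-default-route" is set the else-if branch is skipped and the bit stays in mptcp_flags on its way to endpoint configuration, while the branch that does run unsets it even though it can only be entered when the bit is absent. Clear NM_MPTCP_FLAGS_ALSO_WITHOUT_DEFAULT_ROUTE unconditionally before the address-flag bits are consumed, so the value handed on carries only "enabled" plus endpoint flags in both cases, the same way _prop_get_connection_mptcp_flags() strips "also-without-sysctl" in nm-device.c.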
diff --git a/src/libnm-core-aux-intern/nm-libnm-core-utils.c b/src/libnm-core-aux-intern/nm-libnm-core-utils.c
index 4fdf9d6d4e..1febe5dfd8 100644
--- a/src/libnm-core-aux-intern/nm-libnm-core-utils.c
+++ b/src/libnm-core-aux-intern/nm-libnm-core-utils.c
@@ -512,14 +512,8 @@ nm_mptcp_flags_normalize(NMMptcpFlags flags)
/* Clear all unknown flags. */
flags &= _NM_MPTCP_FLAGS_ALL;
- /* We must either set "enabled-on-global-iface" or "enabled". The
- * former takes precedence, if they are both set.
- *
- * If neither is set, we default to "enabled". */
- if (NM_FLAGS_HAS(flags, NM_MPTCP_FLAGS_ENABLED_ON_GLOBAL_IFACE))
- flags = NM_FLAGS_UNSET(flags, NM_MPTCP_FLAGS_ENABLED);
- else
- flags = NM_FLAGS_SET(flags, NM_MPTCP_FLAGS_ENABLED);
+ /* Not disabled means enabled. */
+ flags |= NM_MPTCP_FLAGS_ENABLED;
if (NM_FLAGS_ALL(flags, NM_MPTCP_FLAGS_SIGNAL | NM_MPTCP_FLAGS_FULLMESH))
flags = NM_FLAGS_UNSET(flags, NM_MPTCP_FLAGS_FULLMESH);
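Review bot: the replacement comment "Not disabled means enabled" does not describe the line under it: `flags |= NM_MPTCP_FLAGS_ENABLED` is applied even when NM_MPTCP_FLAGS_DISABLED is set, so 0x1 normalizes to 0x3 and "disabled" and "enabled" coexist in a normalized value. Callers test DISABLED first (nm-device.c and nm-l3cfg.c in this patch), so nothing breaks today, but either reword the comment ("enabled is always set; callers give disabled precedence") or return NM_MPTCP_FLAGS_DISABLED early when that bit is present, which would also drop the also-without-* and address-flag bits that mean nothing next to "disabled".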
diff --git a/src/libnm-core-aux-intern/nm-libnm-core-utils.h b/src/libnm-core-aux-intern/nm-libnm-core-utils.h
index 5c827c01b5..0208bfdb24 100644
--- a/src/libnm-core-aux-intern/nm-libnm-core-utils.h
+++ b/src/libnm-core-aux-intern/nm-libnm-core-utils.h
@@ -269,13 +269,13 @@ gpointer _nm_connection_new_setting(NMConnection *connection, GType gtype);
/*****************************************************************************/
-#define _NM_MPTCP_FLAGS_ALL \
- ((NMMptcpFlags) (NM_MPTCP_FLAGS_DISABLED | NM_MPTCP_FLAGS_ENABLED_ON_GLOBAL_IFACE \
- | NM_MPTCP_FLAGS_ENABLED | NM_MPTCP_FLAGS_SIGNAL | NM_MPTCP_FLAGS_SUBFLOW \
- | NM_MPTCP_FLAGS_BACKUP | NM_MPTCP_FLAGS_FULLMESH))
+#define _NM_MPTCP_FLAGS_ALL \
+ ((NMMptcpFlags) (NM_MPTCP_FLAGS_DISABLED | NM_MPTCP_FLAGS_ENABLED \
+ | NM_MPTCP_FLAGS_ALSO_WITHOUT_SYSCTL \
+ | NM_MPTCP_FLAGS_ALSO_WITHOUT_DEFAULT_ROUTE | NM_MPTCP_FLAGS_SIGNAL \
+ | NM_MPTCP_FLAGS_SUBFLOW | NM_MPTCP_FLAGS_BACKUP | NM_MPTCP_FLAGS_FULLMESH))
-#define _NM_MPTCP_FLAGS_DEFAULT \
- ((NMMptcpFlags) (NM_MPTCP_FLAGS_ENABLED_ON_GLOBAL_IFACE | NM_MPTCP_FLAGS_SUBFLOW))
+#define _NM_MPTCP_FLAGS_DEFAULT ((NMMptcpFlags) (NM_MPTCP_FLAGS_ENABLED | NM_MPTCP_FLAGS_SUBFLOW))
NMMptcpFlags nm_mptcp_flags_normalize(NMMptcpFlags flags);
diff --git a/src/libnm-core-impl/nm-setting-connection.c b/src/libnm-core-impl/nm-setting-connection.c
index 0d307be399..cbce1c121d 100644
--- a/src/libnm-core-impl/nm-setting-connection.c
+++ b/src/libnm-core-impl/nm-setting-connection.c
@@ -1402,19 +1402,6 @@ after_interface_name:
} else {
guint32 f;
- if (NM_FLAGS_ALL(priv->mptcp_flags,
- NM_MPTCP_FLAGS_ENABLED_ON_GLOBAL_IFACE | NM_MPTCP_FLAGS_ENABLED)) {
- g_set_error_literal(
- error,
- NM_CONNECTION_ERROR,
- NM_CONNECTION_ERROR_INVALID_PROPERTY,
- _("\"enabled\" and \"enabled-on-global-iface\" flag cannot be set together"));
- g_prefix_error(error,
- "%s.%s: ",
- NM_SETTING_CONNECTION_SETTING_NAME,
- NM_SETTING_CONNECTION_MPTCP_FLAGS);
- return FALSE;
- }
if (NM_FLAGS_ALL(priv->mptcp_flags, NM_MPTCP_FLAGS_SIGNAL | NM_MPTCP_FLAGS_FULLMESH)) {
g_set_error_literal(error,
NM_CONNECTION_ERROR,
@@ -1426,8 +1413,7 @@ after_interface_name:
NM_SETTING_CONNECTION_MPTCP_FLAGS);
return FALSE;
}
- f = NM_FLAGS_UNSET(priv->mptcp_flags, NM_MPTCP_FLAGS_ENABLED_ON_GLOBAL_IFACE)
- | ((guint32) NM_MPTCP_FLAGS_ENABLED);
+ f = priv->mptcp_flags | ((guint32) NM_MPTCP_FLAGS_ENABLED);
if (f != nm_mptcp_flags_normalize(f)) {
g_set_error(error,
NM_CONNECTION_ERROR,
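Review bot: with the mutual-exclusion check removed, verify() now accepts "disabled" combined with "also-without-sysctl", "also-without-default-route" or any of the address flags; nm_mptcp_flags_normalize() keeps those bits, so the `f != nm_mptcp_flags_normalize(f)` comparison in this hunk does not reject them either. If such combinations are meant to be invalid, reject them here the way "signal" plus "fullmesh" is rejected just above; if they are meant to be tolerated, the property documentation should say that "disabled" takes precedence.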
@@ -2608,21 +2594,30 @@ nm_setting_connection_class_init(NMSettingConnectionClass *klass)
* If "disabled" (0x1), MPTCP handling for the interface is disabled and
* no endpoints are registered.
*
- * The flag "enabled-on-global-iface" (0x2) means that MPTCP handling is enabled
- * if the interface configures a default route in the main routing table.
- * This choice is per-address family, for example if there is an IPv4 default route
- * 0.0.0.0/0, IPv4 endpoints are configured.
- *
- * The "enabled" (0x4) flag means that MPTCP handling is explicitly enabled.
+ * The "enabled" (0x2) flag means that MPTCP handling is enabled.
* This flag can also be implied from the presence of other flags.
*
- * If MPTCP handling is enabled, then endpoints will be configured
- * with the specified address flags "signal" (0x10), "subflow" (0x20), "backup" (0x40),
+ * Even when enabled, MPTCP handling will by default still be disabled
+ * unless "/proc/sys/net/mptcp/enabled" sysctl is on. NetworkManager
+ * does not change the sysctl and this is up to the administrator
+ * or distribution. To configure endpoints even if the sysctl is
+ * disabled, "also-without-sysctl" (0x4) flag can be used. In that case,
+ * NetworkManager doesn't look at the sysctl and configures endpoints
+ * regardless.
+ *
+ * Even when enabled, NetworkManager will only configure MPTCP endpoints
+ * for a certain address family, if there is a unicast default route (0.0.0.0/0
+ * or ::/0) in the main routing table. The flag "also-without-default-route"
+ * (0x8) can override that.
+ *
+ * When MPTCP handling is enabled then endpoints are configured with
+ * the specified address flags "signal" (0x10), "subflow" (0x20), "backup" (0x40),
* "fullmesh" (0x80). See ip-mptcp(8) manual for additional information about the flags.
*
- * If the flags are zero, the global connection default from NetworkManager.conf is
- * honored. If still unspecified, the fallback is either "disabled" or
- * "enabled-on-global-iface,subflow" depending on "/proc/sys/net/mptcp/enabled".
+ * If the flags are zero (0x0), the global connection default from NetworkManager.conf is
+ * honored. If still unspecified, the fallback is "enabled,subflow".
+ * Note that this means that MPTCP is by default done depending on the
+ * "/proc/sys/net/mptcp/enabled" sysctl.
*
* NetworkManager does not change the MPTCP limits nor enable MPTCP via
* "/proc/sys/net/mptcp/enabled". That is a host configuration which the
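Review bot: the new paragraph beginning "Even when enabled, MPTCP handling will by default still be disabled" says the sysctl is consulted but not when; the code comment added to nm-device.c in this same patch says the decision is taken once and cached until deactivation or reapply. Add a sentence such as "The sysctl is read when the profile is activated or reapplied; changing it later does not affect already active devices." Also, "NetworkManager does not change the sysctl and this is up to the administrator or distribution" now duplicates the unchanged trailer "NetworkManager does not change the MPTCP limits nor enable MPTCP via ..."; keep one of them.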
diff --git a/src/libnm-core-public/nm-dbus-interface.h b/src/libnm-core-public/nm-dbus-interface.h
index a980f5aaa9..4557dde0fb 100644
--- a/src/libnm-core-public/nm-dbus-interface.h
+++ b/src/libnm-core-public/nm-dbus-interface.h
@@ -1319,12 +1319,25 @@ typedef enum /*< flags >*/ {
* NMMptcpFlags:
* @NM_MPTCP_FLAGS_NONE: The default, meaning that no MPTCP flags are set.
* @NM_MPTCP_FLAGS_DISABLED: don't configure MPTCP endpoints on the device.
- * @NM_MPTCP_FLAGS_ENABLED_ON_GLOBAL_IFACE: MPTCP handling is enabled
- * or disabled depending on whether a /0 default route (either IPv4 or IPv6) is
- * configured in the main routing table.
* @NM_MPTCP_FLAGS_ENABLED: MPTCP is enabled and endpoints will be configured.
* This flag is implied if any of the other flags indicate that
* MPTCP is enabled and therefore in most cases unnecessary.
+ * Note that if "/proc/sys/net/mptcp/enabled" sysctl is disabled, MPTCP
+ * handling is disabled despite this flag. This can be overruled with the
+ * "also-without-sysctl" flag.
+ * Note that by default interfaces that don't have a default route are
+ * excluded from having MPTCP endpoints configured. This can be overruled
+ * with the "also-without-default-route" and this affects endpoints
+ * per address family.
+ * @NM_MPTCP_FLAGS_ALSO_WITHOUT_SYSCTL: even if MPTCP handling is enabled
+ * via the "enabled" flag, it is ignored unless "/proc/sys/net/mptcp/enabled"
+ * is on. With this flag, MPTCP endpoints will be configured regardless
+ * of the sysctl setting.
+ * @NM_MPTCP_FLAGS_ALSO_WITHOUT_DEFAULT_ROUTE: even if MPTCP handling is enabled
+ * via the "enabled" flag, it is ignored per-address family unless NetworkManager
+ * configures a default route. With this flag, NetworkManager will also configure
+ * MPTCP endpoints if there is no default route. This takes effect per-address
+ * family.
* @NM_MPTCP_FLAGS_SIGNAL: Flag for the MPTCP endpoint. The endpoint will be
* announced/signaled to each peer via an MPTCP ADD_ADDR sub-option.
* @NM_MPTCP_FLAGS_SUBFLOW: Flag for the MPTCP endpoint. If additional subflow creation
@@ -1350,9 +1363,11 @@ typedef enum /*< flags >*/ {
typedef enum /*< flags >*/ {
NM_MPTCP_FLAGS_NONE = 0,
- NM_MPTCP_FLAGS_DISABLED = 0x1,
- NM_MPTCP_FLAGS_ENABLED_ON_GLOBAL_IFACE = 0x2,
- NM_MPTCP_FLAGS_ENABLED = 0x4,
+ NM_MPTCP_FLAGS_DISABLED = 0x1,
+ NM_MPTCP_FLAGS_ENABLED = 0x2,
+
+ NM_MPTCP_FLAGS_ALSO_WITHOUT_SYSCTL = 0x4,
+ NM_MPTCP_FLAGS_ALSO_WITHOUT_DEFAULT_ROUTE = 0x8,
NM_MPTCP_FLAGS_SIGNAL = 0x10,
NM_MPTCP_FLAGS_SUBFLOW = 0x20,
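Review bot: this renumbers NM_MPTCP_FLAGS_ENABLED from 0x4 to 0x2 and reuses 0x2 and 0x4 with new meanings in a public header, and the property is documented and stored as a numeric bitmask (the commit message's own NetworkManager.conf example writes 0x32). The Fixes: tag points at the commit that introduced the property, which suggests it has not shipped; state that explicitly in the message, because if any release or keyfile already carries these values, an existing 0x4 ("enabled") silently becomes "also-without-sysctl" and ignores the sysctl gate this patch is meant to honor.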
diff --git a/src/libnmc-setting/settings-docs.h.in b/src/libnmc-setting/settings-docs.h.in
index 2a2ec2eea2..1ed2f13419 100644
--- a/src/libnmc-setting/settings-docs.h.in
+++ b/src/libnmc-setting/settings-docs.h.in
@@ -14,7 +14,7 @@
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MASTER N_("Interface name of the master device or UUID of the master connection.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MDNS N_("Whether mDNS is enabled for the connection. The permitted values are: \"yes\" (2) register hostname and resolving for the connection, \"no\" (0) disable mDNS for the interface, \"resolve\" (1) do not register hostname but allow resolving of mDNS host names and \"default\" (-1) to allow lookup of a global default in NetworkManager.conf. If unspecified, \"default\" ultimately depends on the DNS plugin (which for systemd-resolved currently means \"no\"). This feature requires a plugin which supports mDNS. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_METERED N_("Whether the connection is metered. When updating this property on a currently activated connection, the change takes effect immediately.")
-#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MPTCP_FLAGS N_("Whether to configure MPTCP endpoints and the address flags. If MPTCP is enabled in NetworkManager, it will configure the addresses of the interface as MPTCP endpoints. Note that IPv4 loopback addresses (127.0.0.0/8), IPv4 link local addresses (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7) and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy) will be excluded from being configured as endpoints. If \"disabled\" (0x1), MPTCP handling for the interface is disabled and no endpoints are registered. The flag \"enabled-on-global-iface\" (0x2) means that MPTCP handling is enabled if the interface configures a default route in the main routing table. This choice is per-address family, for example if there is an IPv4 default route 0.0.0.0/0, IPv4 endpoints are configured. The \"enabled\" (0x4) flag means that MPTCP handling is explicitly enabled. This flag can also be implied from the presence of other flags. If MPTCP handling is enabled, then endpoints will be configured with the specified address flags \"signal\" (0x10), \"subflow\" (0x20), \"backup\" (0x40), \"fullmesh\" (0x80). See ip-mptcp(8) manual for additional information about the flags. If the flags are zero, the global connection default from NetworkManager.conf is honored. If still unspecified, the fallback is either \"disabled\" or \"enabled-on-global-iface,subflow\" depending on \"/proc/sys/net/mptcp/enabled\". NetworkManager does not change the MPTCP limits nor enable MPTCP via \"/proc/sys/net/mptcp/enabled\". That is a host configuration which the admin can change via sysctl and ip-mptcp. Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when MPTCP handling for IPv4 addresses on the interface is enabled, NetworkManager would loosen the strict reverse path filtering (1) to the loose setting (2).")
+#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MPTCP_FLAGS N_("Whether to configure MPTCP endpoints and the address flags. If MPTCP is enabled in NetworkManager, it will configure the addresses of the interface as MPTCP endpoints. Note that IPv4 loopback addresses (127.0.0.0/8), IPv4 link local addresses (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7) and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy) will be excluded from being configured as endpoints. If \"disabled\" (0x1), MPTCP handling for the interface is disabled and no endpoints are registered. The \"enabled\" (0x2) flag means that MPTCP handling is enabled. This flag can also be implied from the presence of other flags. Even when enabled, MPTCP handling will by default still be disabled unless \"/proc/sys/net/mptcp/enabled\" sysctl is on. NetworkManager does not change the sysctl and this is up to the administrator or distribution. To configure endpoints even if the sysctl is disabled, \"also-without-sysctl\" (0x4) flag can be used. In that case, NetworkManager doesn't look at the sysctl and configures endpoints regardless. Even when enabled, NetworkManager will only configure MPTCP endpoints for a certain address family, if there is a unicast default route (0.0.0.0/0 or ::/0) in the main routing table. The flag \"also-without-default-route\" (0x8) can override that. When MPTCP handling is enabled then endpoints are configured with the specified address flags \"signal\" (0x10), \"subflow\" (0x20), \"backup\" (0x40), \"fullmesh\" (0x80). See ip-mptcp(8) manual for additional information about the flags. If the flags are zero (0x0), the global connection default from NetworkManager.conf is honored. If still unspecified, the fallback is \"enabled,subflow\". Note that this means that MPTCP is by default done depending on the \"/proc/sys/net/mptcp/enabled\" sysctl. 
NetworkManager does not change the MPTCP limits nor enable MPTCP via \"/proc/sys/net/mptcp/enabled\". That is a host configuration which the admin can change via sysctl and ip-mptcp. Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when MPTCP handling for IPv4 addresses on the interface is enabled, NetworkManager would loosen the strict reverse path filtering (1) to the loose setting (2).")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MUD_URL N_("If configured, set to a Manufacturer Usage Description (MUD) URL that points to manufacturer-recommended network policies for IoT devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value must be a valid URL starting with \"https://\". The special value \"none\" is allowed to indicate that no MUD URL is used. If the per-profile value is unspecified (the default), a global connection default gets consulted. If still unspecified, the ultimate default is \"none\".")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MULTI_CONNECT N_("Specifies whether the profile can be active multiple times at a particular moment. The value is of type NMConnectionMultiConnect.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_PERMISSIONS N_("An array of strings defining what access a given user has to this connection. If this is NULL or empty, all users are allowed to access this connection; otherwise users are allowed if and only if they are in this list. When this is not empty, the connection can be active only when one of the specified users is logged into an active session. Each entry is of the form \"[type]:[id]:[reserved]\"; for example, \"user:dcbw:blah\". At this time only the \"user\" [type] is allowed. Any other values are ignored and reserved for future use. [id] is the username that this permission refers to, which may not contain the \":\" character. Any [reserved] information present must be ignored and is reserved for future use. All of [type], [id], and [reserved] must be valid UTF-8.")
diff --git a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
index e203316ebf..371081b0e0 100644
--- a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
+++ b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
@@ -420,7 +420,7 @@
<property name="dns-over-tls"
description="Whether DNSOverTls (dns-over-tls) is enabled for the connection. DNSOverTls is a technology which uses TLS to encrypt dns traffic. The permitted values are: &quot;yes&quot; (2) use DNSOverTls and disabled fallback, &quot;opportunistic&quot; (1) use DNSOverTls but allow fallback to unencrypted resolution, &quot;no&quot; (0) don&apos;t ever use DNSOverTls. If unspecified &quot;default&quot; depends on the plugin used. Systemd-resolved uses global setting. This feature requires a plugin which supports DNSOverTls. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved." />
<property name="mptcp-flags"
- description="Whether to configure MPTCP endpoints and the address flags. If MPTCP is enabled in NetworkManager, it will configure the addresses of the interface as MPTCP endpoints. Note that IPv4 loopback addresses (127.0.0.0/8), IPv4 link local addresses (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7) and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy) will be excluded from being configured as endpoints. If &quot;disabled&quot; (0x1), MPTCP handling for the interface is disabled and no endpoints are registered. The flag &quot;enabled-on-global-iface&quot; (0x2) means that MPTCP handling is enabled if the interface configures a default route in the main routing table. This choice is per-address family, for example if there is an IPv4 default route 0.0.0.0/0, IPv4 endpoints are configured. The &quot;enabled&quot; (0x4) flag means that MPTCP handling is explicitly enabled. This flag can also be implied from the presence of other flags. If MPTCP handling is enabled, then endpoints will be configured with the specified address flags &quot;signal&quot; (0x10), &quot;subflow&quot; (0x20), &quot;backup&quot; (0x40), &quot;fullmesh&quot; (0x80). See ip-mptcp(8) manual for additional information about the flags. If the flags are zero, the global connection default from NetworkManager.conf is honored. If still unspecified, the fallback is either &quot;disabled&quot; or &quot;enabled-on-global-iface,subflow&quot; depending on &quot;/proc/sys/net/mptcp/enabled&quot;. NetworkManager does not change the MPTCP limits nor enable MPTCP via &quot;/proc/sys/net/mptcp/enabled&quot;. That is a host configuration which the admin can change via sysctl and ip-mptcp. 
Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when MPTCP handling for IPv4 addresses on the interface is enabled, NetworkManager would loosen the strict reverse path filtering (1) to the loose setting (2)." />
+ description="Whether to configure MPTCP endpoints and the address flags. If MPTCP is enabled in NetworkManager, it will configure the addresses of the interface as MPTCP endpoints. Note that IPv4 loopback addresses (127.0.0.0/8), IPv4 link local addresses (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7) and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy) will be excluded from being configured as endpoints. If &quot;disabled&quot; (0x1), MPTCP handling for the interface is disabled and no endpoints are registered. The &quot;enabled&quot; (0x2) flag means that MPTCP handling is enabled. This flag can also be implied from the presence of other flags. Even when enabled, MPTCP handling will by default still be disabled unless &quot;/proc/sys/net/mptcp/enabled&quot; sysctl is on. NetworkManager does not change the sysctl and this is up to the administrator or distribution. To configure endpoints even if the sysctl is disabled, &quot;also-without-sysctl&quot; (0x4) flag can be used. In that case, NetworkManager doesn&apos;t look at the sysctl and configures endpoints regardless. Even when enabled, NetworkManager will only configure MPTCP endpoints for a certain address family, if there is a unicast default route (0.0.0.0/0 or ::/0) in the main routing table. The flag &quot;also-without-default-route&quot; (0x8) can override that. When MPTCP handling is enabled then endpoints are configured with the specified address flags &quot;signal&quot; (0x10), &quot;subflow&quot; (0x20), &quot;backup&quot; (0x40), &quot;fullmesh&quot; (0x80). See ip-mptcp(8) manual for additional information about the flags. If the flags are zero (0x0), the global connection default from NetworkManager.conf is honored. If still unspecified, the fallback is &quot;enabled,subflow&quot;. Note that this means that MPTCP is by default done depending on the &quot;/proc/sys/net/mptcp/enabled&quot; sysctl. 
NetworkManager does not change the MPTCP limits nor enable MPTCP via &quot;/proc/sys/net/mptcp/enabled&quot;. That is a host configuration which the admin can change via sysctl and ip-mptcp. Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when MPTCP handling for IPv4 addresses on the interface is enabled, NetworkManager would loosen the strict reverse path filtering (1) to the loose setting (2)." />
<property name="mud-url"
description="If configured, set to a Manufacturer Usage Description (MUD) URL that points to manufacturer-recommended network policies for IoT devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value must be a valid URL starting with &quot;https://&quot;. The special value &quot;none&quot; is allowed to indicate that no MUD URL is used. If the per-profile value is unspecified (the default), a global connection default gets consulted. If still unspecified, the ultimate default is &quot;none&quot;." />
<property name="wait-device-timeout"