authorThomas Haller <thaller@redhat.com>2020-04-25 07:46:56 +0200
committerThomas Haller <thaller@redhat.com>2020-04-28 13:01:18 +0200
commit9b295f0df56880be2677f18a21bc6b5c27c51dfc (patch)
treead4eece3a62bb21c7d23f35c5005be1838c58780
parente9ee4e39f199d4a69e2fc20f01e383ec73661018 (diff)
dhcp: make connection.mud-url configurable as global connection default
Conceptually, the MUD URL really depends on the device, and not so much on the connection profile. That is, when you have a specific IoT device, then this device probably should use the same MUD URL for all profiles (at least by default). We already have a mechanism for that: global connection defaults. Use that. This allows a vendor to pre-install a file "/usr/lib/NetworkManager/conf.d/10-mud-url.conf" with [connection-10-mud-url] connection.mud-url=https://example.com Note that we introduce the special "connection.mud-url" value "none", to indicate not to use a MUD URL (but also not to consult the global connection default).
-rw-r--r--clients/common/settings-docs.h.in2
-rw-r--r--libnm-core/nm-setting-connection.c34
-rw-r--r--man/NetworkManager.conf.xml4
-rw-r--r--shared/nm-libnm-core-intern/nm-common-macros.h2
-rw-r--r--src/devices/nm-device.c38
-rw-r--r--src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c2
-rw-r--r--src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c2
7 files changed, 67 insertions, 17 deletions
diff --git a/clients/common/settings-docs.h.in b/clients/common/settings-docs.h.in
index 0bb88c6973..c9667b47c8 100644
--- a/clients/common/settings-docs.h.in
+++ b/clients/common/settings-docs.h.in
@@ -152,7 +152,7 @@
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MASTER N_("Interface name of the master device or UUID of the master connection.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MDNS N_("Whether mDNS is enabled for the connection. The permitted values are: \"yes\" (2) register hostname and resolving for the connection, \"no\" (0) disable mDNS for the interface, \"resolve\" (1) do not register hostname but allow resolving of mDNS host names and \"default\" (-1) to allow lookup of a global default in NetworkManager.conf. If unspecified, \"default\" ultimately depends on the DNS plugin (which for systemd-resolved currently means \"no\"). This feature requires a plugin which supports mDNS. Otherwise the setting has no effect. One such plugin is dns-systemd-resolved.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_METERED N_("Whether the connection is metered. When updating this property on a currently activated connection, the change takes effect immediately.")
-#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MUD_URL N_("If configured, set to a Manufacturer Usage Description (MUD) URL that points to manufacturer-recommended network policies for IoT devices. It is transmitted as a DHCPv4 or DHCPv6 option.")
+#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MUD_URL N_("If configured, set to a Manufacturer Usage Description (MUD) URL that points to manufacturer-recommended network policies for IoT devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value must be a valid URL starting with \"https://\". The special value \"none\" is allowed to indicate that no MUD URL is used. If the per-profile value is unspecified (the default), a global connection default gets consulted. If still unspecified, the ultimate default is \"none\".")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_MULTI_CONNECT N_("Specifies whether the profile can be active multiple times at a particular moment. The value is of type NMConnectionMultiConnect.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_PERMISSIONS N_("An array of strings defining what access a given user has to this connection. If this is NULL or empty, all users are allowed to access this connection; otherwise users are allowed if and only if they are in this list. When this is not empty, the connection can be active only when one of the specified users is logged into an active session. Each entry is of the form \"[type]:[id]:[reserved]\"; for example, \"user:dcbw:blah\". At this time only the \"user\" [type] is allowed. Any other values are ignored and reserved for future use. [id] is the username that this permission refers to, which may not contain the \":\" character. Any [reserved] information present must be ignored and is reserved for future use. All of [type], [id], and [reserved] must be valid UTF-8.")
#define DESCRIBE_DOC_NM_SETTING_CONNECTION_READ_ONLY N_("FALSE if the connection can be modified using the provided settings service's D-Bus interface with the right privileges, or TRUE if the connection is read-only and cannot be modified.")
diff --git a/libnm-core/nm-setting-connection.c b/libnm-core/nm-setting-connection.c
index c47b461a9a..018129bef2 100644
--- a/libnm-core/nm-setting-connection.c
+++ b/libnm-core/nm-setting-connection.c
@@ -8,6 +8,7 @@
#include "nm-setting-connection.h"
+#include "nm-libnm-core-intern/nm-common-macros.h"
#include "nm-utils.h"
#include "nm-utils-private.h"
#include "nm-core-enum-types.h"
@@ -1238,17 +1239,21 @@ after_interface_name:
g_prefix_error (error, "%s.%s: ", nm_setting_get_name (setting), NM_SETTING_CONNECTION_MUD_URL);
return FALSE;
}
- if (strlen (priv->mud_url) > 255) {
- g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY,
- _("DHCP option cannot be longer than 255 characters"));
- g_prefix_error (error, "%s.%s: ", nm_setting_get_name (setting), NM_SETTING_CONNECTION_MUD_URL);
- return FALSE;
- }
- if (!nm_sd_http_url_is_valid_https (priv->mud_url)) {
- g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY,
- _("MUD URL is not a valid URL"));
- g_prefix_error (error, "%s.%s: ", nm_setting_get_name (setting), NM_SETTING_CONNECTION_MUD_URL);
- return FALSE;
+ if (nm_streq (priv->mud_url, NM_CONNECTION_MUD_URL_NONE)) {
+ /* pass */
+ } else {
+ if (strlen (priv->mud_url) > 255) {
+ g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY,
+ _("DHCP option cannot be longer than 255 characters"));
+ g_prefix_error (error, "%s.%s: ", nm_setting_get_name (setting), NM_SETTING_CONNECTION_MUD_URL);
+ return FALSE;
+ }
+ if (!nm_sd_http_url_is_valid_https (priv->mud_url)) {
+ g_set_error_literal (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_INVALID_PROPERTY,
+ _("MUD URL is not a valid URL"));
+ g_prefix_error (error, "%s.%s: ", nm_setting_get_name (setting), NM_SETTING_CONNECTION_MUD_URL);
+ return FALSE;
+ }
}
}
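Review bot: The empty `if` branch that holds only `/* pass */` forces the reader to work out an inverted condition. Negating the test reads more directly: `if (!nm_streq (priv->mud_url, NM_CONNECTION_MUD_URL_NONE)) {` followed by the two existing checks. A short comment such as `/* "none" is a keyword, not a URL: skip the length and https checks */` would state why this value bypasses validation. The enclosing verify function starts and ends outside this hunk.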
@@ -2341,7 +2346,12 @@ nm_setting_connection_class_init (NMSettingConnectionClass *klass)
*
* If configured, set to a Manufacturer Usage Description (MUD) URL that points
* to manufacturer-recommended network policies for IoT devices. It is transmitted
- * as a DHCPv4 or DHCPv6 option.
+ * as a DHCPv4 or DHCPv6 option. The value must be a valid URL starting with "https://".
+ *
+ * The special value "none" is allowed to indicate that no MUD URL is used.
+ *
+ * If the per-profile value is unspecified (the default), a global connection default gets
+ * consulted. If still unspecified, the ultimate default is "none".
*
* Since: 1.26
**/
diff --git a/man/NetworkManager.conf.xml b/man/NetworkManager.conf.xml
index 6aa0398e64..76a535fb5d 100644
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@@ -679,6 +679,10 @@ ipv6.ip6-privacy=0
<term><varname>connection.autoconnect-slaves</varname></term>
</varlistentry>
<varlistentry>
+ <term><varname>connection.mud-url</varname></term>
+ <listitem><para>If unspecified, MUD URL defaults to <literal>"none"</literal>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
<term><varname>connection.lldp</varname></term>
</varlistentry>
<varlistentry>
diff --git a/shared/nm-libnm-core-intern/nm-common-macros.h b/shared/nm-libnm-core-intern/nm-common-macros.h
index 5f011efd64..fcfe6919b0 100644
--- a/shared/nm-libnm-core-intern/nm-common-macros.h
+++ b/shared/nm-libnm-core-intern/nm-common-macros.h
@@ -46,6 +46,8 @@ NM_CLONED_MAC_IS_SPECIAL (const char *str)
#define NM_IAID_IFNAME "ifname"
#define NM_IAID_STABLE "stable"
+#define NM_CONNECTION_MUD_URL_NONE "none"
+
static inline gboolean
NM_IAID_IS_SPECIAL (const char *str)
{
diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index 462620a5bd..d400d90617 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -24,6 +24,7 @@
#include "nm-std-aux/unaligned.h"
#include "nm-glib-aux/nm-dedup-multi.h"
#include "nm-glib-aux/nm-random-utils.h"
+#include "systemd/nm-sd-utils-shared.h"
#include "nm-libnm-core-intern/nm-ethtool-utils.h"
#include "nm-libnm-core-intern/nm-common-macros.h"
@@ -8288,6 +8289,37 @@ get_dhcp_hostname_flags (NMDevice *self, int addr_family)
return NM_DHCP_HOSTNAME_FLAGS_FQDN_DEFAULT_IP6;
}
+static const char *
+connection_get_mud_url (NMDevice *self,
+ NMSettingConnection *s_con,
+ char **out_mud_url)
+{
+ const char *mud_url;
+ gs_free char *s = NULL;
+
+ nm_assert (out_mud_url && !*out_mud_url);
+
+ mud_url = nm_setting_connection_get_mud_url (s_con);
+
+ if (mud_url) {
+ if (nm_streq (mud_url, NM_CONNECTION_MUD_URL_NONE))
+ return NULL;
+ return mud_url;
+ }
+
+ s = nm_config_data_get_connection_default (NM_CONFIG_GET_DATA,
+ NM_CON_DEFAULT ("connection.mud-url"),
+ self);
+ if (s) {
+ if (nm_streq (s, NM_CONNECTION_MUD_URL_NONE))
+ return NULL;
+ if (nm_sd_http_url_is_valid_https (s))
+ return (*out_mud_url = g_steal_pointer (&s));
+ }
+
+ return NULL;
+}
+
static GBytes *
dhcp4_get_client_id (NMDevice *self,
NMConnection *connection,
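Review bot: The global-default path in connection_get_mud_url() checks `nm_sd_http_url_is_valid_https (s)` but not the 255-byte limit that the profile verification in nm-setting-connection.c enforces, so an over-long value from NetworkManager.conf can reach the DHCP client. The guard could be `if (strlen (s) <= 255 && nm_sd_http_url_is_valid_https (s))`. An invalid global default is also dropped silently; a warning log at that point would let an administrator see that no MUD URL is being sent. The function also deserves a header comment on ownership: the return value either borrows from s_con or is the string stored in *out_mud_url, which the caller frees.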
@@ -8426,6 +8458,7 @@ dhcp4_start (NMDevice *self)
gs_unref_bytes GBytes *hwaddr = NULL;
gs_unref_bytes GBytes *bcast_hwaddr = NULL;
gs_unref_bytes GBytes *client_id = NULL;
+ gs_free char *mud_url_free = NULL;
NMConnection *connection;
NMSettingConnection *s_con;
GError *error = NULL;
@@ -8465,7 +8498,7 @@ dhcp4_start (NMDevice *self)
nm_setting_ip_config_get_dhcp_hostname (s_ip4),
nm_setting_ip4_config_get_dhcp_fqdn (NM_SETTING_IP4_CONFIG (s_ip4)),
get_dhcp_hostname_flags (self, AF_INET),
- nm_setting_connection_get_mud_url (s_con),
+ connection_get_mud_url (self, s_con, &mud_url_free),
client_id,
get_dhcp_timeout (self, AF_INET),
priv->dhcp_anycast_address,
@@ -9213,6 +9246,7 @@ dhcp6_start_with_link_ready (NMDevice *self, NMConnection *connection)
gs_unref_bytes GBytes *duid = NULL;
gboolean enforce_duid = FALSE;
const NMPlatformLink *pllink;
+ gs_free char *mud_url_free = NULL;
GError *error = NULL;
guint32 iaid;
gboolean iaid_explicit;
@@ -9259,7 +9293,7 @@ dhcp6_start_with_link_ready (NMDevice *self, NMConnection *connection)
nm_setting_ip_config_get_dhcp_send_hostname (s_ip6),
nm_setting_ip_config_get_dhcp_hostname (s_ip6),
get_dhcp_hostname_flags (self, AF_INET6),
- nm_setting_connection_get_mud_url (s_con),
+ connection_get_mud_url (self, s_con, &mud_url_free),
duid,
enforce_duid,
iaid,
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
index ad5d45ac3a..db9d0d4c76 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@@ -583,7 +583,7 @@ make_connection_setting (const char *file,
}
nm_clear_g_free (&value);
- v = svGetValueStr (ifcfg, "MUD_URL", &value);
+ v = svGetValue (ifcfg, "MUD_URL", &value);
if (v)
g_object_set (s_con, NM_SETTING_CONNECTION_MUD_URL, v, NULL);
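Review bot: The switch from svGetValueStr() to svGetValue() is not explained here or in the commit message. If svGetValue() returns an empty value as-is, a line `MUD_URL=` would now set the property to an empty string instead of leaving it unset, and whether such a profile still loads depends on verification code that is outside this page. A comment like `/* keep an empty value distinct from a missing key */`, or a guard `if (v && v[0])` if that distinction is not intended, would make the intent explicit. The same applies to the matching svSetValue() change in nms-ifcfg-rh-writer.c; make_connection_setting() continues outside the hunk.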
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
index 1fd29480d2..52d59ec33f 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@@ -1868,7 +1868,7 @@ write_connection_setting (NMSettingConnection *s_con, shvarFile *ifcfg)
svSetValueStr (ifcfg, "TEAM_MASTER", NULL);
mud_url = nm_setting_connection_get_mud_url (s_con);
- svSetValueStr (ifcfg, "MUD_URL", mud_url);
+ svSetValue (ifcfg, "MUD_URL", mud_url);
master = nm_setting_connection_get_master (s_con);
if (master) {