From 669e69316967a9b62ec0313b7c4ee4bd39df229a Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Mon, 23 Oct 2017 09:22:24 +0200
Subject: ifcfg-rh: don't allow policy routing mixed with an existing rule file
Eventually, we want to fully implement policy routing and handle rules as well. When that happens, we will use the route-table setting to tell NetworkManager to handle the rule file as well. Since we currently don't yet support that, we should reject configuring a non-zero routing table combined with a rule file, because later we will change behavior in that case.
---
 .../plugins/ifcfg-rh/nms-ifcfg-rh-reader.c | 26 ++++++++++++++++++----
 .../plugins/ifcfg-rh/nms-ifcfg-rh-writer.c | 9 ++++++++
 2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
index 0433e6f6c4..9dca4fb83f 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@@ -1197,6 +1197,7 @@ make_ip4_setting (shvarFile *ifcfg,
 gint priority;
 char inet_buf[NM_UTILS_INET_ADDRSTRLEN];
 const char *const *item;
+ guint32 route_table;
 nm_assert (out_has_defroute && !*out_has_defroute);
@@ -1282,6 +1283,15 @@ make_ip4_setting (shvarFile *ifcfg,
 return NULL;
 }
+ /* the route table (policy routing) is ignored if we don't handle routes. */
+ route_table = svGetValueInt64 (ifcfg, "IPV4_ROUTE_TABLE", 10,
+ 0, G_MAXUINT32, 0);
+ if ( route_table != 0
+ && !routes_read) {
+ PARSE_WARNING ("'rule-' or 'rule6-' files are present; Policy routing (IPV4_ROUTE_TABLE) is ignored");
+ route_table = 0;
+ }
+
 g_object_set (s_ip4, NM_SETTING_IP_CONFIG_METHOD, method, NM_SETTING_IP_CONFIG_IGNORE_AUTO_DNS, !svGetValueBoolean (ifcfg, "PEERDNS", TRUE),
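Review bot: The check added to make_ip4_setting resets a configured IPV4_ROUTE_TABLE to 0 and only logs a warning, while the writer hunk in nms-ifcfg-rh-writer.c rejects the same combination with an error, so on read the profile is still loaded with a routing table different from the one the administrator wrote. If this fail-open behaviour is deliberate for compatibility with existing files, the comment should say so, e.g. `/* do not fail the whole profile: drop the table and warn, the writer rejects this combination */`; otherwise the reader should refuse the connection as the commit message describes. The warning text also states that rule files are present although the condition tests `!routes_read`, which is assigned outside this hunk; if it can be false for any other reason the log line will mislead whoever triages it. The IPV6_ROUTE_TABLE hunk in make_ip6_setting has the same two issues.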
@@ -1290,8 +1300,7 @@ make_ip4_setting (shvarFile *ifcfg,
 NM_SETTING_IP_CONFIG_MAY_FAIL, !svGetValueBoolean (ifcfg, "IPV4_FAILURE_FATAL", FALSE), NM_SETTING_IP_CONFIG_ROUTE_METRIC, svGetValueInt64 (ifcfg, "IPV4_ROUTE_METRIC", 10, -1, G_MAXUINT32, -1),
- NM_SETTING_IP_CONFIG_ROUTE_TABLE, (guint) svGetValueInt64 (ifcfg, "IPV4_ROUTE_TABLE", 10,
- 0, G_MAXUINT32, 0),
+ NM_SETTING_IP_CONFIG_ROUTE_TABLE, (guint) route_table,
 NULL);
 if (strcmp (method, NM_SETTING_IP4_CONFIG_METHOD_DISABLED) == 0)
@@ -1614,6 +1623,7 @@ make_ip6_setting (shvarFile *ifcfg,
 gboolean never_default = FALSE;
 gboolean ip6_privacy = FALSE, ip6_privacy_prefer_public_ip;
 NMSettingIP6ConfigPrivacy ip6_privacy_val;
+ guint32 route_table;
 s_ip6 = (NMSettingIPConfig *) nm_setting_ip6_config_new ();
@@ -1715,6 +1725,15 @@ make_ip6_setting (shvarFile *ifcfg,
 NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN;
 g_free (str_value);
+ /* the route table (policy routing) is ignored if we don't handle routes. */
+ route_table = svGetValueInt64 (ifcfg, "IPV6_ROUTE_TABLE", 10,
+ 0, G_MAXUINT32, 0);
+ if ( route_table != 0
+ && !routes_read) {
+ PARSE_WARNING ("'rule-' or 'rule6-' files are present; Policy routing (IPV6_ROUTE_TABLE) is ignored");
+ route_table = 0;
+ }
+
 g_object_set (s_ip6, NM_SETTING_IP_CONFIG_METHOD, method, NM_SETTING_IP_CONFIG_IGNORE_AUTO_DNS, !svGetValueBoolean (ifcfg, "IPV6_PEERDNS", TRUE),
@@ -1723,8 +1742,7 @@ make_ip6_setting (shvarFile *ifcfg,
 NM_SETTING_IP_CONFIG_MAY_FAIL, !svGetValueBoolean (ifcfg, "IPV6_FAILURE_FATAL", FALSE), NM_SETTING_IP_CONFIG_ROUTE_METRIC, svGetValueInt64 (ifcfg, "IPV6_ROUTE_METRIC", 10, -1, G_MAXUINT32, -1),
- NM_SETTING_IP_CONFIG_ROUTE_TABLE, (guint) svGetValueInt64 (ifcfg, "IPV6_ROUTE_TABLE", 10,
- 0, G_MAXUINT32, 0),
+ NM_SETTING_IP_CONFIG_ROUTE_TABLE, (guint) route_table,
 NM_SETTING_IP6_CONFIG_IP6_PRIVACY, ip6_privacy_val, NULL);
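Review bot: The IPV6_ROUTE_TABLE block added to make_ip6_setting is a copy of the IPV4 block in make_ip4_setting with only the key name changed, so any later change to this policy (for example turning the warning into a rejection) has to be made in two places and can drift between the address families. A small static helper taking the key and `routes_read` would keep both readers in step. The sketch assumes PARSE_WARNING accepts a printf-style format and that `routes_read` is a gboolean, neither of which is visible in the hunk. Both functions begin and end outside the hunks shown.

```c
/* Read a *_ROUTE_TABLE key. When routes are not handled by the reader the
 * table is dropped (returned as 0) and a warning is logged. */
static guint32
read_route_table (shvarFile *ifcfg, const char *key, gboolean routes_read)
{
	guint32 route_table;

	route_table = svGetValueInt64 (ifcfg, key, 10, 0, G_MAXUINT32, 0);
	if (route_table != 0 && !routes_read) {
		PARSE_WARNING ("'rule-' or 'rule6-' files are present; Policy routing (%s) is ignored", key);
		return 0;
	}
	return route_table;
}

/* … unchanged: rest of make_ip6_setting up to the privacy handling … */
	route_table = read_route_table (ifcfg, "IPV6_ROUTE_TABLE", routes_read);
```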
diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
index ccb8e72ac3..a51a6f5079 100644
--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@@ -2884,6 +2884,15 @@ nms_ifcfg_rh_writer_write_connection (NMConnection *connection,
 has_complex_routes_v4 ? "" : "6");
 return FALSE;
 }
+ if ( ( s_ip4
+ && nm_setting_ip_config_get_route_table (s_ip4) != 0)
+ || ( s_ip6
+ && nm_setting_ip_config_get_route_table (s_ip6) != 0)) {
+ g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_FAILED,
+ "Cannot configure a route table for policy routing on a connection that has an associated 'rule%s-' file",
+ has_complex_routes_v4 ? "" : "6");
+ return FALSE;
+ }
 route_ignore = TRUE;
 }
-- cgit v1.2.1
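Review bot: The error raised by the added route-table check takes its 'rule%s-' suffix from `has_complex_routes_v4` alone, so when the non-zero table is on s_ip6 but only a 'rule-' file exists (or both rule files exist) the message does not tell the user which setting to change. Naming the offending property would make the rejection actionable, for instance `"Cannot set ipv%s.route-table on a connection that has an associated 'rule%s-' file"` with the family taken from whichever of s_ip4/s_ip6 has the non-zero table. A short comment such as `/* refuse for now: a non-zero route-table will later mean NM also handles the rule file */` would record why the combination is rejected rather than written. The enclosing if block and the assignment of has_complex_routes_v4 start outside the hunk.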