18066640619

Committed 27 Sep 2025 03:25PM UTC coverage: 72.087% (-0.1%) from 72.224%

Build # 18066640619

Build Type

push

github

Committed by

yuwata

Commit Message

vmspawn: try to set up swtpm state for 4K RSA keys support

The next version of swtpm will support RSA4096, but it needs to be called
with a new parameter in order to do so. Try with it first, and if
execution fails, fallback to running without it.

This is especially needed for OBS builds, as the signing key is RSA4096
and cannot be changed by users, so the generated UKIs have RSA4096 signatures
for the pcrsig sections, and swtpm refuses them without the new support.

Run Details

0 of 11 new or added lines in 1 file covered. (0.0%)

1438 existing lines in 37 files now uncovered.

302728 of 419948 relevant lines covered (72.09%)

1152870.99 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

81.73

/src/network/networkd-sysctl.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <linux/if_arp.h>

#include "sd-messages.h"

#include "af-list.h"
#include "conf-parser.h"
#include "alloc-util.h"
#include "cgroup-util.h"
#include "errno-util.h"
#include "event-util.h"
#include "fd-util.h"
#include "format-util.h"
#include "hashmap.h"
#include "networkd-link.h"
#include "networkd-lldp-tx.h"
#include "networkd-manager.h"
#include "networkd-ndisc.h"
#include "networkd-network.h"
#include "networkd-sysctl.h"
#include "path-util.h"
#include "set.h"
#include "socket-util.h"
#include "string-table.h"
#include "string-util.h"
#include "sysctl-util.h"

#if ENABLE_SYSCTL_BPF

#include "bpf-link.h"
#include "bpf/sysctl-monitor/sysctl-monitor-skel.h"
#include "bpf/sysctl-monitor/sysctl-write-event.h"

static struct sysctl_monitor_bpf* sysctl_monitor_bpf_free(struct sysctl_monitor_bpf *obj) {
        sysctl_monitor_bpf__destroy(obj);
        return NULL;
}

DEFINE_TRIVIAL_CLEANUP_FUNC(struct sysctl_monitor_bpf *, sysctl_monitor_bpf_free);

static int sysctl_event_handler(void *ctx, void *data, size_t data_sz) {
        struct sysctl_write_event *we = ASSERT_PTR(data);
        Hashmap **sysctl_shadow = ASSERT_PTR(ctx);
        _cleanup_free_ char *path = NULL;
        char *value;

        /* Returning a negative value interrupts the ring buffer polling,
         * so do it only in case of a fatal error like a version mismatch. */
        if (we->version != 1)
                return log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
                                         "Unexpected sysctl event, disabling sysctl monitoring: %d", we->version);

        if (we->errorcode != 0) {
                log_warning_errno(we->errorcode, "Sysctl monitor BPF returned error: %m");
                return 0;
        }

        path = path_join("/proc/sys", we->path);
        if (!path) {
                log_oom_warning();
                return 0;
        }

        /* If we never managed this handle, ignore it. */
        value = hashmap_get(*sysctl_shadow, path);
        if (!value)
                return 0;

        if (!strneq(value, we->newvalue, sizeof(we->newvalue)))
                log_struct(LOG_WARNING,
                           LOG_MESSAGE_ID(SD_MESSAGE_SYSCTL_CHANGED_STR),
                           LOG_ITEM("OBJECT_PID=" PID_FMT, we->pid),
                           LOG_ITEM("OBJECT_COMM=%s", we->comm),
                           LOG_ITEM("SYSCTL=%s", path),
                           LOG_ITEM("OLDVALUE=%s", we->current),
                           LOG_ITEM("NEWVALUE=%s", we->newvalue),
                           LOG_ITEM("OURVALUE=%s", value),
                           LOG_MESSAGE("Foreign process '%s[" PID_FMT "]' changed sysctl '%s' from '%s' to '%s', conflicting with our setting to '%s'.",
                                       we->comm, we->pid, path, we->current, we->newvalue, value));

        return 0;
}

static int on_ringbuf_io(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
        struct ring_buffer *rb = ASSERT_PTR(userdata);
        int r;

        r = sym_ring_buffer__poll(rb, /* timeout_msec= */ 0);
        if (r < 0 && errno != EINTR)
                log_error_errno(errno, "Error polling ring buffer: %m");

        return 0;
}

int manager_install_sysctl_monitor(Manager *manager) {
        _cleanup_(sysctl_monitor_bpf_freep) struct sysctl_monitor_bpf *obj = NULL;
        _cleanup_(bpf_link_freep) struct bpf_link *sysctl_link = NULL;
        _cleanup_(bpf_ring_buffer_freep) struct ring_buffer *sysctl_buffer = NULL;
        _cleanup_close_ int cgroup_fd = -EBADF, root_cgroup_fd = -EBADF;
        _cleanup_free_ char *cgroup = NULL;
        int idx = 0, r, fd;

        assert(manager);

        r = dlopen_bpf();
        if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
                return log_debug_errno(r, "sysctl monitor disabled, as BPF support is not available.");
        if (r < 0)
                return log_warning_errno(r, "Failed to load libbpf, not installing sysctl monitor: %m");

        r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &cgroup);
        if (r < 0)
                return log_warning_errno(r, "Failed to get cgroup path, ignoring: %m.");

        root_cgroup_fd = cg_path_open(SYSTEMD_CGROUP_CONTROLLER, "/");
        if (root_cgroup_fd < 0)
                return log_warning_errno(root_cgroup_fd, "Failed to open cgroup, ignoring: %m");

        obj = sysctl_monitor_bpf__open_and_load();
        if (!obj)
                return log_full_errno(errno == EINVAL ? LOG_DEBUG : LOG_INFO, errno,
                                      "Unable to load sysctl monitor BPF program, ignoring: %m");

        cgroup_fd = cg_path_open(SYSTEMD_CGROUP_CONTROLLER, cgroup);
        if (cgroup_fd < 0)
                return log_warning_errno(cgroup_fd, "Failed to open cgroup: %m");

        if (sym_bpf_map_update_elem(sym_bpf_map__fd(obj->maps.cgroup_map), &idx, &cgroup_fd, BPF_ANY))
                return log_warning_errno(errno, "Failed to update cgroup map: %m");

        sysctl_link = sym_bpf_program__attach_cgroup(obj->progs.sysctl_monitor, root_cgroup_fd);
        r = bpf_get_error_translated(sysctl_link);
        if (r < 0)
                return log_warning_errno(r, "Unable to attach sysctl monitor BPF program to cgroup, ignoring: %m");

        fd = sym_bpf_map__fd(obj->maps.written_sysctls);
        if (fd < 0)
                return log_warning_errno(fd, "Failed to get fd of sysctl maps: %m");

        sysctl_buffer = sym_ring_buffer__new(fd, sysctl_event_handler, &manager->sysctl_shadow, NULL);
        if (!sysctl_buffer)
                return log_warning_errno(errno, "Failed to create ring buffer: %m");

        fd = sym_ring_buffer__epoll_fd(sysctl_buffer);
        if (fd < 0)
                return log_warning_errno(fd, "Failed to get poll fd of ring buffer: %m");

        r = sd_event_add_io(manager->event, &manager->sysctl_event_source,
                            fd, EPOLLIN, on_ringbuf_io, sysctl_buffer);
        if (r < 0)
                return log_warning_errno(r, "Failed to watch sysctl event ringbuffer: %m");

        manager->sysctl_link = TAKE_PTR(sysctl_link);
        manager->sysctl_skel = TAKE_PTR(obj);
        manager->sysctl_buffer = TAKE_PTR(sysctl_buffer);
        manager->cgroup_fd = TAKE_FD(cgroup_fd);

        return 0;
}

void manager_remove_sysctl_monitor(Manager *manager) {
        assert(manager);

        manager->sysctl_event_source = sd_event_source_disable_unref(manager->sysctl_event_source);
        manager->sysctl_buffer = bpf_ring_buffer_free(manager->sysctl_buffer);
        manager->sysctl_link = bpf_link_free(manager->sysctl_link);
        manager->sysctl_skel = sysctl_monitor_bpf_free(manager->sysctl_skel);
        manager->cgroup_fd = safe_close(manager->cgroup_fd);
        manager->sysctl_shadow = hashmap_free(manager->sysctl_shadow);
}

int link_clear_sysctl_shadows(Link *link) {
        _cleanup_free_ char *ipv4 = NULL, *ipv6 = NULL;
        char *key = NULL, *value = NULL;

        assert(link);
        assert(link->manager);

        ipv4 = path_join("/proc/sys/net/ipv4/conf", link->ifname);
        if (!ipv4)
                return log_oom();

        ipv6 = path_join("/proc/sys/net/ipv6/conf", link->ifname);
        if (!ipv6)
                return log_oom();

        HASHMAP_FOREACH_KEY(value, key, link->manager->sysctl_shadow)
                if (path_startswith(key, ipv4) || path_startswith(key, ipv6)) {
                        assert_se(hashmap_remove_value(link->manager->sysctl_shadow, key, value));
                        free(key);
                        free(value);
                }

        return 0;
}
#endif

static void manager_set_ip_forwarding(Manager *manager, int family) {
        int r, t;

        assert(manager);
        assert(IN_SET(family, AF_INET, AF_INET6));

        if (family == AF_INET6 && !socket_ipv6_is_supported())
                return;

        t = manager->ip_forwarding[family == AF_INET6];
        if (t < 0)
                return; /* keep */

        /* First, set the default value. */
        r = sysctl_write_ip_property_boolean(family, "default", "forwarding", t, manager_get_sysctl_shadow(manager));
        if (r < 0)
                log_warning_errno(r, "Failed to %s the default %s forwarding: %m",
                                  enable_disable(t), af_to_ipv4_ipv6(family));

        /* Then, set the value to all interfaces. */
        r = sysctl_write_ip_property_boolean(family, "all", "forwarding", t, manager_get_sysctl_shadow(manager));
        if (r < 0)
                log_warning_errno(r, "Failed to %s %s forwarding for all interfaces: %m",
                                  enable_disable(t), af_to_ipv4_ipv6(family));
}

void manager_set_sysctl(Manager *manager) {
        assert(manager);
        assert(!manager->test_mode);

        manager_set_ip_forwarding(manager, AF_INET);
        manager_set_ip_forwarding(manager, AF_INET6);
}

static bool link_is_configured_for_family(Link *link, int family) {
        assert(link);

        if (!link->network)
                return false;

        if (link->flags & IFF_LOOPBACK)
                return false;

        /* CAN devices do not support IP layer. Most of the functions below are never called for CAN devices,
         * but link_set_ipv6_mtu() may be called after setting interface MTU, and warn about the failure. For
         * safety, let's unconditionally check if the interface is not a CAN device. */
        if (IN_SET(family, AF_INET, AF_INET6, AF_MPLS) && link->iftype == ARPHRD_CAN)
                return false;

        if (family == AF_INET6 && !socket_ipv6_is_supported())
                return false;

        return true;
}

static int link_update_ipv6_sysctl(Link *link) {
        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET6))
                return 0;

        if (!link_ipv6_enabled(link))
                return 0;

        return sysctl_write_ip_property_boolean(AF_INET6, link->ifname, "disable_ipv6", false, manager_get_sysctl_shadow(link->manager));
}

static int link_set_proxy_arp(Link *link) {
        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET))
                return 0;

        if (link->network->proxy_arp < 0)
                return 0;

        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "proxy_arp", link->network->proxy_arp > 0, manager_get_sysctl_shadow(link->manager));
}

static int link_set_proxy_arp_pvlan(Link *link) {
        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET))
                return 0;

        if (link->network->proxy_arp_pvlan < 0)
                return 0;

        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "proxy_arp_pvlan", link->network->proxy_arp_pvlan > 0, manager_get_sysctl_shadow(link->manager));
}

int link_get_ip_forwarding(Link *link, int family) {
        assert(link);
        assert(link->manager);
        assert(link->network);
        assert(IN_SET(family, AF_INET, AF_INET6));

        /* If it is explicitly specified, then honor the setting. */
        int t = link->network->ip_forwarding[family == AF_INET6];
        if (t >= 0)
                return t;

        /* If IPMasquerade= is enabled, also enable IP forwarding. */
        if (FLAGS_SET(link->network->ip_masquerade, AF_TO_ADDRESS_FAMILY(family)))
                return true;

        /* If IPv6SendRA= is enabled, also enable IPv6 forwarding. */
        if (family == AF_INET6 && link_radv_enabled(link))
                return true;

        /* Otherwise, use the global setting. */
        return link->manager->ip_forwarding[family == AF_INET6];
}

static int link_set_ip_forwarding_impl(Link *link, int family) {
        int r, t;

        assert(link);
        assert(link->manager);
        assert(IN_SET(family, AF_INET, AF_INET6));

        if (!link_is_configured_for_family(link, family))
                return 0;

        t = link_get_ip_forwarding(link, family);
        if (t < 0)
                return 0; /* keep */

        r = sysctl_write_ip_property_boolean(family, link->ifname, "forwarding", t, manager_get_sysctl_shadow(link->manager));
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to %s %s forwarding, ignoring: %m",
                                              enable_disable(t), af_to_ipv4_ipv6(family));

        return 0;
}

static int link_reapply_ip_forwarding(Link *link, int family) {
        int r, ret = 0;

        assert(link);
        assert(IN_SET(family, AF_INET, AF_INET6));

        if (!IN_SET(link->state, LINK_STATE_CONFIGURING, LINK_STATE_CONFIGURED))
                return 0;

        (void) link_set_ip_forwarding_impl(link, family);

        r = link_lldp_tx_update_capabilities(link);
        if (r < 0)
                RET_GATHER(ret, log_link_warning_errno(link, r, "Could not update LLDP capabilities, ignoring: %m"));

        if (family == AF_INET6 && !link_ndisc_enabled(link)) {
                r = ndisc_stop(link);
                if (r < 0)
                        RET_GATHER(ret, log_link_warning_errno(link, r, "Could not stop IPv6 Router Discovery, ignoring: %m"));

                ndisc_flush(link);
        }

        return ret;
}

static int link_set_ip_forwarding(Link *link, int family) {
        int r;

        assert(link);
        assert(link->manager);
        assert(link->network);
        assert(IN_SET(family, AF_INET, AF_INET6));

        if (!link_is_configured_for_family(link, family))
                return 0;

        /* When IPMasquerade= is enabled and the global setting is unset, enable _global_ IP forwarding, and
         * re-apply per-link setting for all links. */
        if (FLAGS_SET(link->network->ip_masquerade, AF_TO_ADDRESS_FAMILY(family)) &&
            link->manager->ip_forwarding[family == AF_INET6] < 0) {

                link->manager->ip_forwarding[family == AF_INET6] = true;
                manager_set_ip_forwarding(link->manager, family);

                Link *other;
                HASHMAP_FOREACH(other, link->manager->links_by_index) {
                        r = link_reapply_ip_forwarding(other, family);
                        if (r < 0)
                                link_enter_failed(other);
                }

                return 0;
        }

        /* Otherwise, apply per-link setting for _this_ link. */
        return link_set_ip_forwarding_impl(link, family);
}

static int link_set_ipv4_rp_filter(Link *link) {
        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET))
                return 0;

        if (link->network->ipv4_rp_filter < 0)
                return 0;

        return sysctl_write_ip_property_int(AF_INET, link->ifname, "rp_filter", link->network->ipv4_rp_filter, manager_get_sysctl_shadow(link->manager));
}

static int link_set_ipv4_force_igmp_version(Link *link) {
        assert(link);

        if (!link_is_configured_for_family(link, AF_INET))
                return 0;

        if (link->network->ipv4_force_igmp_version < 0)
                return 0;

        return sysctl_write_ip_property_int(AF_INET, link->ifname, "force_igmp_version", link->network->ipv4_force_igmp_version, manager_get_sysctl_shadow(link->manager));
}

static int link_set_ipv6_privacy_extensions(Link *link) {
        IPv6PrivacyExtensions val;

        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET6))
                return 0;

        val = link->network->ipv6_privacy_extensions;
        if (val < 0) /* If not specified, then use the global setting. */
                val = link->manager->ipv6_privacy_extensions;

        /* When "kernel", do not update the setting. */
        if (val == IPV6_PRIVACY_EXTENSIONS_KERNEL)
                return 0;

        return sysctl_write_ip_property_int(AF_INET6, link->ifname, "use_tempaddr", (int) val, manager_get_sysctl_shadow(link->manager));
}

static int link_set_ipv6_accept_ra(Link *link) {
        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET6))
                return 0;

        return sysctl_write_ip_property(AF_INET6, link->ifname, "accept_ra", "0", manager_get_sysctl_shadow(link->manager));
}

static int link_set_ipv6_dad_transmits(Link *link) {
        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET6))
                return 0;

        if (link->network->ipv6_dad_transmits < 0)
                return 0;

        return sysctl_write_ip_property_int(AF_INET6, link->ifname, "dad_transmits", link->network->ipv6_dad_transmits, manager_get_sysctl_shadow(link->manager));
}

static int link_set_ipv6_hop_limit(Link *link) {
        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET6))
                return 0;

        if (link->network->ipv6_hop_limit <= 0)
                return 0;

        return sysctl_write_ip_property_int(AF_INET6, link->ifname, "hop_limit", link->network->ipv6_hop_limit, manager_get_sysctl_shadow(link->manager));
}

static int link_set_ipv6_retransmission_time(Link *link) {
        usec_t retrans_time_ms;

        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET6))
                return 0;

        if (!timestamp_is_set(link->network->ipv6_retransmission_time))
                return 0;

        retrans_time_ms = DIV_ROUND_UP(link->network->ipv6_retransmission_time, USEC_PER_MSEC);
         if (retrans_time_ms <= 0 || retrans_time_ms > UINT32_MAX)
                return 0;

        return sysctl_write_ip_neighbor_property_uint32(AF_INET6, link->ifname, "retrans_time_ms", retrans_time_ms, manager_get_sysctl_shadow(link->manager));
}

static int link_set_ipv6_proxy_ndp(Link *link) {
        bool v;

        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET6))
                return 0;

        if (link->network->ipv6_proxy_ndp >= 0)
                v = link->network->ipv6_proxy_ndp;
        else
                v = !set_isempty(link->network->ipv6_proxy_ndp_addresses);

        return sysctl_write_ip_property_boolean(AF_INET6, link->ifname, "proxy_ndp", v, manager_get_sysctl_shadow(link->manager));
}

int link_set_ipv6_mtu(Link *link, int log_level) {
        uint32_t mtu = 0;
        int r;

        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET6))
                return 0;

        if (!IN_SET(link->state, LINK_STATE_CONFIGURING, LINK_STATE_CONFIGURED))
                return 0;

        if (sd_event_source_get_enabled(link->ipv6_mtu_wait_synced_event_source, /* ret = */ NULL) > 0) {
                log_link_debug(link, "Waiting for IPv6 MTU is synced to link MTU, delaying to set IPv6 MTU.");
                return 0;
        }

        assert(link->network);

        if (link->network->ndisc_use_mtu)
                mtu = link->ndisc_mtu;
        if (mtu == 0)
                mtu = link->network->ipv6_mtu;
        if (mtu == 0)
                return 0;

        if (mtu > link->mtu) {
                log_link_full(link, log_level,
                              "Reducing requested IPv6 MTU %"PRIu32" to the interface's maximum MTU %"PRIu32".",
                              mtu, link->mtu);
                mtu = link->mtu;
        }

        r = sysctl_write_ip_property_uint32(AF_INET6, link->ifname, "mtu", mtu, manager_get_sysctl_shadow(link->manager));
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to set IPv6 MTU to %"PRIu32": %m", mtu);

        return 0;
}

static int ipv6_mtu_wait_synced_handler(sd_event_source *s, uint64_t usec, void *userdata);

static int link_set_ipv6_mtu_async_impl(Link *link) {
        uint32_t current_mtu;
        int r;

        assert(link);

        /* When the link MTU is updated, it seems that the kernel IPv6 MTU of the interface is asynchronously
         * reset to the link MTU. Hence, we need to check if it is already reset, and wait for a while if not. */

        if (++link->ipv6_mtu_wait_trial_count >= 10) {
                log_link_debug(link, "Timed out waiting for IPv6 MTU being synced to link MTU, proceeding anyway.");
                r = link_set_ipv6_mtu(link, LOG_INFO);
                if (r < 0)
                        return r;

                return 1; /* done */
        }

        /* Check if IPv6 MTU is synced. */
        r = sysctl_read_ip_property_uint32(AF_INET6, link->ifname, "mtu", &current_mtu);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to read IPv6 MTU: %m");

        if (current_mtu == link->mtu) {
                /* Already synced. Update IPv6 MTU now. */
                r = link_set_ipv6_mtu(link, LOG_INFO);
                if (r < 0)
                        return r;

                return 1; /* done */
        }

        /* If not, set up a timer event source. */
        r = event_reset_time_relative(
                        link->manager->event, &link->ipv6_mtu_wait_synced_event_source,
                        CLOCK_BOOTTIME, 100 * USEC_PER_MSEC, 0,
                        ipv6_mtu_wait_synced_handler, link,
                        /* priority = */ 0, "ipv6-mtu-wait-synced", /* force_reset = */ true);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to configure timer event source for waiting for IPv6 MTU being synced: %m");

        /* Check again. */
        r = sysctl_read_ip_property_uint32(AF_INET6, link->ifname, "mtu", &current_mtu);
        if (r < 0)
                return log_link_warning_errno(link, r, "Failed to read IPv6 MTU: %m");

        if (current_mtu == link->mtu) {
                /* Synced while setting up the timer event source. Disable it and update IPv6 MTU now. */
                r = sd_event_source_set_enabled(link->ipv6_mtu_wait_synced_event_source, SD_EVENT_OFF);
                if (r < 0)
                        log_link_debug_errno(link, r, "Failed to disable timer event source for IPv6 MTU, ignoring: %m");

                r = link_set_ipv6_mtu(link, LOG_INFO);
                if (r < 0)
                        return r;

                return 1; /* done */
        }

        log_link_debug(link, "IPv6 MTU is not synced to the link MTU after it is changed. Waiting for a while.");
        return 0; /* waiting */
}

static int ipv6_mtu_wait_synced_handler(sd_event_source *s, uint64_t usec, void *userdata) {
        (void) link_set_ipv6_mtu_async_impl(ASSERT_PTR(userdata));
        return 0;
}

int link_set_ipv6_mtu_async(Link *link) {
        assert(link);

        link->ipv6_mtu_wait_trial_count = 0;
        return link_set_ipv6_mtu_async_impl(link);
}

static int link_set_ipv4_accept_local(Link *link) {
        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET))
                return 0;

        if (link->network->ipv4_accept_local < 0)
                return 0;

        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "accept_local", link->network->ipv4_accept_local > 0, manager_get_sysctl_shadow(link->manager));
}

static int link_set_ipv4_route_localnet(Link *link) {
        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET))
                return 0;

        if (link->network->ipv4_route_localnet < 0)
                return 0;

        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "route_localnet", link->network->ipv4_route_localnet > 0, manager_get_sysctl_shadow(link->manager));
}

static int link_set_ipv4_promote_secondaries(Link *link) {
        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_INET))
                return 0;

        /* If promote_secondaries is not set, DHCP will work only as long as the IP address does not
         * changes between leases. The kernel will remove all secondary IP addresses of an interface
         * otherwise. The way systemd-networkd works is that the new IP of a lease is added as a
         * secondary IP and when the primary one expires it relies on the kernel to promote the
         * secondary IP. See also https://github.com/systemd/systemd/issues/7163 */
        return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "promote_secondaries", true, manager_get_sysctl_shadow(link->manager));
}

static int link_set_mpls_input(Link *link) {
        assert(link);
        assert(link->manager);

        if (!link_is_configured_for_family(link, AF_MPLS))
                return 0;

        if (link->network->mpls_input < 0)
                return 0;

        return sysctl_write_ip_property_boolean(AF_MPLS, link->ifname, "input", link->network->mpls_input > 0, manager_get_sysctl_shadow(link->manager));
}

int link_set_sysctl(Link *link) {
        int r;

        assert(link);

        /* If IPv6 configured that is static IPv6 address and IPv6LL autoconfiguration is enabled
         * for this interface, then enable IPv6 */
        r = link_update_ipv6_sysctl(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot enable IPv6, ignoring: %m");

        r = link_set_proxy_arp(link);
        if (r < 0)
               log_link_warning_errno(link, r, "Cannot configure proxy ARP for interface, ignoring: %m");

        r = link_set_proxy_arp_pvlan(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot configure proxy ARP private VLAN for interface, ignoring: %m");

        (void) link_set_ip_forwarding(link, AF_INET);
        (void) link_set_ip_forwarding(link, AF_INET6);

        r = link_set_ipv6_privacy_extensions(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot configure IPv6 privacy extensions for interface, ignoring: %m");

        r = link_set_ipv6_accept_ra(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot disable kernel IPv6 accept_ra for interface, ignoring: %m");

        r = link_set_ipv6_dad_transmits(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot set IPv6 dad transmits for interface, ignoring: %m");

        r = link_set_ipv6_hop_limit(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot set IPv6 hop limit for interface, ignoring: %m");

        r = link_set_ipv6_retransmission_time(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot set IPv6 retransmission time for interface, ignoring: %m");

        r = link_set_ipv6_proxy_ndp(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot set IPv6 proxy NDP, ignoring: %m");

        (void) link_set_ipv6_mtu(link, LOG_INFO);

        r = link_set_ipv6ll_stable_secret(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot set stable secret address for IPv6 link-local address: %m");

        r = link_set_ipv4_accept_local(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot set IPv4 accept_local flag for interface, ignoring: %m");

        r = link_set_ipv4_route_localnet(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot set IPv4 route_localnet flag for interface, ignoring: %m");

        r = link_set_ipv4_rp_filter(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot set IPv4 reverse path filtering for interface, ignoring: %m");

        r = link_set_ipv4_force_igmp_version(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot set IPv4 force igmp version, ignoring: %m");

        r = link_set_ipv4_promote_secondaries(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot enable promote_secondaries for interface, ignoring: %m");

        r = link_set_mpls_input(link);
        if (r < 0)
                log_link_warning_errno(link, r, "Cannot set MPLS input, ignoring: %m");

        return 0;
}

static const char* const ipv6_privacy_extensions_table[_IPV6_PRIVACY_EXTENSIONS_MAX] = {
        [IPV6_PRIVACY_EXTENSIONS_NO]            = "no",
        [IPV6_PRIVACY_EXTENSIONS_PREFER_PUBLIC] = "prefer-public",
        [IPV6_PRIVACY_EXTENSIONS_YES]           = "yes",
        [IPV6_PRIVACY_EXTENSIONS_KERNEL]        = "kernel",
};

DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(ipv6_privacy_extensions, IPv6PrivacyExtensions,
                                        IPV6_PRIVACY_EXTENSIONS_YES);
DEFINE_CONFIG_PARSE_ENUM(config_parse_ipv6_privacy_extensions, ipv6_privacy_extensions, IPv6PrivacyExtensions);

static const char* const ip_reverse_path_filter_table[_IP_REVERSE_PATH_FILTER_MAX] = {
        [IP_REVERSE_PATH_FILTER_NO]     = "no",
        [IP_REVERSE_PATH_FILTER_STRICT] = "strict",
        [IP_REVERSE_PATH_FILTER_LOOSE]  = "loose",
};

DEFINE_STRING_TABLE_LOOKUP(ip_reverse_path_filter, IPReversePathFilter);
DEFINE_CONFIG_PARSE_ENUM(config_parse_ip_reverse_path_filter, ip_reverse_path_filter, IPReversePathFilter);

int config_parse_ip_forward_deprecated(
                const char *unit,
                const char *filename,
                unsigned line,
                const char *section,
                unsigned section_line,
                const char *lvalue,
                int ltype,
                const char *rvalue,
                void *data,
                void *userdata) {

        assert(filename);

        log_syntax(unit, LOG_WARNING, filename, line, 0,
                   "IPForward= setting is deprecated. "
                   "Please use IPv4Forwarding= and/or IPv6Forwarding= in networkd.conf for global setting, "
                   "and the same settings in .network files for per-interface setting.");
        return 0;
}

static const char* const ipv4_force_igmp_version_table[_IPV4_FORCE_IGMP_VERSION_MAX] = {
        [IPV4_FORCE_IGMP_VERSION_NO] = "no",
        [IPV4_FORCE_IGMP_VERSION_1]  = "v1",
        [IPV4_FORCE_IGMP_VERSION_2]  = "v2",
        [IPV4_FORCE_IGMP_VERSION_3]  = "v3",
};

DEFINE_STRING_TABLE_LOOKUP(ipv4_force_igmp_version, IPv4ForceIgmpVersion);
DEFINE_CONFIG_PARSE_ENUM(config_parse_ipv4_force_igmp_version, ipv4_force_igmp_version, IPv4ForceIgmpVersion);

systemd / systemd / 18066640619

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous