Merge pull request #15942 from poettering/pass-pktinfo

disable PassCredentials= on networkd netlink socket, enable NETLINK_PKTINFO instead
2025-03-31 14:50:15 +03:00 · 2020-05-29 15:23:15 +09:00 · 2020-05-29 15:23:15 +09:00 · 27cd09442f
commit 27cd09442f
parent cfbee85ce2 08ab18618e
13 changed files with 54 additions and 7 deletions
--- a/docs/TRANSIENT-SETTINGS.md
+++ b/docs/TRANSIENT-SETTINGS.md
@ -429,6 +429,7 @@ Most socket unit settings are available to transient units.
 ✓ Broadcast=
 ✓ PassCredentials=
 ✓ PassSecurity=
+✓ PassPacketInfo=
 ✓ TCPCongestion=
 ✓ ReusePort=
 ✓ MessageQueueMaxMessages=
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@ -709,6 +709,15 @@
        Defaults to <option>false</option>.</para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><varname>PassPacketInfo=</varname></term>
+        <listitem><para>Takes a boolean value. This controls the <constant>IP_PKTINFO</constant>,
+        <constant>IPV6_RECVPKTINFO</constant> and <constant>NETLINK_PKTINFO</constant> socket options, which
+        enable reception of additional per-packet metadata as ancillary message, on
+        <constant>AF_INET</constant>, <constant>AF_INET6</constant> and <constant>AF_UNIX</constant> sockets.
+        Defaults to <option>false</option>.</para></listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><varname>TCPCongestion=</varname></term>
        <listitem><para>Takes a string value. Controls the TCP
--- a/src/basic/socket-util.c
+++ b/src/basic/socket-util.c
@ -1174,5 +1174,27 @@ ssize_t recvmsg_safe(int sockfd, struct msghdr *msg, int flags) {
        }

        return n;
-
+}
+
+int socket_pass_pktinfo(int fd, bool b) {
+        int af;
+        socklen_t sl = sizeof(af);
+
+        if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &af, &sl) < 0)
+                return -errno;
+
+        switch (af) {
+
+        case AF_INET:
+                return setsockopt_int(fd, IPPROTO_IP, IP_PKTINFO, b);
+
+        case AF_INET6:
+                return setsockopt_int(fd, IPPROTO_IPV6, IPV6_RECVPKTINFO, b);
+
+        case AF_NETLINK:
+                return setsockopt_int(fd, SOL_NETLINK, NETLINK_PKTINFO, b);
+
+        default:
+                return -EAFNOSUPPORT;
+        }
 }
--- a/src/basic/socket-util.h
+++ b/src/basic/socket-util.h
@ -220,3 +220,5 @@ int socket_bind_to_ifname(int fd, const char *ifname);
 int socket_bind_to_ifindex(int fd, int ifindex);

 ssize_t recvmsg_safe(int sockfd, struct msghdr *msg, int flags);
+
+int socket_pass_pktinfo(int fd, bool b);
--- a/src/core/dbus-socket.c
+++ b/src/core/dbus-socket.c
@ -104,6 +104,7 @@ const sd_bus_vtable bus_socket_vtable[] = {
        SD_BUS_PROPERTY("Broadcast", "b", bus_property_get_bool, offsetof(Socket, broadcast), SD_BUS_VTABLE_PROPERTY_CONST),
        SD_BUS_PROPERTY("PassCredentials", "b", bus_property_get_bool, offsetof(Socket, pass_cred), SD_BUS_VTABLE_PROPERTY_CONST),
        SD_BUS_PROPERTY("PassSecurity", "b", bus_property_get_bool, offsetof(Socket, pass_sec), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("PassPacketInfo", "b", bus_property_get_bool, offsetof(Socket, pass_pktinfo), SD_BUS_VTABLE_PROPERTY_CONST),
        SD_BUS_PROPERTY("RemoveOnStop", "b", bus_property_get_bool, offsetof(Socket, remove_on_stop), SD_BUS_VTABLE_PROPERTY_CONST),
        SD_BUS_PROPERTY("Listen", "a(ss)", property_get_listen, 0, SD_BUS_VTABLE_PROPERTY_CONST),
        SD_BUS_PROPERTY("Symlinks", "as", NULL, offsetof(Socket, symlinks), SD_BUS_VTABLE_PROPERTY_CONST),
@ -202,6 +203,9 @@ static int bus_socket_set_transient_property(
        if (streq(name, "PassSecurity"))
                return bus_set_transient_bool(u, name, &s->pass_sec, message, flags, error);

+        if (streq(name, "PassPacketInfo"))
+                return bus_set_transient_bool(u, name, &s->pass_pktinfo, message, flags, error);
+
        if (streq(name, "ReusePort"))
                return bus_set_transient_bool(u, name, &s->reuse_port, message, flags, error);

--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@ -396,6 +396,7 @@ Socket.Transparent,              config_parse_bool,                  0,
 Socket.Broadcast,                config_parse_bool,                  0,                             offsetof(Socket, broadcast)
 Socket.PassCredentials,          config_parse_bool,                  0,                             offsetof(Socket, pass_cred)
 Socket.PassSecurity,             config_parse_bool,                  0,                             offsetof(Socket, pass_sec)
+Socket.PassPacketInfo,           config_parse_bool,                  0,                             offsetof(Socket, pass_pktinfo)
 Socket.TCPCongestion,            config_parse_string,                0,                             offsetof(Socket, tcp_congestion)
 Socket.ReusePort,                config_parse_bool,                  0,                             offsetof(Socket, reuse_port)
 Socket.MessageQueueMaxMessages,  config_parse_long,                  0,                             offsetof(Socket, mq_maxmsg)
--- a/src/core/socket.c
+++ b/src/core/socket.c
@ -635,6 +635,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                "%sBroadcast: %s\n"
                "%sPassCredentials: %s\n"
                "%sPassSecurity: %s\n"
+                "%sPassPacketInfo: %s\n"
                "%sTCPCongestion: %s\n"
                "%sRemoveOnStop: %s\n"
                "%sWritable: %s\n"
@ -654,6 +655,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                prefix, yes_no(s->broadcast),
                prefix, yes_no(s->pass_cred),
                prefix, yes_no(s->pass_sec),
+                prefix, yes_no(s->pass_pktinfo),
                prefix, strna(s->tcp_congestion),
                prefix, yes_no(s->remove_on_stop),
                prefix, yes_no(s->writable),
@ -1070,6 +1072,12 @@ static void socket_apply_socket_options(Socket *s, int fd) {
                        log_unit_warning_errno(UNIT(s), r, "SO_PASSSEC failed: %m");
        }

+        if (s->pass_pktinfo) {
+                r = socket_pass_pktinfo(fd, true);
+                if (r < 0)
+                        log_unit_warning_errno(UNIT(s), r, "Failed to enable packet info socket option: %m");
+        }
+
        if (s->priority >= 0) {
                r = setsockopt_int(fd, SOL_SOCKET, SO_PRIORITY, s->priority);
                if (r < 0)
--- a/src/core/socket.h
+++ b/src/core/socket.h
@ -121,6 +121,7 @@ struct Socket {
        bool broadcast;
        bool pass_cred;
        bool pass_sec;
+        bool pass_pktinfo;

        /* Only for INET6 sockets: issue IPV6_V6ONLY sockopt */
        SocketAddressBindIPv6Only bind_ipv6_only;
--- a/src/libsystemd/sd-netlink/netlink-socket.c
+++ b/src/libsystemd/sd-netlink/netlink-socket.c
@ -16,10 +16,6 @@
 #include "socket-util.h"
 #include "util.h"

-/* For some reason we need some extra cmsg space on some kernels. It's not clear why, and one of those days
- * we need to track this down. See: https://github.com/systemd/systemd/pull/15457 */
-#define EXTRA_CMSG_SPACE 1024
-
 int socket_open(int family) {
        int fd;

@ -244,7 +240,7 @@ int socket_write_message(sd_netlink *nl, sd_netlink_message *m) {

 static int socket_recv_message(int fd, struct iovec *iov, uint32_t *ret_mcast_group, bool peek) {
        union sockaddr_union sender;
-        CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct nl_pktinfo)) + EXTRA_CMSG_SPACE) control;
+        CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct nl_pktinfo))) control;
        struct msghdr msg = {
                .msg_iov = iov,
                .msg_iovlen = 1,
--- a/src/resolve/resolved-dns-stream.c
+++ b/src/resolve/resolved-dns-stream.c
@ -88,6 +88,7 @@ static int dns_stream_complete(DnsStream *s, int error) {

 static int dns_stream_identify(DnsStream *s) {
        CMSG_BUFFER_TYPE(CMSG_SPACE(MAXSIZE(struct in_pktinfo, struct in6_pktinfo))
+                         + CMSG_SPACE(int) + /* for the TTL */
                         + EXTRA_CMSG_SPACE /* kernel appears to require extra space */) control;
        struct msghdr mh = {};
        struct cmsghdr *cmsg;
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@ -1632,6 +1632,7 @@ static int bus_append_socket_property(sd_bus_message *m, const char *field, cons
                              "Broadcast",
                              "PassCredentials",
                              "PassSecurity",
+                              "PassPacketInfo",
                              "ReusePort",
                              "RemoveOnStop",
                              "SELinuxContextFromNet"))
--- a/test/fuzz/fuzz-unit-file/directives.service
+++ b/test/fuzz/fuzz-unit-file/directives.service
@ -164,6 +164,7 @@ PIDFile=
 PartOf=
 PassCredentials=
 PassSecurity=
+PassPacketInfo=
 PathChanged=
 PathExists=
 PathExistsGlob=
--- a/units/systemd-networkd.socket
+++ b/units/systemd-networkd.socket
@ -17,7 +17,7 @@ Before=sockets.target
 [Socket]
 ReceiveBuffer=128M
 ListenNetlink=route 1361
-PassCredentials=yes
+PassPacketInfo=yes

 [Install]
 WantedBy=sockets.target