Merge pull request #19310 from yuwata/network-dhcp-anonymize
network: dhcp4: several fixes and cleanups for Anonymize=
commit
b7c3447a2f
@ -1651,26 +1651,24 @@ IPv6Token=prefixstable:2002:da8:1::</programlisting></para>
|
||||
<varlistentry>
|
||||
<term><varname>Anonymize=</varname></term>
|
||||
<listitem>
|
||||
<para>Takes a boolean. When true, the options sent to the DHCP server will
|
||||
follow the <ulink url="https://tools.ietf.org/html/rfc7844">RFC 7844</ulink>
|
||||
(Anonymity Profiles for DHCP Clients) to minimize disclosure of identifying information.
|
||||
Defaults to false.</para>
|
||||
<para>Takes a boolean. When true, the options sent to the DHCP server will follow the
|
||||
<ulink url="https://tools.ietf.org/html/rfc7844">RFC 7844</ulink> (Anonymity Profiles for
|
||||
DHCP Clients) to minimize disclosure of identifying information. Defaults to false.</para>
|
||||
|
||||
<para>This option should only be set to true when
|
||||
<varname>MACAddressPolicy=</varname> is set to <literal>random</literal>
|
||||
(see <citerefentry
|
||||
project='man-pages'><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>).</para>
|
||||
<para>This option should only be set to true when <varname>MACAddressPolicy=</varname> is
|
||||
set to <literal>random</literal> (see
|
||||
<citerefentry project='man-pages'><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
|
||||
</para>
|
||||
|
||||
<para>Note that this configuration will overwrite others.
|
||||
In concrete, the following variables will be ignored:
|
||||
<varname>SendHostname=</varname>, <varname>ClientIdentifier=</varname>,
|
||||
<varname>UseRoutes=</varname>, <varname>UseMTU=</varname>,
|
||||
<varname>VendorClassIdentifier=</varname>, <varname>UseTimezone=</varname>.</para>
|
||||
<para>When true, <varname>SendHostname=</varname>, <varname>ClientIdentifier=</varname>,
|
||||
<varname>VendorClassIdentifier=</varname>, <varname>UserClass=</varname>,
|
||||
<varname>RequestOptions=</varname>, <varname>SendOption=</varname>,
|
||||
<varname>SendVendorOption=</varname>, and <varname>MUDURL=</varname> are ignored.</para>
|
||||
|
||||
<para>With this option enabled DHCP requests will mimic those generated by Microsoft Windows, in
|
||||
order to reduce the ability to fingerprint and recognize installations. This means DHCP request
|
||||
sizes will grow and lease data will be more comprehensive than normally, though most of the
|
||||
requested data is not actually used.</para>
|
||||
<para>With this option enabled DHCP requests will mimic those generated by Microsoft
|
||||
Windows, in order to reduce the ability to fingerprint and recognize installations. This
|
||||
means DHCP request sizes will grow and lease data will be more comprehensive than normally,
|
||||
though most of the requested data is not actually used.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
|
@ -57,6 +57,8 @@ void network_adjust_dhcp(Network *network) {
|
||||
"Disabling DHCPv6 client.", network->filename);
|
||||
SET_FLAG(network->dhcp, ADDRESS_FAMILY_IPV6, false);
|
||||
}
|
||||
|
||||
network_adjust_dhcp4(network);
|
||||
}
|
||||
|
||||
static struct DUID fallback_duid = { .type = DUID_TYPE_EN };
|
||||
|
@ -26,6 +26,31 @@
|
||||
static int dhcp4_update_address(Link *link, bool announce);
|
||||
static int dhcp4_remove_all(Link *link);
|
||||
|
||||
void network_adjust_dhcp4(Network *network) {
|
||||
assert(network);
|
||||
|
||||
if (!FLAGS_SET(network->dhcp, ADDRESS_FAMILY_IPV4))
|
||||
return;
|
||||
|
||||
if (network->dhcp_use_gateway < 0)
|
||||
network->dhcp_use_gateway = network->dhcp_use_routes;
|
||||
|
||||
/* RFC7844 section 3.: MAY contain the Client Identifier option
|
||||
* Section 3.5: clients MUST use client identifiers based solely on the link-layer address
|
||||
* NOTE: Using MAC, as it does not reveal extra information, and some servers might not answer
|
||||
* if this option is not sent */
|
||||
if (network->dhcp_anonymize &&
|
||||
network->dhcp_client_identifier >= 0 &&
|
||||
network->dhcp_client_identifier != DHCP_CLIENT_ID_MAC) {
|
||||
log_warning("%s: ClientIdentifier= is set, although Anonymize=yes. Using ClientIdentifier=mac.",
|
||||
network->filename);
|
||||
network->dhcp_client_identifier = DHCP_CLIENT_ID_MAC;
|
||||
}
|
||||
|
||||
if (network->dhcp_client_identifier < 0)
|
||||
network->dhcp_client_identifier = network->dhcp_anonymize ? DHCP_CLIENT_ID_MAC : DHCP_CLIENT_ID_DUID;
|
||||
}
|
||||
|
||||
static int dhcp4_release_old_lease(Link *link) {
|
||||
Route *route;
|
||||
int k, r = 0;
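Review bot: The `dhcp_use_gateway` normalization at `if (network->dhcp_use_gateway < 0)` now sits behind the `FLAGS_SET(network->dhcp, ADDRESS_FAMILY_IPV4)` early return, whereas the same two lines removed from network_verify() ran for every network; any reader that treats `dhcp_use_gateway` as a plain boolean on a network without DHCPv4 would now see -1, which I cannot rule out from this hunk. Either hoist that assignment above the early return or add a comment stating that the field is only meaningful when DHCPv4 is enabled, e.g. `/* Only consulted by the DHCPv4 client; left at -1 when DHCPv4 is off. */`. The ClientIdentifier= override under Anonymize= is the privacy-critical part of this function and would benefit from one more line next to the log_warning(), e.g. `/* Anonymize= wins: a DUID-based client id is a stable identifier that survives MAC randomization. */`. network_adjust_dhcp4() is fully visible here; dhcp4_release_old_lease() continues past the hunk.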
|
||||
@ -1329,96 +1354,93 @@ int dhcp4_configure(Link *link) {
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set MTU: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_use_mtu) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_INTERFACE_MTU);
|
||||
if (!link->network->dhcp_anonymize) {
|
||||
if (link->network->dhcp_use_mtu) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_INTERFACE_MTU);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for MTU: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_use_routes) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_STATIC_ROUTE);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for static route: %m");
|
||||
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_CLASSLESS_STATIC_ROUTE);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for classless static route: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_use_domains != DHCP_USE_DOMAINS_NO) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_DOMAIN_SEARCH_LIST);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for domain search list: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_use_ntp) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_NTP_SERVER);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for NTP server: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_use_sip) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_SIP_SERVER);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for SIP server: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_use_timezone) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_NEW_TZDB_TIMEZONE);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for timezone: %m");
|
||||
}
|
||||
|
||||
SET_FOREACH(request_options, link->network->dhcp_request_options) {
|
||||
uint32_t option = PTR_TO_UINT32(request_options);
|
||||
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, option);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for '%u': %m", option);
|
||||
}
|
||||
|
||||
ORDERED_HASHMAP_FOREACH(send_option, link->network->dhcp_client_send_options) {
|
||||
r = sd_dhcp_client_add_option(link->dhcp_client, send_option);
|
||||
if (r == -EEXIST)
|
||||
continue;
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set send option: %m");
|
||||
}
|
||||
|
||||
ORDERED_HASHMAP_FOREACH(send_option, link->network->dhcp_client_send_vendor_options) {
|
||||
r = sd_dhcp_client_add_vendor_option(link->dhcp_client, send_option);
|
||||
if (r == -EEXIST)
|
||||
continue;
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set send option: %m");
|
||||
}
|
||||
|
||||
r = dhcp4_set_hostname(link);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for MTU: %m");
|
||||
}
|
||||
return r;
|
||||
|
||||
/* NOTE: even if this variable is called "use", it also "sends" PRL
|
||||
* options, maybe there should be a different configuration variable
|
||||
* to send or not route options?. */
|
||||
/* NOTE: when using Anonymize=yes, routes PRL options are sent
|
||||
* by default, so they don't need to be added here. */
|
||||
if (link->network->dhcp_use_routes && !link->network->dhcp_anonymize) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_STATIC_ROUTE);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for static route: %m");
|
||||
if (link->network->dhcp_vendor_class_identifier) {
|
||||
r = sd_dhcp_client_set_vendor_class_identifier(link->dhcp_client,
|
||||
link->network->dhcp_vendor_class_identifier);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set vendor class identifier: %m");
|
||||
}
|
||||
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_CLASSLESS_STATIC_ROUTE);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for classless static route: %m");
|
||||
}
|
||||
if (link->network->dhcp_mudurl) {
|
||||
r = sd_dhcp_client_set_mud_url(link->dhcp_client, link->network->dhcp_mudurl);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set MUD URL: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_use_domains != DHCP_USE_DOMAINS_NO && !link->network->dhcp_anonymize) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_DOMAIN_SEARCH_LIST);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for domain search list: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_use_ntp) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_NTP_SERVER);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for NTP server: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_use_sip) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_SIP_SERVER);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for SIP server: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_use_timezone) {
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, SD_DHCP_OPTION_NEW_TZDB_TIMEZONE);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for timezone: %m");
|
||||
}
|
||||
|
||||
SET_FOREACH(request_options, link->network->dhcp_request_options) {
|
||||
uint32_t option = PTR_TO_UINT32(request_options);
|
||||
|
||||
r = sd_dhcp_client_set_request_option(link->dhcp_client, option);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set request flag for '%u': %m", option);
|
||||
}
|
||||
|
||||
ORDERED_HASHMAP_FOREACH(send_option, link->network->dhcp_client_send_options) {
|
||||
r = sd_dhcp_client_add_option(link->dhcp_client, send_option);
|
||||
if (r == -EEXIST)
|
||||
continue;
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set send option: %m");
|
||||
}
|
||||
|
||||
ORDERED_HASHMAP_FOREACH(send_option, link->network->dhcp_client_send_vendor_options) {
|
||||
r = sd_dhcp_client_add_vendor_option(link->dhcp_client, send_option);
|
||||
if (r == -EEXIST)
|
||||
continue;
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set send option: %m");
|
||||
}
|
||||
|
||||
r = dhcp4_set_hostname(link);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (link->network->dhcp_vendor_class_identifier) {
|
||||
r = sd_dhcp_client_set_vendor_class_identifier(link->dhcp_client,
|
||||
link->network->dhcp_vendor_class_identifier);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set vendor class identifier: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_mudurl) {
|
||||
r = sd_dhcp_client_set_mud_url(link->dhcp_client, link->network->dhcp_mudurl);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set MUD URL: %m");
|
||||
}
|
||||
|
||||
if (link->network->dhcp_user_class) {
|
||||
r = sd_dhcp_client_set_user_class(link->dhcp_client, link->network->dhcp_user_class);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set user class: %m");
|
||||
if (link->network->dhcp_user_class) {
|
||||
r = sd_dhcp_client_set_user_class(link->dhcp_client, link->network->dhcp_user_class);
|
||||
if (r < 0)
|
||||
return log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set user class: %m");
|
||||
}
|
||||
}
|
||||
|
||||
if (link->network->dhcp_client_port > 0) {
|
||||
|
@ -17,6 +17,7 @@ typedef enum DHCPClientIdentifier {
|
||||
_DHCP_CLIENT_ID_INVALID = -EINVAL,
|
||||
} DHCPClientIdentifier;
|
||||
|
||||
void network_adjust_dhcp4(Network *network);
|
||||
int dhcp4_configure(Link *link);
|
||||
int dhcp4_update_mac(Link *link);
|
||||
|
||||
|
@ -41,45 +41,6 @@
|
||||
/* Let's assume that anything above this number is a user misconfiguration. */
|
||||
#define MAX_NTP_SERVERS 128
|
||||
|
||||
/* Set defaults following RFC7844 */
|
||||
void network_apply_anonymize_if_set(Network *network) {
|
||||
if (!network->dhcp_anonymize)
|
||||
return;
|
||||
/* RFC7844 3.7
|
||||
SHOULD NOT send the Host Name option */
|
||||
network->dhcp_send_hostname = false;
|
||||
/* RFC7844 section 3.:
|
||||
MAY contain the Client Identifier option
|
||||
Section 3.5:
|
||||
clients MUST use client identifiers based solely
|
||||
on the link-layer address */
|
||||
/* NOTE: Using MAC, as it does not reveal extra information,
|
||||
* and some servers might not answer if this option is not sent */
|
||||
network->dhcp_client_identifier = DHCP_CLIENT_ID_MAC;
|
||||
/* RFC 7844 3.10:
|
||||
SHOULD NOT use the Vendor Class Identifier option */
|
||||
network->dhcp_vendor_class_identifier = mfree(network->dhcp_vendor_class_identifier);
|
||||
/* RFC7844 section 3.6.:
|
||||
The client intending to protect its privacy SHOULD only request a
|
||||
minimal number of options in the PRL and SHOULD also randomly shuffle
|
||||
the ordering of option codes in the PRL. If this random ordering
|
||||
cannot be implemented, the client MAY order the option codes in the
|
||||
PRL by option code number (lowest to highest).
|
||||
*/
|
||||
/* NOTE: dhcp_use_mtu is false by default,
|
||||
* though it was not initiallized to any value in network_load_one.
|
||||
* Maybe there should be another var called *send*?
|
||||
* (to use the MTU sent by the server but to do not send
|
||||
* the option in the PRL). */
|
||||
network->dhcp_use_mtu = false;
|
||||
/* NOTE: when Anonymize=yes, the PRL route options are sent by default,
|
||||
* but this is needed to use them. */
|
||||
network->dhcp_use_routes = true;
|
||||
/* RFC7844 section 3.6.
|
||||
* same comments as previous option */
|
||||
network->dhcp_use_timezone = false;
|
||||
}
|
||||
|
||||
static int network_resolve_netdev_one(Network *network, const char *name, NetDevKind kind, NetDev **ret_netdev) {
|
||||
const char *kind_string;
|
||||
NetDev *netdev;
|
||||
@ -223,9 +184,6 @@ int network_verify(Network *network) {
|
||||
network->dhcp_use_mtu = false;
|
||||
}
|
||||
|
||||
if (network->dhcp_use_gateway < 0)
|
||||
network->dhcp_use_gateway = network->dhcp_use_routes;
|
||||
|
||||
if (network->dhcp_critical >= 0) {
|
||||
if (network->keep_configuration >= 0)
|
||||
log_warning("%s: Both KeepConfiguration= and deprecated CriticalConnection= are set. "
|
||||
@ -340,11 +298,9 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
|
||||
.allmulticast = -1,
|
||||
.promiscuous = -1,
|
||||
|
||||
.configure_without_carrier = false,
|
||||
.ignore_carrier_loss = -1,
|
||||
.keep_configuration = _KEEP_CONFIGURATION_INVALID,
|
||||
|
||||
.dhcp = ADDRESS_FAMILY_NO,
|
||||
.duid.type = _DUID_TYPE_INVALID,
|
||||
.dhcp_critical = -1,
|
||||
.dhcp_use_ntp = true,
|
||||
@ -353,20 +309,11 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
|
||||
.dhcp_use_hostname = true,
|
||||
.dhcp_use_routes = true,
|
||||
.dhcp_use_gateway = -1,
|
||||
/* NOTE: this var might be overwritten by network_apply_anonymize_if_set */
|
||||
.dhcp_send_hostname = true,
|
||||
.dhcp_send_release = true,
|
||||
/* To enable/disable RFC7844 Anonymity Profiles */
|
||||
.dhcp_anonymize = false,
|
||||
.dhcp_route_metric = DHCP_ROUTE_METRIC,
|
||||
/* NOTE: this var might be overwritten by network_apply_anonymize_if_set */
|
||||
.dhcp_client_identifier = DHCP_CLIENT_ID_DUID,
|
||||
.dhcp_client_identifier = _DHCP_CLIENT_ID_INVALID,
|
||||
.dhcp_route_table = RT_TABLE_MAIN,
|
||||
.dhcp_route_table_set = false,
|
||||
/* NOTE: from man: UseMTU=... Defaults to false*/
|
||||
.dhcp_use_mtu = false,
|
||||
/* NOTE: from man: UseTimezone=... Defaults to "no".*/
|
||||
.dhcp_use_timezone = false,
|
||||
.dhcp_ip_service_type = -1,
|
||||
|
||||
.dhcp6_use_address = true,
|
||||
@ -432,7 +379,6 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
|
||||
.ipv6_accept_ra_use_autonomous_prefix = true,
|
||||
.ipv6_accept_ra_use_onlink_prefix = true,
|
||||
.ipv6_accept_ra_route_table = RT_TABLE_MAIN,
|
||||
.ipv6_accept_ra_route_table_set = false,
|
||||
.ipv6_accept_ra_start_dhcp6_client = IPV6_ACCEPT_RA_START_DHCP6_CLIENT_YES,
|
||||
|
||||
.can_triple_sampling = -1,
|
||||
@ -505,8 +451,6 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
network_apply_anonymize_if_set(network);
|
||||
|
||||
r = network_add_ipv4ll_route(network);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "%s: Failed to add IPv4LL route, ignoring: %m", network->filename);
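Review bot: The new default `.dhcp_client_identifier = _DHCP_CLIENT_ID_INVALID,` in the network_load_one() initializer is only resolved by network_adjust_dhcp4(), which returns early when DHCPv4 is not enabled, so a network with DHCP=no or DHCP=ipv6 keeps -EINVAL in that field; that is harmless only if dhcp4_configure() is its sole reader, which this section does not let me confirm. A comment on the initializer would pin the contract, e.g. `/* Resolved in network_adjust_dhcp4(): DUID by default, MAC when Anonymize=yes; stays invalid while DHCPv4 is off. */`. With network_apply_anonymize_if_set() and its call site removed, the RFC 7844 defaults appear to be enforced by skipping the request/send options in dhcp4_configure() instead, and nothing left in this file records that relocation; a one-line pointer next to `.dhcp_anonymize = false,` would help the next reader find where Anonymize= actually takes effect.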
|
||||
|