1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-31 16:21:26 +03:00
Commit Graph

49564 Commits

Author SHA1 Message Date
Susant Sahani
176321cb95 network: DHCP option- use correct byteorder 2021-02-17 23:15:26 +01:00
Lennart Poettering
07335f7f1f
Merge pull request #18656 from yuwata/network-nexthop-tiny-cleanups
network: nexthop: tiny cleanups
2021-02-17 23:14:12 +01:00
Lennart Poettering
6e825539d2 hwdb: fix indentation
a bunch of entries use 2ch instead of 1ch indentation. Fix that.
2021-02-17 23:13:45 +01:00
Lennart Poettering
2840d6f61d
Merge pull request #18662 from yuwata/in-addr-is-set
in-addr-util: introduce in_addr_is_set() or friends
2021-02-17 23:13:27 +01:00
Zbigniew Jędrzejewski-Szmek
42a033f784 sysctl: downgrade warning about excluded keys
Our own config generates logs like this:
systemd-sysctl[1280]: Not setting net/ipv4/conf/all/rp_filter (explicit setting exists).
systemd-sysctl[1280]: Not setting net/ipv4/conf/default/rp_filter (explicit setting exists).
systemd-sysctl[1280]: Not setting net/ipv4/conf/all/accept_source_route (explicit setting exists).
systemd-sysctl[1280]: Not setting net/ipv4/conf/default/accept_source_route (explicit setting exists).
systemd-sysctl[1280]: Not setting net/ipv4/conf/all/promote_secondaries (explicit setting exists).
systemd-sysctl[1280]: Not setting net/ipv4/conf/default/promote_secondaries (explicit setting exists).

There is no error and nothing really to see.
2021-02-17 23:13:01 +01:00
Yu Watanabe
ccbd74f602 network: NHA_ID should be always set 2021-02-18 03:56:26 +09:00
Yu Watanabe
c004cd2bbe network: constify arguments 2021-02-18 03:54:50 +09:00
Yu Watanabe
56223d926d network: introduce log_nexthop_debug() 2021-02-18 03:54:50 +09:00
Lennart Poettering
6283e71ba8
Merge pull request #18640 from poettering/resolved-dnssec-retry-harder
resolved: two dnssec retry/downgrade tweaks
2021-02-17 19:50:58 +01:00
Yu Watanabe
c633628daf tree-wide: constify variables if possible 2021-02-18 03:48:07 +09:00
Yu Watanabe
94af46fc66 network: use temporary buffer for safety 2021-02-18 03:48:07 +09:00
Yu Watanabe
5380707aba network: use in_addr_prefix_to_string() 2021-02-18 03:48:07 +09:00
Yu Watanabe
b1dea5cffa resolve: use sockaddr_in_addr() 2021-02-18 03:48:07 +09:00
Yu Watanabe
bb3b08ad98 resolve: make manager_find_ifindex() or friends return earlier 2021-02-18 03:48:07 +09:00
Yu Watanabe
94876904bb tree-wide: use in_addr_is_set() or friends 2021-02-18 03:48:07 +09:00
Yu Watanabe
275468c033 network: assign values after all checks are passed 2021-02-18 03:48:07 +09:00
Yu Watanabe
fa55043450 in-addr-util: introduce in6_addr_equal() 2021-02-18 03:48:06 +09:00
Yu Watanabe
1235befadd in-addr-util: introduce in6_addr_is_link_local() 2021-02-18 03:48:06 +09:00
Yu Watanabe
7653dcc328 in-addr-util: introduce in_addr_is_set() or friends 2021-02-18 03:48:06 +09:00
Yu Watanabe
0c0585ca25 network: enumerate nexthops before routes
Preparation for the later commits.
Routes may have RTA_NH_ID attribute. To resolve the nexthop ID, all
nexthops must be enumerated earlier.
2021-02-17 19:40:02 +01:00
Yu Watanabe
055e4909de network: nexthop: first create nexthops with ID
Otherwise, an ID-less nexthop may conflict with a later nexthop with ID.
2021-02-17 19:39:37 +01:00
Lennart Poettering
e30a62bfe6 resolved: see if it's worth retrying a lookup on "failed-auxiliary" DNSSEC error
Maybe we learnt something about the server feature set, let's hence
retry.

Fixes: #11102
2021-02-17 19:25:13 +01:00
Lennart Poettering
d96275d8eb resolved: in DNSSEC permissive mode, check if DO bit wasn't copied from request to response
If the server doesn't copy the DO bit from request to response, this is
a very early and easy indication that it doesn#t support DNSSEC
properly. Hence, let's immediately downgrade to non-DNSSEC mode if we
see this – if permissive mode is on and this is allowed.
2021-02-17 19:25:13 +01:00
Luca Boccassi
0761da386a test: avoid leaking open loop devices
When a subshell is used ('make' or 'make all') the LOOPDEV environment
variable, which is used to store the opened loop device, is lost.
So the cleanup on trap/exit doesn't do anything, and the loop
device used to mount the test image is left around.

Avoid using a subshell to fix the issue.
2021-02-17 18:55:05 +01:00
Lennart Poettering
50fc7d7036
Merge pull request #18653 from yuwata/in-addr-prefix-nth
in-addr-util: fix in_addr_prefix_nth() and use the function to get ip address range in firewall-util
2021-02-17 18:52:24 +01:00
Lennart Poettering
1ed4e584f3 resolved: address DVE-2018-0001
This is an updated version of #8608 with more restrictive logic. To
quite the original bug:

    Some captive portals, lie and do not respond with the captive portal
    IP address, if the query is with EDNS0 enabled and D0 bit set to
    zero. Thus retry "secure" domain name look ups with less secure
    methods, upon NXDOMAIN.

https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md

Yes, this fix sucks hard, but I guess this is what we need to do to make
sure resolved works IRL.

Heavily based on the original patch from Dimitri John Ledkov, and I
copied the commentary verbatim.

Replaces: #8608
2021-02-17 18:06:13 +01:00
Frantisek Sumsal
98f6d5769f ci: enable DNS over TLS using OpenSSL in the build test
Prompted by:
    * https://github.com/systemd/systemd/pull/18641#issuecomment-780371055
    * https://github.com/systemd/systemd/issues/18639
2021-02-17 16:41:23 +01:00
Zbigniew Jędrzejewski-Szmek
faacac453d
Merge pull request #18632 from yuwata/network-nexthop-add-family
network: introduce Family= setting in [NextHop] section
2021-02-17 15:02:50 +01:00
Yu Watanabe
9997507421 firewall-util: replace nft_in6addr_to_range() with in_addr_prefix_range() 2021-02-17 22:57:37 +09:00
Yu Watanabe
1534c5791a in-addr-util: introduce in_addr_prefix_range()
This will replace nft_in6addr_to_range() in later commit.
2021-02-17 22:57:37 +09:00
Yu Watanabe
9164338b2e in-addr-util: make in_addr_prefix_nth() always return valid prefix
Previously, e.g. in_addr_prefix_nth(2400::1, prefixlen=32, nth=1)
does not return 2400:1:: but does 2400:1::1.
2021-02-17 22:57:37 +09:00
Yu Watanabe
7b6b05cff9 in-addr-util: make in_addr_prefix_nth() refuse prefixlen larger than maximum size 2021-02-17 22:57:37 +09:00
Yu Watanabe
518b6da5d3 in-addr-util: make in_addr_prefix_nth() returns 0 on success 2021-02-17 22:57:37 +09:00
Yu Watanabe
40785f53ba network: refuse IPv4 multipath route for IPv6 route 2021-02-17 22:08:15 +09:00
Yu Watanabe
35d39c94a9 network: Route::gw_family may be AF_UNSPEC 2021-02-17 21:11:13 +09:00
Vito Caputo
f82027042a logs-show: move show_journal_by_unit _BOOT_ID match
In scrutinizing the journal overhead of `systemctl status $service`
it became apparent that the matching engine was performing the unit
matches on every journal in my system, even ones containing nothing
relevant to the current boot.

This seemed strange and likely suboptimal to me, since there's likely
far more unit data to rifle through than boot IDs in any given
journal.  The _BOOT_ID match seemed like it should be serving as an
early exit match on irrelevant journals, but that wasn't what seemed
to be happening.

As a quick experiment to see if I could get the _BOOT_ID match to be
something along the lines of a higher priority when matching, and try
early exit on these unrelated journals, I moved add_match_this_boot()
to after the unit match adds, inserting a conjunction between them.

The end result seems to be a very substantial performance gain in my
simple uncached tests, and I still get the expected journal output
from the `systemctl status $service` command:

----------------------------------------------------------------------

Unmodified systemctl times:

 root@localhost:/# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/# time systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
    Loaded: loaded (/lib/systemd/system/dbus.service; static; vendor preset: enabled)
    Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
      Docs: man:dbus-daemon(1)
  Main PID: 572 (dbus-daemon)
    Memory: 2.8M
       CPU: 110ms
    CGroup: /system.slice/dbus.service
            └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.695s
 user    0m0.005s
 sys     0m0.043s
 root@localhost:/# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/# time systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
    Loaded: loaded (/lib/systemd/system/dbus.service; static; vendor preset: enabled)
    Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
      Docs: man:dbus-daemon(1)
  Main PID: 572 (dbus-daemon)
    Memory: 2.8M
       CPU: 110ms
    CGroup: /system.slice/dbus.service
            └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.696s
 user    0m0.003s
 sys     0m0.046s
 root@localhost:/# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/# time systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
    Loaded: loaded (/lib/systemd/system/dbus.service; static; vendor preset: enabled)
    Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
      Docs: man:dbus-daemon(1)
  Main PID: 572 (dbus-daemon)
    Memory: 2.8M
       CPU: 110ms
    CGroup: /system.slice/dbus.service
            └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.694s
 user    0m0.006s
 sys     0m0.041s

----------------------------------------------------------------------

Modified systemctl including this commit:

 root@localhost:/home/vc/gh/systemd/build# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/home/vc/gh/systemd/build# time ./systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
      Loaded: loaded (/lib/systemd/system/dbus.service; static)
      Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
 TriggeredBy: ● dbus.socket
        Docs: man:dbus-daemon(1)
    Main PID: 572 (dbus-daemon)
      Memory: 2.8M
         CPU: 110ms
      CGroup: /system.slice/dbus.service
              └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.168s
 user    0m0.003s
 sys     0m0.016s
 root@localhost:/home/vc/gh/systemd/build# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/home/vc/gh/systemd/build# time ./systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
      Loaded: loaded (/lib/systemd/system/dbus.service; static)
      Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
 TriggeredBy: ● dbus.socket
        Docs: man:dbus-daemon(1)
    Main PID: 572 (dbus-daemon)
      Memory: 2.8M
         CPU: 110ms
      CGroup: /system.slice/dbus.service
              └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.167s
 user    0m0.005s
 sys     0m0.013s
 root@localhost:/home/vc/gh/systemd/build# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/home/vc/gh/systemd/build# time ./systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
      Loaded: loaded (/lib/systemd/system/dbus.service; static)
      Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
 TriggeredBy: ● dbus.socket
        Docs: man:dbus-daemon(1)
    Main PID: 572 (dbus-daemon)
      Memory: 2.8M
         CPU: 110ms
      CGroup: /system.slice/dbus.service
              └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.170s
 user    0m0.005s
 sys     0m0.014s
2021-02-17 09:50:36 +01:00
Lennart Poettering
4a6eb82445 resolved: include NSID support to DNS stub
This adds minimal support for RFC5001 NSID to the stub resolver. This
useful to identify systemd-resolved when talking to the stub resolver,
and distuingishing the packets resolved answers itself (where NSID is
now set) from those which it proxies 1:1 upstream (where NSID will not
be set, or set to whatever the upstream server has it set to).

The NSID chosen consist of two parts:

1. The first part is derived from /etc/machine-id and identifies the
   resolved instance in a stable way.

2. The second part is the fixed string ".resolved.systemd.io".

This thus maybe used for a veriety of checks:

a. Am I talking to a resolved stub?
b. Am I talking to the same stub as last time?
c. Am I talking to the local resolved?

Given that the first part leaks the identity of the system in away two
protections are in place:

I) The NSID is only included on the main stub, not the extra stub. The
   main stub has with a TTL of 1 and other protections a lot of safety
   in place that the datagrams never leave the local system, thus the
   identifying info is only accessible to the local system — but
   /etc/machine-id is accessible to local software anyway.

II) The NSID is hashed from /etc/machine-id in a non-invertable way, so
    that the machine ID itself isn't leaked, but only an identifier
    derived from it.

Example dig run:

```
$ dig +nsid localhost @127.0.0.53

; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc33 <<>> +nsid localhost @127.0.0.53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46917
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
; NSID: 35 33 64 34 61 34 66 63 32 31 32 65 34 31 61 30 39 66 30 39 65 33 32 34 63 64 64 38 30 36 32 33 2e 72 65 73 6f 6c 76 65 64 2e 73 79 73 74 65 6d 64 2e 69 6f ("53d4a4fc212e41a09f09e324cdd80623.resolved.systemd.io")
;; QUESTION SECTION:
;localhost.			IN	A

;; ANSWER SECTION:
localhost.		0	IN	A	127.0.0.1

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Do Nov 12 20:57:16 CET 2020
;; MSG SIZE  rcvd: 110
```
2021-02-17 09:42:07 +01:00
Hans de Goede
9628ba7c6b hwdb: Add accel orientation quirk for the Trekstor Surftab Wintron 10.1 ST10432-3 tablet
Add a quirk to fix the accelerometer orientation on the
Trekstor Surftab Wintron 10.1 ST10432-3 tablet.
2021-02-17 08:47:15 +01:00
Zbigniew Jędrzejewski-Szmek
4c1ff29052
Merge pull request #18641 from benjarobin/fix-enum-invalid-val
Various follow-up: Fix build and EINVAL for _INVALID enum value
2021-02-17 08:46:09 +01:00
Yu Watanabe
6cd8f9b5f2 test-network: add tests for Family= in [NextHop] 2021-02-17 15:55:37 +09:00
Yu Watanabe
26ff450550 man: update explanations of settings in [NextHop] section 2021-02-17 15:55:37 +09:00
Yu Watanabe
acfd8491fb network: nexthop: refuse 0 id
We usually do not accept values which will be handled as unspecified.
Instead, this makes config_parse_nexthop_id() accept an empty string.
2021-02-17 15:55:37 +09:00
Yu Watanabe
f1923efccb network: nexthop: introduce Family= setting in [NextHop] section
This is an alias of `Gateway=0.0.0.0` or `Gateway=::`.
2021-02-17 15:55:37 +09:00
Yu Watanabe
e9c4253d47 network: allow to configure nexthop with null address
Closes #18446.
2021-02-17 15:55:37 +09:00
Yu Watanabe
0008b5aee2 network: nexthop: unset gateway when an empty string is assigned 2021-02-17 15:55:37 +09:00
Giedrius Statkevičius
68337e55f6 condition: add CPUFeature
Taking a stab at implementing #14479.

Add {Condition,Assert}CPUFeature to `systemd-analyze` & friends. Implement it
by executing the CPUID instruction. Add tables for common x86/i386
features.

Tested via unit tests + checked that commands such as:

```bash
systemd-analyze condition 'AssertCPUFeature = rdrand'
```

Succeed as expected and that commands such as

```bash
systemd-analyze condition 'AssertCPUFeature = foobar'
```

Fail as expected. Finally, I have amended the `systemd.unit` manual page
with the new condition and the list of all currently supported flags.
2021-02-17 15:31:29 +09:00
Benjamin Robin
0e2d092d43 resolve: Fix build for cleanup function (SSL_free + BIO_free)
Follow-up of #18616
2021-02-16 23:57:29 +01:00
Lennart Poettering
b1b4e9204c
Merge pull request #18007 from fw-strlen/ipv6_masq_and_dnat
Support ipv6 for masquerade and dnat in nspawn and networkd
2021-02-16 23:41:35 +01:00
Benjamin Robin
62875895fa shared: use -EINVAL for _NETDEV_BRIDGE_STATE_INVALID
Follow-up of #11484
2021-02-16 23:40:30 +01:00
Benjamin Robin
3de56f4712 portable: use -EINVAL for _PORTABLE_CHANGE_TYPE_INVALID
Follow-up of #11484
2021-02-16 23:40:30 +01:00