]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/network/networkd-sysctl.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #18851 from yuwata/dissect-try-to-find-partition-on-timeout
[thirdparty/systemd.git] / src / network / networkd-sysctl.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <netinet/in.h>
4 #include <linux/if.h>
5
6 #include "missing_network.h"
7 #include "networkd-link.h"
8 #include "networkd-network.h"
9 #include "networkd-sysctl.h"
10 #include "socket-util.h"
11 #include "string-table.h"
12 #include "sysctl-util.h"
13
14 #define STABLE_SECRET_APP_ID_1 SD_ID128_MAKE(aa,05,1d,94,43,68,45,07,b9,73,f1,e8,e4,b7,34,52)
15 #define STABLE_SECRET_APP_ID_2 SD_ID128_MAKE(52,c4,40,a0,9f,2f,48,58,a9,3a,f6,29,25,ba,7a,7d)
16
17 static int link_update_ipv6_sysctl(Link *link) {
18 assert(link);
19
20 if (link->flags & IFF_LOOPBACK)
21 return 0;
22
23 if (!link_ipv6_enabled(link))
24 return 0;
25
26 return sysctl_write_ip_property_boolean(AF_INET6, link->ifname, "disable_ipv6", false);
27 }
28
29 static int link_set_proxy_arp(Link *link) {
30 assert(link);
31
32 if (link->flags & IFF_LOOPBACK)
33 return 0;
34
35 if (!link->network)
36 return 0;
37
38 if (link->network->proxy_arp < 0)
39 return 0;
40
41 return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "proxy_arp", link->network->proxy_arp > 0);
42 }
43
44 static bool link_ip_forward_enabled(Link *link, int family) {
45 assert(link);
46 assert(IN_SET(family, AF_INET, AF_INET6));
47
48 if (family == AF_INET6 && !socket_ipv6_is_supported())
49 return false;
50
51 if (link->flags & IFF_LOOPBACK)
52 return false;
53
54 if (!link->network)
55 return false;
56
57 return link->network->ip_forward & (family == AF_INET ? ADDRESS_FAMILY_IPV4 : ADDRESS_FAMILY_IPV6);
58 }
59
60 static int link_set_ipv4_forward(Link *link) {
61 assert(link);
62
63 if (!link_ip_forward_enabled(link, AF_INET))
64 return 0;
65
66 /* We propagate the forwarding flag from one interface to the
67 * global setting one way. This means: as long as at least one
68 * interface was configured at any time that had IP forwarding
69 * enabled the setting will stay on for good. We do this
70 * primarily to keep IPv4 and IPv6 packet forwarding behaviour
71 * somewhat in sync (see below). */
72
73 return sysctl_write_ip_property(AF_INET, NULL, "ip_forward", "1");
74 }
75
76 static int link_set_ipv6_forward(Link *link) {
77 assert(link);
78
79 if (!link_ip_forward_enabled(link, AF_INET6))
80 return 0;
81
82 /* On Linux, the IPv6 stack does not know a per-interface
83 * packet forwarding setting: either packet forwarding is on
84 * for all, or off for all. We hence don't bother with a
85 * per-interface setting, but simply propagate the interface
86 * flag, if it is set, to the global flag, one-way. Note that
87 * while IPv4 would allow a per-interface flag, we expose the
88 * same behaviour there and also propagate the setting from
89 * one to all, to keep things simple (see above). */
90
91 return sysctl_write_ip_property(AF_INET6, "all", "forwarding", "1");
92 }
93
94 static int link_set_ipv6_privacy_extensions(Link *link) {
95 assert(link);
96
97 if (!socket_ipv6_is_supported())
98 return 0;
99
100 if (link->flags & IFF_LOOPBACK)
101 return 0;
102
103 if (!link->network)
104 return 0;
105
106 // this is the special "kernel" value
107 if (link->network->ipv6_privacy_extensions == _IPV6_PRIVACY_EXTENSIONS_INVALID)
108 return 0;
109
110 return sysctl_write_ip_property_int(AF_INET6, link->ifname, "use_tempaddr", (int) link->network->ipv6_privacy_extensions);
111 }
112
113 static int link_set_ipv6_accept_ra(Link *link) {
114 assert(link);
115
116 /* Make this a NOP if IPv6 is not available */
117 if (!socket_ipv6_is_supported())
118 return 0;
119
120 if (link->flags & IFF_LOOPBACK)
121 return 0;
122
123 if (!link->network)
124 return 0;
125
126 return sysctl_write_ip_property(AF_INET6, link->ifname, "accept_ra", "0");
127 }
128
129 static int link_set_ipv6_dad_transmits(Link *link) {
130 assert(link);
131
132 /* Make this a NOP if IPv6 is not available */
133 if (!socket_ipv6_is_supported())
134 return 0;
135
136 if (link->flags & IFF_LOOPBACK)
137 return 0;
138
139 if (!link->network)
140 return 0;
141
142 if (link->network->ipv6_dad_transmits < 0)
143 return 0;
144
145 return sysctl_write_ip_property_int(AF_INET6, link->ifname, "dad_transmits", link->network->ipv6_dad_transmits);
146 }
147
148 static int link_set_ipv6_hop_limit(Link *link) {
149 assert(link);
150
151 /* Make this a NOP if IPv6 is not available */
152 if (!socket_ipv6_is_supported())
153 return 0;
154
155 if (link->flags & IFF_LOOPBACK)
156 return 0;
157
158 if (!link->network)
159 return 0;
160
161 if (link->network->ipv6_hop_limit < 0)
162 return 0;
163
164 return sysctl_write_ip_property_int(AF_INET6, link->ifname, "hop_limit", link->network->ipv6_hop_limit);
165 }
166
167 static int link_set_ipv6_proxy_ndp(Link *link) {
168 bool v;
169
170 assert(link);
171
172 if (!socket_ipv6_is_supported())
173 return 0;
174
175 if (link->flags & IFF_LOOPBACK)
176 return 0;
177
178 if (!link->network)
179 return 0;
180
181 if (link->network->ipv6_proxy_ndp >= 0)
182 v = link->network->ipv6_proxy_ndp;
183 else
184 v = !set_isempty(link->network->ipv6_proxy_ndp_addresses);
185
186 return sysctl_write_ip_property_boolean(AF_INET6, link->ifname, "proxy_ndp", v);
187 }
188
189 int link_set_ipv6_mtu(Link *link) {
190 uint32_t mtu;
191
192 assert(link);
193
194 /* Make this a NOP if IPv6 is not available */
195 if (!socket_ipv6_is_supported())
196 return 0;
197
198 if (link->flags & IFF_LOOPBACK)
199 return 0;
200
201 if (!link->network)
202 return 0;
203
204 if (link->network->ipv6_mtu == 0)
205 return 0;
206
207 mtu = link->network->ipv6_mtu;
208 if (mtu > link->max_mtu) {
209 log_link_warning(link, "Reducing requested IPv6 MTU %"PRIu32" to the interface's maximum MTU %"PRIu32".",
210 mtu, link->max_mtu);
211 mtu = link->max_mtu;
212 }
213
214 return sysctl_write_ip_property_uint32(AF_INET6, link->ifname, "mtu", mtu);
215 }
216
217 static int link_set_ipv6ll_stable_secret(Link *link) {
218 _cleanup_free_ char *str = NULL;
219 struct in6_addr a;
220 int r;
221
222 assert(link);
223 assert(link->network);
224
225 if (link->network->ipv6ll_address_gen_mode != IPV6_LINK_LOCAL_ADDRESSS_GEN_MODE_STABLE_PRIVACY)
226 return 0;
227
228 if (in6_addr_is_set(&link->network->ipv6ll_stable_secret))
229 a = link->network->ipv6ll_stable_secret;
230 else {
231 sd_id128_t key;
232 le64_t v;
233
234 /* Generate a stable secret address from machine-ID and the interface name. */
235
236 r = sd_id128_get_machine_app_specific(STABLE_SECRET_APP_ID_1, &key);
237 if (r < 0)
238 return log_link_debug_errno(link, r, "Failed to generate key: %m");
239
240 v = htole64(siphash24_string(link->ifname, key.bytes));
241 memcpy(a.s6_addr, &v, sizeof(v));
242
243 r = sd_id128_get_machine_app_specific(STABLE_SECRET_APP_ID_2, &key);
244 if (r < 0)
245 return log_link_debug_errno(link, r, "Failed to generate key: %m");
246
247 v = htole64(siphash24_string(link->ifname, key.bytes));
248 assert_cc(sizeof(v) * 2 == sizeof(a.s6_addr));
249 memcpy(a.s6_addr + sizeof(v), &v, sizeof(v));
250 }
251
252 r = in6_addr_to_string(&a, &str);
253 if (r < 0)
254 return r;
255
256 return sysctl_write_ip_property(AF_INET6, link->ifname, "stable_secret", str);
257 }
258
259 static int link_set_ipv4_accept_local(Link *link) {
260 assert(link);
261
262 if (link->flags & IFF_LOOPBACK)
263 return 0;
264
265 if (link->network->ipv4_accept_local < 0)
266 return 0;
267
268 return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "accept_local", link->network->ipv4_accept_local > 0);
269 }
270
271 static int link_set_ipv4_route_localnet(Link *link) {
272 assert(link);
273
274 if (link->flags & IFF_LOOPBACK)
275 return 0;
276
277 if (link->network->ipv4_route_localnet < 0)
278 return 0;
279
280 return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "route_localnet", link->network->ipv4_route_localnet > 0);
281 }
282
283 int link_set_sysctl(Link *link) {
284 int r;
285
286 assert(link);
287
288 /* If IPv6 configured that is static IPv6 address and IPv6LL autoconfiguration is enabled
289 * for this interface, then enable IPv6 */
290 r = link_update_ipv6_sysctl(link);
291 if (r < 0)
292 log_link_warning_errno(link, r, "Cannot enable IPv6, ignoring: %m");
293
294 r = link_set_proxy_arp(link);
295 if (r < 0)
296 log_link_warning_errno(link, r, "Cannot configure proxy ARP for interface, ignoring: %m");
297
298 r = link_set_ipv4_forward(link);
299 if (r < 0)
300 log_link_warning_errno(link, r, "Cannot turn on IPv4 packet forwarding, ignoring: %m");
301
302 r = link_set_ipv6_forward(link);
303 if (r < 0)
304 log_link_warning_errno(link, r, "Cannot configure IPv6 packet forwarding, ignoring: %m");;
305
306 r = link_set_ipv6_privacy_extensions(link);
307 if (r < 0)
308 log_link_warning_errno(link, r, "Cannot configure IPv6 privacy extensions for interface, ignoring: %m");
309
310 r = link_set_ipv6_accept_ra(link);
311 if (r < 0)
312 log_link_warning_errno(link, r, "Cannot disable kernel IPv6 accept_ra for interface, ignoring: %m");
313
314 r = link_set_ipv6_dad_transmits(link);
315 if (r < 0)
316 log_link_warning_errno(link, r, "Cannot set IPv6 dad transmits for interface, ignoring: %m");
317
318 r = link_set_ipv6_hop_limit(link);
319 if (r < 0)
320 log_link_warning_errno(link, r, "Cannot set IPv6 hop limit for interface, ignoring: %m");
321
322 r = link_set_ipv6_proxy_ndp(link);
323 if (r < 0)
324 log_link_warning_errno(link, r, "Cannot set IPv6 proxy NDP, ignoring: %m");
325
326 r = link_set_ipv6_mtu(link);
327 if (r < 0)
328 log_link_warning_errno(link, r, "Cannot set IPv6 MTU, ignoring: %m");
329
330 r = link_set_ipv6ll_stable_secret(link);
331 if (r < 0)
332 log_link_warning_errno(link, r, "Cannot set stable secret address for IPv6 link local address: %m");
333
334 r = link_set_ipv4_accept_local(link);
335 if (r < 0)
336 log_link_warning_errno(link, r, "Cannot set IPv4 accept_local flag for interface, ignoring: %m");
337
338 r = link_set_ipv4_route_localnet(link);
339 if (r < 0)
340 log_link_warning_errno(link, r, "Cannot set IPv4 route_localnet flag for interface, ignoring: %m");
341
342 /* If promote_secondaries is not set, DHCP will work only as long as the IP address does not
343 * changes between leases. The kernel will remove all secondary IP addresses of an interface
344 * otherwise. The way systemd-networkd works is that the new IP of a lease is added as a
345 * secondary IP and when the primary one expires it relies on the kernel to promote the
346 * secondary IP. See also https://github.com/systemd/systemd/issues/7163 */
347 r = sysctl_write_ip_property_boolean(AF_INET, link->ifname, "promote_secondaries", true);
348 if (r < 0)
349 log_link_warning_errno(link, r, "Cannot enable promote_secondaries for interface, ignoring: %m");
350
351 return 0;
352 }
353
354 static const char* const ipv6_privacy_extensions_table[_IPV6_PRIVACY_EXTENSIONS_MAX] = {
355 [IPV6_PRIVACY_EXTENSIONS_NO] = "no",
356 [IPV6_PRIVACY_EXTENSIONS_PREFER_PUBLIC] = "prefer-public",
357 [IPV6_PRIVACY_EXTENSIONS_YES] = "yes",
358 };
359
360 DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(ipv6_privacy_extensions, IPv6PrivacyExtensions,
361 IPV6_PRIVACY_EXTENSIONS_YES);
362
363 int config_parse_ipv6_privacy_extensions(
364 const char* unit,
365 const char *filename,
366 unsigned line,
367 const char *section,
368 unsigned section_line,
369 const char *lvalue,
370 int ltype,
371 const char *rvalue,
372 void *data,
373 void *userdata) {
374
375 IPv6PrivacyExtensions s, *ipv6_privacy_extensions = data;
376
377 assert(filename);
378 assert(lvalue);
379 assert(rvalue);
380 assert(ipv6_privacy_extensions);
381
382 s = ipv6_privacy_extensions_from_string(rvalue);
383 if (s < 0) {
384 if (streq(rvalue, "kernel"))
385 s = _IPV6_PRIVACY_EXTENSIONS_INVALID;
386 else {
387 log_syntax(unit, LOG_WARNING, filename, line, 0,
388 "Failed to parse IPv6 privacy extensions option, ignoring: %s", rvalue);
389 return 0;
390 }
391 }
392
393 *ipv6_privacy_extensions = s;
394
395 return 0;
396 }
Unnamed repository; edit this file 'description' to name the repository.