From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 8 Jun 2020 04:48:14 +0000 (+0900)
Subject: network: introduce IPv4AcceptLocal= setting
X-Git-Tag: v246-rc1~199^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=94d76d071e8d742c82e0793d35015673715dacee;p=thirdparty%2Fsystemd.git

network: introduce IPv4AcceptLocal= setting

Closes #16090.
---

diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index d23e8a548c1..ae93a39eb46 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -672,6 +672,13 @@
           When unset, the kernel's default will be used.
         </para></listitem>
         </varlistentry>
+        <varlistentry>
+          <term><varname>IPv4AcceptLocal=</varname></term>
+          <listitem><para>Takes a boolean. Accept packets with local source addresses. In combination
+          with suitable routing, this can be used to direct packets between two local interfaces over
+          the wire and have them accepted properly. When unset, the kernel's default will be used.
+          </para></listitem>
+        </varlistentry>
         <varlistentry>
           <term><varname>IPv4ProxyARP=</varname></term>
           <listitem><para>Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the technique in which one host,
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 805aff3ab1d..31ffc8b4886 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -2532,6 +2532,22 @@ static int link_set_ipv6_mtu(Link *link) {
         return 0;
 }
 
+static int link_set_ipv4_accept_local(Link *link) {
+        int r;
+
+        if (link->flags & IFF_LOOPBACK)
+                return 0;
+
+        if (link->network->ipv4_accept_local < 0)
+                return 0;
+
+        r = sysctl_write_ip_property_boolean(AF_INET, link->ifname, "accept_local", link->network->ipv4_accept_local);
+        if (r < 0)
+                log_link_warning_errno(link, r, "Cannot set IPv4 accept_local flag for interface: %m");
+
+        return 0;
+}
+
 static bool link_is_static_address_configured(Link *link, Address *address) {
         Address *net_address;
 
@@ -2871,6 +2887,10 @@ static int link_configure(Link *link) {
         if (r < 0)
                 return r;
 
+        r = link_set_ipv4_accept_local(link);
+        if (r < 0)
+                return r;
+
         r = link_set_flags(link);
         if (r < 0)
                 return r;
diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf
index 39188906648..5c2a4d36a11 100644
--- a/src/network/networkd-network-gperf.gperf
+++ b/src/network/networkd-network-gperf.gperf
@@ -96,6 +96,7 @@ Network.IPv6DuplicateAddressDetection,       config_parse_int,
 Network.IPv6HopLimit,                        config_parse_int,                                         0,                             offsetof(Network, ipv6_hop_limit)
 Network.IPv6ProxyNDP,                        config_parse_tristate,                                    0,                             offsetof(Network, ipv6_proxy_ndp)
 Network.IPv6MTUBytes,                        config_parse_mtu,                                         AF_INET6,                      offsetof(Network, ipv6_mtu)
+Network.IPv4AcceptLocal,                     config_parse_tristate,                                    0,                             offsetof(Network, ipv4_accept_local)
 Network.ActiveSlave,                         config_parse_bool,                                        0,                             offsetof(Network, active_slave)
 Network.PrimarySlave,                        config_parse_bool,                                        0,                             offsetof(Network, primary_slave)
 Network.IPv4ProxyARP,                        config_parse_tristate,                                    0,                             offsetof(Network, proxy_arp)
diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
index 124c570b0e4..bbecd706ce9 100644
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
@@ -450,6 +450,8 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
                 /* If LinkLocalAddressing= is not set, then set to ADDRESS_FAMILY_IPV6 later. */
                 .link_local = _ADDRESS_FAMILY_INVALID,
 
+                .ipv4_accept_local = -1,
+
                 .ipv6_privacy_extensions = IPV6_PRIVACY_EXTENSIONS_NO,
                 .ipv6_accept_ra = -1,
                 .ipv6_dad_transmits = -1,
diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h
index 934a33ac943..59016228622 100644
--- a/src/network/networkd-network.h
+++ b/src/network/networkd-network.h
@@ -237,6 +237,7 @@ struct Network {
 
         AddressFamily ip_forward;
         bool ip_masquerade;
+        int ipv4_accept_local;
 
         int ipv6_accept_ra;
         int ipv6_dad_transmits;
diff --git a/test/fuzz/fuzz-network-parser/directives.network b/test/fuzz/fuzz-network-parser/directives.network
index 7cade0e9edc..478b574418e 100644
--- a/test/fuzz/fuzz-network-parser/directives.network
+++ b/test/fuzz/fuzz-network-parser/directives.network
@@ -153,6 +153,7 @@ Address=
 IPv6ProxyNDPAddress=
 IPv6AcceptRA=
 IPv6AcceptRouterAdvertisements=
+IPv4AcceptLocal=
 DNSSECNegativeTrustAnchors=
 MACVTAP=
 IPv6PrivacyExtensions=