Vincent Bernat [Fri, 30 Nov 2018 21:48:36 +0000 (22:48 +0100)]
daemon: don't enable ProtectSystem by default
If the chroot is in `/usr` (like `/usr/local/var/run/lldpd` which is
the default), neither systemd nor lldpd will be able to create and
write to it. This may be solved with `ReadWritePaths` (unsure if it
would create the directory), but this doesn't exist in older versions
of systemd.
Just comment the directive to let people know it exists and should
work in most cases.
Vincent Bernat [Wed, 28 Nov 2018 13:56:47 +0000 (14:56 +0100)]
interfaces: remove specific handling for bonds except with --enable-oldies
Starting from Linux 4.19, LLDP packets are transmitted back to the
bond devices and it seems the original interface is lost in the
process. Therefore, packets are duplicated to both members. Upstream
commit is:
bonding: pass link-local packets to bonding master also.
Commit b89f04c61efe ("bonding: deliver link-local packets with
skb->dev set to link that packets arrived on") changed the behavior
of how link-local-multicast packets are processed. The change in
the behavior broke some legacy use cases where these packets are
expected to arrive on bonding master device also.
This patch passes the packet to the stack with the link it arrived
on as well as passes to the bonding-master device to preserve the
legacy use case.
Fixes: b89f04c61efe ("bonding: deliver link-local packets with skb->dev set to link that packets arrived on")
Reported-by: Michal Soltys <soltys@ziu.info>
Signed-off-by: Mahesh Bandewar <maheshb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The code to handle bond devices is not needed since Linux 2.6.27.
Therefore, move it to the `--enable-oldies` option.
Vincent Bernat [Tue, 2 Oct 2018 18:36:37 +0000 (20:36 +0200)]
daemon: do not explicitly inline functions
As we are using `-Winline`, if it fails, we get a warning. Let the
compiler decide if something has to be inlined. As we use only static
functions, it should be easy to inline if possible.
Vincent Bernat [Wed, 8 Aug 2018 21:06:39 +0000 (23:06 +0200)]
daemon: implement mkdir -p directly in lldpd
It's difficult to know the path to mkdir. If we use the one from
autoconf (@mkdir_p@), we get the path from the host, not the target.
If we hardcode `/bin/mkdir`, it may not work on platforms like NixOS.
See https://github.com/NixOS/nixpkgs/issues/44507.
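The commit above replaces an exec of an external `mkdir` with an in-process implementation. The following is an added example of what such a `mkdir -p` looks like in C; it is not lldpd's code. It walks the path one component at a time, treats an already existing directory as success (so it is idempotent) and refuses to continue when a non-directory is already sitting at one of the components, which is the case a naive `EEXIST`-means-fine implementation gets wrong. The `mkdir_p_selftest` helper and the `/tmp`-based paths it uses are part of the example only.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Create one directory level. An existing directory is fine; an existing
 * non-directory at that path is reported as ENOTDIR instead of being
 * silently accepted. */
static int mkdir_one(const char *dir, mode_t mode) {
    struct stat st;
    if (mkdir(dir, mode) == 0) return 0;
    if (errno != EEXIST) return -1;
    if (stat(dir, &st) == -1) return -1;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; }
    return 0;
}

/* mkdir -p: create `path` and every missing parent with `mode`.
 * Returns 0 on success, -1 on failure with errno set. */
int mkdir_p(const char *path, mode_t mode) {
    char buf[PATH_MAX];
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    memcpy(buf, path, len + 1);
    /* "/a/b/" -> "/a/b", but keep a lone "/" */
    while (len > 1 && buf[len - 1] == '/') buf[--len] = '\0';
    /* start at buf + 1 so an absolute path never yields an empty component */
    for (char *p = buf + 1; *p; p++) {
        if (*p != '/') continue;
        *p = '\0';
        if (mkdir_one(buf, mode) == -1) return -1;
        *p = '/';
    }
    return mkdir_one(buf, mode);
}

/* Exercise mkdir_p inside a fresh temporary directory under /tmp (example
 * scaffolding only). Returns 1 if every check passes, 0 otherwise. */
int mkdir_p_selftest(void) {
    char base[] = "/tmp/mkdirp-XXXXXX";
    char path[PATH_MAX];
    struct stat st;
    FILE *f;
    if (mkdtemp(base) == NULL) return 0;

    /* nested creation with a trailing slash, then an idempotent repeat */
    snprintf(path, sizeof path, "%s/var/run/lldpd/", base);
    if (mkdir_p(path, 0755) != 0) return 0;
    if (mkdir_p(path, 0755) != 0) return 0;
    snprintf(path, sizeof path, "%s/var/run/lldpd", base);
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;

    /* a regular file in the way must fail with ENOTDIR, not be ignored */
    snprintf(path, sizeof path, "%s/file", base);
    if ((f = fopen(path, "w")) == NULL) return 0;
    fclose(f);
    snprintf(path, sizeof path, "%s/file/sub", base);
    if (mkdir_p(path, 0755) != -1 || errno != ENOTDIR) return 0;
    return 1;
}

int main(void) {
    printf("mkdir_p selftest: %s\n", mkdir_p_selftest() ? "ok" : "FAILED");
    return 0;
}
```

For a daemon that later chroots into the created directory, the mode passed here matters: a world-writable chroot parent lets an unprivileged local user plant files the daemon will later see under `/`, so use 0755 (or stricter) and create the directory before dropping privileges.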
Gustav Wiklander [Thu, 21 Jun 2018 08:49:37 +0000 (10:49 +0200)]
Add support for PD PoE negotiation.
Power requests refer to the power at the PSE.
Thus the loss offset caused by the cable has to be added
to the power request. Also the power received from the PSE
must subtract the cable loss to be compatible with lldp.
There are three TLVs for CDPv2 PoE negotiation.
Power Consumption: Current maximum power consumption of PD.
Power Request: Wanted maximum power consumption of PD.
Power Available: Power output from PSE.
Only used if lldp PoE is not supported by switch.
A cisco switch which does support both lldp and cdp will
use the protocol which is first to transmit a package.
Vincent Bernat [Sat, 16 Jun 2018 15:59:32 +0000 (17:59 +0200)]
tests: request CAP_DAC_OVERRIDE
CAP_FOWNER is for being able to use chown/chmod. The permission we
need to ignore permissions is CAP_DAC_OVERRIDE. It is quite a large
permission, unfortunately.
Vincent Bernat [Sat, 16 Jun 2018 15:53:33 +0000 (17:53 +0200)]
priv: always request CAP_FOWNER
While setting ifalias has some additional checks to ensure we can do
that with CAP_NET_ADMIN, we also need CAP_FOWNER to pass the sysfs
owner check. And we have to have both as the other test still needs to
pass.
Vincent Bernat [Tue, 12 Jun 2018 21:17:21 +0000 (23:17 +0200)]
priv: drop most privileges in monitor, only keep CAP_NET_RAW/ADMIN
On Linux, we mostly rely on CAP_NET_RAW. Only keep that one. However,
we also write to ifalias, which needs CAP_NET_ADMIN. We could let the user
choose at runtime if they want to grant this capability or not.
Currently, a user can turn it on/off at any time.
Access to SNMP socket may also be problematic. We need some solid
solution about that before merging.
Is it safe to use the same UID for the monitored and the unprivileged
process? Signals are mostly harmless. As for ptrace, since the
monitored process has more capabilities, this will not be allowed by
Linux.
Gustav Wiklander [Wed, 13 Jun 2018 09:35:15 +0000 (11:35 +0200)]
Read all notifications in lldpctl_recv.
Can otherwise lead to unbounded growth in input_buffer: if
LLDP devices send notifications simultaneously, a socket callback
contains multiple notifications and only the first one is cleared.
This leads to continuous growth of the input buffer and will crash
the system.
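The failure mode in the commit above (several notifications delivered in one socket read, only the first consumed, the rest left to accumulate) is illustrated below with an added example. It is not liblldpctl's code and uses a hypothetical wire framing (a 2-byte big-endian payload length followed by the payload) chosen only to make the point visible; `recv_first_only` is the faulty pattern and `recv_all` is the drain-everything fix. The `drain_selftest` function, its constructed reads and the `count_cb` callback are example scaffolding.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*notify_cb)(const uint8_t *payload, size_t len, void *arg);

struct inbuf {
    uint8_t *data;
    size_t len;   /* bytes currently buffered */
    size_t cap;   /* allocated size */
};

/* Append the bytes handed over by a socket read callback. Returns 0, or -1
 * if the buffer could not grow. */
int inbuf_append(struct inbuf *b, const uint8_t *p, size_t n) {
    if (b->len + n > b->cap) {
        size_t ncap = b->cap ? b->cap : 64;
        while (ncap < b->len + n) ncap *= 2;
        uint8_t *nd = realloc(b->data, ncap);
        if (nd == NULL) return -1;
        b->data = nd;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, p, n);
    b->len += n;
    return 0;
}

/* If one complete message sits at the head of the buffer, deliver it to
 * cb, discard it and return 1. Return 0 while the head is incomplete. */
static int pop_one(struct inbuf *b, notify_cb cb, void *arg) {
    if (b->len < 2) return 0;
    size_t plen = ((size_t)b->data[0] << 8) | b->data[1];
    if (b->len < 2 + plen) return 0;
    cb(b->data + 2, plen, arg);
    b->len -= 2 + plen;
    memmove(b->data, b->data + 2 + plen, b->len);
    return 1;
}

/* The faulty pattern: one message per callback invocation. Whatever else
 * arrived in the same read stays buffered; at best one extra message is
 * consumed per later read, so a busy peer makes the buffer grow forever. */
int recv_first_only(struct inbuf *b, notify_cb cb, void *arg) {
    return pop_one(b, cb, arg);
}

/* The fix: drain every complete message; only a partial tail may remain. */
int recv_all(struct inbuf *b, notify_cb cb, void *arg) {
    int n = 0;
    while (pop_one(b, cb, arg)) n++;
    return n;
}

static void count_cb(const uint8_t *payload, size_t len, void *arg) {
    (void)payload; (void)len;
    (*(int *)arg)++;
}

/* Constructed socket reads: the first carries three complete notifications
 * ("A", "BB", "CCC") plus the first byte of a fourth; the second carries
 * the rest of the fourth ("DDDD"). Returns 1 if the drain version ends with
 * an empty buffer while the first-only version keeps stale bytes. */
int drain_selftest(void) {
    static const uint8_t read1[] = {0,1,'A', 0,2,'B','B', 0,3,'C','C','C', 0};
    static const uint8_t read2[] = {4,'D','D','D','D'};
    struct inbuf buggy = {0}, fixed = {0};
    int seen_buggy = 0, seen_fixed = 0, ok = 1;

    if (inbuf_append(&buggy, read1, sizeof read1) || inbuf_append(&fixed, read1, sizeof read1)) return 0;
    if (recv_first_only(&buggy, count_cb, &seen_buggy) != 1 || buggy.len != 10) ok = 0;
    if (recv_all(&fixed, count_cb, &seen_fixed) != 3 || fixed.len != 1) ok = 0;

    if (inbuf_append(&buggy, read2, sizeof read2) || inbuf_append(&fixed, read2, sizeof read2)) return 0;
    if (recv_first_only(&buggy, count_cb, &seen_buggy) != 1 || buggy.len != 11) ok = 0;
    if (recv_all(&fixed, count_cb, &seen_fixed) != 1 || fixed.len != 0) ok = 0;
    if (seen_buggy != 2 || seen_fixed != 4) ok = 0;

    free(buggy.data);
    free(fixed.data);
    return ok;
}

int main(void) {
    printf("drain selftest: %s\n", drain_selftest() ? "ok" : "FAILED");
    return 0;
}
```

In a real client the drain loop should also cap how large a single partial message may grow before the connection is dropped; otherwise a peer that advertises a huge length and never completes it turns the same buffer into a memory exhaustion vector.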
Vincent Bernat [Sun, 8 Apr 2018 17:26:43 +0000 (19:26 +0200)]
build: don't be picky about deprecated stuff in libevent
This should fix:
evutil_rand.c:177:2: error: 'arc4random_addrandom' is deprecated: first deprecated in macOS 10.12 - use arc4random_stir [-Werror,-Wdeprecated-declarations]
Vincent Bernat [Sat, 17 Mar 2018 15:28:31 +0000 (16:28 +0100)]
lldpd: add an option to keep some specified ports
A user can specify a pattern of ports to not delete even when they are
removed from the system. If a port is removed from the system and
matches the pattern, it will be kept in memory.
Thomas Eliasson [Thu, 8 Mar 2018 14:34:17 +0000 (15:34 +0100)]
client: add alternative way to configure port description
The existing port description CLI command only allows a user-configured
description if setting port id subtype to local. This patch introduces
a subtype-independent way to configure port description.
Signed-off-by: Jonas Johansson <jonas.johansson@westermo.se>
Thomas Eliasson [Thu, 8 Mar 2018 14:10:39 +0000 (15:10 +0100)]
handle lldpStatsRemTablesLastChangeTime correctly when items are removed
When a port is removed, the time has to be updated. The last removal time is
registered per local port, and this timestamp will be used as
lldpStatsRemTablesLastChangeTime if it is the latest timestamp.
Also, the lldpStatsRemTablesDeletes is always increased when an entry in the
table is deleted.
Signed-off-by: Jonas Johansson <jonas.johansson@westermo.se>
Vincent Bernat [Sun, 31 Dec 2017 11:57:52 +0000 (12:57 +0100)]
daemon: move vfork/fork handling directly in lldpd.c
This is not needed elsewhere. This way, we ensure redefinition of
vfork() to fork() through a define is working as expected, even when
some system headers may try to rename vfork too.
Damien Riegel [Mon, 18 Dec 2017 19:37:08 +0000 (14:37 -0500)]
configure: remove check on CXX compiler
lldpd fails to build if the toolchain doesn't have a C++ compiler
because configure fails with the following error:
checking how to run the C++ preprocessor... /lib/cpp
configure: error: in `/home/dkc/src/buildroot/build-zii/build/lldpd-0.9.4':
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
Since "8d92800b: build: cleaner way to not alter CFLAGS/CPPFLAGS/LDFLAGS",
it seems that the dependency on C++ is not required anymore, so there
is no reason to keep this restriction. Dropping AC_PROG_CXX allows to
build with a toolchain that doesn't have C++ just fine.
Waldir Pimenta [Thu, 7 Dec 2017 18:51:39 +0000 (18:51 +0000)]
LICENSE: add title and copyright notice (#259)
* LICENSE: add title and copyright notice
The title is not legally mandated, but it's recommended in the license template text (see http://choosealicense.com/licenses/isc/ and https://opensource.org/licenses/isc-license).
Vincent Bernat [Sun, 19 Nov 2017 15:38:33 +0000 (16:38 +0100)]
dot3: as PD device, echo back PSE allocated value
Dot3 power TLV contains an allocated value and a requested value. When
PSE allocates some power and says so in its TLV, PD device is expected
to echo back (within 10 seconds) the received value in its own TLV. We
handle this part automatically.
Vincent Bernat [Sun, 22 Oct 2017 19:04:29 +0000 (21:04 +0200)]
priv: provide a simpler sig_chld when priv sep is disabled
We restore the original sig_chld() helper function when privilege
separation is enabled but we use a very simple one when not. This
should still fix the zombie issue.
Vincent Bernat [Mon, 2 Oct 2017 19:52:33 +0000 (21:52 +0200)]
daemon: don't fork at all when using upstart
It seems there is a bug in the Upstart state machine. If the process fails
before daemonizing, Upstart says the process will be respawned but that's
not the case. Moreover, Upstart has difficulty correctly tracking
daemonization of lldpd (it is confused by the additional process
spawning after initial daemonization, for some reason?).