networkd: Tunnel allows tunnel traffic on ip6tnl devices (#7756)
authorSusant Sahani <145210+ssahani@users.noreply.github.com>
Fri, 29 Dec 2017 14:19:21 +0000 (19:49 +0530)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Fri, 29 Dec 2017 14:19:21 +0000 (23:19 +0900)
where the remote endpoint is a local host address.

man/systemd.netdev.xml
src/network/netdev/netdev-gperf.gperf
src/network/netdev/tunnel.c
src/network/netdev/tunnel.h

index b9647a2f7a54e21cff964e2198556af9931fad0e..8f8d54a8eb3e2932ebcf2a45f392fdc10eeec136 100644 (file)
           </para>
         </listitem>
       </varlistentry>
+      <varlistentry>
+        <term><varname>AllowLocalRemote=</varname></term>
+        <listitem>
+          <para>A boolean. When true allows tunnel traffic on <varname>ip6tnl</varname> devices where the remote endpoint is a local host address.
+          Defaults to unset.
+          </para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
   <refsect1>
index 03b86619574339af75be0e2c556ec5b7ca6da341..1b4cb5a60c239b980a51dd5e4dab164a4959ebbd 100644 (file)
@@ -63,6 +63,7 @@ Tunnel.IPv6FlowLabel,        config_parse_ipv6_flowlabel,          0,
 Tunnel.CopyDSCP,             config_parse_bool,                    0,                             offsetof(Tunnel, copy_dscp)
 Tunnel.EncapsulationLimit,   config_parse_encap_limit,             0,                             offsetof(Tunnel, encap_limit)
 Tunnel.Independent,          config_parse_bool,                    0,                             offsetof(Tunnel, independent)
+Tunnel.AllowLocalRemote,     config_parse_tristate,                0,                             offsetof(Tunnel, allow_localremote)
 Peer.Name,                   config_parse_ifname,                  0,                             offsetof(Veth, ifname_peer)
 Peer.MACAddress,             config_parse_hwaddr,                  0,                             offsetof(Veth, mac_peer)
 VXCAN.Peer,                  config_parse_ifname,                  0,                             offsetof(VxCan, ifname_peer)
index 8d6d54d5679dc8bb074cc441fd6c1013d12bbf10..bbc6dca53bca2dcb28002e3fc9521cb4ea7e5a42 100644 (file)
@@ -37,6 +37,7 @@
 
 #define DEFAULT_TNL_HOP_LIMIT   64
 #define IP6_FLOWINFO_FLOWLABEL  htobe32(0x000FFFFF)
+#define IP6_TNL_F_ALLOW_LOCAL_REMOTE 0x40
 
 static const char* const ip6tnl_mode_table[_NETDEV_IP6_TNL_MODE_MAX] = {
         [NETDEV_IP6_TNL_MODE_IP6IP6] = "ip6ip6",
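Review bot: The added `#define IP6_TNL_F_ALLOW_LOCAL_REMOTE 0x40` is unconditional and uncommented, although it duplicates a kernel UAPI constant that newer `linux/ip6_tunnel.h` headers already provide. Guarding it with `#ifndef IP6_TNL_F_ALLOW_LOCAL_REMOTE` … `#endif` keeps the fallback for older headers and lets the kernel's own definition take precedence where it exists. A comment such as `/* allow remote endpoint on the local node; fallback for older kernel headers */` would explain why the value is defined here. Whether this file includes that header is not visible in the hunk.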
@@ -336,6 +337,9 @@ static int netdev_ip6tnl_fill_message_create(NetDev *netdev, Link *link, sd_netl
         if (t->copy_dscp)
                 t->flags |= IP6_TNL_F_RCV_DSCP_COPY;
 
+        if (t->allow_localremote != -1)
+                SET_FLAG(t->flags, IP6_TNL_F_ALLOW_LOCAL_REMOTE, t->allow_localremote);
+
         if (t->encap_limit != IPV6_DEFAULT_TNL_ENCAP_LIMIT) {
                 r = sd_netlink_message_append_u8(m, IFLA_IPTUN_ENCAP_LIMIT, t->encap_limit);
                 if (r < 0)
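Review bot: Setting `IP6_TNL_F_ALLOW_LOCAL_REMOTE` in the added block lifts the ip6_tunnel check that refuses a remote endpoint configured on the local node (to my knowledge the kernel's routing-loop guard), and nothing in the code says so. A comment above the `if`, such as `/* Opt-in only: lifts the kernel's refusal of a remote address that is local to this host */`, would make that trade-off visible to whoever audits the tunnel configuration. The bare `-1` also hides that the field is a tristate. If `t->flags` starts out cleared (its initialisation is outside the hunk), unset and false behave the same, so `if (t->allow_localremote > 0)` followed by `t->flags |= IP6_TNL_F_ALLOW_LOCAL_REMOTE;` would mirror the `copy_dscp` lines above and keep the default fail-closed. The same sentinel is assigned in the `ip6tnl_init` hunk, and the `int allow_localremote;` field in tunnel.h would benefit from a `/* tristate, -1 = unset */` remark; netdev_ip6tnl_fill_message_create continues outside this hunk.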
@@ -682,6 +686,7 @@ static void ip6tnl_init(NetDev *n) {
         t->encap_limit = IPV6_DEFAULT_TNL_ENCAP_LIMIT;
         t->ip6tnl_mode = _NETDEV_IP6_TNL_MODE_INVALID;
         t->ipv6_flowlabel = _NETDEV_IPV6_FLOWLABEL_INVALID;
+        t->allow_localremote = -1;
 }
 
 const NetDevVTable ipip_vtable = {
index 67f8fe35c759ddcf659b9cdf77f61cb59bcbca02..7ffafe9e9814179c1af5a9a640d3e7ab5dc240ad 100644 (file)
@@ -45,6 +45,7 @@ typedef struct Tunnel {
 
         int family;
         int ipv6_flowlabel;
+        int allow_localremote;
 
         unsigned ttl;
         unsigned tos;