From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 17 Feb 2021 07:17:37 +0000 (+0900)
Subject: network: warn when any positive boolean string is specified for IPMasquerade=
X-Git-Tag: v248-rc1~40^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F18646%2Fhead;p=thirdparty%2Fsystemd.git

network: warn when any positive boolean string is specified for IPMasquerade=

Previously, any positive boolean string for IPMasquerade= enables only IPv4
masquerade. The commit 48ed276647c754bfb3ed5c6c5af9404e073ffe54 adds
IPv6 masquerade support. However, only "yes" is handled as "ipv4", and other
positive boolean strings are handled as "both".

This makes all positive boolean strings considered as "ipv4", warn that they
are deprecated, and suggest to use "ipv4" or "both".

Follow-up for 48ed276647c754bfb3ed5c6c5af9404e073ffe54.
---

diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index d0bd0c57d45..610799724b6 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -735,17 +735,15 @@ IPv6Token=prefixstable:2002:da8:1::</programlisting></para>
         </varlistentry>
         <varlistentry>
           <term><varname>IPMasquerade=</varname></term>
-          <listitem><para>Configures IP masquerading for the network
-          interface. If enabled, packets forwarded from the network
-          interface will be appear as coming from the local host.
-          Takes one of <literal>ipv4</literal>, <literal>ipv6</literal>,
-          <literal>both</literal>, <literal>no</literal>.
-          The setting <literal>yes</literal> is the same as <literal>ipv4</literal> and not as
-          <literal>both</literal>!
-          Defaults to <literal>no</literal>.
-          If enabled, this automatically sets <varname>IPForward</varname> to one of
-          <literal>ipv4</literal>, <literal>ipv6</literal> or <literal>both</literal>.
-          </para></listitem>
+          <listitem><para>Configures IP masquerading for the network interface. If enabled, packets
+          forwarded from the network interface will be appear as coming from the local host. Takes one
+          of <literal>ipv4</literal>, <literal>ipv6</literal>, <literal>both</literal>, or
+          <literal>no</literal>. Defaults to <literal>no</literal>. If enabled, this automatically sets
+          <varname>IPForward=</varname> to one of <literal>ipv4</literal>, <literal>ipv6</literal> or
+          <literal>yes</literal>.</para>
+          <para>Note. Any positive boolean values such as <literal>yes</literal> or
+          <literal>true</literal> are now deprecated. Please use one of the values in the above.</para>
+          </listitem>
         </varlistentry>
         <varlistentry>
           <term><varname>IPv6PrivacyExtensions=</varname></term>
diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf
index 60ac30fbce6..e7e51e2f19c 100644
--- a/src/network/networkd-network-gperf.gperf
+++ b/src/network/networkd-network-gperf.gperf
@@ -111,7 +111,7 @@ Network.DNSSEC,                              config_parse_dnssec_mode,
 Network.DNSSECNegativeTrustAnchors,          config_parse_dnssec_negative_trust_anchors,               0,                             0
 Network.NTP,                                 config_parse_ntp,                                         0,                             offsetof(Network, ntp)
 Network.IPForward,                           config_parse_address_family_with_kernel,                  0,                             offsetof(Network, ip_forward)
-Network.IPMasquerade,                        config_parse_address_family_compat,                       0,                             offsetof(Network, ip_masquerade)
+Network.IPMasquerade,                        config_parse_ip_masquerade,                               0,                             offsetof(Network, ip_masquerade)
 Network.IPv6PrivacyExtensions,               config_parse_ipv6_privacy_extensions,                     0,                             offsetof(Network, ipv6_privacy_extensions)
 Network.IPv6AcceptRA,                        config_parse_tristate,                                    0,                             offsetof(Network, ipv6_accept_ra)
 Network.IPv6AcceptRouterAdvertisements,      config_parse_tristate,                                    0,                             offsetof(Network, ipv6_accept_ra)
diff --git a/src/network/networkd-util.c b/src/network/networkd-util.c
index 52f4e9dbb56..a9dd6d45eb6 100644
--- a/src/network/networkd-util.c
+++ b/src/network/networkd-util.c
@@ -40,6 +40,13 @@ static const char* const dhcp_deprecated_address_family_table[_ADDRESS_FAMILY_MA
         [ADDRESS_FAMILY_IPV6] = "v6",
 };
 
+static const char* const ip_masquerade_address_family_table[_ADDRESS_FAMILY_MAX] = {
+        [ADDRESS_FAMILY_NO]   = "no",
+        [ADDRESS_FAMILY_YES]  = "both",
+        [ADDRESS_FAMILY_IPV4] = "ipv4",
+        [ADDRESS_FAMILY_IPV6] = "ipv6",
+};
+
 static const char* const dhcp_lease_server_type_table[_SD_DHCP_LEASE_SERVER_TYPE_MAX] = {
         [SD_DHCP_LEASE_DNS]  = "DNS servers",
         [SD_DHCP_LEASE_NTP]  = "NTP servers",
@@ -65,18 +72,9 @@ DEFINE_STRING_TABLE_LOOKUP(duplicate_address_detection_address_family, AddressFa
 DEFINE_CONFIG_PARSE_ENUM(config_parse_link_local_address_family, link_local_address_family,
                          AddressFamily, "Failed to parse option");
 DEFINE_STRING_TABLE_LOOKUP_FROM_STRING(dhcp_deprecated_address_family, AddressFamily);
+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(ip_masquerade_address_family, AddressFamily);
 DEFINE_STRING_TABLE_LOOKUP(dhcp_lease_server_type, sd_dhcp_lease_server_type_t);
 
-static AddressFamily address_family_compat_from_string(const char *s) {
-        if (streq_ptr(s, "yes"))         /* compat name */
-                return ADDRESS_FAMILY_IPV4;
-        if (streq_ptr(s, "both"))
-                return ADDRESS_FAMILY_YES;
-        return address_family_from_string(s);
-}
-DEFINE_CONFIG_PARSE_ENUM(config_parse_address_family_compat, address_family_compat,
-                         AddressFamily, "Failed to parse option");
-
 int config_parse_address_family_with_kernel(
                 const char* unit,
                 const char *filename,
@@ -119,6 +117,49 @@ int config_parse_address_family_with_kernel(
         return 0;
 }
 
+int config_parse_ip_masquerade(
+                const char *unit,
+                const char *filename,
+                unsigned line,
+                const char *section,
+                unsigned section_line,
+                const char *lvalue,
+                int ltype,
+                const char *rvalue,
+                void *data,
+                void *userdata) {
+
+        AddressFamily a, *ret = data;
+        int r;
+
+        if (isempty(rvalue)) {
+                *ret = ADDRESS_FAMILY_NO;
+                return 0;
+        }
+
+        r = parse_boolean(rvalue);
+        if (r >= 0) {
+                if (r)
+                        log_syntax(unit, LOG_WARNING, filename, line, 0,
+                                   "IPMasquerade=%s is deprecated, and it is handled as \"ipv4\" instead of \"both\". "
+                                   "Please use \"ipv4\" or \"both\".",
+                                   rvalue);
+
+                *ret = r ? ADDRESS_FAMILY_IPV4 : ADDRESS_FAMILY_NO;
+                return 0;
+        }
+
+        a = ip_masquerade_address_family_from_string(rvalue);
+        if (a < 0) {
+                log_syntax(unit, LOG_WARNING, filename, line, a,
+                           "Failed to parse IPMasquerade= setting, ignoring assignment: %s", rvalue);
+                return 0;
+        }
+
+        *ret = a;
+        return 0;
+}
+
 /* Router lifetime can be set with netlink interface since kernel >= 4.5
  * so for the supported kernel we don't need to expire routes in userspace */
 int kernel_route_expiration_supported(void) {
diff --git a/src/network/networkd-util.h b/src/network/networkd-util.h
index e70df0528e3..01675e8b5c5 100644
--- a/src/network/networkd-util.h
+++ b/src/network/networkd-util.h
@@ -28,7 +28,7 @@ typedef struct NetworkConfigSection {
 
 CONFIG_PARSER_PROTOTYPE(config_parse_link_local_address_family);
 CONFIG_PARSER_PROTOTYPE(config_parse_address_family_with_kernel);
-CONFIG_PARSER_PROTOTYPE(config_parse_address_family_compat);
+CONFIG_PARSER_PROTOTYPE(config_parse_ip_masquerade);
 
 const char *address_family_to_string(AddressFamily b) _const_;
 AddressFamily address_family_from_string(const char *s) _pure_;