Merge ba076766a5 into fb4c82b643

```
In file included from ../src/nsresourced/nsresourced-manager.c:9:
../src/shared/bpf-link.h:5:10: fatal error: bpf/libbpf.h: No such file or directory
    5 | #include <bpf/libbpf.h>
      |          ^~~~~~~~~~~~~~
```

Follow-up for 46718d344f

hwdb.d/60-sensor.hwdb

@@ -760,8 +760,9 @@ sensor:modalias:i2c:bmc150_accel:dmi:*:svnLENOVO:*:pvrLenovoYoga300-11IBR:*
 sensor:modalias:acpi:ACCL0001*:dmi:*:svnLENOVO:pn60072:pvr851*:*
  ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
 
-# IdeaPad Duet 3 10IGL5 (82AT)
+# IdeaPad Duet 3 10IGL5 (82AT) and 10IGL5-LTE (82HK)
 sensor:modalias:acpi:SMO8B30*:dmi:*:svnLENOVO*:pn82AT:*
+sensor:modalias:acpi:SMO8B30*:dmi:*:svnLENOVO*:pn82HK:*
  ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
 
 #########################################

man/repart.d.xml

@@ -922,9 +922,9 @@
         target for some other supplement definition. A target cannot have more than one supplement partition
         associated with it.</para>
 
-        <para>For example, distributions can use this to implement <variable>$BOOT</variable> as defined in
+        <para>For example, distributions can use this to implement <varname>$BOOT</varname> as defined in
         the <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification/">Boot Loader
-        Specification</ulink>. Distributions may prefer to use the ESP as <variable>$BOOT</variable> whenever
+        Specification</ulink>. Distributions may prefer to use the ESP as <varname>$BOOT</varname> whenever
         possible, but to adhere to the spec XBOOTLDR must sometimes be used instead. So, they should create
         two definitions: the first defining an ESP big enough to hold just the bootloader, and a second for
         the XBOOTLDR that's sufficiently large to hold kernels and configured as a supplement for the ESP.

src/nsresourced/nsresourced-manager.c

@@ -6,7 +6,9 @@
 #include "sd-daemon.h"
 
 #include "bpf-dlopen.h"
+#if HAVE_VMLINUX_H
 #include "bpf-link.h"
+#endif
 #include "build-path.h"
 #include "common-signal.h"
 #include "env-util.h"

src/partition/repart.c

@@ -304,19 +304,6 @@ static SubvolumeFlags subvolume_flags_from_string(const char *s) {
         return flags;
 }
 
-static char* subvolume_flags_to_string(SubvolumeFlags flags) {
-        const char *l[CONST_LOG2U(_SUBVOLUME_FLAGS_MASK + 1) + 1]; /* one string per known flag at most */
-        size_t m = 0;
-
-        if (FLAGS_SET(flags, SUBVOLUME_RO))
-                l[m++] = "ro";
-
-        assert(m < ELEMENTSOF(l));
-        l[m] = NULL;
-
-        return strv_join((char**) l, ",");
-}
-
 typedef struct Subvolume {
         char *path;
         SubvolumeFlags flags;
@@ -2438,6 +2425,14 @@ static int partition_read_definition(Partition *p, const char *path, const char
                                   "SizeMinBytes=/SizeMaxBytes= cannot be used with Verity=%s.",
                                   verity_mode_to_string(p->verity));
 
+        if (!ordered_hashmap_isempty(p->subvolumes) && arg_offline > 0)
+                return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EOPNOTSUPP),
+                                  "Subvolumes= cannot be used with --offline=yes.");
+
+        if (p->default_subvolume && arg_offline > 0)
+                return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EOPNOTSUPP),
+                                  "DefaultSubvolume= cannot be used with --offline=yes.");
+
         if (p->default_subvolume && !ordered_hashmap_contains(p->subvolumes, p->default_subvolume))
                 return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
                                   "DefaultSubvolume= must be one of the paths in Subvolumes=.");
@@ -4286,7 +4281,7 @@ static int prepare_temporary_file(Context *context, PartitionTarget *t, uint64_t
 
 static bool loop_device_error_is_fatal(const Partition *p, int r) {
         assert(p);
-        return arg_offline == 0 || (r != -ENOENT && !ERRNO_IS_PRIVILEGE(r));
+        return arg_offline == 0 || (r != -ENOENT && !ERRNO_IS_PRIVILEGE(r)) || !ordered_hashmap_isempty(p->subvolumes) || p->default_subvolume;
 }
 
 static int partition_target_prepare(
@@ -5793,38 +5788,6 @@ static int partition_populate_filesystem(Context *context, Partition *p, const c
         return 0;
 }
 
-static int append_btrfs_subvols(char ***l, OrderedHashmap *subvolumes, const char *default_subvolume) {
-        Subvolume *subvolume;
-        int r;
-
-        assert(l);
-
-        ORDERED_HASHMAP_FOREACH(subvolume, subvolumes) {
-                _cleanup_free_ char *s = NULL, *f = NULL;
-
-                s = strdup(subvolume->path);
-                if (!s)
-                        return log_oom();
-
-                f = subvolume_flags_to_string(subvolume->flags);
-                if (!f)
-                        return log_oom();
-
-                if (streq_ptr(subvolume->path, default_subvolume) &&
-                    !strextend_with_separator(&f, ",", "default"))
-                        return log_oom();
-
-                if (!isempty(f) && !strextend_with_separator(&s, ":", f))
-                        return log_oom();
-
-                r = strv_extend_many(l, "--subvol", s);
-                if (r < 0)
-                        return log_oom();
-        }
-
-        return 0;
-}
-
 static int finalize_extra_mkfs_options(const Partition *p, const char *root, char ***ret) {
         _cleanup_strv_free_ char **sv = NULL;
         int r;
@@ -5838,18 +5801,6 @@ static int finalize_extra_mkfs_options(const Partition *p, const char *root, cha
                                        "Failed to determine mkfs command line options for '%s': %m",
                                        p->format);
 
-        if (partition_needs_populate(p) && root && streq(p->format, "btrfs")) {
-                r = append_btrfs_subvols(&sv, p->subvolumes, p->default_subvolume);
-                if (r < 0)
-                        return r;
-
-                if (p->suppressing) {
-                        r = append_btrfs_subvols(&sv, p->suppressing->subvolumes, NULL);
-                        if (r < 0)
-                                return r;
-                }
-        }
-
         *ret = TAKE_PTR(sv);
         return 0;
 }

src/resolve/resolved-manager.c

@@ -960,9 +960,9 @@ int manager_recv(Manager *m, int fd, DnsProtocol protocol, DnsPacket **ret) {
                         p->ifindex = manager_find_ifindex(m, p->family, &p->destination);
         }
 
-        log_debug("Received %s UDP packet of size %zu, ifindex=%i, ttl=%u, fragsize=%zu, sender=%s, destination=%s",
+        log_debug("Received %s UDP packet of size %zu, ifindex=%i, ttl=%u, fragsize=%zu, sender=%s, sender_port=%u, destination=%s",
                   dns_protocol_to_string(protocol), p->size, p->ifindex, p->ttl, p->fragsize,
-                  IN_ADDR_TO_STRING(p->family, &p->sender),
+                  IN_ADDR_TO_STRING(p->family, &p->sender), p->sender_port,
                   IN_ADDR_TO_STRING(p->family, &p->destination));
 
         *ret = TAKE_PTR(p);

src/resolve/resolved-mdns.c

@@ -386,10 +386,7 @@ static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *us
         if (r <= 0)
                 return r;
 
-        /* Refuse traffic from the local host, to avoid query loops. However, allow legacy mDNS
-         * unicast queries through anyway (we never send those ourselves, hence no risk).
-         * i.e. check for the source port nr. */
-        if (p->sender_port == MDNS_PORT && manager_packet_from_local_address(m, p))
+        if (manager_packet_from_local_address(m, p))
                 return 0;
 
         scope = manager_find_scope(m, p);
@@ -401,6 +398,15 @@ static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *us
         if (dns_packet_validate_reply(p) > 0) {
                 DnsResourceRecord *rr;
 
+                /* RFC 6762 section 6:
+                 * The source UDP port in all Multicast DNS responses MUST be 5353 (the well-known port
+                 * assigned to mDNS). Multicast DNS implementations MUST silently ignore any Multicast DNS
+                 * responses they receive where the source UDP port is not 5353. */
+                if (p->sender_port != MDNS_PORT) {
+                        log_debug("Received mDNS reply packet from port %u (not %i), ignoring.", p->sender_port, MDNS_PORT);
+                        return 0;
+                }
+
                 log_debug("Got mDNS reply packet");
 
                 /*

test/units/TEST-75-RESOLVED.sh

@@ -985,6 +985,87 @@ testcase_12_resolvectl2() {
     restart_resolved
 }
 
+testcase_mdns() {
+    # For issue #32990 and #33806
+
+    # Cleanup
+    # shellcheck disable=SC2317
+    cleanup() {
+        rm -f /run/systemd/resolved.conf.d/enable-mdns.conf
+        rm -rf /run/systemd/dnssd
+        ip link del veth99 || :
+        ip netns del ns99 || :
+    }
+
+    trap cleanup RETURN
+
+    mkdir -p /run/systemd/resolved.conf.d
+    cat >/run/systemd/resolved.conf.d/enable-mdns.conf <<EOF
+[Resolve]
+MulticastDNS=yes
+EOF
+
+    mkdir -p /run/systemd/dnssd
+    cat >/run/systemd/dnssd/ssh.dnssd <<EOF
+[Service]
+Name=%H
+Type=_ssh._tcp
+Port=22
+TxtText=hogehogehoge
+Priority=42
+Weight=13
+EOF
+
+    ip netns add ns99
+    ip link add veth99 type veth peer name veth-peer
+    ip link set veth-peer netns ns99
+    ip link set veth99 up
+    ip netns exec ns99 ip link set veth-peer up
+    ip link set veth99 multicast on
+    ip address add 192.168.0.12/24 dev veth99
+    ip netns exec ns99 ip address add 192.168.0.10/24 dev veth-peer
+    assert_in '192.168.0.12/24' "$(ip address show dev veth99)"
+    assert_in '192.168.0.10/24' "$(ip netns exec ns99 ip address show dev veth-peer)"
+
+    # make sure networkd is not running.
+    systemctl stop systemd-networkd.socket
+    systemctl stop systemd-networkd.service
+
+    # restart resolved and enable mdns on interface veth99
+    restart_resolved
+    resolvectl mdns veth99 yes
+    resolvectl domain veth99 local
+    assert_in 'Global: yes' "$(resolvectl mdns)"
+    assert_in 'yes' "$(resolvectl mdns veth99)"
+    assert_in 'local' "$(resolvectl domain veth99)"
+
+    run ip netns exec ns99 dig -p 5353 "ns1.local" @192.168.0.12
+    grep -qE "ns1\.local\.\s+[0-9]+\s+IN\s+A\s+192\.168\.0\.12" "$RUN_OUT"
+
+    run ip netns exec ns99 dig -p 5353 -t SRV "ns1._ssh._tcp.local" @192.168.0.12
+    grep -qE "ns1\._ssh\._tcp\.local\.\s+[0-9]+\s+IN\s+SRV\s+42\s+13\s+22\s+ns1\.local\." "$RUN_OUT"
+
+    run ip netns exec ns99 dig -p 5353 -t TXT "ns1._ssh._tcp.local" @192.168.0.12
+    grep -qE "ns1\._ssh\._tcp\.local\.\s+[0-9]+\s+IN\s+TXT\s+\"hogehogehoge\"" "$RUN_OUT"
+
+    run resolvectl query "ns1.local" || :
+    grep -qE "ns1.local: " "$RUN_OUT"
+    grep -qE ".*192\.168\.0\.12\s+-- link: veth99" "$RUN_OUT"
+
+    run resolvectl query -t SRV "ns1._ssh._tcp.local" || :
+    grep -qE "ns1\._ssh\._tcp\.local IN SRV 42 13 22 ns1\.local\s+-- link: veth99" "$RUN_OUT"
+
+    run resolvectl query -t TXT "ns1._ssh._tcp.local" || :
+    grep -qE "ns1\._ssh\._tcp\.local IN TXT \"hogehogehoge\"\s+-- link: veth99" "$RUN_OUT"
+
+    run resolvectl service "ns1._ssh._tcp.local" || :
+    grep -qE "ns1\._ssh\._tcp\.local: ns1\.local:22 \[priority=42, weight=13\]" "$RUN_OUT"
+
+    # refuse queries from a local address. See issue #32990 and the comment:
+    # https://github.com/systemd/systemd/pull/34141#discussion_r1736318656
+    (! dig -p 5353 "ns1.local" @192.168.0.12)
+}
+
 # PRE-SETUP
 systemctl unmask systemd-resolved.service
 systemctl enable --now systemd-resolved.service