networkd: reduce the IPv4 DAD timeout to 200ms

The original timeout of 7 seconds is very long for today's networks. Reduce it
to 200ms. Note that this change also affects IPv4 link-local addressing.

.github/workflows/coverage.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@7e4ec15aee6b98300b2ee14265bc647a716a9f8a
+      - uses: systemd/mkosi@dbb4020beee2cdf250f93a425794f1cf8b0fe693
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location
@@ -90,7 +90,6 @@ jobs:
           sudo mkosi sandbox -- \
             meson setup \
             --buildtype=debugoptimized \
-            -Dintegration-tests=true \
             build
 
       - name: Build image
@@ -120,7 +119,8 @@ jobs:
             meson test \
             -C build \
             --no-rebuild \
-            --suite integration-tests \
+            --setup=integration \
+            --suite=integration-tests \
             --print-errorlogs \
             --no-stdsplit \
             --num-processes "$(($(nproc) - 1))" \

.github/workflows/mkosi.yml

@@ -120,7 +120,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@7e4ec15aee6b98300b2ee14265bc647a716a9f8a
+      - uses: systemd/mkosi@dbb4020beee2cdf250f93a425794f1cf8b0fe693
 
       # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
       # immediately, we remove the files in the background. However, we first move them to a different location
@@ -197,7 +197,6 @@ jobs:
           sudo mkosi sandbox -- \
             meson setup \
             --buildtype=debugoptimized \
-            -Dintegration-tests=true \
             -Dbpf-framework=disabled \
             build
 
@@ -233,7 +232,8 @@ jobs:
             meson test \
             -C build \
             --no-rebuild \
-            --suite integration-tests \
+            --setup=integration \
+            --suite=integration-tests \
             --print-errorlogs \
             --no-stdsplit \
             --num-processes "$(($(nproc) - 1))" \

NEWS

@@ -489,10 +489,10 @@ CHANGES WITH 257:
           existing interfaces, and invoke 'networkctl reload' or restart
           systemd-networkd.
 
-        * The timeout for IPv4 Duplicate Address Detection can now be
+        * systemd-networkd now supports configuring the timeout for IPv4
-          configured via a new IPv4DuplicateAddressDetectionTimeout=
+          Duplicate Address Detection via a new setting
-          setting. The default timeout value has been changed from 7 seconds to
+          IPv4DuplicateAddressDetectionTimeout=. The default timeout value has
-          200 milliseconds.
+          been changed from 7 seconds to 200 milliseconds.
 
         systemd-boot, systemd-stub, and related tools:
 

man/systemd.network.xml

@@ -1749,8 +1749,10 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
         <term><varname>FirewallMark=</varname></term>
         <listitem>
           <para>Specifies the iptables firewall mark value to match (a number in the range
-          1…4294967295). Optionally, the firewall mask (also a number between 1…4294967295) can be
+          0…4294967295). Optionally, the firewall mask (also a number between 0…4294967295) can be
-          suffixed with a slash (<literal>/</literal>), e.g., <literal>7/255</literal>.</para>
+          suffixed with a slash (<literal>/</literal>), e.g., <literal>7/255</literal>. When the
+          mark value is non-zero and no mask is explicitly specified, all bits of the mark are
+          compared. </para>
 
           <xi:include href="version-info.xml" xpointer="v235"/>
         </listitem>

meson.build

@@ -13,6 +13,12 @@ project('systemd', 'c',
         meson_version : '>= 0.62.0',
 )
 
+add_test_setup(
+        'default',
+        exclude_suites : ['integration-tests'],
+        is_default : true,
+)
+
 project_major_version = meson.project_version().split('.')[0].split('~')[0]
 if meson.project_version().contains('.')
         project_minor_version = meson.project_version().split('.')[-1].split('~')[0]
@@ -339,7 +345,6 @@ meson_build_sh = find_program('tools/meson-build.sh')
 want_tests = get_option('tests')
 want_slow_tests = want_tests != 'false' and get_option('slow-tests')
 want_fuzz_tests = want_tests != 'false' and get_option('fuzz-tests')
-want_integration_tests = want_tests != 'false' and get_option('integration-tests')
 install_tests = want_tests != 'false' and get_option('install-tests')
 
 if add_languages('cpp', native : false, required : fuzzer_build)
@@ -2661,10 +2666,6 @@ endif
 #####################################################################
 
 mkosi = find_program('mkosi', required : false)
-if want_integration_tests and not mkosi.found()
-        error('Could not find mkosi which is required to run the integration tests')
-endif
-
 mkosi_depends = public_programs
 
 foreach executable : ['systemd-journal-remote', 'systemd-sbsign', 'systemd-keyutil']

meson_options.txt

@@ -509,7 +509,7 @@ option('install-tests', type : 'boolean', value : false,
        description : 'install test executables')
 option('log-message-verification', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'do fake printf() calls to verify format strings')
-option('integration-tests', type : 'boolean', value : false,
+option('integration-tests', type : 'boolean', value : false, deprecated : true,
        description : 'run the integration tests')
 
 option('ok-color', type : 'combo',

mkosi/mkosi.conf

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 [Config]
-MinimumVersion=commit:7e4ec15aee6b98300b2ee14265bc647a716a9f8a
+MinimumVersion=commit:dbb4020beee2cdf250f93a425794f1cf8b0fe693
 Dependencies=
         exitrd
         initrd
@@ -78,8 +78,7 @@ KernelCommandLine=
         oops=panic
         panic=-1
         softlockup_panic=1
-        # Disabled due to BTRFS issue, waiting for the fix to become available
+        panic_on_warn=1
-        panic_on_warn=0
         psi=1
         mitigations=off
 

mkosi/mkosi.conf.d/arch/mkosi.conf

@@ -4,6 +4,7 @@
 Distribution=arch
 
 [Content]
+PrepareScripts=systemd.prepare
 VolatilePackages=
         systemd
         systemd-libs

mkosi/mkosi.conf.d/centos-fedora/mkosi.conf

@@ -5,6 +5,7 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
+PrepareScripts=systemd.prepare
 VolatilePackages=
         systemd
         systemd-boot

mkosi/mkosi.conf.d/debian-ubuntu/mkosi.conf

@@ -5,6 +5,7 @@ Distribution=|debian
 Distribution=|ubuntu
 
 [Content]
+PrepareScripts=systemd.prepare
 VolatilePackages=
         libnss-myhostname
         libnss-mymachines

mkosi/mkosi.conf.d/opensuse/mkosi.conf

@@ -11,6 +11,7 @@ Repositories=non-oss
 SandboxTrees=macros.db_backend:/etc/rpm/macros.db_backend
 
 [Content]
+PrepareScripts=systemd.prepare
 VolatilePackages=
         libsystemd0
         libudev1

mkosi/mkosi.images/exitrd/mkosi.conf.d/arch.conf

@@ -4,7 +4,7 @@
 Distribution=arch
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/arch/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/arch/systemd.prepare
 VolatilePackages=
         systemd
         systemd-libs

mkosi/mkosi.images/exitrd/mkosi.conf.d/centos-fedora.conf

@@ -5,6 +5,6 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/systemd.prepare
 VolatilePackages=
         systemd-standalone-shutdown

mkosi/mkosi.images/exitrd/mkosi.conf.d/debian.conf

@@ -4,6 +4,6 @@
 Distribution=debian
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 VolatilePackages=
         systemd-standalone-shutdown

mkosi/mkosi.images/exitrd/mkosi.conf.d/opensuse.conf

@@ -4,7 +4,7 @@
 Distribution=opensuse
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/systemd.prepare
 Packages=
         diffutils
         grep

mkosi/mkosi.images/exitrd/mkosi.conf.d/ubuntu.conf

@@ -4,7 +4,7 @@
 Distribution=ubuntu
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 VolatilePackages=
         libsystemd-shared
         libsystemd0

mkosi/mkosi.images/initrd/mkosi.conf.d/arch.conf

@@ -4,7 +4,7 @@
 Distribution=arch
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/arch/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/arch/systemd.prepare
 Packages=
         btrfs-progs
         tpm2-tools

mkosi/mkosi.images/initrd/mkosi.conf.d/centos-fedora.conf

@@ -5,7 +5,7 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/systemd.prepare
 Packages=
         tpm2-tools
 

mkosi/mkosi.images/initrd/mkosi.conf.d/debian-ubuntu.conf

@@ -5,7 +5,7 @@ Distribution=|debian
 Distribution=|ubuntu
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 Packages=
         btrfs-progs
         tpm2-tools

mkosi/mkosi.images/initrd/mkosi.conf.d/opensuse.conf

@@ -4,7 +4,7 @@
 Distribution=opensuse
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/systemd.prepare
 Packages=
         btrfs-progs
         kmod

mkosi/mkosi.images/minimal-base/mkosi.conf.d/arch.conf

@@ -4,7 +4,7 @@
 Distribution=arch
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/arch/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/arch/systemd.prepare
 Packages=
         inetutils
         iproute

mkosi/mkosi.images/minimal-base/mkosi.conf.d/centos-fedora.conf

@@ -5,7 +5,7 @@ Distribution=|centos
 Distribution=|fedora
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/centos-fedora/systemd.prepare
 Packages=
         hostname
         iproute

mkosi/mkosi.images/minimal-base/mkosi.conf.d/debian-ubuntu.conf

@@ -5,7 +5,7 @@ Distribution=|debian
 Distribution=|ubuntu
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/debian-ubuntu/systemd.prepare
 Packages=
         hostname
         iproute2

mkosi/mkosi.images/minimal-base/mkosi.conf.d/opensuse.conf

@@ -4,7 +4,7 @@
 Distribution=opensuse
 
 [Content]
-PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/mkosi.prepare
+PrepareScripts=%D/mkosi/mkosi.conf.d/opensuse/systemd.prepare
 Packages=
         diffutils
         grep

src/libsystemd-network/sd-ipv4acd.c

@@ -30,7 +30,7 @@
 #define PROBE_MIN 1U
 #define PROBE_MAX 2U
 #define ANNOUNCE_WAIT 2U
-#define TOTAL_TIMEOUT 7U
+#define TOTAL_TIME_UNITS 7U
 
 /* Intervals from the RFC not adjusted to the time unit */
 #define ANNOUNCE_INTERVAL_USEC (2U * USEC_PER_SEC)
@@ -162,7 +162,7 @@ int sd_ipv4acd_new(sd_ipv4acd **ret) {
         *acd = (sd_ipv4acd) {
                 .n_ref = 1,
                 .state = IPV4ACD_STATE_INIT,
-                .time_unit = TIMEOUT_DEFAULT_USEC / TOTAL_TIMEOUT,
+                .time_unit = TIMEOUT_DEFAULT_USEC / TOTAL_TIME_UNITS,
                 .ifindex = -1,
                 .fd = -EBADF,
         };
@@ -232,9 +232,9 @@ static int ipv4acd_on_timeout(sd_event_source *s, uint64_t usec, void *userdata)
                 acd->defend_window = 0;
 
                 log_ipv4acd(acd,
-                            "Started on address " IPV4_ADDRESS_FMT_STR " with a max timeout of %" PRIu64 "msec",
+                            "Started on address " IPV4_ADDRESS_FMT_STR " with a max timeout of %s",
                             IPV4_ADDRESS_FMT_VAL(acd->address),
-                            (acd->time_unit * TOTAL_TIMEOUT + (USEC_PER_MSEC - 1)) / USEC_PER_MSEC);
+                            FORMAT_TIMESPAN(acd->time_unit * TOTAL_TIME_UNITS, USEC_PER_MSEC));
 
                 ipv4acd_set_state(acd, IPV4ACD_STATE_WAITING_PROBE, true);
 
@@ -471,7 +471,8 @@ int sd_ipv4acd_set_timeout(sd_ipv4acd *acd, uint64_t timeout_usec) {
                 timeout_usec = TIMEOUT_DEFAULT_USEC;
 
         /* Clamp the total duration to a value between 1ms and 1 minute */
-        acd->time_unit = CLAMP(timeout_usec, 1U * USEC_PER_MSEC, 60U * USEC_PER_SEC) / TOTAL_TIMEOUT;
+        acd->time_unit = DIV_ROUND_UP(
+                        CLAMP(timeout_usec, 1U * USEC_PER_MSEC, 1U * USEC_PER_MINUTE), TOTAL_TIME_UNITS);
 
         return 0;
 }

src/libsystemd/sd-netlink/netlink-socket.c

@@ -161,12 +161,13 @@ static int socket_recv_message(int fd, void *buf, size_t buf_size, uint32_t *ret
         assert(fd >= 0);
         assert(peek || (buf && buf_size > 0));
 
+        /* Note: this might return successfully, but with a zero size under some transient conditions, such
+         * as the reception of a non-kernel message. In such a case the passed buffer might or might not be
+         * modified. Caller must treat a zero return as "no message, but also not an error". */
+
         n = recvmsg_safe(fd, &msg, peek ? (MSG_PEEK|MSG_TRUNC) : 0);
-        if (ERRNO_IS_NEG_TRANSIENT(n)) {
+        if (ERRNO_IS_NEG_TRANSIENT(n))
-                if (ret_mcast_group)
+                goto transient;
-                        *ret_mcast_group = 0;
-                return 0;
-        }
         if (n == -ENOBUFS)
                 return log_debug_errno(n, "sd-netlink: kernel receive buffer overrun");
         if (n == -ECHRNG)
@@ -181,15 +182,16 @@ static int socket_recv_message(int fd, void *buf, size_t buf_size, uint32_t *ret
                 log_debug("sd-netlink: ignoring message from PID %"PRIu32, sender.nl.nl_pid);
 
                 if (peek) {
-                        /* drop the message */
+                        /* Drop the message. Note that we ignore ECHRNG/EXFULL errors here, which
+                         * recvmsg_safe() returns in case the payload or cdata is truncated. Given we just
+                         * want to drop the message we also don't care if its payload or cdata was
+                         * truncated. */
                         n = recvmsg_safe(fd, &msg, 0);
-                        if (n < 0)
+                        if (n < 0 && !IN_SET(n, -ECHRNG, -EXFULL))
                                 return (int) n;
                 }
 
-                if (ret_mcast_group)
+                goto transient;
-                        *ret_mcast_group = 0;
-                return 0;
         }
 
         if (ret_mcast_group) {
@@ -203,6 +205,12 @@ static int socket_recv_message(int fd, void *buf, size_t buf_size, uint32_t *ret
         }
 
         return (int) n;
+
+transient:
+        if (ret_mcast_group)
+                *ret_mcast_group = 0;
+
+        return 0;
 }
 
 DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(

src/network/networkd-routing-policy-rule.c

@@ -615,7 +615,7 @@ static int routing_policy_rule_set_netlink_message(const RoutingPolicyRule *rule
         if (r < 0)
                 return r;
 
-        if (rule->fwmark > 0) {
+        if (rule->fwmark > 0 || rule->fwmask > 0) {
                 r = sd_netlink_message_append_u32(m, FRA_FWMARK, rule->fwmark);
                 if (r < 0)
                         return r;
@@ -1315,14 +1315,12 @@ static int parse_fwmark_fwmask(const char *s, uint32_t *ret_fwmark, uint32_t *re
         if (r < 0)
                 return r;
 
-        if (fwmark > 0) {
+        if (slash) {
-                if (slash) {
+                r = safe_atou32(slash + 1, &fwmask);
-                        r = safe_atou32(slash + 1, &fwmask);
+                if (r < 0)
-                        if (r < 0)
+                        return r;
-                                return r;
+        } else if (fwmark > 0)
-                } else
+                fwmask = UINT32_MAX;
-                        fwmask = UINT32_MAX;
-        }
 
         *ret_fwmark = fwmark;
         *ret_fwmask = fwmask;

test/integration-tests/README.md

@@ -38,14 +38,14 @@ directory (`OutputDirectory=`) to point to the other directory using `mkosi/mkos
 After the image has been built, the integration tests can be run with:
 
 ```shell
-$ env SYSTEMD_INTEGRATION_TESTS=1 mkosi -f sandbox -- meson test -C build --suite integration-tests --num-processes "$(($(nproc) / 4))"
+$ mkosi -f sandbox -- meson test -C build --setup=integration --suite integration-tests --num-processes "$(($(nproc) / 4))"
 ```
 
 As usual, specific tests can be run in meson by appending the name of the test
 which is usually the name of the directory e.g.
 
 ```shell
-$ env SYSTEMD_INTEGRATION_TESTS=1 mkosi -f sandbox -- meson test -C build -v TEST-01-BASIC
+$ mkosi -f sandbox -- meson test -C build --setup=integration -v TEST-01-BASIC
 ```
 
 See `mkosi -f sandbox -- meson introspect build --tests` for a list of tests.
@@ -55,7 +55,7 @@ To interactively debug a failing integration test, the `--interactive` option
 newer:
 
 ```shell
-$ env SYSTEMD_INTEGRATION_TESTS=1 mkosi -f sandbox -- meson test -C build -i TEST-01-BASIC
+$ mkosi -f sandbox -- meson test -C build --setup=integration -i TEST-01-BASIC
 ```
 
 Due to limitations in meson, the integration tests do not yet depend on the
@@ -64,7 +64,7 @@ running the integration tests. To rebuild the image and rerun a test, the
 following command can be used:
 
 ```shell
-$ mkosi -f sandbox -- meson compile -C build mkosi && env SYSTEMD_INTEGRATION_TESTS=1 mkosi -f sandbox -- meson test -C build -v TEST-01-BASIC
+$ mkosi -f sandbox -- meson compile -C build mkosi && mkosi -f sandbox -- meson test -C build --setup=integration -v TEST-01-BASIC
 ```
 
 The integration tests use the same mkosi configuration that's used when you run
@@ -78,7 +78,7 @@ To iterate on an integration test, let's first get a shell in the integration te
 the following:
 
 ```shell
-$ mkosi -f sandbox -- meson compile -C build mkosi && env SYSTEMD_INTEGRATION_TESTS=1 TEST_SHELL=1 mkosi -f sandbox -- meson test -C build -i TEST-01-BASIC
+$ mkosi -f sandbox -- meson compile -C build mkosi && mkosi -f sandbox -- meson test -C build --setup=shell -i TEST-01-BASIC
 ```
 
 This will get us a shell in the integration test environment after booting the machine without running the
@@ -107,7 +107,7 @@ re-running the test will first install the new packages we just built, make a ne
 the test again. You can keep running the loop of `mkosi -R`, `systemctl soft-reboot` and
 `systemctl start ...` until the changes to the integration test are working.
 
-If you're debugging a failing integration test (running `meson test --interactive` without `TEST_SHELL`),
+If you're debugging a failing integration test (running `meson test --interactive`),
 there's no need to run `systemctl start ...`, running `systemctl soft-reboot` on its own is sufficient to
 rerun the test.
 
@@ -120,10 +120,6 @@ rerun the test.
 `TEST_NO_KVM=1`: Disable qemu KVM auto-detection (may be necessary when you're
 trying to run the *vanilla* qemu and have both qemu and qemu-kvm installed)
 
-`TEST_SHELL=1`: Configure the machine to be more *user-friendly* for
-interactive debugging (e.g. by setting a usable default terminal, suppressing
-the shutdown after the test, etc.).
-
 `TEST_MATCH_SUBTEST=subtest`:  If the test makes use of `run_subtests` use this
 variable to provide a POSIX extended regex to run only subtests matching the
 expression.

test/integration-tests/integration-test-wrapper.py

@@ -361,7 +361,7 @@ def statfs(path: Path) -> str:
 
 def main() -> None:
     parser = argparse.ArgumentParser(description=__doc__)
-    parser.add_argument('--mkosi', required=True)
+    parser.add_argument('--mkosi', default=None)
     parser.add_argument('--meson-source-dir', required=True, type=Path)
     parser.add_argument('--meson-build-dir', required=True, type=Path)
     parser.add_argument('--name', required=True)
@@ -379,6 +379,12 @@ def main() -> None:
     parser.add_argument('mkosi_args', nargs='*')
     args = parser.parse_args()
 
+    if not args.mkosi:
+        args.mkosi = shutil.which('mkosi')
+        if not args.mkosi:
+            print('Could not find mkosi which is required to run the integration tests', file=sys.stderr)
+            sys.exit(1)
+
     # The meson source directory can either be the top-level repository directory or the
     # test/integration-tests/standalone subdirectory in the repository directory. The mkosi configuration
     # will always be a parent directory of one of these directories and at most 4 levels upwards, so don't
@@ -395,13 +401,6 @@ def main() -> None:
         )
         exit(1)
 
-    if not bool(int(os.getenv('SYSTEMD_INTEGRATION_TESTS', '0'))):
-        print(
-            f'SYSTEMD_INTEGRATION_TESTS=1 not found in environment, skipping {args.name}',
-            file=sys.stderr,
-        )
-        exit(77)
-
     if args.slow and not bool(int(os.getenv('SYSTEMD_SLOW_TESTS', '0'))):
         print(
             f'SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}',

test/integration-tests/meson.build

@@ -1,5 +1,9 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
+# We'd give these more descriptive names but only alphanumeric characters are allowed.
+add_test_setup('integration')
+add_test_setup('shell', env : {'TEST_SHELL' : '1'})
+
 integration_test_wrapper = find_program('integration-test-wrapper.py')
 integration_tests = []
 integration_test_template = {
@@ -129,11 +133,11 @@ foreach integration_test : integration_tests
                 integration_test_args += ['--skip']
         endif
 
-        if not mkosi.found()
+        if mkosi.found()
-                continue
+                integration_test_args += ['--mkosi', mkosi.full_path()]
         endif
 
-        integration_test_args += ['--mkosi', mkosi.full_path(), '--']
+        integration_test_args += ['--']
 
         if integration_test['cmdline'].length() > 0
                 integration_test_args += [
@@ -151,19 +155,12 @@ foreach integration_test : integration_tests
 
         integration_test_args += integration_test['mkosi-args']
 
-        integration_test_env = {}
-
-        if want_integration_tests
-                integration_test_env += {'SYSTEMD_INTEGRATION_TESTS': '1'}
-        endif
-
         # We don't explicitly depend on the "mkosi" target because that means the image is rebuilt on every
         # "ninja -C build". Instead, the mkosi target has to be rebuilt manually before running the
         # integration tests with mkosi.
         test(
                 integration_test['name'],
                 integration_test_wrapper,
-                env : integration_test_env,
                 args : integration_test_args,
                 timeout : integration_test['timeout'],
                 priority : integration_test['priority'],

test/integration-tests/standalone/meson.build

@@ -16,7 +16,6 @@ project('systemd-testsuite',
 
 fs = import('fs')
 mkosi = find_program('mkosi', required : true)
-want_integration_tests = true
 
 # meson refuses .. in subdir() so we use a symlink to trick it into accepting it anyway.
 subdir('integration-tests')

test/test-network/conf/25-routing-policy-rule-test1.network

@@ -48,6 +48,24 @@ From=10.1.0.0/16
 Priority=104
 Table=12
 
+[RoutingPolicyRule]
+IncomingInterface=test1
+FirewallMark=0/1
+Priority=200
+Table=20
+
+[RoutingPolicyRule]
+IncomingInterface=test1
+FirewallMark=7/255
+Priority=201
+Table=21
+
+[RoutingPolicyRule]
+IncomingInterface=test1
+FirewallMark=9999
+Priority=202
+Table=22
+
 # The four routing policy rules below intentionally have the same config
 # excepts for their To= addresses. See issue #35874.
 [RoutingPolicyRule]

test/test-network/systemd-networkd-tests.py

@@ -3890,6 +3890,18 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities):
         print(output)
         self.assertIn('104:	from 10.1.0.0/16 iif test1 lookup 12 nop', output)
 
+        output = check_output('ip rule list iif test1 priority 200')
+        print(output)
+        self.assertIn('200:	from all fwmark 0/0x1 iif test1 lookup 20', output)
+
+        output = check_output('ip rule list iif test1 priority 201')
+        print(output)
+        self.assertIn('201:	from all fwmark 0x7/0xff iif test1 lookup 21', output)
+
+        output = check_output('ip rule list iif test1 priority 202')
+        print(output)
+        self.assertIn('202:	from all fwmark 0x270f iif test1 lookup 22', output)
+
         output = check_output('ip rule list to 192.0.2.0/26')
         print(output)
         self.assertIn('to 192.0.2.0/26 lookup 1001', output)