Merge pull request #22331 from yuwata/network-xfrm-interface-id

network: xfrm: refuse zero interface ID

man/systemd.netdev.xml

@@ -1994,7 +1994,7 @@
         <term><varname>InterfaceId=</varname></term>
         <listitem>
           <para>Sets the ID/key of the xfrm interface which needs to be associated with a SA/policy.
-          Can be decimal or hexadecimal, valid range is 0-0xffffffff, defaults to 0.</para>
+          Can be decimal or hexadecimal, valid range is 1-0xffffffff. This is mandatory.</para>
         </listitem>
       </varlistentry>
       <varlistentry>

src/network/netdev/xfrm.c

@@ -14,6 +14,7 @@ static int xfrm_fill_message_create(NetDev *netdev, Link *link, sd_netlink_messa
 
         x = XFRM(netdev);
 
+        assert(x);
         assert(link || x->independent);
 
         r = sd_netlink_message_append_u32(message, IFLA_XFRM_LINK, link ? link->ifindex : LOOPBACK_IFINDEX);
@@ -27,10 +28,28 @@ static int xfrm_fill_message_create(NetDev *netdev, Link *link, sd_netlink_messa
         return 0;
 }
 
+static int xfrm_verify(NetDev *netdev, const char *filename) {
+        Xfrm *x;
+
+        assert(netdev);
+        assert(filename);
+
+        x = XFRM(netdev);
+
+        assert(x);
+
+        if (x->if_id == 0)
+                return log_netdev_warning_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
+                                                "%s: Xfrm interface ID cannot be zero.", filename);
+
+        return 0;
+}
+
 const NetDevVTable xfrm_vtable = {
         .object_size = sizeof(Xfrm),
         .sections = NETDEV_COMMON_SECTIONS "Xfrm\0",
         .fill_message_create = xfrm_fill_message_create,
+        .config_verify = xfrm_verify,
         .create_type = NETDEV_CREATE_STACKED,
         .iftype = ARPHRD_NONE,
 };

src/network/networkd-dhcp-server.c

@@ -58,13 +58,22 @@ void network_adjust_dhcp_server(Network *network) {
                 ORDERED_HASHMAP_FOREACH(address, network->addresses_by_section) {
                         if (section_is_invalid(address->section))
                                 continue;
-                        if (address->family == AF_INET &&
-                            !in4_addr_is_localhost(&address->in_addr.in) &&
-                            in4_addr_is_null(&address->in_addr_peer.in)) {
+
+                        if (address->family != AF_INET)
+                                continue;
+
+                        if (in4_addr_is_localhost(&address->in_addr.in))
+                                continue;
+
+                        if (in4_addr_is_link_local(&address->in_addr.in))
+                                continue;
+
+                        if (in4_addr_is_set(&address->in_addr_peer.in))
+                                continue;
+
                         have = true;
                         break;
                 }
-                }
                 if (!have) {
                         log_warning("%s: DHCPServer= is enabled, but no static address configured. "
                                     "Disabling DHCP server.",
@@ -130,6 +139,8 @@ static int link_find_dhcp_server_address(Link *link, Address **ret) {
                         continue;
                 if (in4_addr_is_localhost(&address->in_addr.in))
                         continue;
+                if (in4_addr_is_link_local(&address->in_addr.in))
+                        continue;
                 if (in4_addr_is_set(&address->in_addr_peer.in))
                         continue;
 

test/test-network/conf/25-xfrm-independent.netdev

@@ -4,4 +4,5 @@ Kind=xfrm
 Name=xfrm99
 
 [Xfrm]
+InterfaceId=0x99
 Independent=yes

test/test-network/conf/25-xfrm.netdev

@@ -1,4 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 [NetDev]
 Kind=xfrm
-Name=xfrm99
+Name=xfrm98
+
+[Xfrm]
+InterfaceId=0x98

test/test-network/conf/netdev-link-local-addressing-yes.network

@@ -18,7 +18,7 @@ Name=geneve99
 Name=ifb99
 Name=ipiptun99
 Name=nlmon99
-Name=xfrm99
+Name=xfrm98 xfrm99
 Name=vxlan98
 Name=hogehogehogehogehogehoge
 

test/test-network/conf/xfrm.network

@@ -4,4 +4,4 @@ Name=dummy98
 
 [Network]
 IPv6AcceptRA=no
-Xfrm=xfrm99
+Xfrm=xfrm98

test/test-network/systemd-networkd-tests.py

@@ -886,6 +886,7 @@ class NetworkctlTests(unittest.TestCase, Utilities):
 class NetworkdNetDevTests(unittest.TestCase, Utilities):
 
     links_remove_earlier = [
+        'xfrm98',
         'xfrm99',
     ]
 
@@ -1797,20 +1798,21 @@ class NetworkdNetDevTests(unittest.TestCase, Utilities):
     @expectedFailureIfModuleIsNotAvailable('xfrm_interface')
     def test_xfrm(self):
         copy_unit_to_networkd_unit_path('12-dummy.netdev', 'xfrm.network',
-                                        '25-xfrm.netdev', 'netdev-link-local-addressing-yes.network')
+                                        '25-xfrm.netdev', '25-xfrm-independent.netdev',
+                                        'netdev-link-local-addressing-yes.network')
         start_networkd()
 
-        self.wait_online(['xfrm99:degraded', 'dummy98:degraded'])
+        self.wait_online(['dummy98:degraded', 'xfrm98:degraded', 'xfrm99:degraded'])
 
-        output = check_output('ip link show dev xfrm99')
+        output = check_output('ip -d link show dev xfrm98')
         print(output)
+        self.assertIn('xfrm98@dummy98:', output)
+        self.assertIn('xfrm if_id 0x98 ', output)
 
-    @expectedFailureIfModuleIsNotAvailable('xfrm_interface')
-    def test_xfrm_independent(self):
-        copy_unit_to_networkd_unit_path('25-xfrm-independent.netdev', 'netdev-link-local-addressing-yes.network')
-        start_networkd()
-
-        self.wait_online(['xfrm99:degraded'])
+        output = check_output('ip -d link show dev xfrm99')
+        print(output)
+        self.assertIn('xfrm99@lo:', output)
+        self.assertIn('xfrm if_id 0x99 ', output)
 
     @expectedFailureIfModuleIsNotAvailable('fou')
     def test_fou(self):