Previously, the property was checked only when an uevent is received,
so even if an interface has ID_NET_MANAGED_BY property, the interface
will be configured by networkd when reconfiguration is triggered e.g.
when interface state is changed.
Follow-up for ba87a61d05.
Fixes#36997.
This fixes the following warning:
```
/tmp/systemd/test/test-network/systemd-networkd-tests.py:5107: SyntaxWarning: invalid escape sequence '\.'
self.assertRegex(output, 'inet 10\.234\.77\.111/32.*dummy98')
```
Follow-up for 6479204e56.
iproute2 v6.15 fixed some rounding errors in the reported stats:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=d947f365602b30657d1b797e7464000d0ab88d5a
so the current regex doesn't work anymore. Fix it to check for both
old and new values.
systemd-networkd-tests.py[523]: FAIL: test_qdisc_tbf (__main__.NetworkdTCTests.test_qdisc_tbf)
systemd-networkd-tests.py[523]: ----------------------------------------------------------------------
systemd-networkd-tests.py[523]: Traceback (most recent call last):
systemd-networkd-tests.py[523]: File "/usr/lib/systemd/tests/testdata/test-network/systemd-networkd-tests.py", line 5402, in test_qdisc_tbf
systemd-networkd-tests.py[523]: self.assertRegex(output, 'rate 1Gbit burst 5000b peakrate 100Gbit minburst 987500b lat 70(.0)?ms')
systemd-networkd-tests.py[523]: ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
systemd-networkd-tests.py[523]: AssertionError: Regex didn't match: 'rate 1Gbit burst 5000b peakrate 100Gbit minburst 987500b lat 70(.0)?ms' not found in 'qdisc tbf 35: root refcnt 2 rate 1Gbit burst 5000b peakrate 100Gbit minburst 999200b lat 70ms \nqdisc pfifo 37: parent 35: limit 100000p'
test_keep_configuration_on_restart() works, but the error printed is
misleading because self.assertNotEmpty() doesn't exist.
Add a working assert statement so, when the unmanaged interface is
altered, the test fails with a meaningful error, like:
### ip monitor dev unmanaged0 BEGIN
222:33::/64 proto kernel metric 256 pref medium
FAIL
[...]
Traceback (most recent call last):
File "/work/src/test/test-network/systemd-networkd-tests.py", line 5085, in test_keep_configuration_on_restart
self.assertEqual(line, '')
AssertionError: '222:33::/64 proto kernel metric 256 pref medium' != ''
- 222:33::/64 proto kernel metric 256 pref medium
While at it, strip the trailing newline so we can print easily the
string (and in future build more a robust regexp which uses the $ token)
Add support for creating HSR/PRP interfaces. HSR (High-availability Seamless
Redundancy) and PRP (Parallel Redundancy Protocol) are two protocols that
provide seamless failover against failure of any single network component. They
are both implemented by the "hsr" kernel driver.
Check that when networkd restarts, and the network configures
KeepConfiguration=yes, the network configuration is never changed.
Ensure this by dumping the `ip monitor` output when networkd is restarting.
Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>
- split out verifications into two functions,
- also check the following scenarios:
* unmanaging an existing interface,
* re-managing an unmanaged interface,
* adding a new unmanaged interface,
* removing an unmanaged interface.
- Also configures route to the gateway and prefix route in the specified
table, if necessary.
- Also set preferred source address of the route.
Closes#36168.
"Recently" (as of 5.18) the Linux kernel gained the ability of locking
bridge ports to restrict network access to authenticated hosts only.
This is implemented by disabling automated learning and dropping
incoming traffic from unknown hosts. User space is then expected to add
fdb entries for authenticated hosts. Once a fdb entry exist, traffic for
that host will be forwarded as expected.
This was later extended with "Mac Authentication Bypass", where the
locking was extended to fdb entries. In this mode the kernel adds fdb
entries again automatically, but they are locked by default.
To properly configure this, add two network options and one netdev
option:
* `LinkLocalLearning=` to prevent the kernel from creating unlocked
entries based on link-local traffic, which would bypass any
authentication. Needed when enabling learning on a locked port.
* `Locked=` to allow setting a bridge port to locked.
* `MACAuthenticationBypass=` to allow enabling Mac Authentication
Bypass on a port. Requires learning to be enabled on the port as well
(and consequently `LinkLocalLearning` disabled on the bridge).
An authenticator (e.g. hostapd) is still needed to do the actual
authentication, the kernel only provides the access control.
Since linux commit a35ec8e38cdd1766f29924ca391a01de20163931 ("bridge:
Add MAC Authentication Bypass (MAB) support"), included since v6.2, it
is possible to enable MAC Authentication Bypass for bridge ports. In
this mode the locked port learns again, but the learned fdb entries are
locked, allowing user space to unlock hosts based seen MAC addresses.
This requires learning to be enabled on the port, and link-local
learning disabled for the bridge.
Add support to systemd-network for setting the new attribute for bridge
ports.
Since linux commit a21d9a670d81103db7f788de1a4a4a6e4b891a0b ("net:
bridge: Add support for bridge port in locked mode"), included since
v5.18, it is possible to set bridge ports to locked.
Locked ports do not learn automatically, and discard any traffic from
unknown source MACs. To allow traffic, the userspace authenticator is
expected to create fdb entries for authenticated hosts.
Add support to systemd-network for setting the new attribute for bridge
ports.
When using locked ports on a bridge link-local learning needs to be
disabled to prevent the kernel from learning and automatically unlocking
hosts based on link-local traffic.
So add support for enabling NO_LL_LEARN for bridges.
Otherwise, if networkd is failed, e.g. .network files that triggered the
failure will remain, and the next test case will start with previous
.network files. So, most subsequent test will fail.
Otherwise, nexthop ID may contain e.g. 300, then
===
AssertionError: '300' unexpectedly found in
'default nhid 3860882700 via fe80::1034:56ff:fe78:9a99 proto ra metric 512 expires 1798sec pref high\n
default nhid 2639230080 via fe80::1034:56ff:fe78:9a98 proto ra metric 2048 expires 1798sec pref low'
===
Previously, when multiple routers send RAs with the same preference,
then the kernel merges routes with the same gateway address:
===
default proto ra metric 1024 expires 595sec pref medium
nexthop via fe80::200:10ff:fe10:1060 dev enp0s9 weight 1
nexthop via fe80::200:10ff:fe10:1061 dev enp0s9 weight 1
===
This causes IPv6 Conformance Test v6LC.2.2.11 failure, as reported in #33470.
To avoid the coalescing issue, we can use nexthop, as suggested by Ido Schimmel:
https://lore.kernel.org/netdev/ZytjEINNRmtpadr_@shredder/
> BTW, you can avoid the coalescing problem by using the nexthop API.
> # ip nexthop add id 1 via fe80::200:10ff:fe10:1060 dev enp0s9
> # ip -6 route add default nhid 1 expires 600 proto ra
> # ip nexthop add id 2 via fe80::200:10ff:fe10:1061 dev enp0s9
> # ip -6 route append default nhid 2 expires 600 proto ra
> # ip -6 route
> fe80::/64 dev enp0s9 proto kernel metric 256 pref medium
> default nhid 1 via fe80::200:10ff:fe10:1060 dev enp0s9 proto ra metric 1024 expires 563sec pref medium
> default nhid 2 via fe80::200:10ff:fe10:1061 dev enp0s9 proto ra metric 1024 expires 594sec pref medium
Fixes#33470.
Suggested-by: Ido Schimmel <idosch@idosch.org>
- fix verifiers in test_router_preference() to make them actually check
if unnecessary routes are removed,
- stop radv in test_ndisc_vs_static_route() before checking if the static
route is preserved even when the router sends a RA with zero lifetime,
- make verifiers in NetworkdIPv6PrefixTests stricter.
