Let the user completely disable polkit authentication by
building NM with configure option '--enable-polkit=disabled'.
In that case, configuring 'main.auth-polkit=yes' will fail all
authentication requests (except root-requests, which are always granted).
This reduces the size of the NetworkManager binary by some 26KB (16KB
stripped).
Signed-off-by: Thomas Haller <thaller@redhat.com>
This makes NetworkManager independent of <polkit/polkit.h>
development headers and libpolkit-gobject-1.so library.
Instead communicate directly with polkit using its DBUS
interface.
PolicyKit support is now always compiled in. You can control
polkit authorization with the configuration option
[main]
auth-polkit=yes|no
If the configure option is omitted, a build time default
value is used. This default value can be set with the
configure option --enable-polkit.
This commit adds a new class NMAuthManager that reimplements the
relevant DBUS client parts. It takes source code from the polkit
library.
https://bugzilla.gnome.org/show_bug.cgi?id=734146
Signed-off-by: Thomas Haller <thaller@redhat.com>
There's not much point in keeping them separate: all existing
libnm-glib-vpn users also link against libnm-glib, and the amount of
extra code added to libnm by merging in libnm-vpn is negligible.
Additionally, nm-vpn-plugin will later need access to some
libnm-internal APIs.
So, merge them together.
Instead of having basically the same code in a bunch of different
places to find helper programs, just have one place do it. Yes, this
does mean that the same sequence of paths is searched for all helpers
(so for example, dnsmasq will no longer be found first in /usr/local)
but I think consistency is the better option here.
https://bugzilla.gnome.org/show_bug.cgi?id=734131
This patch requires both upstream kernel support for
IFLA_INET6_ADDR_GEN_MODE which was merged in this patch:
ipv6: addrconf: implement address generation modes
bc91b0f07ada5535427373a4e2050877bcc12218
and corresponding libnl support, merged in these patches:
veth: add kernel header linux/veth.h for VETH defines
9dc6e6da90016a33929f262bea0187396e1a061b
link: update copy of kernel header include/linux/if_link.h
b51815a9dbd8e45fd2558bbe337fb360ca2fd861
link/inet6: add link IPv6 address generation mode support
558f966782539f6d975da705fd73cea561c9dc83
Instead of handling iBFT (iSCSI Boot Firmware Table) in the ifcfg-rh plugin,
create a new plugin for it. This allows all distributions to use iBFT
configuration, and makes both iBFT handling and ifcfg-rh less complicated.
The plugin (like the old ifcfg-rh code) creates read-only connections backed
by the data exported by iscsiadm. The plugin does not support adding new
connections or modifying existing connections (since the iBFT data is
read-only anyway). Instead, users should change their iBFT data through
the normal firmware interfaces.
Unmanaged devices can be configured through NetworkManager.conf and the
normal 'keyfile' mechanisms.
(In the future, we'll read this data directly from the kernel's
/sys/firmware/ibft/ethernetX directory instead of iscsiadm, since the
kernel has all the information we need and that's where iscsiadm gets
it from anyway.)
https://bugzilla.gnome.org/show_bug.cgi?id=734009
The script extracts plugin description from document comments for particular
properties and builds an XML file out of the data. The XML file can be used
later for generating manual pages or other documentation.
Unfortunately, gtk-doc won't allow descriptions that would be separated from
the main gtk-doc stuff. But it is still useful to have plugin description bits
co-located with property definitions. We use our home-grown comments and parse
them ourselves. After all it's not that bad, and in addition it brings us
freedom in shaping the comments to our needs.
Previously, the user could only change the udev base directory,
but not disable installation entirely.
Support this now with:
./configure --with-udev-dir=no
or
./configure --without-udev-dir
Also, just passing '--with-udev-dir' equals '--with-udev-dir=yes'.
Treat 'yes' equal to the default '/lib/udev'.
Also, check that the path is an absolute path starting with a '/'.
Signed-off-by: Thomas Haller <thaller@redhat.com>
This fixes up the code from the previous "clean" import, and adds
build infrastructure.
[There are two slightly orthogonal sets of changes in this patch.
First, the files added in the previous commit were modified as follows:
# Replace internal references to "libnm-util" and "libnm-glib" with "libnm"
perl -pi -e 's/libnm-(util|glib)/libnm/;' libnm-core/*.[ch] libnm-core/tests/*.[ch] libnm/*.[ch] libnm/tests/*.[ch]
# Fix includes of the enum-types files
perl -pi -e 's/nm-utils-enum-types/nm-core-enum-types/;' libnm-core/*.[ch] libnm-core/tests/*.[ch] libnm/*.[ch] libnm/tests/*.[ch]
perl -pi -e 's/nm-glib-enum-types/nm-enum-types/;' libnm/*.[ch] libnm/tests/*.[ch]
# Fix some python example code
perl -pi -e 's/import NMClient/import NM/;' -e 's/NMClient.Client\(\)/NM.Client()/;' libnm/nm-client.c
Then, the build infrastructure was added (without further modifying
any existing files in libnm-core or libnm.)
Note: to regenerate libnm.ver after rebase:
(head -2 libnm-util/libnm-util.ver; (grep -h '\s'nm_ libnm-util/libnm-util.ver libnm-glib/libnm-glib.ver | env LANG=C sort); tail -3 libnm-util/libnm-util.ver) > libnm/libnm.ver
]
When building with '--disable-concheck' with libsoup installed,
configure would set HAVE_LIBSOUP. But without connection
checking, we didn't link against libsoup, resulting in a
linker error.
Add a new configure option '--with-libsoup' / '--without-libsoup'
to control whether to link against libsoup.
The combination '--without-libsoup --enable-concheck' does not
make sense.
https://bugzilla.gnome.org/show_bug.cgi?id=734062
Signed-off-by: Thomas Haller <thaller@redhat.com>
Some subdirectories of src/ encapsulate large chunks of functionality,
but src/config/, src/logging/, and src/posix-signals/ are really only
separated out because they used to be built into separate
sub-libraries that were needed either for test programs, or to prevent
circular dependencies. Since this is no longer relevant, simplify
things by moving their files back into the main source directory.
The remaining contents of the test/ directory are:
- 2 python example programs that aren't as good as the ones in examples/
- a test of the deprecated libnm_glib API which isn't as good as the one
in libnm-glib/
- A DHCP-related test program that hasn't been relevant since 2005
Let's just kill it all.
Create a new clients/ subdirectory at the top level, and move cli/ and
tui/ into it, as well as nm-online.c (which was previously in test/,
which made no sense).
cli/ was split into two subdirectories, src/ and completion/. While
this does simplify things (given that the completion file and the
binary both need to be named "nmcli"), it bloats the source tree, and
we can work around it by just renaming the completion file at install
time. Then we can combine the two directories into one and just have
it all under clients/cli/.
NetworkManager.h, NetworkManagerVPN.h, and nm-version.h are part of
the libnm-util API, so move them to libnm-util.
include/ still contains headers that are strictly NM-internal (eg,
nm-glib-compat.h).
Certain build configurations (like --enable-gtk-doc
--disable-introspection) were broken with respect to nm-setting-docs.
Fix this. Also, we don't require just gobject-introspection, we need
pygobject specifically as well.
Not all distros build their readline linked with a termcap library,
since apps are (apparently) supposed to choose one for themselves
and explicitly link to it when using readline. So add some checks
to figure out whether readline is already linked, and if not, prefer
ncurses since we use that for nmtui already.
ax_lib_readline based off:
http://www.gnu.org/software/autoconf-archive/ax_lib_readline.html
nmcli used the GParamSpec doc strings to get property descriptions,
but they will be going away. Generate a .c file from the new XML
setting docs file, and link that into nmcli.
This is a left-over from the early days of libndp when
the library was optionally a git-submodule of NetworkManager.
Signed-off-by: Thomas Haller <thaller@redhat.com>
Always run the linux platform tests, even if called as non-root user.
In such a case, print a message and return 77 (signalizing that the test
was skipped).
Only if we configured with --enable-test=root, we enforce that the
user executes the tests as root.
Co-Authored-By: Pavel Šimerda <psimerda@redhat.com>
Signed-off-by: Thomas Haller <thaller@redhat.com>
Make Wi-Fi support a plugin using the new device factory interface.
Provides a 7% size reduction in the core NM binary.
        Before    After
NM:     1154104   1071992 (-7%)
Wi-Fi:  0         110464
(all results from stripped files)
The kernel PPPoE code disconnects when it receives a PADT frame, but
doesn't notify userland about it. So if the server sends a PPPoE PADT
without having sent the standard PPP LCP Termination request first,
then pppd (and thus NetworkManager) will not know that the connection
has been disconnected.
This should eventually be fixed in the kernel, but for now, work
around this by using the userland pppoe client rather than the kernel
code.
The atm/adsl plugin really is a generic ATM plugin but (a) it needs a
bit of work to do IPoATM rather than just PPPoATM and PPPoEoATM, and
(b) most people currently using NM's ATM support are using DSL devices
not actual ATM cards anyway, and have no idea what "ATM" even means.
If we add the necessary IPoATM support later we can rename the plugin
back to -atm
Make WWAN support a plugin using the new device factory interface.
Provides a 5% size reduction in the core NM binary.
        Before    After
NM:     1187224   1125208 (-5%)
MM:     0         100576
(all results from stripped files)
Make Bluetooth support a plugin using the new device factory interface.
Provides a 5% size reduction in the core NM binary.
        Before    After
NM:     1253016   1187224 (-5%)
BT:     0         85752
(all results from stripped files)
Make ADSL support a plugin using the new device factory interface.
Provides a 1% size reduction in the core NM binary.
        Before    After
NM:     1265336   1253016 (-1%)
ATM:    0         27360
(all results from stripped files)
We were setting GLIB_VERSION_MAX_ALLOWED to 2.34, since we provide
reimplementations of a few 2.34 functions in nm-glib-compat.h. But
this was turning off warnings for the 2.34+ APIs we *didn't* have
compat versions of too.
Fix this by setting MAX_ALLOWED to 2.32 (same as MIN_REQUIRED), and
defining macros to wrap calls to compat-ified functions and disable
deprecation warnings around them.
This points out several places where we were accidentally using 2.34
APIs without noticing, which need to be fixed now.
`make dist` packs the 'configure' file in the tarball, so this is
useful, to include the commit id into the release tarball.
Signed-off-by: Thomas Haller <thaller@redhat.com>
At critical times during the connection process, especially during
DHCP and EAPOL, the driver can increase the reliability of communication
in an attempt to increase the possibility of success. This could be
done by suppressing bluetooth for a short period, or locking in a low
(and thus more reliable) bitrate, or enforcing some other interference
protection. The 3.10 kernel added nl80211 support for this, so let's
use it if we can.
Given an IPv4 address and prefix for a shared config, figure out
the DHCP address range automatically. To keep things simple we
allow a max of 252 addresses (not including network address,
broadcast address, and the hotspot) no matter what prefix you use,
so if the address is 10.0.10.1, you still only get a range of
10.0.10.2 -> 10.0.10.254.
But we also leave some addresses available above the host address
for static stuff, like we did before. This is done on a sliding
scale from 0 to 8 addresses, where about 1/10th the number of
available addresses are reserved.
https://bugzilla.gnome.org/show_bug.cgi?id=675973
If the hostname is "foo.example.com" then we want to add
"search example.com" to resolv.conf, but if it's just "example.com",
we don't want to add "search com" (rh #812394).
So if NetworkManager is being built with recent libsoup, use
soup_tld_domain_is_public_suffix() to double-check the domain before
adding it. (If it is not being built with libsoup, or is being built
with too old a version, we just skip that test, keeping the old
behavior.)
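
The check described in the commit message above, as an added example (not NetworkManager's code): derive the resolv.conf search domain from a hostname and drop it when it is a public suffix. The helper name search_domain_from_hostname() is hypothetical, and the small suffix table is a constructed stand-in for soup_tld_domain_is_public_suffix(), which consults the full public suffix list.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for soup_tld_domain_is_public_suffix(): a tiny,
 * incomplete sample of public suffixes, for illustration only. */
static const char *const sample_public_suffixes[] = {
    "com", "org", "net", "uk", "co.uk", NULL
};

static int is_public_suffix(const char *domain)
{
    for (size_t i = 0; sample_public_suffixes[i]; i++)
        if (strcasecmp(domain, sample_public_suffixes[i]) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: copies the domain part of hostname into out and
 * returns 1 if it is usable as a "search" entry, 0 if none should be added. */
int search_domain_from_hostname(const char *hostname, char *out, size_t outlen)
{
    const char *dot = strchr(hostname, '.');
    const char *domain;
    size_t len;

    if (!dot || dot == hostname)            /* single label or leading dot */
        return 0;
    domain = dot + 1;
    len = strlen(domain);
    if (len > 0 && domain[len - 1] == '.')  /* ignore a trailing root dot */
        len--;
    if (len == 0 || len >= outlen)
        return 0;
    memcpy(out, domain, len);
    out[len] = '\0';
    return !is_public_suffix(out);          /* "example.com" -> "com": skip */
}

int main(void)
{
    /* Constructed sample hostnames. */
    const char *names[] = { "foo.example.com", "example.com",
                            "host.example.co.uk", "example.co.uk", "localhost" };
    char domain[256];

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int ok = search_domain_from_hostname(names[i], domain, sizeof(domain));
        printf("%-20s -> %s\n", names[i], ok ? domain : "(no search entry)");
    }
    return 0;
}
```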