Merge pull request #29769 from poettering/network-generator-ll

network-generator: add new mode ip=link-local

NEWS

@@ -37,6 +37,11 @@ CHANGES WITH 255 in spe:
           Transitions between real systems should be done with "systemctl soft-reboot"
           instead.
 
+        * The ip=off and ip=none kernel command line options interpreted by
+          systemd-network-generator will now result in IPv6RA + link-local
+          addressing to be disabled, too. Previously DHCP was turned off, but
+          IPv6RA and IPv6 link-local addressing was left enabled.
+
         Device Management:
 
         * udev will now create symlinks to loopback block devices in the

TODO

@@ -144,11 +144,6 @@ Features:
   root=nvme:<trtype>:<traddr>:<trsvcid>:<nqn>:<partition> to boot directly from
   nvme-oF
 
-* systemd-network-generator: add ip=link-local or so which configures all
-  network devices, but for ipv4ll/ipv6ll only, i.e. restricted to link-local
-  addressing. usecase: storage target mode (NVMe-TCP), where it makes sense for
-  security reasons to limit access to local links.
-
 * add a new systemd-project@.service that is very similar to user@.service but
   uses DynamicUser=1 and no PAMName= to invoke an unprivileged somewhat
   light-weight service manager. Use HOME=/var/lib/systemd/projects/%i as home

man/systemd-network-generator.service.xml

@@ -30,7 +30,7 @@
     <title>Description</title>
 
     <para><filename>systemd-network-generator.service</filename> is a system service that translates
-    <varname>ip=</varname> and the related settings on the kernel command line (see below) into
+    <varname>ip=</varname> and related settings on the kernel command line (see below) into
     <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
     <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and
     <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>
@@ -59,8 +59,15 @@
         <term><varname>rd.route=</varname></term>
         <term><varname>rd.peerdns=</varname></term>
         <listitem>
-          <para>— translated into
-          <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry> files.</para>
+          <para>Translated into
+          <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+          files.</para>
+
+          <para>In addition to the parameters <citerefentry
+          project='man-pages'><refentrytitle>dracut.cmdline</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+          defines the <varname>ip=</varname> option accepts the special value
+          <literal>link-local</literal>. If selected, the network interfaces will be configured for
+          link-local addressing (IPv4LL, IPv6LL) only, DHCP or IPv6RA will not be enabled.</para>
 
           <xi:include href="version-info.xml" xpointer="v245"/>
         </listitem>
@@ -70,8 +77,9 @@
         <term><varname>ifname=</varname></term>
         <term><varname>net.ifname-policy=</varname></term>
         <listitem>
-          <para>— translated into
-          <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry> files.</para>
+          <para>Translated into
+          <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+          files.</para>
 
           <xi:include href="version-info.xml" xpointer="v245"/>
         </listitem>
@@ -83,8 +91,9 @@
         <term><varname>bridge=</varname></term>
         <term><varname>bootdev=</varname></term>
         <listitem>
-          <para>— translated into
-          <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry> files.</para>
+          <para>Translated into
+          <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+          files.</para>
 
           <xi:include href="version-info.xml" xpointer="v245"/>
         </listitem>

src/network/generator/network-generator.c

@@ -17,10 +17,10 @@
 
 /*
   # .network
-  ip={dhcp|on|any|dhcp6|auto6|either6|link6}
-  ip=<interface>:{dhcp|on|any|dhcp6|auto6|link6}[:[<mtu>][:<macaddr>]]
-  ip=<client-IP>:[<peer>]:<gateway-IP>:<netmask>:<client_hostname>:<interface>:{none|off|dhcp|on|any|dhcp6|auto6|link6|ibft}[:[<mtu>][:<macaddr>]]
-  ip=<client-IP>:[<peer>]:<gateway-IP>:<netmask>:<client_hostname>:<interface>:{none|off|dhcp|on|any|dhcp6|auto6|link6|ibft}[:[<dns1>][:<dns2>]]
+  ip={dhcp|on|any|dhcp6|auto6|either6|link6|link-local}
+  ip=<interface>:{dhcp|on|any|dhcp6|auto6|link6|link-local}[:[<mtu>][:<macaddr>]]
+  ip=<client-IP>:[<peer>]:<gateway-IP>:<netmask>:<client_hostname>:<interface>:{none|off|dhcp|on|any|dhcp6|auto6|link6|ibft|link-local}[:[<mtu>][:<macaddr>]]
+  ip=<client-IP>:[<peer>]:<gateway-IP>:<netmask>:<client_hostname>:<interface>:{none|off|dhcp|on|any|dhcp6|auto6|link6|ibft|link-local}[:[<dns1>][:<dns2>]]
   rd.route=<net>/<netmask>:<gateway>[:<interface>]
   nameserver=<IP> [nameserver=<IP> ...]
   rd.peerdns=0
@@ -44,35 +44,57 @@
 */
 
 static const char * const dracut_dhcp_type_table[_DHCP_TYPE_MAX] = {
-        [DHCP_TYPE_NONE]    = "none",
-        [DHCP_TYPE_OFF]     = "off",
-        [DHCP_TYPE_ON]      = "on",
-        [DHCP_TYPE_ANY]     = "any",
-        [DHCP_TYPE_DHCP4]   = "dhcp",
-        [DHCP_TYPE_DHCP6]   = "dhcp6",
-        [DHCP_TYPE_AUTO6]   = "auto6",
-        [DHCP_TYPE_EITHER6] = "either6",
-        [DHCP_TYPE_IBFT]    = "ibft",
-        [DHCP_TYPE_LINK6]   = "link6",
+        [DHCP_TYPE_NONE]       = "none",
+        [DHCP_TYPE_OFF]        = "off",
+        [DHCP_TYPE_ON]         = "on",
+        [DHCP_TYPE_ANY]        = "any",
+        [DHCP_TYPE_DHCP]       = "dhcp",
+        [DHCP_TYPE_DHCP6]      = "dhcp6",
+        [DHCP_TYPE_AUTO6]      = "auto6",
+        [DHCP_TYPE_EITHER6]    = "either6",
+        [DHCP_TYPE_IBFT]       = "ibft",
+        [DHCP_TYPE_LINK6]      = "link6",
+        [DHCP_TYPE_LINK_LOCAL] = "link-local",
 };
 
 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(dracut_dhcp_type, DHCPType);
 
 static const char * const networkd_dhcp_type_table[_DHCP_TYPE_MAX] = {
-        [DHCP_TYPE_NONE]    = "no",
-        [DHCP_TYPE_OFF]     = "no",
-        [DHCP_TYPE_ON]      = "yes",
-        [DHCP_TYPE_ANY]     = "yes",
-        [DHCP_TYPE_DHCP4]   = "ipv4",
-        [DHCP_TYPE_DHCP6]   = "ipv6",
-        [DHCP_TYPE_AUTO6]   = "no",   /* TODO: enable other setting? */
-        [DHCP_TYPE_EITHER6] = "ipv6", /* TODO: enable other setting? */
-        [DHCP_TYPE_IBFT]    = "no",
-        [DHCP_TYPE_LINK6]   = "no",
+        [DHCP_TYPE_NONE]       = "no",
+        [DHCP_TYPE_OFF]        = "no",
+        [DHCP_TYPE_ON]         = "yes",
+        [DHCP_TYPE_ANY]        = "yes",
+        [DHCP_TYPE_DHCP]       = "ipv4",
+        [DHCP_TYPE_DHCP6]      = "ipv6",
+        [DHCP_TYPE_AUTO6]      = "no",   /* TODO: enable other setting? */
+        [DHCP_TYPE_EITHER6]    = "ipv6", /* TODO: enable other setting? */
+        [DHCP_TYPE_IBFT]       = "no",
+        [DHCP_TYPE_LINK6]      = "no",
+        [DHCP_TYPE_LINK_LOCAL] = "no",
 };
 
 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(networkd_dhcp_type, DHCPType);
 
+static const char * const networkd_ipv6ra_type_table[_DHCP_TYPE_MAX] = {
+        [DHCP_TYPE_NONE]       = "no",
+        [DHCP_TYPE_OFF]        = "no",
+        [DHCP_TYPE_LINK6]      = "no",
+        [DHCP_TYPE_LINK_LOCAL] = "no",
+        /* We omit the other entries, to leave the default in effect */
+};
+
+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(networkd_ipv6ra_type, DHCPType);
+
+static const char * const networkd_link_local_type_table[_DHCP_TYPE_MAX] = {
+        [DHCP_TYPE_NONE]       = "no",
+        [DHCP_TYPE_OFF]        = "no",
+        [DHCP_TYPE_LINK6]      = "ipv6",
+        [DHCP_TYPE_LINK_LOCAL] = "yes",
+        /* We omit the other entries, to leave the default in effect */
+};
+
+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(networkd_link_local_type, DHCPType);
+
 static Address *address_free(Address *address) {
         if (!address)
                 return NULL;
@@ -1131,6 +1153,16 @@ void network_dump(Network *network, FILE *f) {
         if (dhcp)
                 fprintf(f, "DHCP=%s\n", dhcp);
 
+        const char *ll;
+        ll = networkd_link_local_type_to_string(network->dhcp_type);
+        if (ll)
+                fprintf(f, "LinkLocalAddressing=%s\n", ll);
+
+        const char *ra;
+        ra = networkd_ipv6ra_type_to_string(network->dhcp_type);
+        if (ra)
+                fprintf(f, "IPv6AcceptRA=%s\n", ra);
+
         if (!strv_isempty(network->dns))
                 STRV_FOREACH(dns, network->dns)
                         fprintf(f, "DNS=%s\n", *dns);

src/network/generator/network-generator.h

@@ -10,15 +10,16 @@
 
 typedef enum DHCPType {
         DHCP_TYPE_NONE,
-        DHCP_TYPE_OFF,
+        DHCP_TYPE_OFF,   /* Same as DHCP_TYPE_NONE */
         DHCP_TYPE_ON,
-        DHCP_TYPE_ANY,
-        DHCP_TYPE_DHCP4,
+        DHCP_TYPE_ANY,   /* Same as DHCP_TYPE_ON */
+        DHCP_TYPE_DHCP,  /* Actually means: DHCPv4 */
         DHCP_TYPE_DHCP6,
         DHCP_TYPE_AUTO6,
         DHCP_TYPE_EITHER6,
         DHCP_TYPE_IBFT,
         DHCP_TYPE_LINK6,
+        DHCP_TYPE_LINK_LOCAL,
         _DHCP_TYPE_MAX,
         _DHCP_TYPE_INVALID = -EINVAL,
 } DHCPType;

test/test-network-generator-conversion/test-02-bridge.expected/90-eth0.network

@@ -7,6 +7,8 @@ Name=eth0
 
 [Network]
 DHCP=no
+LinkLocalAddressing=no
+IPv6AcceptRA=no
 DNS=10.10.10.10
 DNS=10.10.10.11
 Bridge=bridge99

test/test-network-generator-conversion/test-02-bridge.expected/90-eth1.network

@@ -7,6 +7,8 @@ Name=eth1
 
 [Network]
 DHCP=no
+LinkLocalAddressing=no
+IPv6AcceptRA=no
 DNS=10.10.10.10
 DNS=10.10.10.11
 Bridge=bridge99

test/test-network-generator-conversion/test-03-issue-14319.expected/90-enp3s0.network

@@ -7,6 +7,8 @@ Name=enp3s0
 
 [Network]
 DHCP=no
+LinkLocalAddressing=no
+IPv6AcceptRA=no
 
 [DHCP]