November 2019 - connman

by Daniel Wagner

Add WireGuard support to the VPN daemon. This version isn't too bad, so if no one is speaking up I am going to merge it. We can still clean up stuff later. The only thing which should be in place from day one are the config options. Please have a look at them and speak up if you think these are wrongly named etc. One thing which needs to be changed after this goes in, are how we handle the secret data (passwords, etc). Currently, all settings are showing up in the logs unless the hackish 'hide_value' API is used. But this is for latter. changes v1: - error handling improved - rewrite of host/ip parsing code - configuration options overhal Daniel Wagner (11): include: Remove unused definition shared: Remove netlink code vpn: Remove Host check in plugins vpn: Add provider only on success to hash table build: Test for libmnl independent of nftables vpn: Add WireGuard plugin placeholder shared: Add Generic Netlink helpers for libmnl vpn: Add embeddable WireGuard library vpn: Introduce VPN_FLAG_NO_DAEMON doc: Document WireGuard VPN plugin vpn: Add WireGuard support Makefile.am | 13 +- Makefile.plugins | 25 + configure.ac | 23 +- doc/vpn-config-format.txt | 22 + include/provider.h | 2 - src/shared/mnlg.c | 325 ++++++++++++ src/shared/mnlg.h | 27 + src/shared/netlink.c | 666 ------------------------- src/shared/netlink.h | 53 -- tools/netlink-test.c | 123 ----- vpn/plugins/libwireguard.c | 998 +++++++++++++++++++++++++++++++++++++ vpn/plugins/openconnect.c | 7 - vpn/plugins/openvpn.c | 6 - vpn/plugins/pptp.c | 8 +- vpn/plugins/vpn.c | 51 +- vpn/plugins/vpn.h | 3 +- vpn/plugins/vpnc.c | 6 - vpn/plugins/wireguard.c | 373 ++++++++++++++ vpn/plugins/wireguard.h | 103 ++++ vpn/vpn-config.c | 7 +- 20 files changed, 1951 insertions(+), 890 deletions(-) create mode 100644 src/shared/mnlg.c create mode 100644 src/shared/mnlg.h delete mode 100644 src/shared/netlink.c delete mode 100644 src/shared/netlink.h delete mode 100644 tools/netlink-test.c create mode 100644 vpn/plugins/libwireguard.c create mode 100644 vpn/plugins/wireguard.c create mode 100644 vpn/plugins/wireguard.h -- 2.23.0

1 year, 2 months

1
12
0 / 0

Need to remove Passphrase from wifi.../settings also if wifi is not available - Is this possible

by Ryll, Jan (GED-SDD2)

Hello, what if a wifi network service is not available anymore and I need to remove/clear the credential / Passphrase? How could I achieve this? Best regards Jan

1 year, 2 months

2
2
0 / 0

Is there anyway to get SIM ID?

by JH

Hi, I am running connman in a 4G LTE device in Linux system, are there anyway to get SIM ID? and the Operator and LTE signalling strength? Unfoutuantly, I don't have connmanctl due to the limitation of the space to install Python. Thank you. Kind regards, - jh

1 year, 2 months

3
6
0 / 0

[PATCH] timeserver: reload nameservers when service nameservers change

by Vivien Henriet

This is to fix an issue where connman is unable to resolve ntp hostnames. When a service switch from a autoconf link local address (169.254.0.0/16) to an address configured by dhcp, timeserver was not notified and thus was not reloaded its resolver's nameserver. As a consequence, hostnames of ntp server were not resolved. Change-Id: Icfcaba44de922947d03e507008921011bab014d5 --- src/service.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/service.c b/src/service.c index 552b788f..b7a69f10 100644 --- a/src/service.c +++ b/src/service.c @@ -997,8 +997,12 @@ static int nameservers_changed_cb(void *user_data) service->nameservers_timeout = 0; if ((is_idle(service->state) && !service->nameservers) || - is_connected(service->state)) - dns_changed(service); + is_connected(service->state)) { + dns_changed(service); + if (service == connman_service_get_default()) + __connman_timeserver_sync(service); + } + return FALSE; } -- 2.21.0

1 year, 2 months

1
0
0 / 0

The order of a OpenVpn service with topology subnet cannot be changed due to a missing route

by Thomas Achleitner

Hi, one of our clients uses a server configuration with topology subnet and does not push a route from server. This causes an error when moving the vpn service below the ethernet service and the default gateway then is the vpn connection. From the openvpn log i get Tue Nov 5 09:29:02 2019 SENT CONTROL [test.vpn]: 'PUSH_REQUEST' (status=1) Tue Nov 5 09:29:02 2019 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0,peer-id 0' and the journalctl log states Nov 05 11:19:46 blue-x21150002 connmand[278]: vpn0 {create} index 12 type 65534 <NONE> Nov 05 11:19:46 blue-x21150002 connmand[278]: vpn0 {update} flags 4240 <DOWN> Nov 05 11:19:46 blue-x21150002 connmand[278]: vpn0 {newlink} index 12 address 00:00:00:00:00:00 mtu 1500 Nov 05 11:19:46 blue-x21150002 connmand[278]: vpn0 {newlink} index 12 operstate 2 <DOWN> Nov 05 11:19:47 blue-x21150002 connman-vpnd[259]: vpn0 {create} index 12 type 65534 <NONE> Nov 05 11:19:47 blue-x21150002 connman-vpnd[259]: vpn0 {update} flags 4240 <DOWN> Nov 05 11:19:47 blue-x21150002 connman-vpnd[259]: vpn0 {newlink} index 12 operstate 2 <DOWN> Nov 05 11:19:49 blue-x21150002 connmand[278]: vpn0 {update} flags 102609 <UP,RUNNING,LOWER_UP> Nov 05 11:19:49 blue-x21150002 connmand[278]: vpn0 {newlink} index 12 address 00:00:00:00:00:00 mtu 1500 Nov 05 11:19:49 blue-x21150002 connmand[278]: vpn0 {newlink} index 12 operstate 6 <UP> Nov 05 11:19:49 blue-x21150002 connman-vpnd[259]: vpn0 {update} flags 102609 <UP,RUNNING,LOWER_UP> Nov 05 11:19:49 blue-x21150002 connman-vpnd[259]: vpn0 {newlink} index 12 operstate 6 <UP> Nov 05 11:19:49 blue-x21150002 connmand[278]: vpn0 {add} address 10.8.0.3/24 label vpn0 family 2 Nov 05 11:19:49 blue-x21150002 connmand[278]: vpn0 {add} route 10.8.0.0 gw 0.0.0.0 scope 253 <LINK> Nov 05 11:19:50 blue-x21150002 connmand[278]: Setting domainname to test.vpn Nov 05 11:19:50 blue-x21150002 connmand[278]: ipconfig state 4 ipconfig method 1 Nov 05 11:19:50 blue-x21150002 connmand[278]: eth0 {add} route 185.48.116.146 gw 192.168.30.4 scope 0 <UNIVERSE> Nov 05 11:19:50 blue-x21150002 connmand[278]: eth0 {del} route 0.0.0.0 gw 192.168.30.4 scope 0 <UNIVERSE> Nov 05 11:19:50 blue-x21150002 connmand[278]: vpn0 {add} route 0.0.0.0 gw 0.0.0.0 scope 253 <LINK> Nov 05 11:19:50 blue-x21150002 connmand[278]: Cannot move service. No routes defined for provider test_vpn_test_vpn i wrote a patch for removing the check and after applying the connection works --- a/src/service.c 2019-11-05 12:31:42.310731141 +0100 +++ b/src/service.c 2019-11-05 12:34:54.042859743 +0100 @@ -4820,17 +4820,6 @@ return __connman_error_invalid_service(msg); if (target->type == CONNMAN_SERVICE_TYPE_VPN) { - /* - * We only allow VPN route splitting if there are - * routes defined for a given VPN. - */ - if (!__connman_provider_check_routes(target->provider)) { - connman_info("Cannot move service. " - "No routes defined for provider %s", - __connman_provider_get_ident(target->provider)); - return __connman_error_invalid_service(msg); - } - set_split_routing(target, true); } else set_split_routing(target, false); Can this cause any other trouble? Thank you! Best regards, Thomas

1 year, 2 months

2
1
0 / 0

[PATCH v0 0/3] Address a couple of warnings

by Daniel Wagner

- Replace deprecated GTimeVal with GDateTime - Address the gcc string truncation warnings Daniel Wagner (3): service: Replace GTimeVal with GDateTime tools: Replace GTimeVal with GDateTime plugins/ethernet: Properly NUL-terminated strncpy() operations plugins/ethernet.c | 7 ++++++- src/service.c | 42 +++++++++++++++++++++++++++++++++++------- tools/stats-tool.c | 11 ++++++++--- 3 files changed, 49 insertions(+), 11 deletions(-) -- 2.23.0

1 year, 2 months

1
5
0 / 0

[PATCH] vpn-provider: make reset_error_counters() static

by Marcus Folkesson

Declare reset_error_counters() as static as it should not be used in other contexts. Get rid of this error from GCC 9.1.0: vpn/vpn-provider.c:865:6: error: no previous declaration for ‘reset_error_counters’ [-Werror=missing-declarations] 865 | void reset_error_counters(struct vpn_provider *provider) Signed-off-by: Marcus Folkesson <marcus.folkesson(a)gmail.com> --- vpn/vpn-provider.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vpn/vpn-provider.c b/vpn/vpn-provider.c index b8b94cbf..08792ecc 100644 --- a/vpn/vpn-provider.c +++ b/vpn/vpn-provider.c @@ -862,7 +862,7 @@ static gchar **create_network_list(GSList *networks, gsize *count) return result; } -void reset_error_counters(struct vpn_provider *provider) +static void reset_error_counters(struct vpn_provider *provider) { if (!provider) return; -- 2.23.0

1 year, 2 months

2
1
0 / 0

[PATCH] plugins/ethernet: fix strncpy errors with GCC>9.1

by Nicola Lunghi

From: Nicola Lunghi <nick83ola(a)gmail.com> This fixes the following errors: In function ‘strncpy’, inlined from ‘get_dsa_port’ at plugins/ethernet.c:102:2: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 16 equals destination size [-Werror=stringop-truncation] 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function ‘strncpy’, inlined from ‘get_dsa_port’ at plugins/ethernet.c:106:2: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 24 equals destination size [-Werror=stringop-truncation] 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function ‘strncpy’, inlined from ‘get_dsa_port’ at plugins/ethernet.c:109:3: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ output may be truncated copying 16 bytes from a string of length 23 [-Werror=stringop-truncation] 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ CC plugins/src_connmand-neard.o CC src/shared/connmand-util.o CC src/shared/connmand-netlink.o CC src/shared/connmand-arp.o In function ‘strncpy’, inlined from ‘get_vlan_vid’ at plugins/ethernet.c:76:2, inlined from ‘add_network’ at plugins/ethernet.c:199:9, inlined from ‘ethernet_newlink’ at plugins/ethernet.c:253:4: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 24 equals destination size [-Werror=stringop-truncation] 106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Nicola Lunghi <nick83ola(a)gmail.com> --- plugins/ethernet.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/plugins/ethernet.c b/plugins/ethernet.c index b0395c83..6ceb2266 100644 --- a/plugins/ethernet.c +++ b/plugins/ethernet.c @@ -73,7 +73,7 @@ static int get_vlan_vid(const char *ifname) return -errno; vifr.cmd = GET_VLAN_VID_CMD; - strncpy(vifr.device1, ifname, sizeof(vifr.device1)); + strncpy(vifr.device1, ifname, sizeof(vifr.device1) - 1); if(ioctl(sk, SIOCSIFVLAN, &vifr) >= 0) vid = vifr.u.VID; @@ -99,14 +99,17 @@ static int get_dsa_port(const char *ifname) return -errno; memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); + strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name) - 1); /* check if it is a vlan and get physical interface name*/ vifr.cmd = GET_VLAN_REALDEV_NAME_CMD; - strncpy(vifr.device1, ifname, sizeof(vifr.device1)); + strncpy(vifr.device1, ifname, sizeof(vifr.device1) - 1); +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wstringop-truncation" if(ioctl(sk, SIOCSIFVLAN, &vifr) >= 0) - strncpy(ifr.ifr_name, vifr.u.device2, sizeof(ifr.ifr_name)); + strncpy(ifr.ifr_name, vifr.u.device2, sizeof(ifr.ifr_name) - 1); +#pragma GCC diagnostic pop /* get driver info */ drvinfocmd.cmd = ETHTOOL_GDRVINFO; -- 2.20.1

1 year, 2 months

4
6
0 / 0

[PATCH] l2tp: Save 'exclusive' config value in lns context

by Jussi Laakkonen

The config value 'exclusive' must be saved in lns context. This is because if written to lac context parsing will fail (versions 1.3.8 and 1.3.14 were tested): xl2tpd[]: parse_config: line 12: 'exclusive' not valid in this context This went undetected unless the option was set. By default, 'exclusive' is not written to xl2tpd config. The xl2tpd documentation states that "Most of those described in the LNS section may be used in a LAC context, where it make common sense (essentially l2tp procotols tuning flags and authentication / ppp related ones)." Added a enum option OPT_L2LNS for defining other options to be used in lns context only. --- vpn/plugins/l2tp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/vpn/plugins/l2tp.c b/vpn/plugins/l2tp.c index ff5f08b9..422d6782 100644 --- a/vpn/plugins/l2tp.c +++ b/vpn/plugins/l2tp.c @@ -65,6 +65,7 @@ enum { OPT_L2G = 2, OPT_L2 = 3, OPT_PPPD = 4, + OPT_L2LNS = 5, }; struct { @@ -83,7 +84,7 @@ struct { { "L2TP.DefaultRoute", "defaultroute", OPT_L2, NULL, OPT_STRING }, { "L2TP.FlowBit", "flow bit", OPT_L2, NULL, OPT_STRING }, { "L2TP.TunnelRWS", "tunnel rws", OPT_L2, NULL, OPT_STRING }, - { "L2TP.Exclusive", "exclusive", OPT_L2, NULL, OPT_STRING }, + { "L2TP.Exclusive", "exclusive", OPT_L2LNS, NULL, OPT_STRING }, { "L2TP.Autodial", "autodial", OPT_L2, "yes", OPT_STRING }, { "L2TP.Redial", "redial", OPT_L2, "yes", OPT_STRING }, { "L2TP.RedialTimeout", "redial timeout", OPT_L2, "10", OPT_STRING }, @@ -454,6 +455,9 @@ static int l2tp_write_config(struct vpn_provider *provider, l2tp_write_option(fd, "[global]", NULL); l2tp_write_fields(provider, fd, OPT_L2G); + l2tp_write_option(fd, "[lns]", NULL); + l2tp_write_fields(provider, fd, OPT_L2LNS); + l2tp_write_option(fd, "[lac l2tp]", NULL); option = vpn_provider_get_string(provider, "Host"); -- 2.20.1

1 year, 2 months

2
2
0 / 0

[PATCH] vpn: Set to use C locale with tasks used for running VPN processes

by Jussi Laakkonen

Set LANG and LC_ALL to C locale for each task used to run VPN processes. This ensures that no translations are used. The user for running VPN process can be changed with DACPrivileges configuration (see commit 171989601a7a4fadafda20a7e6d30e9ada3fb516). If the user is changed to other than what connman is ran with a specific language may have been set. Plugins relying on correct output would fail in such case. --- vpn/plugins/vpn.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/vpn/plugins/vpn.c b/vpn/plugins/vpn.c index eef8550e..16946c80 100644 --- a/vpn/plugins/vpn.c +++ b/vpn/plugins/vpn.c @@ -624,6 +624,15 @@ static int vpn_connect(struct vpn_provider *provider, goto exist_err; } + /* + * Change to use C locale, some VPN plugins use screen scraping for + * error parsing. To be on the safe side, set both LANG and LC_ALL. + * This is required especially when the VPN processes are ran using + * user other than root. + */ + connman_task_add_variable(data->task,"LANG", "C"); + connman_task_add_variable(data->task,"LC_ALL", "C"); + ret = vpn_driver_data->vpn_driver->connect(provider, data->task, data->if_name, cb, dbus_sender, user_data); -- 2.20.1

1 year, 2 months

3
4
0 / 0

2021

2020

2019

2018

2017

2016

2015

connman November 2019