author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2021-06-07 23:21:57 +0200 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2021-06-08 21:56:48 +0200 |
commit | 9e1432d5ccf4604b1276e8b623ccb65dda518d85 (patch) | |
tree | 9acbcdbfb0fd4807c8f23bea1b89b61770508f90 /src/network/networkd-sysctl.c | |
parent | test-libcrypt-util: print out default for password settings, run make_salt() ... (diff) | |
network: introduce IPv6StableSecretAddress= setting
Previously, when IPv6LinkLocalAddressGenerationMode= was not set, we
determined the address generation mode based on the result of reading the
stable_secret sysctl value. With this change, the mode is determined by whether
a secret address is specified in the new setting.
Closes #19622.
Diffstat (limited to 'src/network/networkd-sysctl.c')
-rw-r--r-- | src/network/networkd-sysctl.c | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/src/network/networkd-sysctl.c b/src/network/networkd-sysctl.c
index ee5fe5f93d..e3e2c0c7a1 100644
--- a/src/network/networkd-sysctl.c
+++ b/src/network/networkd-sysctl.c
@@ -11,6 +11,9 @@
 #include "string-table.h"
 #include "sysctl-util.h"
+#define STABLE_SECRET_APP_ID_1 SD_ID128_MAKE(aa,05,1d,94,43,68,45,07,b9,73,f1,e8,e4,b7,34,52)
+#define STABLE_SECRET_APP_ID_2 SD_ID128_MAKE(52,c4,40,a0,9f,2f,48,58,a9,3a,f6,29,25,ba,7a,7d)
+
 static int link_update_ipv6_sysctl(Link *link) {
 assert(link);
@@ -202,6 +205,48 @@ int link_set_ipv6_mtu(Link *link) {
 return sysctl_write_ip_property_uint32(AF_INET6, link->ifname, "mtu", link->network->ipv6_mtu);
 }
+static int link_set_ipv6ll_stable_secret(Link *link) {
+ _cleanup_free_ char *str = NULL;
+ struct in6_addr a;
+ int r;
+
+ assert(link);
+ assert(link->network);
+
+ if (link->network->ipv6ll_address_gen_mode != IPV6_LINK_LOCAL_ADDRESSS_GEN_MODE_STABLE_PRIVACY)
+ return 0;
+
+ if (in6_addr_is_set(&link->network->ipv6ll_stable_secret))
+ a = link->network->ipv6ll_stable_secret;
+ else {
+ sd_id128_t key;
+ le64_t v;
+
+ /* Generate a stable secret address from machine-ID and the interface name. */
+
+ r = sd_id128_get_machine_app_specific(STABLE_SECRET_APP_ID_1, &key);
+ if (r < 0)
+ return log_link_debug_errno(link, r, "Failed to generate key: %m");
+
+ v = htole64(siphash24_string(link->ifname, key.bytes));
+ memcpy(a.s6_addr, &v, sizeof(v));
+
+ r = sd_id128_get_machine_app_specific(STABLE_SECRET_APP_ID_2, &key);
+ if (r < 0)
+ return log_link_debug_errno(link, r, "Failed to generate key: %m");
+
+ v = htole64(siphash24_string(link->ifname, key.bytes));
+ assert_cc(sizeof(v) * 2 == sizeof(a.s6_addr));
+ memcpy(a.s6_addr + sizeof(v), &v, sizeof(v));
+ }
+
+ r = in6_addr_to_string(&a, &str);
+ if (r < 0)
+ return r;
+
+ return sysctl_write_ip_property(AF_INET6, link->ifname, "stable_secret", str);
+}
+
 static int link_set_ipv4_accept_local(Link *link) {
 assert(link);
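Review bot: The fallback branch of link_set_ipv6ll_stable_secret() builds the secret only from the machine ID, the two STABLE_SECRET_APP_ID_* constants that are public in this file, and link->ifname, so the value written to stable_secret is exactly as confidential as the machine ID, and the comment in the `else` block does not say so. The kernel exposes the stable_secret sysctl with root-only permissions, while /etc/machine-id is normally readable by every local user, so the derived value presumably offers less secrecy against local accounts than a randomly generated secret would. I would extend the existing comment with a line such as `/* NB: the derived value is only as confidential as the machine ID; configure IPv6StableSecretAddress= where that is not sufficient. */` and carry the same caveat into the documentation of the new setting. The two STABLE_SECRET_APP_ID_* defines in the first hunk would also benefit from a one-line comment stating that each keys one 64-bit half of the address.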
@@ -273,6 +318,10 @@ int link_set_sysctl(Link *link) {
 if (r < 0)
 log_link_warning_errno(link, r, "Cannot set IPv6 MTU, ignoring: %m");
+ r = link_set_ipv6ll_stable_secret(link);
+ if (r < 0)
+ log_link_warning_errno(link, r, "Cannot set stable secret address for IPv6 link local address: %m");
+
 r = link_set_ipv4_accept_local(link);
 if (r < 0)
 log_link_warning_errno(link, r, "Cannot set IPv4 accept_local flag for interface, ignoring: %m"); |
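Review bot: The new warning in link_set_sysctl() drops the ", ignoring" wording used by the neighbouring messages, although the failure is handled the same way: it is logged and execution continues with the next sysctl. For consistency I would write `log_link_warning_errno(link, r, "Cannot set stable secret address for IPv6 link local address, ignoring: %m");`. A failed key derivation is also reported twice, once at debug level inside link_set_ipv6ll_stable_secret() and once here, which is harmless but noisy. link_set_sysctl() starts and ends outside this hunk, so how `r` is treated afterwards is not visible.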