authorYu Watanabe <watanabe.yu+github@gmail.com>2023-11-21 21:17:58 +0100
committerYu Watanabe <watanabe.yu+github@gmail.com>2023-11-21 21:24:18 +0100
commitcf289b1415026bac43b39f1c8d8a95005ea57ed3 (patch)
tree9906c5b872b6b868895ada2f162d15c730262be8 /src
parentman: [DHCPv4] RapidCommit= is disabled when Anonymize=yes (diff)
network/dhcp: disable RapidCommit= by default when AllowList=/DenyList= is specified
AllowList= and DenyList= filter only DHCPOFFER messages. So, if RapidCommit= is enabled, networkd unconditionally accepts a rapid ACK message even if its sender is filtered out by the lists. As AllowList=/DenyList= were implemented earlier than RapidCommit=, enabling RapidCommit= unconditionally by default may break existing setups that use AllowList=/DenyList=. Let's disable RapidCommit= by default when AllowList=/DenyList= is enabled. The setting can still be enabled by setting it explicitly, even when AllowList=/DenyList= is also specified.
Diffstat (limited to 'src')
-rw-r--r--src/network/networkd-dhcp4.c7
-rw-r--r--src/network/networkd-network-gperf.gperf2
-rw-r--r--src/network/networkd-network.c2
-rw-r--r--src/network/networkd-network.h2
4 files changed, 10 insertions, 3 deletions
diff --git a/src/network/networkd-dhcp4.c b/src/network/networkd-dhcp4.c
index 031507b663..efbae6d868 100644
--- a/src/network/networkd-dhcp4.c
+++ b/src/network/networkd-dhcp4.c
@@ -51,6 +51,13 @@ void network_adjust_dhcp4(Network *network) {
if (network->dhcp_client_identifier < 0)
network->dhcp_client_identifier = network->dhcp_anonymize ? DHCP_CLIENT_ID_MAC : DHCP_CLIENT_ID_DUID;
+
+ /* By default, RapidCommit= is enabled when Anonymize=no and neither AllowList= nor DenyList= is specified. */
+ if (network->dhcp_use_rapid_commit < 0)
+ network->dhcp_use_rapid_commit =
+ !network->dhcp_anonymize &&
+ set_isempty(network->dhcp_allow_listed_ip) &&
+ set_isempty(network->dhcp_deny_listed_ip);
}
static int dhcp4_prefix_covers(
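Review bot: An explicit `RapidCommit=yes` combined with `AllowList=`/`DenyList=` still leaves the lists unenforced for rapid ACK messages, because the block added at the end of network_adjust_dhcp4() only resolves the unset (-1) case and says nothing when the administrator sets both. Per the commit description the lists filter DHCPOFFER only, so that configuration can accept a lease from a server the lists were meant to exclude. A load-time warning would make this visible, e.g. `if (network->dhcp_use_rapid_commit > 0 && !(set_isempty(network->dhcp_allow_listed_ip) && set_isempty(network->dhcp_deny_listed_ip))) log_warning("%s: RapidCommit=yes is set together with AllowList=/DenyList=; rapid ACK messages are not filtered by the lists.", network->filename);`. Applying the lists to the sender of a rapid ACK would close the gap properly, but that code is outside this diff. The function starts above the hunk, so whether an earlier return can skip this block and leave the field at -1 is not visible here.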
diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf
index 628b1ad19f..dbdd578dc6 100644
--- a/src/network/networkd-network-gperf.gperf
+++ b/src/network/networkd-network-gperf.gperf
@@ -261,7 +261,7 @@ DHCPv4.Use6RD, config_parse_bool,
DHCPv4.IPv6OnlyMode, config_parse_tristate, 0, offsetof(Network, dhcp_ipv6_only_mode)
DHCPv4.NetLabel, config_parse_string, CONFIG_PARSE_STRING_SAFE, offsetof(Network, dhcp_netlabel)
DHCPv4.NFTSet, config_parse_nft_set, NFT_SET_PARSE_NETWORK, offsetof(Network, dhcp_nft_set_context)
-DHCPv4.RapidCommit config_parse_bool, 0, offsetof(Network, dhcp_use_rapid_commit)
+DHCPv4.RapidCommit config_parse_tristate, 0, offsetof(Network, dhcp_use_rapid_commit)
DHCPv6.UseAddress, config_parse_bool, 0, offsetof(Network, dhcp6_use_address)
DHCPv6.UseDelegatedPrefix, config_parse_bool, 0, offsetof(Network, dhcp6_use_pd_prefix)
DHCPv6.UseDNS, config_parse_dhcp_use_dns, AF_INET6, 0
diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c
index 72ed2abd95..6cbaf82d6f 100644
--- a/src/network/networkd-network.c
+++ b/src/network/networkd-network.c
@@ -396,7 +396,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
.dhcp_send_hostname = true,
.dhcp_send_release = true,
.dhcp_route_metric = DHCP_ROUTE_METRIC,
- .dhcp_use_rapid_commit = true,
+ .dhcp_use_rapid_commit = -1,
.dhcp_client_identifier = _DHCP_CLIENT_ID_INVALID,
.dhcp_route_table = RT_TABLE_MAIN,
.dhcp_ip_service_type = -1,
diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h
index 4995e55b53..03131b7061 100644
--- a/src/network/networkd-network.h
+++ b/src/network/networkd-network.h
@@ -141,7 +141,7 @@ struct Network {
bool dhcp_send_hostname_set;
int dhcp_broadcast;
int dhcp_ipv6_only_mode;
- bool dhcp_use_rapid_commit;
+ int dhcp_use_rapid_commit;
bool dhcp_use_dns;
bool dhcp_use_dns_set;
bool dhcp_routes_to_dns;
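Review bot: `dhcp_use_rapid_commit` is now a tristate whose unset value -1 is truthy, so any reader that still tests it as a boolean (`if (network->dhcp_use_rapid_commit)`) would treat "unset" as enabled on a Network that network_adjust_dhcp4() has not resolved. The readers of this field are outside the diff, so this is something to verify rather than a confirmed defect. A short comment on the field would document the contract, for example `int dhcp_use_rapid_commit; /* tristate: -1 = unset, resolved to 0/1 in network_adjust_dhcp4() */`. struct Network begins and ends outside the hunk.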