network/dhcp: disable RapidCommit= by default when AllowList=/DenyList= is specified
authorYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 21 Nov 2023 20:17:58 +0000 (05:17 +0900)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 21 Nov 2023 20:24:18 +0000 (05:24 +0900)
AllowList= and DenyList= filter only DHCPOFFER messages. So, if
RapidCommit= is enabled, then networkd unconditionally accepts a rapid
ACK message even if its sender is filtered out by the lists.

As AllowList=/DenyList= implemented earlier than RapidCommit=, so
enabling RapidCommit= unconditionally by default may break existing
setups that use AllowList=/DenyList=.

Let's disable RapidCommit= by default when AllowList=/DenyList= is
enabled. The setting can still be enabled by setting it explicitly, even
when AllowList=/DenyList= is also specified.

man/systemd.network.xml
src/network/networkd-dhcp4.c
src/network/networkd-network-gperf.gperf
src/network/networkd-network.c
src/network/networkd-network.h

index 8bdcd42..63a3eef 100644 (file)
@@ -2236,7 +2236,8 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
           four-message exchange (discover, offer, request, and ack) is used. The two-message exchange
           provides faster client configuration. See
           <ulink url="https://tools.ietf.org/html/rfc4039">RFC 4039</ulink> for details.
-          Defaults to true.</para>
+          Defaults to true when <varname>Anonymize=no</varname> and neither <varname>AllowList=</varname>
+          nor <varname>DenyList=</varname> is specified, and false otherwise.</para>
 
           <xi:include href="version-info.xml" xpointer="v255"/>
         </listitem>
@@ -2670,6 +2671,9 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
           prefix length after <literal>/</literal>. DHCP offers from servers in the list are rejected.
           Note that if <varname>AllowList=</varname> is configured then <varname>DenyList=</varname> is
           ignored.</para>
+          <para>Note that this filters only DHCP offers, so the filtering may not work when
+          <varname>RapidCommit=</varname> is enabled. See also <varname>RapidCommit=</varname> in the above.
+          </para>
 
           <xi:include href="version-info.xml" xpointer="v246"/>
         </listitem>
@@ -2681,6 +2685,9 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix</programlisting>
           <para>A whitespace-separated list of IPv4 addresses. Each address can optionally take a
           prefix length after <literal>/</literal>. DHCP offers from servers in the list are accepted.
           </para>
+          <para>Note that this filters only DHCP offers, so the filtering may not work when
+          <varname>RapidCommit=</varname> is enabled. See also <varname>RapidCommit=</varname> in the above.
+          </para>
 
           <xi:include href="version-info.xml" xpointer="v246"/>
         </listitem>
index 031507b..efbae6d 100644 (file)
@@ -51,6 +51,13 @@ void network_adjust_dhcp4(Network *network) {
 
         if (network->dhcp_client_identifier < 0)
                 network->dhcp_client_identifier = network->dhcp_anonymize ? DHCP_CLIENT_ID_MAC : DHCP_CLIENT_ID_DUID;
+
+        /* By default, RapidCommit= is enabled when Anonymize=no and neither AllowList= nor DenyList= is specified. */
+        if (network->dhcp_use_rapid_commit < 0)
+                network->dhcp_use_rapid_commit =
+                        !network->dhcp_anonymize &&
+                        set_isempty(network->dhcp_allow_listed_ip) &&
+                        set_isempty(network->dhcp_deny_listed_ip);
 }
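Review bot: The new default on the RapidCommit line silently keeps the filter bypass when a user explicitly sets RapidCommit=yes together with AllowList=/DenyList=, which the commit message itself identifies as the case where a rapid ACK from a filtered-out server is accepted; nothing in the hunk tells the administrator that their lists are not enforced. Since network_adjust_dhcp4() already resolves the tristate here, this is the natural place to warn when the explicit value conflicts with the lists, e.g. `if (network->dhcp_use_rapid_commit > 0 && (!set_isempty(network->dhcp_allow_listed_ip) || !set_isempty(network->dhcp_deny_listed_ip))) log_warning("%s: RapidCommit= is enabled together with AllowList=/DenyList=, but the lists filter only DHCPOFFER messages; a rapid ACK from a listed server will be accepted.", network->filename);` (assuming Network carries the usual `filename` field; adjust to whatever the file uses in its other warnings). The comment on the first added line could also state the correctness precondition, `/* Must run after AllowList=/DenyList= are parsed; the default depends on whether they are empty. */`, since the resolution depends on the sets being populated before this function is called, which cannot be verified from the hunk. network_adjust_dhcp4() starts before the hunk.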
 
 static int dhcp4_prefix_covers(
index 628b1ad..dbdd578 100644 (file)
@@ -261,7 +261,7 @@ DHCPv4.Use6RD,                               config_parse_bool,
 DHCPv4.IPv6OnlyMode,                         config_parse_tristate,                                    0,                             offsetof(Network, dhcp_ipv6_only_mode)
 DHCPv4.NetLabel,                             config_parse_string,                                      CONFIG_PARSE_STRING_SAFE,      offsetof(Network, dhcp_netlabel)
 DHCPv4.NFTSet,                               config_parse_nft_set,                                     NFT_SET_PARSE_NETWORK,         offsetof(Network, dhcp_nft_set_context)
-DHCPv4.RapidCommit                           config_parse_bool,                                        0,                             offsetof(Network, dhcp_use_rapid_commit)
+DHCPv4.RapidCommit                           config_parse_tristate,                                    0,                             offsetof(Network, dhcp_use_rapid_commit)
 DHCPv6.UseAddress,                           config_parse_bool,                                        0,                             offsetof(Network, dhcp6_use_address)
 DHCPv6.UseDelegatedPrefix,                   config_parse_bool,                                        0,                             offsetof(Network, dhcp6_use_pd_prefix)
 DHCPv6.UseDNS,                               config_parse_dhcp_use_dns,                                AF_INET6,                      0
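Review bot: The rewritten RapidCommit line is missing the comma after the keyword that every neighbouring entry has (`DHCPv4.NFTSet,`, `DHCPv6.UseAddress,`); with gperf's default delimiters the keyword then extends into the parser name and the remaining fields shift, so RapidCommit= would likely not be recognised as a configuration key at all. The defect predates this commit but the commit rewrites the line, so it should be fixed here: `DHCPv4.RapidCommit,                          config_parse_tristate,                                    0,                             offsetof(Network, dhcp_use_rapid_commit)`. This assumes the file does not override `%delimiters` outside the hunk; if it does, the inconsistency with the surrounding lines is still worth fixing for readability.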
index 72ed2ab..6cbaf82 100644 (file)
@@ -396,7 +396,7 @@ int network_load_one(Manager *manager, OrderedHashmap **networks, const char *fi
                 .dhcp_send_hostname = true,
                 .dhcp_send_release = true,
                 .dhcp_route_metric = DHCP_ROUTE_METRIC,
-                .dhcp_use_rapid_commit = true,
+                .dhcp_use_rapid_commit = -1,
                 .dhcp_client_identifier = _DHCP_CLIENT_ID_INVALID,
                 .dhcp_route_table = RT_TABLE_MAIN,
                 .dhcp_ip_service_type = -1,
index 4995e55..03131b7 100644 (file)
@@ -141,7 +141,7 @@ struct Network {
         bool dhcp_send_hostname_set;
         int dhcp_broadcast;
         int dhcp_ipv6_only_mode;
-        bool dhcp_use_rapid_commit;
+        int dhcp_use_rapid_commit;
         bool dhcp_use_dns;
         bool dhcp_use_dns_set;
         bool dhcp_routes_to_dns;