Fix a bug in the wifi executor script

When stopping wpa_supplicant, the code is supposed to check if a file named $PIDFILE exists and kill the process listed inside. Instead it was checking if a directory named $PIDFILE exists and because this was never the case, killing of the wpa_supplicant process would always silently fail.

This would, after a few invocations of the ifup command, leave the system with large number of running wpa_supplicant processes, all trying to take control of the same interface.

COPYING

@@ -1,4 +1,5 @@
-Copyright (c) 2020 Ariadne Conill <ariadne@dereferenced.org>
+Copyright (c) 2020-2021 Ariadne Conill <ariadne@dereferenced.org>
+Copyright (c) 2020-2021 Maximilian Wilhelm <max@sdn.clinic>
 
 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above

Makefile

@@ -14,7 +14,8 @@ CONFIG_FILE := /etc/network/ifupdown-ng.conf
 EXECUTOR_PATH := /usr/libexec/ifupdown-ng
 
 CFLAGS ?= -ggdb3 -Os
-CFLAGS += -Wall -Wextra
+CFLAGS += -Wall -Wextra -Werror
+CFLAGS += -Wmissing-declarations -Wmissing-prototypes -Wcast-align -Wpointer-arith -Wreturn-type
 CFLAGS += ${LIBBSD_CFLAGS}
 CPPFLAGS = -I.
 CPPFLAGS += -DINTERFACES_FILE=\"${INTERFACES_FILE}\"
@@ -119,6 +120,8 @@ EXECUTOR_SCRIPTS ?= ${EXECUTOR_SCRIPTS_CORE} ${EXECUTOR_SCRIPTS_OPT}
 
 EXECUTOR_SCRIPTS_STUB ?=
 
+EXECUTOR_SCRIPTS_NATIVE ?=
+
 TARGET_LIBS = ${LIBIFUPDOWN_LIB}
 LIBS += ${TARGET_LIBS} ${LIBBSD_LIBS}
 
@@ -153,6 +156,9 @@ install: all
 	for i in ${EXECUTOR_SCRIPTS_STUB}; do \
 		install -D -m755 executor-scripts/stub/$$i ${DESTDIR}${EXECUTOR_PATH}/$$i; \
 	done
+	for i in ${EXECUTOR_SCRIPTS_NATIVE}; do \
+		install -D -m755 executor-scripts/${LAYOUT}-native/$$i ${DESTDIR}${EXECUTOR_PATH}/$$i; \
+	done
 	install -D -m644 dist/ifupdown-ng.conf.example ${DESTDIR}${CONFIG_FILE}.example
 
 .scd.1 .scd.2 .scd.3 .scd.4 .scd.5 .scd.6 .scd.7 .scd.8:

README.md

@@ -39,7 +39,7 @@ On glibc systems, you must install `libbsd-dev` or equivalent and additionally d
     make LIBBSD_CFLAGS="$(pkg-config --cflags libbsd-overlay)" LIBBSD_LIBS="$(pkg-config --cflags --libs libbsd-overlay)"
     make install
 
-To run the tests, do `make check`. Running the checks requires `kyua` (`apk add kyua`, not packaged for Debian).
+To run the tests, do `make check`. Running the checks requires `kyua` (`apk add kyua` / `apt install kyua`).
 
 To build the documentation, do `make docs` and `make install_docs`.  Building
 the documentation requires scdoc (`apk add scdoc` / `apt install scdoc`).

cmd/ifctrstat-linux.c

@@ -17,7 +17,8 @@
 #include <limits.h>
 #include <stdio.h>
 #include <string.h>
-#include "multicall.h"
+#include "cmd/multicall.h"
+#include "cmd/ifctrstat-linux.h"
 
 struct counter_desc {
 	const char *name;
@@ -41,7 +42,7 @@ counter_compare(const void *key, const void *candidate)
 	return strcasecmp((const char *)key, ((struct counter_desc *)candidate)->name);
 }
 
-char *
+const char *
 read_counter(const char *interface, const char *counter)
 {
 	FILE *fp;

cmd/ifctrstat-linux.h

@@ -0,0 +1,22 @@
+/*
+ * cmd/ifctrstat-linux.c
+ * Purpose: Implement ifctrstat system-specific routines for Linux
+ *
+ * Copyright (c) 2021 Maximilian Wilhelm <max@sdn.clinic>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * This software is provided 'as is' and without any warranty, express or
+ * implied.  In no event shall the authors be liable for any damages arising
+ * from the use of this software.
+ */
+
+
+#ifndef IFUPDOWN_IFCTRSTAT_LINUX__H__GUARD
+#define IFUPDOWN_IFCTRSTAT_LINUX__H__GUARD
+
+extern const char * read_counter(const char *interface, const char *counter);
+
+#endif

cmd/ifctrstat.c

@@ -20,12 +20,11 @@
 #include <string.h>
 #include "libifupdown/libifupdown.h"
 #include "cmd/multicall.h"
+#include "cmd/ifctrstat-linux.h"
 
 extern struct counter_desc { const char *name; const void *data; } avail_counters[];
 extern int avail_counters_count;
 
-extern const char *read_counter(const char *interface, const char *counter);
-
 static bool show_label = true;
 
 static bool
@@ -96,7 +95,7 @@ ifctrstat_set_nolabel(const char *opt_arg)
 	show_label = false;
 }
 
-int
+static int
 ifctrstat_main(int argc, char *argv[])
 {
 	if (optind >= argc)

cmd/ifparse.c

@@ -131,7 +131,7 @@ pp_impl_cmp(const void *a, const void *b)
 	return strcmp(key, impl->name);
 }
 
-int
+static int
 ifparse_main(int argc, char *argv[])
 {
 	struct lif_dict state = {};

cmd/ifquery.c

@@ -22,7 +22,7 @@
 #include "cmd/multicall.h"
 #include "cmd/pretty-print-iface.h"
 
-void
+static void
 print_interface_dot(struct lif_dict *collection, struct lif_interface *iface, struct lif_interface *parent)
 {
 	if (!lif_lifecycle_query_dependents(&exec_opts, iface, iface->ifname))
@@ -57,7 +57,7 @@ print_interface_dot(struct lif_dict *collection, struct lif_interface *iface, st
 	}
 }
 
-void
+static void
 print_interface_property(struct lif_interface *iface, const char *property)
 {
 	struct lif_node *iter;
@@ -83,7 +83,7 @@ print_interface_property(struct lif_interface *iface, const char *property)
 	}
 }
 
-void
+static void
 list_interfaces(struct lif_dict *collection, struct match_options *opts)
 {
 	struct lif_node *iter;
@@ -126,7 +126,7 @@ list_interfaces(struct lif_dict *collection, struct match_options *opts)
 static bool listing = false, listing_stat = false, listing_running = false;
 static bool allow_undefined = false;
 
-void
+static void
 list_state(struct lif_dict *state, struct match_options *opts)
 {
 	struct lif_node *iter;
@@ -217,7 +217,7 @@ static struct if_option_group local_option_group = {
 	.group = local_options
 };
 
-int
+static int
 ifquery_main(int argc, char *argv[])
 {
 	struct lif_dict state = {};

cmd/ifupdown.c

@@ -27,7 +27,7 @@
 
 static bool up;
 
-bool
+static bool
 is_ifdown()
 {
 	if (strstr(argv0, "ifdown") != NULL)
@@ -36,7 +36,7 @@ is_ifdown()
 	return false;
 }
 
-int
+static int
 acquire_state_lock(const char *state_path, const char *lifname)
 {
 	if (exec_opts.mock || exec_opts.no_lock)
@@ -94,7 +94,7 @@ acquire_state_lock(const char *state_path, const char *lifname)
 	return fd;
 }
 
-bool
+static bool
 skip_interface(struct lif_interface *iface, const char *ifname, struct lif_dict *state, bool update_state)
 {
 	if (iface->is_template)
@@ -146,7 +146,7 @@ skip_interface(struct lif_interface *iface, const char *ifname, struct lif_dict
 	return false;
 }
 
-bool
+static bool
 change_interface(struct lif_interface *iface, struct lif_dict *collection, struct lif_dict *state, const char *ifname, bool update_state)
 {
 	int lockfd = acquire_state_lock(exec_opts.state_file, ifname);
@@ -194,7 +194,7 @@ change_interface(struct lif_interface *iface, struct lif_dict *collection, struc
 	return true;
 }
 
-bool
+static bool
 change_auto_interfaces(struct lif_dict *collection, struct lif_dict *state, struct match_options *opts)
 {
 	struct lif_node *iter;
@@ -222,7 +222,7 @@ change_auto_interfaces(struct lif_dict *collection, struct lif_dict *state, stru
 	return true;
 }
 
-int
+static int
 update_state_file_and_exit(int rc, struct lif_dict *state)
 {
 	if (exec_opts.mock)
@@ -243,7 +243,7 @@ update_state_file_and_exit(int rc, struct lif_dict *state)
 	return rc;
 }
 
-int
+static int
 ifupdown_main(int argc, char *argv[])
 {
 	up = !is_ifdown();

cmd/multicall-exec-options.c

@@ -21,10 +21,13 @@
 #include <getopt.h>
 #include "cmd/multicall.h"
 
+#define DEFAULT_TIMEOUT		300
+
 struct lif_execute_opts exec_opts = {
 	.interfaces_file = INTERFACES_FILE,
 	.executor_path = EXECUTOR_PATH,
-	.state_file = STATE_FILE
+	.state_file = STATE_FILE,
+	.timeout = DEFAULT_TIMEOUT,
 };
 
 static void
@@ -74,6 +77,14 @@ set_force(const char *opt_arg)
 	exec_opts.force = true;
 }
 
+static void
+set_timeout(const char *opt_arg)
+{
+	exec_opts.timeout = atoi(opt_arg);
+	if (exec_opts.timeout < 0)
+		exec_opts.timeout = DEFAULT_TIMEOUT;
+}
+
 static struct if_option exec_options[] = {
 	{'f', "force", NULL, "force (de)configuration", false, set_force},
 	{'i', "interfaces", "interfaces FILE", "use FILE for interface definitions", true, set_interfaces_file},
@@ -82,6 +93,7 @@ static struct if_option exec_options[] = {
 	{'v', "verbose", NULL, "show what commands are being run", false, set_verbose},
 	{'E', "executor-path", "executor-path PATH", "use PATH for executor directory", true, set_executor_path},
 	{'S', "state-file", "state-file FILE", "use FILE for state", true, set_state_file},
+	{'T', "timeout", "timeout TIMEOUT", "wait TIMEOUT seconds for executors to complete", true, set_timeout},
 };
 
 struct if_option_group exec_option_group = {

cmd/multicall.c

@@ -62,7 +62,7 @@ struct if_applet *applet_table[] = {
 	&ifupdown_applet,
 };
 
-int
+static int
 applet_cmp(const void *a, const void *b)
 {
 	const char *key = a;
@@ -101,7 +101,7 @@ main(int argc, char *argv[])
 	return self_applet->main(argc, argv);
 }
 
-int
+static int
 multicall_main(int argc, char *argv[])
 {
 	if (argc < 2)

doc/ifdown.scd

@@ -45,6 +45,10 @@ configured in the configuration database.
 *-S, --state-file* _FILE_
 	Use _FILE_ as the state database.
 
+*-T, --timeout* _TIMEOUT_
+	Wait up to _TIMEOUT_ seconds for executors to complete before
+	raising an error.
+
 *-V, --version*
 	Print the ifupdown-ng version and exit.
 

doc/ifparse.scd

@@ -43,6 +43,10 @@ stanzas between different formats.
 *-S, --state-file* _FILE_
 	Use _FILE_ as the state database.
 
+*-T, --timeout* _TIMEOUT_
+	Wait up to _TIMEOUT_ seconds for executors to complete before
+	raising an error.
+
 *-V, --version*
 	Print the ifupdown-ng version and exit.
 

doc/ifquery.scd

@@ -62,6 +62,10 @@ configuration file to the current format.
 *-S, --state-file* _FILE_
 	Use _FILE_ as the state database.
 
+*-T, --timeout* _TIMEOUT_
+	Wait up to _TIMEOUT_ seconds for executors to complete before
+	raising an error.
+
 *-V, --version*
 	Print the ifupdown-ng version and exit.
 

doc/ifup.scd

@@ -48,6 +48,10 @@ configured in the configuration database.
 *-S, --state-file* _FILE_
 	Use _FILE_ as the state database.
 
+*-T, --timeout* _TIMEOUT_
+	Wait up to _TIMEOUT_ seconds for executors to complete before
+	raising an error.
+
 *-V, --version*
 	Print the ifupdown-ng version and exit.
 

doc/interfaces-vxlan.scd

@@ -32,26 +32,33 @@ other options are optional.
 
 *vxlan-physdev* _interface_
 	Specifies the physical ("underlay") device to use for tunnel
-	endpoint communication.
+	endpoint communication.  This is required for setups using
+	multicast.
 
 *vxlan-local-ip* _address_
 	Specifies the source IP address to use in outgoing packets.
 	For compatiblity with ifupdown2 _vxlan-local-tunnelip_ is an
 	alias for this parameter.
 
-*vxlan-remote-ip* _address_
-	Specifies the unicast destination IP address to use in outgoing
+*vxlan-peer-ips* _list of IP addresses_
+	Specifies the unicast destination IP address(es) to use in outgoing
 	packets when the destination link layer address is not known in
-	the VXLAN device forwarding database. This parameter cannot be
-	specified with the _vxlan-remote-group_ parameter.
-	For compatiblity with ifupdown2 _vxlan-remoteip_ is an alias for
-	this parameter.
+	the VXLAN device forwarding database.  This option can be used to
+	form Point-to-Point as well as Point-to-Multipoint VXLAN tunnels/
+	overlays depending on how many peer IPs are given.  If more than one
+	IP address is given a Point-to-Multipoint overlay is being set up
+	and ingress / head-end replication will be used by the Linux Kernel.
+	This option cannot be used together with _vxlan-peer-group_ option.
+	For compatiblity with ifupdown2 _vxlan-remoteip_ is an alias for this option
+	and for compatibility with previos versions of ifupdown-ng _vxlan-remote-ip_
+	is an alias for this option, too.
 
-*vxlan-remote-group* _multicast group_
-	Specifies the multicast group IP address to join. This parameter
-	cannot be specified with the _vxlan-remote-ip_ parameter.
-	For compatibility with ifupdown2 _vxlan-svcnodeip_ is an alias for
-	this parameter.
+*vxlan-peer-group* _multicast group_
+	Specifies the multicast group address to join, requires _vxlan-phsydev_
+	to be set as well.  This parameter cannot be specified in combination
+	with the _vxlan-peer-ips_ parameter.  For compatibility with ifupdown2
+	_vxlan-svcnodeip_ is an alias for this option and for compatibility
+	with previos version of ifupdown-ng _vxlan-remote-group_ is an alias, too.
 
 *vxlan-learning* _on/off_
 	Specifies if unknown source link layer addresses and IP addresses
@@ -79,22 +86,46 @@ iface vx_v1001_padcty
 	mtu 1560
 ```
 
+The same works just fine with IPv6 in the underlay:
+
+```
+auto vx_v1400_padcty
+iface vx_v1400_padcty
+        vxlan-id           917505
+        vxlan-physdev      vlan1400
+        vxlan-peer-group   ff42:1400::1
+        #
+        hwaddress f2:00:0d:01:14:00
+        mtu 1560
+```
+
 Note that the underlay must have an MTU of at least 1610 to
-carry the encapsulated packets.
+carry the encapsulated packets of the two VTEPs above.
 
 
-A VTEP with one peer (point-to-point configuration):
+A VTEP with one peer (unicast point-to-point configuration):
 
 ```
 auto vx_ptp1
 iface vx_ptp1
 	vxlan-id        2342
 	vxlan-local-ip  192.0.2.42
-	vxlan-remote-ip 198.51.100.23
+	vxlan-peer-ips  198.51.100.23
 	#
 	hwaddress f2:00:c1:01:10:01
 ```
 
+
+A VTEP with multiple peers (unicast point-to-multipoint with ingress / head-end replication):
+
+```
+auto vx_her
+iface vx_her
+	vxlan-id	1337
+	vxlan-local-ip	2001:db8:1::1
+	vxlan-peer-ips  2001:db8:2::23 2001:db8:3::42 2001:db8:4::84
+```
+
 # AUTHORS
 
 Maximilian Wilhelm <max@sdn.clinic>

doc/interfaces-wireguard.scd

@@ -18,6 +18,15 @@ allow to set up Wireguard VPN tunnels.
 	used. In the latter case _use wireguard_ has to be explicitly
 	set to the interface configuration.
 
+	Be aware that the given configuration file will be loaded using
+	*wg setconf* and not with *wg-quick*.  The file format for both
+	tools isn't compatible so you have to make sure you provide a
+	valid configuration file for the *wg* tool.  If you already have
+	a configuration file for *wg-quick* you can set up the tunnel
+	manually once and then dump the configuration using *wg showconf*
+	and save this to _path_.
+
+
 # EXAMPLES
 
 A Wireguard VPN tunnel with explicit configuration file specified

executor-scripts/linux/vxlan

@@ -10,8 +10,8 @@
 # IF_VXLAN_ID		The VXLAN Network Identifier (VNI)
 # IF_VXLAN_PHYSDEV	Specifies the physical device to use for tunnel endpoint communication
 # IF_VXLAN_LOCAL_IP	Specifies the source IP address to use in outgoing packets
-# IF_VXLAN_REMOTE_IP	IP of the remote VTEP endpoint (for ptp mode)
-# IF_VXLAN_REMOTE_GROUP	Multicast group to use for this VNI (for ptmp mode)
+# IF_VXLAN_PEER_IPS	Space separated list of IPs of the remote VTEP endpoint (for ptp/ptmp mode with ingress replication)
+# IF_VXLAN_PEER_GROUP	Multicast group to use for this VNI (for ptmp mode with multicast)
 # IF_VXLAN_LEARNING	Wether to activate MAC learning on this instance (on/off)
 # IF_VXLAN_AGEING	Specifies the lifetime in seconds of FDB entries learnt by the kernel
 # IF_VXLAN_DSTPORT	UDP destination port to communicate to the remote VXLAN tunnel endpoint (default 4789)
@@ -36,17 +36,27 @@ case "$PHASE" in
 		fi
 
 		# Input validation
-		if [ "${IF_VXLAN_REMOTE_IP}" -a "${IF_VXLAN_REMOTE_GROUP}" ]; then
-			echo "Error on ${IFACE} (vxlan): Only one of 'remote' and 'group' can be given!" >&2
+		if [ "${IF_VXLAN_PEER_IPS}" -a "${IF_VXLAN_PEER_GROUP}" ]; then
+			echo "Error on ${IFACE} (vxlan): Only one of 'vxlan-peer-ips' and 'vxlan-peer-group' can be used!" >&2
 			exit 1
 		fi
 
+		# Check if we should operate in unicast ptp or ptmp mode
+		if [ "${IF_VXLAN_PEER_IPS}" ]; then
+			# If it's only one thing which looks like an IPv4/IPv6 address we assume it's ptp
+			if echo "${IF_VXLAN_PEER_IPS}" | grep -q '^[[:space:]]*[[:xdigit:].:]\+[[:space:]]*$'; then
+				UCAST_MODE="ptp"
+			else
+				UCAST_MODE="ptmp"
+			fi
+		fi
+
 		# Gather arguments
 		ARGS=""
 		[ "${IF_VXLAN_PHYSDEV}" ] && ARGS="${ARGS} dev ${IF_VXLAN_PHYSDEV}"
 		[ "${IF_VXLAN_LOCAL_IP}" ] && ARGS="${ARGS} local ${IF_VXLAN_LOCAL_IP}"
-		[ "${IF_VXLAN_REMOTE_IP}" ] && ARGS="${ARGS} remote ${IF_VXLAN_REMOTE_IP}"
-		[ "${IF_VXLAN_REMOTE_GROUP}" ] && ARGS="${ARGS} group ${IF_VXLAN_REMOTE_GROUP}"
+		[ "${UCAST_MODE}" = "ptp" ] && ARGS="${ARGS} remote ${IF_VXLAN_PEER_IPS}"
+		[ "${IF_VXLAN_PEER_GROUP}" ] && ARGS="${ARGS} group ${IF_VXLAN_PEER_GROUP}"
 		[ "${IF_VXLAN_AGEING}" ] && ARGS="${ARGS} ageing ${IF_VXLAN_AGEING}"
 
 		# Linux uses non-standard default port - WTF?
@@ -67,6 +77,13 @@ case "$PHASE" in
 		esac
 
 		${MOCK} ip link add "${IFACE}" type vxlan id "${IF_VXLAN_ID}" ${ARGS}
+
+		# Set up FDB entries for peer VTEPs
+		if [ "${UCAST_MODE}" = "ptmp" ]; then
+			for peer in ${IF_VXLAN_PEER_IPS}; do
+				${MOCK} bridge fdb append 00:00:00:00:00:00 dev "${IFACE}" dst "${peer}" self permanent
+			done
+		fi
 		;;
 
 	destroy)

executor-scripts/linux/wifi

@@ -79,7 +79,7 @@ stop_wpa_supplicant() {
 	[ -z "$IF_WIFI_CONFIG_PATH" ] && rm -- "$WIFI_CONFIG_PATH"
 
 	# If there is no PIDFILE, there is nothing we can do
-	[ ! -d "$PIDFILE" ] && return
+	[ ! -f "$PIDFILE" ] && return
 
 	pid=$(cat "$PIDFILE")
 	rm -- "$PIDFILE"

libifupdown/compat.c

@@ -16,6 +16,7 @@
 #include <stdbool.h>
 #include <stdio.h>
 #include <string.h>
+#include "libifupdown/compat.h"
 #include "libifupdown/config-file.h"
 #include "libifupdown/dict.h"
 #include "libifupdown/interface.h"
@@ -102,7 +103,7 @@ compat_ifupdown2_bridge_ports_inherit_vlans(struct lif_dict *collection)
 	return true;
 }
 
-extern bool
+bool
 lif_compat_apply(struct lif_dict *collection)
 {
 	if (lif_config.compat_ifupdown2_bridge_ports_inherit_vlans &&

libifupdown/compat.h

@@ -17,6 +17,7 @@
 #define LIBIFUPDOWN__COMPAT_H
 
 #include "libifupdown/config-file.h"
+#include "libifupdown/dict.h"
 
 extern bool lif_compat_apply (struct lif_dict *collection);
 

libifupdown/execute.c

@@ -30,6 +30,86 @@
 
 #define SHELL	"/bin/sh"
 
+#if defined(__linux__)
+# include <sys/syscall.h>
+#endif
+
+/* POSIX compatible fallback using waitpid(2) and usleep(3) */
+static inline bool
+lif_process_monitor_busyloop(pid_t child, int timeout_sec, int *status)
+{
+	int ticks = 0;
+
+	while (ticks < timeout_sec * 20)
+	{
+		/* Ugly hack: most executors finish very quickly,
+		 * so give them a chance to finish before sleeping.
+		 */
+		usleep(50);
+
+		if (waitpid(child, status, WNOHANG) == child)
+			return true;
+
+		usleep(49950);
+		ticks++;
+	}
+
+	return false;
+}
+
+#if defined(__linux__) && defined(__NR_pidfd_open)
+
+/* TODO: remove this wrapper once musl and glibc gain pidfd_open() directly. */
+static inline int
+lif_pidfd_open(pid_t pid, unsigned int flags)
+{
+	return syscall(__NR_pidfd_open, pid, flags);
+}
+
+static inline bool
+lif_process_monitor_procdesc(pid_t child, int timeout_sec, int *status)
+{
+	int pidfd = lif_pidfd_open(child, 0);
+
+	/* pidfd_open() not available, fall back to busyloop */
+	if (pidfd == -1 && errno == ENOSYS)
+		return lif_process_monitor_busyloop(child, timeout_sec, status);
+
+	struct pollfd pfd = {
+		.fd = pidfd,
+		.events = POLLIN,
+	};
+
+	if (poll(&pfd, 1, timeout_sec * 1000) < 1)
+		return false;
+
+	waitpid(child, status, 0);
+	close(pidfd);
+	return true;
+}
+
+#endif
+
+static inline bool
+lif_process_monitor(const char *cmdbuf, pid_t child, int timeout_sec)
+{
+	int status;
+
+#if defined(__linux__) && defined(__NR_pidfd_open)
+	if (lif_process_monitor_procdesc(child, timeout_sec, &status))
+		return WIFEXITED(status) && WEXITSTATUS(status) == 0;
+#else
+	if (lif_process_monitor_busyloop(child, timeout_sec, &status))
+		return WIFEXITED(status) && WEXITSTATUS(status) == 0;
+#endif
+
+	fprintf(stderr, "execution of '%s': timeout after %d seconds\n", cmdbuf, timeout_sec);
+	kill(child, SIGKILL);
+	waitpid(child, &status, 0);
+
+	return false;
+}
+
 bool
 lif_execute_fmt(const struct lif_execute_opts *opts, char *const envp[], const char *fmt, ...)
 {
@@ -55,10 +135,7 @@ lif_execute_fmt(const struct lif_execute_opts *opts, char *const envp[], const c
 		return false;
 	}
 
-	int status;
-	waitpid(child, &status, 0);
-
-	return WIFEXITED(status) && WEXITSTATUS(status) == 0;
+	return lif_process_monitor(cmdbuf, child, opts->timeout);
 }
 
 bool
@@ -118,11 +195,8 @@ lif_execute_fmt_with_result(const struct lif_execute_opts *opts, char *buf, size
 		return false;
 	}
 
-	int status;
 no_result:
-	waitpid(child, &status, 0);
-
-	return WIFEXITED(status) && WEXITSTATUS(status) == 0;
+	return lif_process_monitor(cmdbuf, child, opts->timeout);
 }
 
 bool

libifupdown/execute.h

@@ -27,6 +27,7 @@ struct lif_execute_opts {
 	const char *executor_path;
 	const char *interfaces_file;
 	const char *state_file;
+	int timeout;
 };
 
 extern bool lif_execute_fmt(const struct lif_execute_opts *opts, char *const envp[], const char *fmt, ...);

libifupdown/interface-file.c

@@ -100,8 +100,10 @@ static const struct remap_token tokens[] = {
 	{"vendor", "dhcp-vendor"},			/* legacy ifupdown */
 	{"vrf", "vrf-member"},				/* ifupdown2 */
 	{"vxlan-local-tunnelip", "vxlan-local-ip"},	/* ifupdown2 */
-	{"vxlan-remoteip", "vxlan-remote-ip"},		/* ifupdown2 */
-	{"vxlan-svcnodeip", "vxlan-remote-group"},	/* ifupdown2 */
+	{"vxlan-remote-group", "vxlan-peer-group"},	/* ifupdown-ng */
+	{"vxlan-remoteip", "vxlan-peer-ips"},		/* ifupdown2 */
+	{"vxlan-remote-ip", "vxlan-peer-ips"},		/* ifupdown-ng */
+	{"vxlan-svcnodeip", "vxlan-peer-group"},	/* ifupdown2 */
 };
 
 static int

libifupdown/lifecycle.c

@@ -94,7 +94,8 @@ query_dependents_from_executors(const struct lif_execute_opts *opts, char *const
 		struct lif_execute_opts exec_opts = {
 			.verbose = opts->verbose,
 			.executor_path = opts->executor_path,
-			.interfaces_file = opts->interfaces_file
+			.interfaces_file = opts->interfaces_file,
+			.timeout = opts->timeout,
 		};
 
 		if (strcmp(entry->key, "use"))
@@ -114,7 +115,7 @@ query_dependents_from_executors(const struct lif_execute_opts *opts, char *const
 	return true;
 }
 
-bool
+static bool
 append_to_buffer(char **buffer, size_t *buffer_len, char **end, const char *value)
 {
 	size_t value_len = strlen (value);

tests/linux/vxlan_test

@@ -5,7 +5,8 @@ EXECUTOR="$(atf_get_srcdir)/../../executor-scripts/linux/vxlan"
 
 tests_init \
 	create_simple \
-	create_ucast \
+	create_ucast_ptp \
+	create_ucast_ptmp \
 	create_mcast \
 	create_physdev \
 	create_dstport \
@@ -18,14 +19,24 @@ create_simple_body() {
 		${EXECUTOR}
 }
 
-create_ucast_body() {
-	export IFACE=vx_foo PHASE=create MOCK=echo IF_VXLAN_ID=2342 IF_VXLAN_REMOTE_IP=192.2.0.42
+create_ucast_ptp_body() {
+	export IFACE=vx_foo PHASE=create MOCK=echo IF_VXLAN_ID=2342 IF_VXLAN_PEER_IPS=192.2.0.42
 	atf_check -s exit:0 -o match:'ip link add vx_foo type vxlan id 2342 remote 192.2.0.42' \
 		${EXECUTOR}
 }
 
+create_ucast_ptmp_body() {
+	export IFACE=vx_foo PHASE=create MOCK=echo IF_VXLAN_ID=2342 IF_VXLAN_PEER_IPS="10.0.0.1 10.0.0.2 10.0.0.3"
+	atf_check -s exit:0 \
+		-o match:'ip link add vx_foo type vxlan id 2342 dstport 4789' \
+		-o match:'bridge fdb append 00:00:00:00:00:00 dev vx_foo dst 10.0.0.1 self permanent' \
+		-o match:'bridge fdb append 00:00:00:00:00:00 dev vx_foo dst 10.0.0.2 self permanent' \
+		-o match:'bridge fdb append 00:00:00:00:00:00 dev vx_foo dst 10.0.0.3 self permanent' \
+		${EXECUTOR}
+}
+
 create_mcast_body() {
-	export IFACE=vx_foo PHASE=create MOCK=echo IF_VXLAN_ID=2342 IF_VXLAN_REMOTE_GROUP=225.0.8.15
+	export IFACE=vx_foo PHASE=create MOCK=echo IF_VXLAN_ID=2342 IF_VXLAN_PEER_GROUP=225.0.8.15
 	atf_check -s exit:0 -o match:'ip link add vx_foo type vxlan id 2342 group 225.0.8.15' \
 		${EXECUTOR}
 }