Re: connection to disable an interface
Hi Thomas That is already very helpful for me. I will have a look at it and try to write a patch. Let's see if something comes out that works. Regards, Adrian On Sat, 2022-05-14 at 21:33 +0200, Thomas Haller wrote: > On Fri, 2022-05-13 at 23:23 +0200, Adrian Freihofer via networkmanager- > list wrote: > > Hi > > > > Is it somehow possible to disable an interface via NetworkManager? > > > > I am thinking of something like: > > > > nmcli connection modify con-eth0 802-3-ethernet.phy disabled > > nmcli connection up con-eth0 > > > > which would basically have the same effect as: > > > > ip link set eth0 down > > > > > > nmcli connection modify con-eth0 802-3-ethernet.phy enabled > > nmcli connection up con-eth0 > > > > which would basically have the same effect as: > > > > ip link set eth0 up > > > > > > The background is a security requirement. Unused interfaces must > > ideally remain disabled at the physical layer when a cable is plugged > > in. Ideally, the LEDs would also remain dark. > > > > If this function does not exist yet, would it be interesting for > > NetworkManager? > > Could the functionality be implemented with reasonable effort or > > would > > it be difficult to implement? > > > > Thank you and regards, > > Adrian > > no, what you ask for is currently not possible. > > > NM always likes to set the interface up, because otherwise it wouldn't > get a carrier event (to know whether a cable is plugged in). Doing that > causes other difficulties, like when the device is "disconnected" in > NetworkManager, then NetworkManager needs to set IPv6 addr-gen-mode > "none". Otherwise, kernel would already add an IPv6 address, which is > more than NetworkManager wants. What would be best, if kernel would > allow to enable carrier-detection on an interface, without all the > other things that "IFF_UP" brings. > > But what you ask for is very sensible. Just not done yet, and it's also > not entirely clear what do to. > > "ethernet.phy no" seems odd to me, because you have to activate a > profile to set it down. Also, most of the other settings of the profile > would be meaningless with "phy no". > > What you already can do, is `nmcli device set $IFNAME managed no`. I > think that is the way. The only problem with this is, that > NetworkManager will give up the interface and leave it to the user an a > not well-defined state. What would even be the right state? If the > device is currently connected, I partly think that NM should just leave > everything up (including all IP addresses). The advantage of that would > be, that setting a device unmanaged does not disconnect you right away. > On the other hand, if the device is currently disconnected and you set > it unmanaged, then I think the addr-gen-mode will stay at "none". That > is confusing to the user, because IPv6 does not work without > modification. Or should NM always deconfigure it? Maybe it is indeed > the latter, and then NM should also set the interface down. > > Patch welcome, but maybe first discuss what it should do in detail :) > Thank you. > > > best, > Thomas > ___ networkmanager-list mailing list networkmanager-list@gnome.org https://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: connection to disable an interface
On Sat, 2022-05-14 at 21:54 +0200, Thomas Haller via networkmanager- list wrote: > On Sat, 2022-05-14 at 22:43 +0300, Andrei Borzenkov wrote: > > On 14.05.2022 22:24, Thomas Haller wrote: > > > Hi, > > > > > > > > > On Sat, 2022-05-14 at 07:38 +0300, Andrei Borzenkov via > > > networkmanager- > > > list wrote: > > > > > > > > > > > > > > > The background is a security requirement. Unused interfaces > > > > > must > > > > > ideally remain disabled at the physical layer when a cable is > > > > > plugged > > > > > in. Ideally, the LEDs would also remain dark. > > > > > > > > > > > > > It sounds like > > > > > > > > no-auto-default=* > > > > > > > > mostly does what you want. Yes, we are already doing that. But it's only part of the solution. > > > > > > > > > that option merely disables that NetworkManager will automatically > > > generate a profile for ethernet devices, that don't have a profile > > > yet. > > > Such profiles are called "Wired connection 1", which is how you can > > > recognize it. > > > > > > This does very little magic, you can manually create a profile to > > > the > > > same effect. In any case, NetworkManager would have already set the > > > interface IFF_UP at this point -- regardless of "(no-)auto- > > > default". > > > It solves the problem after a reboot but it does not allow to disable a port via DBUS API. > > > > Sure, but usual question is - what are the expected threats? Simply > > having interface up does not hurt anyone (except may be audit > > company). That's exactly the point here. The use case is very similar to a switch where the user can enable or disable a port. The expectation is that the LEDs go off when the port is disabled and the link establishes as soon as the port gets enabled. The enable part is perfectly handled by NetworkManager. But the disable case is at least not obvious to me. In more detail: The use case is that Linux manages a switch via DSA. Creating a bridge with NetworkManager configures the switch chip to do all the switching in hardware. It's really great. Only the disabling of a port via DBUS API is not really ready for a security audit or a perfect responsive UI. That's why I'm asking if the "ip link down" feature could be somehow provided via DBUS API and nmconnection file by NetworkManager. Adrian > > But having automatic profile on interface allows someone to connect > > PC > > with DHCP server and so get known IP address to (attempt to) access > > the > > server. This is prevented by no-auto-default. > > > > you are right! > > Thomas > > ___ > networkmanager-list mailing list > networkmanager-list@gnome.org > https://mail.gnome.org/mailman/listinfo/networkmanager-list ___ networkmanager-list mailing list networkmanager-list@gnome.org https://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: connection to disable an interface
On Sat, 2022-05-14 at 22:43 +0300, Andrei Borzenkov wrote: > On 14.05.2022 22:24, Thomas Haller wrote: > > Hi, > > > > > > On Sat, 2022-05-14 at 07:38 +0300, Andrei Borzenkov via > > networkmanager- > > list wrote: > > > > > > > > > > > > The background is a security requirement. Unused interfaces > > > > must > > > > ideally remain disabled at the physical layer when a cable is > > > > plugged > > > > in. Ideally, the LEDs would also remain dark. > > > > > > > > > > It sounds like > > > > > > no-auto-default=* > > > > > > mostly does what you want. > > > > > > that option merely disables that NetworkManager will automatically > > generate a profile for ethernet devices, that don't have a profile > > yet. > > Such profiles are called "Wired connection 1", which is how you can > > recognize it. > > > > This does very little magic, you can manually create a profile to > > the > > same effect. In any case, NetworkManager would have already set the > > interface IFF_UP at this point -- regardless of "(no-)auto- > > default". > > > > Sure, but usual question is - what are the expected threats? Simply > having interface up does not hurt anyone (except may be audit > company). > But having automatic profile on interface allows someone to connect > PC > with DHCP server and so get known IP address to (attempt to) access > the > server. This is prevented by no-auto-default. > you are right! Thomas ___ networkmanager-list mailing list networkmanager-list@gnome.org https://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: connection to disable an interface
On 14.05.2022 22:24, Thomas Haller wrote: > Hi, > > > On Sat, 2022-05-14 at 07:38 +0300, Andrei Borzenkov via networkmanager- > list wrote: >>> >>> >>> The background is a security requirement. Unused interfaces must >>> ideally remain disabled at the physical layer when a cable is >>> plugged >>> in. Ideally, the LEDs would also remain dark. >>> >> >> It sounds like >> >> no-auto-default=* >> >> mostly does what you want. > > > that option merely disables that NetworkManager will automatically > generate a profile for ethernet devices, that don't have a profile yet. > Such profiles are called "Wired connection 1", which is how you can > recognize it. > > This does very little magic, you can manually create a profile to the > same effect. In any case, NetworkManager would have already set the > interface IFF_UP at this point -- regardless of "(no-)auto-default". > Sure, but usual question is - what are the expected threats? Simply having interface up does not hurt anyone (except may be audit company). But having automatic profile on interface allows someone to connect PC with DHCP server and so get known IP address to (attempt to) access the server. This is prevented by no-auto-default. ___ networkmanager-list mailing list networkmanager-list@gnome.org https://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: connection to disable an interface
On Fri, 2022-05-13 at 23:23 +0200, Adrian Freihofer via networkmanager- list wrote: > Hi > > Is it somehow possible to disable an interface via NetworkManager? > > I am thinking of something like: > > nmcli connection modify con-eth0 802-3-ethernet.phy disabled > nmcli connection up con-eth0 > > which would basically have the same effect as: > > ip link set eth0 down > > > nmcli connection modify con-eth0 802-3-ethernet.phy enabled > nmcli connection up con-eth0 > > which would basically have the same effect as: > > ip link set eth0 up > > > The background is a security requirement. Unused interfaces must > ideally remain disabled at the physical layer when a cable is plugged > in. Ideally, the LEDs would also remain dark. > > If this function does not exist yet, would it be interesting for > NetworkManager? > Could the functionality be implemented with reasonable effort or > would > it be difficult to implement? > > Thank you and regards, > Adrian no, what you ask for is currently not possible. NM always likes to set the interface up, because otherwise it wouldn't get a carrier event (to know whether a cable is plugged in). Doing that causes other difficulties, like when the device is "disconnected" in NetworkManager, then NetworkManager needs to set IPv6 addr-gen-mode "none". Otherwise, kernel would already add an IPv6 address, which is more than NetworkManager wants. What would be best, if kernel would allow to enable carrier-detection on an interface, without all the other things that "IFF_UP" brings. But what you ask for is very sensible. Just not done yet, and it's also not entirely clear what do to. "ethernet.phy no" seems odd to me, because you have to activate a profile to set it down. Also, most of the other settings of the profile would be meaningless with "phy no". What you already can do, is `nmcli device set $IFNAME managed no`. I think that is the way. The only problem with this is, that NetworkManager will give up the interface and leave it to the user an a not well-defined state. What would even be the right state? If the device is currently connected, I partly think that NM should just leave everything up (including all IP addresses). The advantage of that would be, that setting a device unmanaged does not disconnect you right away. On the other hand, if the device is currently disconnected and you set it unmanaged, then I think the addr-gen-mode will stay at "none". That is confusing to the user, because IPv6 does not work without modification. Or should NM always deconfigure it? Maybe it is indeed the latter, and then NM should also set the interface down. Patch welcome, but maybe first discuss what it should do in detail :) Thank you. best, Thomas ___ networkmanager-list mailing list networkmanager-list@gnome.org https://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: connection to disable an interface
Hi, On Sat, 2022-05-14 at 07:38 +0300, Andrei Borzenkov via networkmanager- list wrote: > > > > > > The background is a security requirement. Unused interfaces must > > ideally remain disabled at the physical layer when a cable is > > plugged > > in. Ideally, the LEDs would also remain dark. > > > > It sounds like > > no-auto-default=* > > mostly does what you want. that option merely disables that NetworkManager will automatically generate a profile for ethernet devices, that don't have a profile yet. Such profiles are called "Wired connection 1", which is how you can recognize it. This does very little magic, you can manually create a profile to the same effect. In any case, NetworkManager would have already set the interface IFF_UP at this point -- regardless of "(no-)auto-default". Thomas ___ networkmanager-list mailing list networkmanager-list@gnome.org https://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: connection to disable an interface
On 14.05.2022 00:23, Adrian Freihofer via networkmanager-list wrote: > Hi > > Is it somehow possible to disable an interface via NetworkManager? > > I am thinking of something like: > > nmcli connection modify con-eth0 802-3-ethernet.phy disabled > nmcli connection up con-eth0 > > which would basically have the same effect as: > > ip link set eth0 down > > > nmcli connection modify con-eth0 802-3-ethernet.phy enabled > nmcli connection up con-eth0 > > which would basically have the same effect as: > > ip link set eth0 up > > > The background is a security requirement. Unused interfaces must > ideally remain disabled at the physical layer when a cable is plugged > in. Ideally, the LEDs would also remain dark. > It sounds like no-auto-default=* mostly does what you want. > If this function does not exist yet, would it be interesting for > NetworkManager? > Could the functionality be implemented with reasonable effort or would > it be difficult to implement? > > Thank you and regards, > Adrian > ___ > networkmanager-list mailing list > networkmanager-list@gnome.org > https://mail.gnome.org/mailman/listinfo/networkmanager-list ___ networkmanager-list mailing list networkmanager-list@gnome.org https://mail.gnome.org/mailman/listinfo/networkmanager-list
