[Networkmanager] Can public/trusted network setting return to UI?

Thomas Haller thaller at redhat.com
Thu Jun 22 12:42:11 UTC 2023


On Wed, 2023-06-21 at 19:20 +0200, Petr Menšík wrote:
> On 21. 06. 23 16:42, Andrei Borzenkov wrote:
> > On 21.06.2023 17:19, Petr Menšík wrote:
> > > The problem with that approach is I would like to configure also
> > > other
> > > services based on that. Not only ports open to receive requests
> > > from
> > > outside, but also permission to join the interface with mdns
> > > service and
> > > send queries over it.
> > > 
> > > Is it possible to receive this information to dispatcher script,
> > > which
> > > might customize settings based on its value? Can I adjust
> > > services,
> > > stopping them instead of just blocking access to them?
> > > 
> > > I would like to set default values for few values, like:
> > > 
> > > public:
> > > 
> > > connection.lldp:                        no
> > > connection.mdns:                        no
> > > connection.llmnr:                       no
> > > connection.dns-over-tls:                yes
> > > ipv4.dhcp-send-hostname      no
> > > 
> > 
> > See "man NetworkManager.conf" for description how to set default 
> > values. ipv4.dhcp-send-hostname is not listed as supported though,
> > I 
> > do not know if it is just missing documentation.

The documentation is correct, only a subset is configurable via global
connection defaults, as documented in NetworkManager.conf.
"ipv4.dhcp-send-hostname" is not configurable because historically it's
just a boolean, and those global connection defaults only take effect if
the per-property value is set to a special "default"/"unset" value. Of
course, the underlying reason that this feature is not supported is
that nobody sent a patch to extend the existing mechanism in a backward
compatible way.
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/584

> The problem is I do not want general default values. I want to choose
> one of two "profiles", from which to set those values. Either one for
> public or trusted networks. Without having to set multiple values for
> each SSID I set public or trusted network. I would like to prepare 
> multiple different presets, not just one set of default values.

Note that there is a "[connection*].match-device=" option so you can
have default values per-interface. Maybe there could also be a
"[connection*].match-profile=" setting, so you could have defaults
based on certain profiles. It's not implemented however, and it is not
clear how this "match-profile" option could be powerful/flexible,
generic, consistent and understandable.

Maybe there also could be a "connection.defaults-from=" property in the
profile, and if set, then defaults would be first looked up on the
profile that is referenced. The advantage is, that this base profile is
just a profile itself and not a new concept, and all the tools for
creating profiles already exist. On the other hand, it's also confusing
that the default profile looks like a regular profile, but maybe you
never intend to activate it (which maybe could be solved by coloring
such profiles differently in the UI).

I think the proper way is to create the profiles with the values you
want. There is an API to set values of a property, just use it and
write a script. The benefit is also, that you can see the currently set
value in `nmcli -o connection show "$PROFILE"`, with the other two
approaches, it's not clear which default value is chosen at runtime.


Thomas



> > 
> > > possibly with ipv4.ignore-auto-dns=yes, and ipv4.dns=8.8.8.8
> > > 
> > > for trusted:
> > > 
> > > connection.lldp:                        default
> > > connection.mdns:                        yes
> > > connection.llmnr:                       yes
> > > connection.dns-over-tls:           opportunistic
> > > ipv4.dhcp-send-hostname      yes
> > > 
> > > I would like to kind of pre-configure different "groups" and
> > > assign
> > > connections to one of them. If I don't override value in
> > > connection
> > > itself, use values from the group. Not to manually specify the
> > > same for
> > > regionjet.cz SSID, CDWIFI SSID, airport SSID and similar places
> > > again
> > > and again. Is something similar possible without having a tool,
> > > which
> > > will copy values on network connection creation?
> > > 
> > > Kind of derived classes in C++, which get more and more
> > > specialized. How
> > > hard would be implementing something like that?
> > > 
> > > > Hi,
> > > > 
> > > > the "connection.zone" property is all that NetworkManager does
> > > > about
> > > > firewall. It only applies, if you also use firewalld. You would
> > > > configure the zones in firewalld, and "connection.zone" refers
> > > > to that.
> > > > 
> > > > I seem to remember, that nm-connection-editor hides the
> > > > configuration
> > > > option, if it detects that firewalld is not enabled. I guess
> > > > you are
> > > > looking at gnome-control-center? I don't know whether it
> > > > supports the
> > > > zone. If it doesn't, it possibly should. RFE/patch welcome. The
> > > > workaround is to configure the zone using nmcli:
> > > > 
> > > > >     $ nmcli connection modify "$PROFILE" connection.zone "$ZONE"
> > > > 
> > > > Make sure to enable and use firewalld.
> > > > 
> > > > 
> > > > Thomas
> > > > 
> > 
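A sketch of the "write a script" approach recommended in the reply above, as an added example that is not part of the original thread and is not NetworkManager's own code. It writes the public/trusted values listed in the thread into a profile explicitly, so nothing depends on an implicit default; the function names, the NMCLI override variable and the file name nm-preset.sh are assumptions of this sketch.

```sh
#!/bin/sh
# Added example. Preset values are the ones listed in this thread.
# NMCLI is a variable of this sketch (set NMCLI=echo for a dry run).
NMCLI="${NMCLI:-nmcli}"

# Print "property value" pairs, one per line, for a preset name.
preset_settings() {
    case "$1" in
    public)
        # The thread writes "no" for lldp; nmcli's name for that value
        # is "disable".
        printf '%s\n' \
            'connection.lldp disable' \
            'connection.mdns no' \
            'connection.llmnr no' \
            'connection.dns-over-tls yes' \
            'ipv4.dhcp-send-hostname no' ;;
    trusted)
        printf '%s\n' \
            'connection.lldp default' \
            'connection.mdns yes' \
            'connection.llmnr yes' \
            'connection.dns-over-tls opportunistic' \
            'ipv4.dhcp-send-hostname yes' ;;
    *)
        echo "unknown preset: $1" >&2
        return 1 ;;
    esac
}

# Write the whole preset into one profile with a single modify call.
apply_preset() {
    preset=$1 profile=$2
    [ -n "$profile" ] || { echo "usage: apply_preset PRESET PROFILE" >&2; return 2; }
    settings=$(preset_settings "$preset") || return 1
    set -- connection modify "$profile"
    while read -r prop value; do
        set -- "$@" "$prop" "$value"
    done <<EOF
$settings
EOF
    $NMCLI "$@"
}

# Invoked as: sh nm-preset.sh public "CDWIFI"
if [ "$#" -ge 2 ]; then
    apply_preset "$1" "$2" && $NMCLI -o connection show "$2"
fi
```

Because every value is stored in the profile itself, the closing `nmcli -o connection show` prints exactly what will be used on that network, including whether the hostname is sent in DHCP and whether mDNS/LLMNR are active.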


