Re: connection to disable an interface



Hi Thomas

That is already very helpful for me. I will have a look at it and try
to write a patch. Let's see if something comes out that works.

Regards,
Adrian

On Sat, 2022-05-14 at 21:33 +0200, Thomas Haller wrote:
On Fri, 2022-05-13 at 23:23 +0200, Adrian Freihofer via
networkmanager-list wrote:
Hi

Is it somehow possible to disable an interface via NetworkManager?

I am thinking of something like:

nmcli connection modify con-eth0 802-3-ethernet.phy disabled
nmcli connection up con-eth0

which would basically have the same effect as:

ip link set eth0 down


nmcli connection modify con-eth0 802-3-ethernet.phy enabled
nmcli connection up con-eth0

which would basically have the same effect as:

ip link set eth0 up


The background is a security requirement. Unused interfaces must
ideally remain disabled at the physical layer when a cable is plugged
in. Ideally, the LEDs would also remain dark.

If this function does not exist yet, would it be interesting for
NetworkManager?
Could the functionality be implemented with reasonable effort or would
it be difficult to implement?

Thank you and regards,
Adrian

no, what you ask for is currently not possible.


NM always likes to set the interface up, because otherwise it wouldn't
get a carrier event (to know whether a cable is plugged in). Doing that
causes other difficulties, like when the device is "disconnected" in
NetworkManager, then NetworkManager needs to set IPv6 addr-gen-mode
"none". Otherwise, kernel would already add an IPv6 address, which is
more than NetworkManager wants. What would be best, if kernel would
allow to enable carrier-detection on an interface, without all the
other things that "IFF_UP" brings.

But what you ask for is very sensible. Just not done yet, and it's also
not entirely clear what to do.

"ethernet.phy no" seems odd to me, because you have to activate a
profile to set it down. Also, most of the other settings of the profile
would be meaningless with "phy no".

What you already can do, is `nmcli device set $IFNAME managed no`. I
think that is the way. The only problem with this is, that
NetworkManager will give up the interface and leave it to the user in a
not well-defined state. What would even be the right state? If the
device is currently connected, I partly think that NM should just leave
everything up (including all IP addresses). The advantage of that would
be, that setting a device unmanaged does not disconnect you right away.
On the other hand, if the device is currently disconnected and you set
it unmanaged, then I think the addr-gen-mode will stay at "none". That
is confusing to the user, because IPv6 does not work without
modification. Or should NM always deconfigure it? Maybe it is indeed
the latter, and then NM should also set the interface down.

Patch welcome, but maybe first discuss what it should do in detail :)
Thank you.


best,
Thomas
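
An added example, not part of the original thread: a small audit that applies the workaround discussed above (set the device unmanaged, then set the link down explicitly) to every interface that is administratively up but not on an allowlist. The function names, the allowlist and the sample `ip -o link show` text are constructed for illustration; the script only prints the commands it would run.

```shell
#!/bin/sh
# Constructed sample of `ip -o link show` output (not from a real host).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state DOWN
4: eth2: <BROADCAST,MULTICAST> mtu 1500 state DOWN'

# Read `ip -o link show` text on stdin and print every interface whose
# flag list contains IFF_UP. LOWER_UP (carrier) is deliberately ignored:
# eth1 has no cable but is still administratively up.
links_admin_up() {
    awk -F': ' '{
        name = $2; sub(/@.*/, "", name)   # drop "@parent" on VLAN/veth names
        flags = $3; sub(/^</, "", flags); sub(/>.*/, "", flags)
        n = split(flags, f, ",")
        for (i = 1; i <= n; i++) if (f[i] == "UP") { print name; break }
    }'
}

# Arguments are the allowlist of interfaces that may stay up.
# Prints admin-up interfaces that are not on it.
unused_but_up() {
    links_admin_up | while read -r ifname; do
        keep=no
        for allowed in "$@"; do
            if [ "$ifname" = "$allowed" ]; then keep=yes; fi
        done
        if [ "$keep" = no ]; then echo "$ifname"; fi
    done
}

# Print the remediation for each finding. The device is set unmanaged
# first so NetworkManager stops setting it up, then the link is set
# down explicitly instead of being left in an undefined state.
lockdown_cmds() {
    unused_but_up "$@" | while read -r ifname; do
        echo "nmcli device set $ifname managed no"
        echo "ip link set $ifname down"
    done
}

# Demo on the constructed sample; on a live host use:
#   ip -o link show | lockdown_cmds lo eth0
printf '%s\n' "$SAMPLE_LINKS" | lockdown_cmds lo eth0
```

Review the printed commands before piping them to a root shell.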



