Re: Preventing network scans once connected via libnm

From: Beniamino Galvani <bgalvani redhat com>
To: Charles Lohr <charlesl valvesoftware com>
Cc: "'networkmanager-list gnome org'" <networkmanager-list gnome org>
Subject: Re: Preventing network scans once connected via libnm
Date: Mon, 3 Oct 2022 10:13:18 +0200

On Sat, Oct 01, 2022 at 12:46:24AM +0000, Charles Lohr via networkmanager-list wrote:

In our application, we need to maintain connection to an AP and it needs to stay low latency for a variety 
of reasons.  Whenever networks are scanned, for us they create an unacceptable level of latency (>50ms in 
many cases) on the connection.

Sometimes we stop NetworkManager from running with `pkill -STOP NetworkManager` and `pkill -CONT 
NetworkManager` but, for a variety of reasons this is disadvantageous.

I've seen references to people online saying you can prevent scanning once connected by specifying a BSSID, 
but I don't see how that can be done with libnm.

Currently we use the following, where path can be gotten from either a scan or `nm_connection_get_path`

```
nm_client_activate_connection_async ( m_pClient, conn, (NMDevice*)m_pDevice, sAccessPointPath.c_str(), 
nullptr, []( GObject* pObj, GAsyncResult* res, gpointer pContext ) {...} );
```

What mechanism can we use to specify that a given path should lock it's BSSID when using NetworkManager via 
libnm?


Hi,

to disable scanning, you can set the property
NM_SETTING_WIRELESS_BSSID of the setting NMSettingWireless to the AP's
BSSID when the connection profile is created. To get the AP's BSSID
use nm_access_point_get_bssid().

References:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.40.0/examples/C/glib/add-connection-libnm.c#L44
https://networkmanager.dev/docs/api/latest/nm-settings-dbus.html#id-1.2.9.4.48 ("bssid property")
https://networkmanager.dev/docs/libnm/latest/NMAccessPoint.html#nm-access-point-get-bssid
https://fedoramagazine.org/using-python-and-networkmanager-to-control-the-network/

Second question:  Are there any mechanisms we can use to lock out other apps from requesting scans from 
NetworkManager?  This solution would be preferred for our application because scans have such a significant 
impact on the system.  Or is there a way to just outright disable all scanning via NetworkManger for a 
period of time?


If the feature is enabled at build time, NM can use polkit to
authorize D-Bus requests. In particular, there is a "Wi-Fi scan"
permission that grants access to scans. I think you can use polkit
rules to restrict the access to a certain user or process; however,
note that any process running as root bypasses polkit checks and is
always authorized.

References:
https://networkmanager.dev/docs/libnm/latest/libnm-nm-dbus-interface.html#NMClientPermission
https://networkmanager.dev/docs/api/latest/nmcli.html (nmcli general permissions)

Beniamino

Attachment: signature.asc
Description: PGP signature

Follow-Ups:
- RE: Preventing network scans once connected via libnm
  - From: Charles Lohr

References:
- Preventing network scans once connected via libnm
  - From: Charles Lohr

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]