[Novalug] F.C. 1-- NetworkManager

Peter Larsen peter@peterlarsen.org
Fri Dec 2 15:48:50 EST 2016

On 12/02/2016 01:37 PM, Walt Smith via Novalug wrote:
> ( no specific problem:  information exchange )
> HI,
> I remarked that NetworkManager was limited 
> in what it could do.  It's been pointed out that 
> NetworkManager is a wrapper using more
> "standard" linux functions ( utilities ) under
> the hood, and does quite a bit-- I wanted to 
> know more.

It's a wrapper to kernel functions. Pretty much everything is. Ie.
NetworkManager doesn't call the IP command directly using a shell. It
uses the same libraries that "ip" does and hence you don't need to
access 10-20 different commands anymore to have the complete set of
network configuration "utilities" you'll need.  Just like ls, cd, lpr
are wrappers for functions that eventually are syscalls to the kernel we
know as Linux. We're simply talking about the most efficient way to
manage this.

Here's the description of NetworkManager according to the man page:
The NetworkManager daemon attempts to make networking configuration and
operation as painless and automatic as possible by managing the primary
network connection and other network interfaces, like Ethernet, WiFi,
and Mobile Broadband devices. NetworkManager will connect any network
device when a connection for that device becomes available, unless that
behavior is disabled. Information about networking is exported via a
D-Bus interface to any interested application, providing a rich API with
which to inspect and control network settings and operation.

Another good source for information about NetworkManager is

Note that the original concept of NetworkManager was to provide better
GUI access to networking configuration. So DBUS was an important aspect
from day 1. This is also why NetworkManager early on wasn't the best
choice for servers. It wasn't the primary focus for servers - but now
that's been bridged too.

> A set of utilities/functions it performs can be 
> made as list.  It's also possible to list some 
> service/functions that  NetworkManager does 
> not perform that people may have assumed it did.
> For people learning networking, there are many 
> blurred lines. 

Sure - you can do that for every program. But where you draw the line?
How do you think about features you want to find out if they belong in
the "has" or "has not" list? Ie. should I add "access a database" to
that list?

>  Especially since much terminology
> in the industry has changed or has multiple
> meanings.   In 2016, some things have settled.
> NetworkManager (8) is the ref for manpages.
> ( get the capitalization right !!! )

My guess here is, that nm was used by netmap before NetworkManager came
around. So a unique name was needed.  But strangely, some of the add-on
utilities for NetworkManager are prefixed with lower case nm ... who
ever said there was consistency in the community ;)

> The doc's describe Network configuration and 
> operations. Whatever that means.  

This is why I posted the description. It makes a good stab at "whatever
that means". It's meant to automatically respond to network interfaces
becoming available, and other types of events on your system. Ie. when
your dialup has a CONNECT, NetworkManager can start the ppp negotiation,
and then finally add IP information. Or when the modem hangs up, remove
and clean up the interface.  What's even more interesting is, because of
DBUS use, other tools can be tightly integrated into NetworkManager -
such as firewalld.

> A look at
> the program in operation (  click icon ) shows
> where to start : wired and wireless.  a list of wired
> ( usually ethernet for home users ) is easily
> seen from a left-click.  You can add connections 
> to either.  The same menu is used for editing.  
> Wireless does a survey of your geographic  
> area, and lists what it sees.  

So depending on your DE, that utility may or may not represent the full
functionality of NetworkManager. GNome and KDE have very different
implementations of this UI, and that goes for other DEs too.  Even
within Gnome we don't have _all_ the features that nmcli has for
instance, but as time progresses that's being taken care of. So to get a
full view of everything that NetworkManager can do, I would start with
the man page you mentioned, and then example "nmcli", "nmcli-examples",
"nm-settings" to get a full list of features.

> You can edit the individual connections/interfaces 
> for your desired connection type - ip6, ipv4, 
> general user access type, IP address of the 
> interface,  DNS servers to use, search domains (?),
A list of search domains are a list of domain suffixes your system will
look for if you don't give a FQDN as a hostname. Ie. if I enter "ping
myhost" and my search domain says "home.com", my system will try to
resolve "myhost.home.com" first. You can have multiple search domains.
If you don't have any, the domain of your host is used.

> selection of static or dynamic address assignment 
> ( DHCP - to the interface? 

If the method is set to "dhcp" it means for that group - like ipv4, on
that interface use dhcp. If you have more than one network interface on
your system, some may be static, some may be dynamically assigned.

> or to other connected 
> devices ), and DHCP client, and static route entry 
> for that interface ( does the route table/edit 
> include the entire host box ? )

It does support route tables, but as we've spoken about on a thread
earlier, that's really not needed unless you're doing very advanced
networking. By default, routes are created when you specify an IP for
the subnet of that network. And if you specify a default gateway, a
route is created for that gateway too. In other words, for ordinary use
you have no need to specify routes manually. HOWEVER, if you want to:

nmcli connection modify eth0 +ipv4.routes ""

This adds the above entry to the route table for the interface eth0.
Note, this may be another thing that'll eventually catch up to you -
network interface names are (have) changed. NetBiosNames adds the device
and location to the name, so it's easy to see the relationship betwen
the network interface name, and the actual physical port on the system.
For instance, on my current laptop the physical interface port is named:
enp0s25. For single interface systems this may seem nonsense - and you
can turn off this feature if you want to. It does however tell you a lot
once you get used to it, and have helped me realize I had the wrong
kernel module (driver) associated with my interface in the past.

If you want a friendlier way to learn about all the features, I would
recommend the manual here:

> .  If MAC addresses are
> retrieved automatically, they are shown, otherwise,
> you can enter a MAC number for an interface, and you 
> can clone a MAC address.

MAC (Media Access Control) Address are firmware assigned. They're the
only identity the hardware has when turned on. On some cards, you can
overwrite the MAC address. Mostly you only need to do this on virtual
interfaces, and "you" in this case wold most likely be the framework
you're working with. Ie. if you're doing virtual machines using libvirt,
libvirt will assign a MAC address for you. You can override it, but
really - don't :)

> It's handy to learn what NetworkManager does not do.

First - it's important to know what it is. It's a network configuration
tool. It's not about firewalls and anything you run on the network. But
if you think that functionality would make sense in NetworkManager, I
would file an RFE.

> not a firewall 
> no port blocking
> no ip filtering,
> doesn't do NAT
> no port forwarding, 
> no MAC filtering,

All firewall stuff - all stuff taken care of by firewalld and which is
integrated with NetworkManager. Ie. when NetworkManager starts an
interface, the rules for that interface are activated too. You have
several settings in NetworkManager like "connection.zone" that specifies
the firewalld zone an interface belongs to. So it's a bit of a stretch,
but it's technically possible to assign rules to an interface by specify
an existing zone on the firewall.

I would also want to point out, that firewall rules have never been part
of "ip", "ifconfig", "route" etc.

> no dynamic routing (IP's )
> no switching (MAC numbers )

I covered both above. You can create custom routing and you can change
the MAC if you want to (if your NIC supports it).

> There is a handy command line tool as part of the
> NetworkManager package to show the various interface's 
> status: nm-tools 

I think you may be referring to nmcli?
> These are the major doings and not doings. Obviously there
> are many additional details needed for each interface.  For 
> example,  I did not discuss the "Security" tab. For those, the 
> user can use other sources specific to those tasks.

Actually, it's one of the main reasons/purposes for NetworkManager. 
Being able to change a network interface as a _user_ - not an admin - is
a big step. The permission features inside NetworkManager talks about if
this interface can be changed by a user.  You can define VLANs and other
types of secure tunnels but now we're really getting into the real of
enterprise grade big networking stuff.

> I also don't know yet, or considered, any  possible 
> interactions between the various functions listed above:
> a matter of who did something first, did the result go
> to function 2, etc.   There may be none to consider.

As I pointed out, firewalld and NetworkManager are integrated. But they
are definitely two different tools.

  Peter Larsen

More information about the Novalug mailing list