pigmonkey / nmtrust

A simple framework for determining network trust with NetworkManager

10trust NetworkManager dispatcher script gets executed for every connection #11

Open ckotte opened 1 year ago

ckotte commented 1 year ago

The dispatcher script gets executed for every connection. In my case it's loopback, WiFi, Docker bridged networks, etc. pp. This only happens at the system startup. It doesn't have a real negative impact except logging many messages in the log. The services are just "started multiple times".

Sep 04 17:13:13 icarus nm-dispatcher[1537]: req:9 'up' [wlp2s0], "/etc/NetworkManager/dispatcher.d/10trust": complete: failed with Script '/etc/NetworkManager/dispatcher.d/10trust' exited w>
...
Sep 04 17:13:14 icarus nm-dispatcher[2969]: All connections are trusted
Sep 04 17:13:14 icarus nm-dispatcher[2954]: Starting trusted system units
Sep 04 17:13:14 icarus nm-dispatcher[2954]: Starting trusted user units
...
Sep 04 17:13:14 icarus nm-dispatcher[1537]: req:12 'up' [br-4d9297e3e7cb], "/etc/NetworkManager/dispatcher.d/10trust": complete: failed with Script '/etc/NetworkManager/dispatcher.d/10trust>
...
Sep 04 17:13:15 icarus nm-dispatcher[3242]: All connections are trusted
Sep 04 17:13:15 icarus nm-dispatcher[3227]: Starting trusted system units
Sep 04 17:13:15 icarus nm-dispatcher[3227]: Starting trusted user units
...
Sep 04 17:13:15 icarus nm-dispatcher[1537]: req:15 'up' [br-8e15dbfdbac6], "/etc/NetworkManager/dispatcher.d/10trust": complete: failed with Script '/etc/NetworkManager/dispatcher.d/10trust>
...
Sep 04 17:13:16 icarus nm-dispatcher[3512]: All connections are trusted
Sep 04 17:13:16 icarus nm-dispatcher[3497]: Starting trusted system units
Sep 04 17:13:16 icarus nm-dispatcher[3497]: Starting trusted user units
...
Sep 04 17:13:16 icarus nm-dispatcher[1537]: req:16 'up' [br-89e023c415a6], "/etc/NetworkManager/dispatcher.d/10trust": complete: failed with Script '/etc/NetworkManager/dispatcher.d/10trust>
...
Sep 04 17:13:16 icarus nm-dispatcher[3782]: All connections are trusted
Sep 04 17:13:16 icarus nm-dispatcher[3767]: Starting trusted system units
Sep 04 17:13:16 icarus nm-dispatcher[3767]: Starting trusted user units
...

Those networks are all excluded:

/etc/nmtrust/excluded_networks

# Ansible managed
docker?
br-*
virbr*
vnet*
lo

Does it make sense to ignore all excluded networks from the dispatcher execution? For example:

/etc/NetworkManager/dispatcher.d/10trust

#!/bin/bash
# Toggle trusted units whenever a connection is activated or deactivated.

EXCLUDEFILE="/etc/nmtrust/excluded_networks"

# NetworkManager passes the device name as $1 and the action as $2.
interface=$1 action=$2

# Print "true" if $1 matches any glob pattern listed in $EXCLUDEFILE
# (blank lines and '#' comments are ignored), otherwise "false".
check_connection() {
    local name=$1
    local connection_excluded=false
    mapfile -t excludes < <(grep -v '^#' < "$EXCLUDEFILE")
    for exclude in "${excludes[@]}"; do
        # NOTE: Cannot quote right-hand side of == because glob matching is needed [shellcheck(SC2053)]
        if [[ "$name" == $exclude ]]; then
            connection_excluded=true
            break
        fi
    done
    echo "$connection_excluded"
}

# Only run ttoggle for connections that are not excluded; other actions
# (dhcp4-change, pre-up, ...) fall through the case and do nothing.
if [[ $(check_connection "$interface") = false ]]; then
    echo "$interface"
    case $action in
        up|down)
            ttoggle
            ;;
    esac
fi

exit $?

So, does it make sense to only execute it for networks not excluded or just execute it every time?

pigmonkey commented 1 year ago

What NetworkManager passes to the dispatcher script as $1 is the name of the interface -- or, in NetworkManager parlance, the "device". Not the name of the network. For the case of Docker bridges, it may be that the name of the device and the name of the network are the same. But I would not expect to put device names in the network exclusion file.

So to accomplish this it would be more appropriate to create a new /etc/nmtrust/excluded_devices file and check against that in the dispatch script. I'd want the behaviour to be the same if nmtrust/ttoggle were executed manually, so the list_connections() function in nmtrust would have to be modified to exclude connections on those devices.

If the concern is log noise it may be simpler to just add the -q flag inside the dispatcher script.

pigmonkey commented 1 year ago

Although it looks like the name of the connection ought to be available to the dispatcher script in the CONNECTION_ID environment variable. So something like your modified dispatcher example could work, but using $CONNECTION_ID instead of $1/$interface.
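The following dispatcher script puts the two ideas in this thread together: the glob matching against the exclusion file from ckotte's draft, and reading the connection name from CONNECTION_ID rather than the device name as pigmonkey suggests. It is an added example written for this issue, not nmtrust's own dispatcher script. It assumes ttoggle is on PATH (as the thread does) and that /etc/nmtrust/excluded_networks holds one shell glob per line; the NMTRUST_EXCLUDEFILE override is a hypothetical variable introduced here only so the matching logic can be exercised against a constructed file. It is written in POSIX sh so the glob matching does not depend on bash's [[ ]].

```shell
#!/bin/sh
# Added example (not nmtrust's own code): toggle trusted units only for
# connections that are not listed in the exclusion file.
# Assumptions: ttoggle is on PATH; the exclusion file holds one glob per line.
# NMTRUST_EXCLUDEFILE is a hypothetical override, used here for testing.
EXCLUDEFILE="${NMTRUST_EXCLUDEFILE:-/etc/nmtrust/excluded_networks}"

# connection_excluded NAME FILE
# Returns 0 when NAME matches any glob pattern in FILE, 1 otherwise.
# Blank lines and '#' comments are skipped. The pattern is left unquoted in
# the case arm on purpose: that is what makes "br-*" and "docker?" act as
# shell globs, and a case pattern always matches the whole string, so
# "docker?" matches docker0 but not docker10.
connection_excluded() {
    name=$1
    file=$2
    [ -r "$file" ] || return 1
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        case $pattern in
            ''|'#'*) continue ;;
        esac
        case "$name" in
            $pattern) return 0 ;;
        esac
    done < "$file"
    return 1
}

# dispatch_decision NAME ACTION FILE
# Prints "toggle" when ttoggle should run for this event and "skip" otherwise.
# Only the up/down actions are acted on, mirroring the draft in the issue;
# NetworkManager also dispatches dhcp4-change, pre-up and similar events.
dispatch_decision() {
    name=$1
    action=$2
    file=$3
    case $action in
        up|down) ;;
        *) echo skip; return 0 ;;
    esac
    if connection_excluded "$name" "$file"; then
        echo skip
    else
        echo toggle
    fi
}

# Entry point as NetworkManager invokes it: $1 is the device, $2 the action,
# and CONNECTION_ID carries the connection (network) name. Fall back to the
# device name when CONNECTION_ID is unset, e.g. when run by hand.
main() {
    interface=$1
    action=$2
    name=${CONNECTION_ID:-$interface}
    if [ "$(dispatch_decision "$name" "$action" "$EXCLUDEFILE")" = toggle ]; then
        # stdout ends up in the nm-dispatcher journal entries shown above
        echo "connection '$name' ($action) on $interface: running ttoggle"
        ttoggle
    else
        echo "connection '$name' ($action) on $interface: excluded, nothing to do"
    fi
}

# Run the dispatcher path only when called with NetworkManager's two arguments.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Because the match is done on CONNECTION_ID, the exclusion file keeps containing network names, which is consistent with how list_connections() is used when nmtrust is run manually. For the Docker and libvirt bridges in the issue the device and connection names coincide, so the patterns above still cover them. NetworkManager will refuse to run a dispatcher script that is not owned by root, is writable by group or others, or is not executable, so install it with the same ownership and mode as the existing 10trust script.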