Gentoo Forums
Moving to connman difficulties[SOLVED]
jserink
l33t
Joined: 30 Jan 2004
Posts: 992

PostPosted: Mon Apr 20, 2020 9:09 am    Post subject: Moving to connman difficulties[SOLVED]

Hi All:

I have installed connman to handle my wifi needs to replace wicd as the former does not support python 3 and python2.7 is basically done.

I used wicd ONLY when I needed wifi, else the daemon was off.

In addition, I used vde with KVM and dnsmasq for my VM requirements when either on wifi or on Ethernet or both.
This worked fine.

I have moved to connman and am having issues with this setup because connman using its own dnsproxy so it occupies udp 53 when it starts.
This breaks my VM prep startup script which looks like this:
#!/bin/bash
# Create a 4-port VDE switch with tap0 as its uplink into the host
vde_switch --numports 4 --mod 777 --group users --tap tap0 -x -d
# Give the host an address on the VM network and bring tap0 up
ip addr add dev tap0 192.168.100.1/24 brd 192.168.100.255
ip link set dev tap0 up
# Allow the host to route between the VM/Ethernet side and the wifi uplink
echo "1" > /proc/sys/net/ipv4/ip_forward
# DNS forwarding for the VMs (tap0) and the hosts on the Ethernet port
dnsmasq --log-queries --interface=tap0,enp0s31f6
# NAT everything leaving via wifi, forward freely, accept input from tap0/Ethernet
iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i enp0s31f6 -j ACCEPT

So my VDE switch is attached to tap0 and I connect my VMs to this. I use DNSmasq to forward DNS queries from VM and hosts on my Ethernet port out the wifi.
This worked fine with wicd.

With connman, this breaks because the connman dnsproxy occupies udp 53 so dnsmasq fails to start and my VMs and Ethernet port get no name lookup.

So, I tried stopping the dnsproxy function by changing the /etc/conf.d/connman file to this:
jserinki7 ~ # cat /etc/conf.d/connman
# conf.d file for connman
#
# Please check connmand --help for more information.
# Useful options are:
# -c, --compat: enable NetworkManager compatibility mode.
# -W, --wifi=NAME: select wpa_supplicant wifi driver to use.
# This is useful if your wpa_supplicant is < 0.7
# since connmand by default gives wpa_supplicant a
# comma separated list of values and < 0.7 does not
# understand or accept it.
# -i, --device=DEV: force use of given interface name.
# -I, --nodevice=DEV: force ignore of given interface name.
# -p, --plugin=NAME: specify plugins to load.
# -P, --noplugin=NAME: specify plugins not to load.
CONNMAN_OPTS="--nodnsproxy"

And this works, it stops the dns proxy, but then my machine gets no name lookup.

In short, I think it's best to mod my dnsmasq setup to possibly use the connman dnsproxy but have no idea how to do that.
Any ideas on that?

Cheers,
john


Last edited by jserink on Thu Oct 01, 2020 4:28 am; edited 1 time in total
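The failure described in the post above is a port collision: connman's dnsproxy already holds udp/53 when the script tries to start dnsmasq with the default wildcard listener. The script below is an added example, not code from the thread or from the connman or dnsmasq projects. It assumes the proxy binds only the loopback address (127.0.0.1:53), in which case dnsmasq can coexist with it by binding only the addresses of tap0 and enp0s31f6 (--bind-interfaces, with lo excluded); a wildcard listener on udp/53 cannot be shared and is reported instead. It parses a constructed sample in /proc/net/udp format rather than the live file so it runs offline, and it also prints the owning uid of each listener, which is the kind of check UberLord's later point about root processes on public ports calls for.

```shell
#!/bin/sh
# Added example (not code from the thread): decide whether dnsmasq can share
# udp/53 with a resolver that is already running, e.g. connman's dnsproxy.
# Assumption: that proxy binds only the loopback address, so dnsmasq started
# with --bind-interfaces on tap0/enp0s31f6 (lo excluded) does not collide.
# A wildcard (0.0.0.0) listener on udp/53 cannot be shared.

# Constructed sample in /proc/net/udp format (not captured from a real host):
# row 0 is a loopback-only resolver on udp/53 owned by uid 0,
# row 1 is a DHCP client on udp/68 bound to the wildcard address, also uid 0.
SAMPLE_PROC_UDP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 24680 2 0000000000000000 0
   1: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 24681 2 0000000000000000 0'

# udp_listeners_on_port PORT  (reads /proc/net/udp-format text on stdin)
# Prints "<ipv4-address> <uid>" for every socket bound to PORT. The kernel
# prints the address as host-order hex, so on x86 0100007F is 127.0.0.1.
udp_listeners_on_port() {
    hexport=$(printf '%04X' "$1")
    awk -v port="$hexport" '
        function hex2dec(h,   i, v) {
            v = 0
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789ABCDEF", substr(toupper(h), i, 1)) - 1
            return v
        }
        function hex2ip(h) {
            return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
        }
        NR > 1 {
            split($2, a, ":")                                 # local_address is "HEXIP:HEXPORT"
            if (toupper(a[2]) == port) print hex2ip(a[1]), $8  # $8 is the uid column
        }'
}

# plan_dnsmasq_args  (reads /proc/net/udp-format text on stdin)
# Prints the dnsmasq options to use, or fails if udp/53 cannot be shared.
plan_dnsmasq_args() {
    listeners=$(udp_listeners_on_port 53)
    if [ -z "$listeners" ]; then
        # Nothing on udp/53: the original wildcard listener is fine.
        echo "--interface=tap0,enp0s31f6"
        return 0
    fi
    printf '%s\n' "$listeners" | while read -r addr uid; do
        case "$addr" in
            127.*) ;;   # loopback-only resolver: compatible with --bind-interfaces
            *) echo "udp/53 already bound on $addr (uid $uid); cannot start dnsmasq" >&2
               exit 1 ;;
        esac
    done || return 1
    # Bind only the addresses of tap0 and the Ethernet port, and keep dnsmasq
    # off lo, which dnsmasq adds automatically whenever --interface is used.
    echo "--bind-interfaces --except-interface=lo --interface=tap0,enp0s31f6"
}

# Stand-alone demo on the constructed sample; on a real host use:
#   dnsmasq --log-queries $(plan_dnsmasq_args < /proc/net/udp)
printf '%s\n' "$SAMPLE_PROC_UDP" | plan_dnsmasq_args
```

On a live host the same check is `plan_dnsmasq_args < /proc/net/udp`; whether the proxy really is loopback-only is something to confirm first with `ss -ulpn` on that machine, since the script only trusts what the socket table says.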
UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6799
Location: Blighty

PostPosted: Fri Apr 24, 2020 10:52 am    Post subject:

Maybe look into something less invasive like dhcpcd-gtk or dhcpcd-qt?
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
jserink
l33t
Joined: 30 Jan 2004
Posts: 992

PostPosted: Thu Oct 01, 2020 4:34 am    Post subject:

Ok, I figured out how to turn off the DNS proxy but then connman has its own dhcp client, and its own this and that.....
Connman and Network Manager are the systemd's of networking....doing everything themselves because dhcpcd and dnsmasq weren't good enough?

Anyhow, my solution was to drop both of them and just use wpa_supplicant on its own.
This gives me full control of everything.
My VM networking works, my iptables rules etc. There is no i'll-make-it-easier-for-you daemon running somewhere changing stuff I don't want changed.

So yah, my solution was to:
1. Dump wicd (nice package but python2.7 was polluting my system preventing updates),
2. Dump connman (I did give this package a good whirl but in the end, it's too much of an I'll-make-it-easier-for-you),
3. Dump Network Manager (disclaimer, didn't spend much time on this but it looked exactly like connman).
4. Use wpa_supplicant with some network scanners if necessary and just do it that way.

Cheers,
john
UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6799
Location: Blighty

PostPosted: Thu Oct 01, 2020 10:43 am    Post subject:

jserink wrote:
but then connman has its own dhcp client, and its own this and that.....
Connman and Network Manager are the systemd's of networking....doing everything themselves because dhcpcd and dnsmasq weren't good enough?


It's the current flavour of the day - everyone has to have their own DHCP client.
But to be fair, dhcpcd grew network management code - but only enough to manage >1 interface for DHCP which is essential if you want to share the same IP address on >1 interface.

Anyway, dhcpcd-9.3 (released soon I hope) will be the only DHCP client that is secured with Linux seccomp.
It already supports FreeBSD Capsicum and OpenBSD Pledge, making it the most secure DHCP client available.
I don't think any Linux DHCP client other than dhcpcd even does privilege separation. Do you really want a root process listening on public ports?
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool