NetworkManager keeps connectoin to the gateway on port 67

[bobololo]

Hello,

I'm not sure whether this is a normal behavior and why NetworkManager needs to keep the connection to the gateway Established for all the time. The case is as follows:

I just tried a netstat in the terminal and I've found the following output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3211/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3083/cupsd
tcp6 0 0 :::22 :::* LISTEN 3211/sshd
tcp6 0 0 ::1:631 :::* LISTEN 3083/cupsd
udp 0 0 192.168.100.9:68 192.168.100.1:67 ESTABLISHED 2916/NetworkManager
udp6 0 0 fe80:c2ff:fe0:546 :::* 2916/NetworkManager
raw6 0 0 :::58 :::* 7 2916/NetworkManager

I just found that on every Gentoo machine, no matter whether the machine is connected wired or wireless. NetworkManager keeps Established connection to the gateway. I have also a few Ubuntu machines in the same network and they doesn't have same behavior like the Gentoo ones. On Ubuntu there is no Established connection to the gateway on port 68.

I tried to dump the traffic on port 68 but it doesn't log anything. However it's annoying to keep connection when other Linux distribution doesn't do that.

Is it possible the NetworkManager included in Gentoo to have some some un-patched security issues? I'm using the stable build and NetworkManager version is 1.26.0

I've looked for similar topic in the forum, but I didn't found anything. In Google I found similar or the same question for Arch Linux here: https://bbs.archlinux.org/viewtopic.php?id=252041 but the topic no answer.

Does anybody see the same NetworkManager behavior on their environment? And does anybody knows why it's necessary to keep Established connection to the gateway?

Thanks in advance.

[Princess Nell]

When comparing Gentoo with Ubuntu, are you comparing like with like? Are the Ubuntu machines using NM? Are the resp. netstat programs from the same source? Looking at a Bionic box, it seems the answer to the second question is yes, but not for the first one - netstat shows that systemd-networkd is used.

Code: Select all

udp        0      0 192.168.1.11:68       0.0.0.0:*                           564/systemd-network 

The netstat man page states that in the case of UDP, the state column may be left blank. This holds true for the Ubuntu case, but not the Gentoo case, but why? We know UDP is a stateless and connectionless protocol.

This posting, https://stackoverflow.com/questions/238 ... state-list, explains how the Linux kernel (re-)uses the TCP connection states for UDP. And this one, https://stackoverflow.com/questions/108 ... stablished, how a UDP socket can be connected with connect(2) so that packets are only accepted from the named peer. You can actually see this is the case here if you strace the networkmanager process and break the network link, then reestablish it (plug out the wire, wait a few seconds, plug it in again)

Code: Select all

localhost ~ # strace -p 12345  -e trace=connect
strace: Process 12345 attached
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3485, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
connect(21, {sa_family=AF_INET, sin_port=htons(67), sin_addr=inet_addr("192.168.1.254")}, 16) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3728, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
connect(25, {sa_family=AF_INET, sin_port=htons(67), sin_addr=inet_addr("192.168.1.254")}, 16) = 0
... 

Also, if you break and reestablish the link, you will see traffic on these ports. Run tcpdump and filter out all irrelevant ports, it will show the BOOTP/DHCP broadcast and the rest of the DHCP conversation.

In brief, NM does not have an established connection to the gateway, but netstat (ss, /proc/net/udp) uses symbolic TCP connection states to show that there's a socket waiting for connections from the gateway. On Ubuntu, the systemd-networkd process appears to have a socket open that listens to broadcasts from any source - I would call that a security concern:)