I’m trying to set up a somewhat weird network configuration, three interfaces on a pi, an adhoc AP, a wireless lan, and a USB modem.

I want clients of the USB device to talk to clients of the AP, I want clients of the AP to talk to other clients and a single host on the wireless network.

Sorta simple right? Just a couple firewall rules? Well NetworkManager is a land of logical defaults that do not like to be adjusted. I had it working where the AP clients could not reach out to the internet, but could reach the USB clients. NetworkManager automagic’d a NFTables ruleset that doesn’t appreciate being changed.

Okay so I’ll tell NM to not use a firewall backed in the conf, firewall-backend=none, easy.

But once NM is restarted, the networking is behaving like the firewall is still active, despite NFtables and iptables reporting no rulesets, as NM has taken its ball and gone home.

I can’t even figure out a baseline of “what the fuck is going on” because the level of opaque NM automagic happening behind the scenes. I just poke at it and hope something happens. Half the NetworkManager behavior is hidden in dev blog posts that you need to sift through, the official documentation just basically gives the bare minimum info for a feature.

  • pastermil@sh.itjust.works
    link
    fedilink
    arrow-up
    12
    ·
    7 months ago

    I don’t think NetworkManager is in the market for “somewhat weird network configuration”.

    Why don’t you turn it off and use dhclient or dhcpcd instead?

  • drwankingstein@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    12
    ·
    7 months ago

    Network Manager has been the absolute bane of my existence, however due to it being the defacto standard for most distros, one pretty much needs to support it. at the very least nmcli is… usable.

            • theshatterstone54@feddit.uk
              link
              fedilink
              arrow-up
              1
              ·
              7 months ago

              I’ve been wondering about how feasible an all-systemd system would be. Like, take Arch and do a manual install but replace everything possible with systemd. Resolved, networkd, (whatever the fstab alternative is called), systemd-boot (of course) etc. And just have everything replaced by systemd as much as possible. It’s an interesting idea and ClearLinux essentially did just that so I might check it out for inspiration.

              • allywilson@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                7 months ago

                I think Poettering did a blog post just before he left RedHat (or maybe it was just after) where he described his ‘perfect’ OS - it was pretty detailed, I imagine it was indeed what we’d call systemd+Linux

                Edit: Found it

                • theshatterstone54@feddit.uk
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  7 months ago

                  Holy crap, that dude is just next level. He’s talking about getting absolutely everything encrypted, and here I am, not even having my root partition encrypted.

          • lemmyvore@feddit.nl
            link
            fedilink
            English
            arrow-up
            3
            ·
            7 months ago

            🤦 Then you probably shouldn’t uninstall it. When you enter a discussion about an advanced use case people are going to assume you want to manage /etc/resolv.conf and the network interfaces by hand.

            • delirious_owl
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              7 months ago

              No I’m fine to do that, but systemd overwrites it every few minutes.

              • 8Bitz0@discuss.tchncs.de
                link
                fedilink
                arrow-up
                2
                ·
                7 months ago

                You’re telling me you don’t want to update a configuration that updates a configuration that updates a configuration?

                Just wait until you use Ubuntu cloud-init which updates netplan which then updates NetworkManager.

                • delirious_owl
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  7 months ago

                  But once NM is gone, I don’t even know how to update the thing that updates the thing that updates the thing.

                  My point is that NM is pretty baked-in, and I don’t know how to remove it without breaking things

    • Shinji_Ikari [he/him]@hexbear.netOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      Thanks for the suggestion, but I’m using NM for managing the AP and managed connections, not so much the bare connecting to wifi things.

      The only real alternative to NM in this situation is a handful of delicate config files for iwconfig and dnsmasq.

    • Shinji_Ikari [he/him]@hexbear.netOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      So I want and have ip forwarding, and I only want to make a firewall whitelist between two of the interfaces.

      I’ve uninstalled iptables, nftables isn’t running, NM has the firewall backend disabled, and ip forwarding is on.

      This should result in traffic moving between the interfaces, yet traffic is moving between two of the interfaces, and blocked between two of the interfaces. It just doesn’t make sense.

      • systemd-catfoodd@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        7 months ago

        Sorry I only have this generic troubleshooting point to offer, but have you checked to see if NetworkManager might be modifying your IP routing table in unwanted ways during its operation?

        From what you’ve described I’m under the impression that no Internet traffic needs to run through this system; perhaps NM is adding an unwanted default route?