Diff for "RoamingProfilesWithNetworkManager"


Differences between revisions 15 and 16
Revision 15 as of 2007-07-11 21:37:47
Size: 14043
Editor: fw-ext
Comment:
Revision 16 as of 2007-07-11 23:31:22
Size: 14024
Editor: fw-ext
Comment:
Deletions are marked like this. Additions are marked like this.
Line 216: Line 216:
This example applies to the deactivation of an interface where matched interface name and ip addresses will call ''pre-down, down, post-down'' profile scripts. This example applies to the deactivation of an interface where matched interface name and ip addresses will call ''pre-down profile scripts.
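Review bot: the new text removes the closing '' along with ", down, post-down", so ''pre-down profile scripts is left with an unterminated italic marker; it should read ''pre-down'' profile scripts. Narrowing the list to pre-down is otherwise fine, but the sentence still opens with "This example applies to the deactivation" without saying which example, so consider "The same matching applies to the deactivation of an interface".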

Roaming Profiles with NetworkManager

Skill: Intermediate Complexity: Moderate EstTimeToComplete: 1.5 hours

RelatedMod: DynamicFirewall OptionalMod: AnonymizingNetworkMACAddresses

This guide is aimed at laptop/portable systems with a single wifi interface and a single wired interface. However, the methods are applicable to varied other system setups. I also recommend installing the DynamicFirewall to help secure and offer a layer of protection while you are roaming about. Optionally you may consider AnonymizingNetworkMACAddresses to afford some privacy.

Sometimes there are specific local settings depending on the network you've associated to. For example, when on the work network you have default printers, unique firewall rules or other applications with location-specific settings that are substantially different from home network settings. This guide will illustrate a way to provide roaming profiles via NetworkManager.

NetworkManager is fantastic, if you let it completely manage the network. Laptop-net is fantastic at managing profiles. However things just don't work well using laptop-net and NetworkManager together.

So, rather than force laptop-net to accommodate NetworkManager's penchant for total control, I've devised some procedural additions that work within NetworkManager's methodology.

With the following configuration examples you can change most system settings, except static IP address management. I attempted to utilize the NetworkManager interface status system to force the static IP assignment but failed at every attempt. Accommodating static addresses will hopefully be resolved in 0.7 of NetworkManager. There is a kludge to force static IP assignments after NetworkManager completes.

Regardless, the following examples illustrate ways to change profiles using NetworkManager alone. The examples emulate the behaviour of laptop-net. While not as complete as laptop-net, it at least cooperates with NetworkManager.

Attachments are provided containing the initial file hierarchy. Download the tarball archives and review prior to installation.

You will have to edit/add/remove the script files to make them fit your environment.

Commands in the guide assume you have sudo'ed to root, i.e., sudo -i after each login.

Load TarBall Archives

Save the tarball: attachment:nmprofiles.tar.gz

cd /
tar xvfzp nmprofiles.tar.gz

File Descriptions and Behavior

This set of files is for the static IP address assignment kludge described later on. Includes the firewall reload.

etc/network/
etc/network/interfaces_home-wired
etc/network/force_work-wired
etc/network/interfaces_work-wired
etc/network/force_home-wired

This is the location and example file set for your roaming network profile scripts that move files, restart services and reload the firewall.

etc/nm-profiles/
etc/nm-profiles/home-wired/
etc/nm-profiles/home-wired/if-post-down.d/
etc/nm-profiles/home-wired/if-post-down.d/15firewall
etc/nm-profiles/home-wired/files.d/
etc/nm-profiles/home-wired/files.d/etc/
etc/nm-profiles/home-wired/files.d/etc/cups/
etc/nm-profiles/home-wired/files.d/etc/cups/printers.conf
etc/nm-profiles/home-wired/if-up.d/
etc/nm-profiles/home-wired/if-post-up.d/
etc/nm-profiles/home-wired/if-post-up.d/20initrestarts
etc/nm-profiles/home-wired/if-post-up.d/10copyfiles
etc/nm-profiles/home-wired/if-post-up.d/15firewall
etc/nm-profiles/home-wired/if-down.d/
etc/nm-profiles/home-wired/if-pre-up.d/
etc/nm-profiles/home-wired/if-pre-down.d/
etc/nm-profiles/work-wifi/
etc/nm-profiles/work-wifi/if-post-down.d/
etc/nm-profiles/work-wifi/if-post-down.d/15firewall
etc/nm-profiles/work-wifi/files.d/
etc/nm-profiles/work-wifi/files.d/etc/
etc/nm-profiles/work-wifi/files.d/etc/fwbuilder.fw
etc/nm-profiles/work-wifi/files.d/etc/network/
etc/nm-profiles/work-wifi/files.d/etc/network/interfaces_work-wired
etc/nm-profiles/work-wifi/files.d/etc/cups/
etc/nm-profiles/work-wifi/files.d/etc/cups/printers.conf
etc/nm-profiles/work-wifi/files.d/etc/resolv.conf
etc/nm-profiles/work-wifi/files.d/etc/hosts
etc/nm-profiles/work-wifi/if-up.d/
etc/nm-profiles/work-wifi/if-post-up.d/
etc/nm-profiles/work-wifi/if-post-up.d/20initrestarts
etc/nm-profiles/work-wifi/if-post-up.d/10copyfiles
etc/nm-profiles/work-wifi/if-post-up.d/15firewall
etc/nm-profiles/work-wifi/if-down.d/
etc/nm-profiles/work-wifi/if-pre-up.d/
etc/nm-profiles/work-wifi/if-pre-down.d/
etc/nm-profiles/work-wired/
etc/nm-profiles/work-wired/if-post-down.d/
etc/nm-profiles/work-wired/if-post-down.d/15firewall
etc/nm-profiles/work-wired/files.d/
etc/nm-profiles/work-wired/files.d/etc/
etc/nm-profiles/work-wired/files.d/etc/fwbuilder.fw
etc/nm-profiles/work-wired/files.d/etc/network/
etc/nm-profiles/work-wired/files.d/etc/network/interfaces_work-wired
etc/nm-profiles/work-wired/files.d/etc/cups/
etc/nm-profiles/work-wired/files.d/etc/cups/printers.conf
etc/nm-profiles/work-wired/files.d/etc/resolv.conf
etc/nm-profiles/work-wired/files.d/etc/hosts
etc/nm-profiles/work-wired/if-up.d/
etc/nm-profiles/work-wired/if-post-up.d/
etc/nm-profiles/work-wired/if-post-up.d/20initrestarts
etc/nm-profiles/work-wired/if-post-up.d/10copyfiles
etc/nm-profiles/work-wired/if-post-up.d/15firewall
etc/nm-profiles/work-wired/if-down.d/
etc/nm-profiles/work-wired/if-pre-up.d/
etc/nm-profiles/work-wired/if-pre-down.d/
etc/nm-profiles/home-wifi/
etc/nm-profiles/home-wifi/if-post-down.d/
etc/nm-profiles/home-wifi/if-post-down.d/15firewall
etc/nm-profiles/home-wifi/files.d/
etc/nm-profiles/home-wifi/files.d/etc/
etc/nm-profiles/home-wifi/files.d/etc/cups/
etc/nm-profiles/home-wifi/files.d/etc/cups/printers.conf
etc/nm-profiles/home-wifi/if-up.d/
etc/nm-profiles/home-wifi/if-post-up.d/
etc/nm-profiles/home-wifi/if-post-up.d/20initrestarts
etc/nm-profiles/home-wifi/if-post-up.d/10copyfiles
etc/nm-profiles/home-wifi/if-post-up.d/15firewall
etc/nm-profiles/home-wifi/if-down.d/
etc/nm-profiles/home-wifi/if-pre-up.d/
etc/nm-profiles/home-wifi/if-pre-down.d/

The nm-dispatcher and the dispatcher.d scripts work together. Files in dispatcher.d are called in alpha order. The 99* scripts have an include for code from nm-dispatcher. The 99* scripts are only executed if the interface name and ip addresses of the passed interface match.

etc/NetworkManager/
etc/NetworkManager/nm-dispatchworker
etc/NetworkManager/dispatcher.d/
etc/NetworkManager/dispatcher.d/99home-wifi
etc/NetworkManager/dispatcher.d/99home-wired
etc/NetworkManager/dispatcher.d/99work-wifi
etc/NetworkManager/dispatcher.d/99work-wired
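
Because the archive is unpacked at / as root and the guide asks you to review it first, the following added example (not part of nmprofiles.tar.gz or the original page) lists an archive and reports any member that is absolute, contains "..", or lies outside the three trees described above. The function names and the sample archive are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of nmprofiles.tar.gz. Function names are hypothetical.

# Print archive members that are absolute, contain "..", or fall outside
# the three trees this page documents.
unexpected_members() {
    tar tzf "$1" | while IFS= read -r member; do
        case "$member" in
            /*|../*|*/../*|*/..) printf '%s\n' "$member" ;;
            etc/|etc/network/*|etc/nm-profiles/*|etc/NetworkManager/*) ;;
            *) printf '%s\n' "$member" ;;
        esac
    done
}

# Build a small constructed archive: one expected file, one stray file.
build_sample() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/etc/nm-profiles/home-wifi/if-post-up.d" "$dir/etc/cron.d"
    : > "$dir/etc/nm-profiles/home-wifi/if-post-up.d/15firewall"
    : > "$dir/etc/cron.d/stray-job"
    tar czf "$dir/sample.tar.gz" -C "$dir" \
        etc/nm-profiles/home-wifi/if-post-up.d/15firewall etc/cron.d/stray-job
    printf '%s\n' "$dir/sample.tar.gz"
}

sample=$(build_sample)
echo "members outside the documented trees:"
unexpected_members "$sample"
rm -rf "$(dirname "$sample")"
```

Run unexpected_members against the real download before extracting; an empty result means every member lies inside etc/network/, etc/nm-profiles/ or etc/NetworkManager/.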

Device Order and if-*.d Files

The files in /etc/nm-profiles/<PROFILENAME>/if*.d are called from /etc/NetworkManager/dispatcher.d/99* scripts. The device state determines the group of scripts to call.

When a device is activated the call order is:

pre-up
up
post-up

When a device is deactivated the call order is:

pre-down
down
post-down

The files are called in alpha order. The script examples copy location-specific files, reload the firewall (refer to DynamicFirewall), and restart services whose configuration files were altered.

Dispatcher.d Files

You'll need to edit the 99* files to reflect the network IP numbers and interface names of your particular environments. Also, create any custom dispatcher.d files for other profiles you need. The profile script files in dispatcher.d have a clearly marked section whose values must be set to determine which network you've connected to.

This setting names the profile. Change to suit your needs. Just remember to update/add to /etc/nm-profiles/NMPROFNAME.

NMPROFNAME="home-wifi"

This sets the directory that holds the profiles' phase scripts and location-specific files.

NMPROFDIR="/etc/nm-profiles"

This is a Perl regex that the activated device's IP address is matched against. It can be as complex as you need. But, in most instances a partial subnet of the location-specific network address is all that is needed to differentiate networks.

IPMATCH="10.10.10"

This is also a Perl regex, matched against the activated device's name. It can be as complex as you need. But, in most instances a single interface name will suffice to differentiate profiles.

IFMATCH="eth0"

* Complex example where you want ANY of these address masks and matching interface names to activate the named profile.

IPMATCH="10.10.11|192.168.10|172.16.10"

* Complex example where you want ANY of the interface names and matching ip address masks to activate the named profile.

IFMATCH="ath0|eth0|eth1"
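
The IPMATCH and IFMATCH values above contain no anchors, so if the worker applies them as plain regex matches (an assumption, since the worker's code is not shown here) they also accept longer addresses and interface names that merely contain the pattern. The added example below is not part of the original scripts: profile_matches and accepted are hypothetical helpers, grep -E stands in for the Perl regex match, and the interface/address pairs are constructed.

```shell
#!/bin/sh
# Added example, not from nmprofiles.tar.gz. grep -E stands in for the
# Perl regex match; the patterns used here mean the same in both dialects.

# Constructed interface/address pairs to test the patterns against.
SAMPLES="eth0/10.10.10.25 eth0/10.10.101.7 eth0/110.10.10.3 veth0/10.10.10.25 eth0/192.168.1.10 eth0/192.168.100.20"

# profile_matches IFACE IP IFMATCH IPMATCH
# Succeeds only when both the interface name and the address match.
profile_matches() {
    printf '%s\n' "$1" | grep -Eq -- "$3" || return 1
    printf '%s\n' "$2" | grep -Eq -- "$4" || return 1
    return 0
}

# accepted IFMATCH IPMATCH
# Prints the sample pairs that would activate a profile with these settings.
accepted() {
    out=""
    for pair in $SAMPLES; do
        if profile_matches "${pair%%/*}" "${pair#*/}" "$1" "$2"; then
            out="$out $pair"
        fi
    done
    printf '%s\n' "${out# }"
}

echo "IFMATCH=eth0 IPMATCH=10.10.10 (as on this page):"
accepted 'eth0' '10.10.10'

echo "anchored: IFMATCH=^eth0\$ IPMATCH=^10\\.10\\.10\\."
accepted '^eth0$' '^10\.10\.10\.'

echo "page's complex example:"
accepted 'ath0|eth0|eth1' '10.10.11|192.168.10|172.16.10'

echo "complex example, anchored:"
accepted '^(ath0|eth0|eth1)$' '^(10\.10\.11|192\.168\.10|172\.16\.10)\.'
```

With the unanchored values, addresses in 10.10.101.x, 110.10.10.x and 192.168.100.x and the interface veth0 all select the profile; anchoring with ^, a trailing \. on the address and $ on the interface name restricts the match to the intended subnet and device.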

Active Phase Range

As the scripts are currently set up, the only phases ever reached for profile scripting are up, post-up and pre-down.

Dispatcher Worker and 99* Actions

NetworkManager passes the acting interface name and phase to the dispatcher.d scripts. Your 99* profile scripts, armed with the interface name and phase, then make a determination about where you are.

To simplify your scripting, a worker shell script, nm-dispatchworker, is installed and called by the dispatcher scripts. The worker script gathers the current interface IP address assignment and matches the current interface name to determine when a location profile is matched.

Only when the IP ADDRESS and INTERFACE NAME match the acting interface will the named profile phase scripts be called.

Example: NetworkManager is activating eth0. NetworkManager(NM) passes phase pre-up and interface name eth0 to every script in /etc/NetworkManager/dispatcher.d. 99home-wifi is called which attempts to get the current ip address assignment for eth0. Since there is no ip address assignment for eth0 yet, the check for a match against the defined IPMATCH will fail. Therefore the /etc/nm-profiles/home-wifi/if-pre-up.d scripts will not be called.

NetworkManager(NM) then passes phase up and interface name eth0 to the dispatcher.d scripts. 99home-wifi is called which then gets the current ip address assignment for eth0. Now that there is an address assigned to eth0 it is checked against IPMATCH. If the ip address mask and interface name match then the /etc/nm-profiles/home-wifi/if-up.d scripts are called in alpha order.

Finally, NetworkManager(NM) then passes phase post-up and interface name eth0 to the dispatcher.d scripts. 99home-wifi is called which then gets the current ip address assignment for eth0. Now that there is an address assigned to eth0 it is checked against IPMATCH. If the ip address mask and interface name match then the /etc/nm-profiles/home-wifi/if-post-up.d scripts are called in alpha order.

This example also applies to the deactivation of an interface, where a matching interface name and IP address will call the pre-down profile scripts.

In general, unless you severely modify the dispatcher.d scripts, pre-up, down and post-down profile scripts will not be activated, since either the IP address hasn't yet been assigned or was released.

Static IP Assignment Kludge

A home-wired and work-wired script are included to force a static ip assignment. I have not been able to force it using the NetworkManager methods. Once the network assignments are completed run the scripts to force the static ip assignment. Adjust to your needs.

Create GNOME Custom Application Launch

Right-click on the system bar and select Add to panel....

Select Custom Application Launcher.

When the dialog window appears select Type: Application in Terminal

Provide a meaningful Name: label.

Enter the Command: sudo -i /etc/network/<forceScriptName> where the script is one of:

force_work-wired
force_home-wired

These scripts reconfigure the interfaces for a static ip address assignment using ifup. Once re-assignment is complete the firewall script is run to reload with the static ip address.

You will need to edit these files to reference your firewall script file.

* I didn't include forced static for wireless but you could certainly set up such scripts.

Offline Profile

There isn't an offline profile per se. NetworkManager logic for deactivating interfaces will eventually get to pre-down phase. It is at this stage that you would encode scripts in if-pre-down.d to reset the laptop to an offline mode. You can't wait until the post-down phase as the ip address assignment will have been lost and would stop the 99* script from calling any if-post-down.d scripts.

If another interface will be brought up, then having reset from the downed interface will have been an unnecessary step. However, this avoids any message passing about the profile state. So, any scripts to reset for an offline mode should reside in the if-post-down.d directory of each /etc/nm-profiles. (If the offline scripts are the same, you may want to place the scripts in a common area and manage them with symbolic links.)

Creative Commons License

Author: James B. Crocker

EMail: ubuntu@james.crocker.name

This work is licensed under a [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-Share Alike 3.0 License].


RoamingProfilesWithNetworkManager (last edited 2013-08-20 14:20:39 by hancock)