Issues with Network Manager bridge

I created a network bridge for use with qemu/kvm, with Network Manager nmcli command line. I followed these steps:

# Create bridge and add eth0 to it
nmcli con add type bridge ifname br0 stp no
nmcli con add type bridge-slave ifname eth0 master br0

# Disable current connection
nmcli con down "Wired connection 1"

# Enable the bridge
nmcli con up bridge-br0
nmcli con up bridge-slave-eth0

Fortunately it seemingly works.

However, I stumbled upon a new problem:

I often need to change networks from the wired one to a wireless one. With the normal eth0 connection (before making the bridge), I just unplugged the Ethernet cable and after a few seconds a notification popped up, “Wired connection disconnected”; then I connected to a saved wireless one.

Now, with the bridged wired connection, I unplug the cable and the disconnection notification no longer shows up. I connect to a wireless network, and it connects, but there is no internet. I check with “ip route” and “cat /etc/resolv.conf” and realize that effectively the wired connection doesn’t disconnect properly: the gateway and/or DNS addresses are still from the wired connection.

In Network Manager applet’s network list, all available wireless networks appear, as well as the normal eth0 connection. But this last one appears as not connected, and the bridged connection never appears, no matter whether I use “stp no” option when creating the bridge.

So how can I correctly disconnect from wired bridged network in Network Manager?
And, stp option is supposedly to “advertise/not to advertise” the network in NM. But I don’t see it doing anything. What is it for then? Or am I confused?

Hope someone can help.
Thanks very much beforehand for your attention.

Hi
Might be easier to check in nm-connection-editor and set the priority or the metric? (I have separate devices here)


nmcli connection down bridge-br0

And, stp option is supposedly to “advertise/not to advertise” the network in NM.

It has nothing to do with “Advertising to NM”. “stp” option enables Spanning Tree Protocol on this bridge.

You had better ask on the NetworkManager list. It is not that simple: a bridge is a virtual interface which is created by activating the corresponding connection profile, so deactivating this connection actually deletes the interface. The current logic is that slave connections (bridge members) are activated together with the master connection (bridge), and you basically would like the opposite logic: the master connection is activated when the slave interface gets carrier.

Thanks very much for your help -and patience as well-. It helps to understand better until now.

Now, a final issue I found is that nmcli commands seem to require root privileges, while in the Arch Linux docs it’s implied they don’t (or shouldn’t) need them!

Thanks again.

You need to check/adjust the related PolKit settings for NetworkManager.

It does not here for activating or deactivating a connection. You need to describe what you do and what results you get in more detail.

But as already mentioned, NetworkManager is using PolicyKit to check for authorization, and by default any active local session is allowed to activate and deactivate connections. So you also need to explain how you log in to your system.

Yes, you’re right. I needed to study more. Sorry for that.

On the other hand, I just saw -yes, just until now…- that I can create bridge -and other devices- from NM’s applet in task bar, by opening the settings, and it doesn’t ask for privileged access unlike nmcli. Why is this? More Polkit settings, or the applet is setuid or the like?

Also, I saw that I can create tun-tap devices with nmcli, but not in NM applet: the option is nowhere to be found there. Why?

Thanks again.

There is no such thing as “NM’s applet”. There are applets specific to each desktop environment. You always have to start with telling your desktop environment and whether you are using native applet or some other tool.

and it doesn’t ask for privileged access unlike nmcli.

And it certainly does here on Xfce using default installation (in which nm-applet program is used).

Why is this?

Because we are using different NM frontends which have different defaults.

More Polkit settings,

Sort of. Connection can be restricted to specific user(s) or can be available to all users. Some NM frontends default to user specific connections which by default do not require superuser authorization. Other NM frontends default to “available to all users” (or “system”) connections which by default do require superuser authorization. And yes, both are controlled by PolicyKit and can be changed. Or you can go to connection properties when creating it and change default setting (assuming this setting is exposed).

I saw that I can create tun-tap devices with nmcli, but not in NM applet: the option is nowhere to be found there. Why?

Because nobody implemented support for this particular connection type in the NM frontend you are using.

To illustrate:

bor@localhost:~> nmcli --ask connection add type bridge ifname br0 stp no 
...
System policy prevents modification of network settings for all users
(action_id: org.freedesktop.NetworkManager.settings.modify.system)
password (root): ^C
bor@localhost:~> nmcli --ask connection add type bridge ifname br0 stp no connection.permissions bor
...
Connection 'bridge-br0' (379afcaa-9816-4e61-a9e3-52c7cc8f5460) successfully added.
bor@localhost:~>

You were right yet again; hell with me…
I’m sorry sir. I’m using KDE desktop right now, and the default installed “applet” in the taskbar.

Oh, and thanks for your last illustration. I’ll definitely try that as soon as I’m back there. Thanks very much for your help and patience.

Oh, and just for the record, how permissions are set by default for my case:

user@localhost:~> nmcli general permissions
PERMISSION                                                        VALUE 
org.freedesktop.NetworkManager.checkpoint-rollback                auth  
org.freedesktop.NetworkManager.enable-disable-connectivity-check  yes   
org.freedesktop.NetworkManager.enable-disable-network             yes   
org.freedesktop.NetworkManager.enable-disable-statistics          yes   
org.freedesktop.NetworkManager.enable-disable-wifi                yes   
org.freedesktop.NetworkManager.enable-disable-wimax               yes   
org.freedesktop.NetworkManager.enable-disable-wwan                yes   
org.freedesktop.NetworkManager.network-control                    yes   
org.freedesktop.NetworkManager.reload                             auth  
org.freedesktop.NetworkManager.settings.modify.global-dns         auth  
org.freedesktop.NetworkManager.settings.modify.hostname           auth  
org.freedesktop.NetworkManager.settings.modify.own                yes   
org.freedesktop.NetworkManager.settings.modify.system             auth  
org.freedesktop.NetworkManager.sleep-wake                         yes   
org.freedesktop.NetworkManager.wifi.scan                          yes   
org.freedesktop.NetworkManager.wifi.share.open                    auth  
org.freedesktop.NetworkManager.wifi.share.protected               auth  
user@localhost:~>

Thanks again.
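
Added example, not part of any post in this thread: a small shell audit of `nmcli general permissions` output that shows why the bridge profile needed a password as a system connection but not with `connection.permissions` set. The function names and the `SAMPLE` variable are assumptions made for illustration; the sample rows are a constructed subset copied from the table posted above.

```shell
#!/bin/sh
# Added example: audit the polkit view that `nmcli general permissions` prints.
# Live use: nmcli general permissions | nm_perm_noauth

# Constructed sample: subset of the rows posted in the thread.
SAMPLE='PERMISSION                                                        VALUE
org.freedesktop.NetworkManager.network-control                    yes
org.freedesktop.NetworkManager.settings.modify.global-dns         auth
org.freedesktop.NetworkManager.settings.modify.hostname           auth
org.freedesktop.NetworkManager.settings.modify.own                yes
org.freedesktop.NetworkManager.settings.modify.system             auth
org.freedesktop.NetworkManager.wifi.share.open                    auth'

# nm_perm_value SUFFIX: print the VALUE column (yes/no/auth/unknown) for
# org.freedesktop.NetworkManager.SUFFIX, reading the table from stdin.
nm_perm_value() {
    awk -v id="org.freedesktop.NetworkManager.$1" '$1 == id { print $2 }'
}

# nm_perm_noauth: list every action the calling session may perform
# without any authentication prompt (VALUE is "yes").
nm_perm_noauth() {
    awk '$1 ~ /^org\.freedesktop\.NetworkManager\./ && $2 == "yes" { print $1 }'
}

# nm_profile_needs_auth SCOPE: SCOPE is "own" (profile restricted to the
# caller via connection.permissions) or "system" (available to all users).
# Exit status 0 when adding or editing such a profile is not freely allowed.
nm_profile_needs_auth() {
    v=$(nm_perm_value "settings.modify.$1")
    [ "$v" != "yes" ]
}

# Show the unauthenticated actions in the sample table.
printf '%s\n' "$SAMPLE" | nm_perm_noauth
```

On a multi-user host, the `yes` rows are the ones worth reviewing, since any active local session can perform them without a prompt.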