Connection Manager
$ git log --pretty=format:'%h %s (%cs)%d'
8173d708 dnsproxy: Do not use untrusted value in computation (2024-05-07)
	(HEAD -> master)
16044e9f dnsproxy: zero-terminate the buffer after recvfrom (2024-05-07)
cc868b8c dnsproxy: Check sendto error return (2024-05-07)
ec389b64 dnsproxy: Check fcntl return value (2024-05-07)
3ba03174 dnsproxy: Fix cached ttl update (2024-04-22)
be1767db iwd: set network to connected if it is already (2024-04-22)
77a9ba6f technology: Fix memory leak. (2024-04-18)
b569e011 wifi: Fix indentation. (2024-04-18)
e7d72d1e wifi: Fix memory leak. (2024-04-18)
f1f6db78 wifi: Fix use-after-free when tethering is disabled. (2024-04-18)

$ git cat-file blob HEAD:README
Connection Manager

Copyright (C) 2007-2012  Intel Corporation. All rights reserved.

Functionality and features

The following features are built into Connection Manager:
	- Generic plugin infrastructure
	- Device and network abstraction (with basic storage support)
	- IPv4, IPv4-LL (link-local) and DHCP
	- IPv4 address conflict detection (ACD) according to RFC 5227
	- IPv6, DHCPv6 and 6to4 tunnels
	- Advanced routing and DNS configuration
	- Built-in DNS proxy and intelligent caching
	- Built-in WISPr hotspot logins and portal detection
	- Time and timezone configuration (manual and automatic with NTP)
	- Proxy handling (manual and automatic with WPAD)
	- Tethering support (USB, Bluetooth and WiFi AP mode)
	- Detailed statistics handling (home and roaming)

Various plugins can be enabled for networking support:
	- Ethernet plugin
	- WiFi plugin with WEP40/WEP128 and WPA/WPA2 (personal and enterprise)
	- Bluetooth plugin (using BlueZ)
	- 2G/3G/4G plugin (using oFono)

Plugins with additional features are also available:
	- Loopback interface setup
	- PACrunner proxy handling
	- PolicyKit authorization support

Note that when ConnMan starts, it clears all network interfaces that are
going to be used. If this is not desired, network interfaces can be ignored
either by setting NetworkInterfaceBlacklist in the main.conf config file or
by using the -I command line option.

Compilation and installation

In order to compile Connection Manager you need the following software packages:
	- GCC compiler
	- GLib library
	- D-Bus library
	- IP-Tables library (for tethering support)
	- GnuTLS library (optional)
	- PolicyKit (optional)
	- readline (command line client)

To configure run:
	./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var

Configure automatically searches for all required components and packages.

To compile and install run:
	make && make install

Configuration and options

For a working system, certain configuration options need to be enabled:


		Disable support for Ethernet network cards

		By default Ethernet technology support is built-in and
		enabled. This option can be used to build a small daemon
		for a specific system if Ethernet support is not required.


		Disable support for USB Ethernet Gadget devices

		By default USB Ethernet Gadget technology support is built-in and
		enabled. This option can be used to build a small daemon
		for a specific system if USB Ethernet Gadget support is not required.


		Disable support for WiFi devices

		By default WiFi technology support is built-in and
		enabled. This option can be used to build a small daemon
		for a specific system if WiFi support is not required.

		It is safe to build a daemon with WiFi support and no
		running wpa_supplicant. The start of wpa_supplicant is
		automatically detected and only a runtime dependency. It
		is not needed to build ConnMan.


		Disable support for Bluetooth devices

		By default Bluetooth technology support is built-in and
		enabled. This option can be used to build a small daemon
		for a specific system if Bluetooth support is not required.

		It is safe to build a daemon with Bluetooth support and no
		running bluetoothd. The start of bluetoothd is automatically
		detected and only a runtime dependency. It is not needed to
		build ConnMan.


		Disable support for cellular 2G/3G/4G devices

		By default oFono technology support is built-in and
		enabled. This option can be used to build a small daemon
		for a specific system where oFono is not used.

		It is safe to build a daemon with oFono support and no
		running ofonod. The start of ofonod is automatically
		detected and only a runtime dependency. It is not needed to
		build ConnMan.


		Disable support for Bluetooth DUN devices

		By default Bluetooth DUN technology (dundee) support is
		built-in and enabled. This option can be used to build a
		small daemon for a specific system where dundee is not used.

		It is safe to build a daemon with dundee support and no
		running dundee. The start of dundee is automatically
		detected and only a runtime dependency. It is not needed to
		build ConnMan.


		Enable support for Wireless daemon for Linux

		The IWD project has not had an initial release so far,
		therefore IWD support is not enabled by default.

		It is safe to enable this option alongside WiFi support.


		Disable support for PACrunner proxy handling

		By default PACrunner support is built-in and enabled. This
		option can be used to build a small daemon for a specific
		system where PACrunner is not used.

		It is safe to build a daemon with PACrunner support and no
		pacrunner daemon. It will detect and start a PACrunner
		process if needed at runtime. The presence is not needed
		to build ConnMan.


		Disable setup of loopback device

		For distributions with a really minimal init system and no
		networking scripts this can take care of setting up the
		loopback device and enabling it.

		It is safe to leave this selected even if networking
		scripts are in place. It detects an already configured
		loopback device and leaves it as it is.


		Disable support for WISPr hotspot logins

		For systems with really minimal memory requirements, this
		will disable the support for WISPr hotspot logins. The code
		for WISPr will be still compiled into the daemon, but its
		requirement on GnuTLS for secure connections will be lifted.

		The missing GnuTLS support shrinks the memory requirements
		by about 30% and for systems that are more stationary and do
		not log into hotspots this might be a better trade off.

		Disabling WISPr support does not disable the portal detection
		support. A portal will still be detected, but instead of being
		asked for login credentials, the request for a browser session
		will be made through the agent.


		Enable support for PolicyKit authorization

		This allows every D-Bus access to be checked against a security
		policy, restricting access to certain functionality.


		Enable support for NetworkManager compatibility interfaces

		This exposes a minimal set of NetworkManager
		interfaces. It is useful for systems with applications
		that were written to use NetworkManager to detect online/offline
		status and have not yet been converted to use ConnMan.


		Disable support for the command line client

		By default the command line client is enabled and uses the
		readline library. For specific systems where ConnMan is
		configured by other means, the command line client can be
		disabled and the dependency on readline is removed.


		Enable support for compiling SELinux type enforcement rules

		The TE rules are needed if the host environment is in enforcing
		mode. Without this option, the VPN client process cannot
		send notifications to connman-vpnd via the net.connman.Task
		interface. The compiled connman-task.pp module also needs to
		be installed using this command
			# semodule -i connman-task.pp
		in order to enable the D-Bus access.


		Enable support for a DNS resolving backend

		Select a DNS backend to use. Supported values are "internal"
		and "systemd-resolved". If "internal" is selected, ConnMan
		will be built with a caching DNS proxy. If "systemd-resolved"
		is selected, ConnMan configures systemd-resolved to do DNS
		resolving. The default value is "internal".

Activating debugging

One can activate debugging prints in ConnMan using the -d command line option.
If the -d option has no parameters, then debugging is activated for all
source code files. If the -d option has parameters, they tell which source
code files have debugging activated. One can use wild cards in file names.
    -d                   Activate all normal debug prints
    -d src/service.c     This prints debugging info from src/service.c
                         file only
    -d src/network.c:src/ipconfig.c
                         This activates debug prints in src/network.c
                         and src/ipconfig.c files.
    -d 'src/n*.c'        This would activate debug print from all the C source
                         files starting with letter 'n' in src directory.
                         Note the quotation marks around option, that is to
                         prevent shell expansion.
    -d '*/n*.c:*/i*.c'   Activate debug prints for all C source files starting
                         with letters 'n' or 'i' in any sub-directory.

Some components of ConnMan have debug prints that are activated by
environment variables. If the environment variable is set, the
corresponding component will print some extra debugging information.
The following environment variables can be used:
    CONNMAN_DHCP_DEBUG        DHCPv4 related debug information
    CONNMAN_DHCPV6_DEBUG      DHCPv6 related debug information
    CONNMAN_IPTABLES_DEBUG    Extra information when iptables is used
    CONNMAN_RESOLV_DEBUG      Name resolver debug prints. These debug prints
                              are used when ConnMan resolves host names for
                              its own use.
                              Note that the DNS proxy debug prints do not
                              use this environment variable. For that, one
                              can use "-d src/dnsproxy.c" command line option.
    CONNMAN_SUPPLICANT_DEBUG  Debugging prints for communication between
                              connmand and wpa_supplicant processes.
    CONNMAN_WEB_DEBUG         Debug information when ConnMan does Internet
                              connectivity check in Wispr and 6to4 components.

    CONNMAN_WEB_DEBUG=1 src/connmand -n

If timing conditions are relevant, it is recommended to capture
log traces as follows:
    connmand -d 2>&1 | ts '[%H:%M:%.S]' | tee connman.log

The 'ts' program is normally available in the moreutils package.

Kernel configuration

In order to support tethering, the following kernel configuration options
need to be enabled either as modules (m) or builtin (y):


In order to enable CONFIG_IP_NF_TARGET_MASQUERADE, the following options need
to be enabled also as modules (m) or builtin (y):


For routing and statistic support in Sessions, the following options
need to be enabled as modules (m) or builtin (y):


In order to support USB gadget tethering, the following kernel configuration
options need to be enabled:


wpa_supplicant configuration

In order to get wpa_supplicant and Connection Manager working properly
together you should edit wpa_supplicant .config file and set:




This last option will enable the support of background scanning while being
connected, which is necessary when roaming on wifi.

It is recommended to use wpa_supplicant 2.x or later.

If wpa_supplicant is configured to D-Bus autostart, then ConnMan will
trigger the autostart of wpa_supplicant. However please keep in mind
that this trigger only happens once. If wpa_supplicant stops or crashes,
ConnMan does not periodically try to autostart it. It is up to systemd or
a similar service management tool to autostart it. In case wpa_supplicant
is not started by ConnMan then make sure option "-u" is used in order
to enable its D-Bus control interface and ensure ConnMan can communicate
with it.


In order to compile pptp and l2tp VPN plugins, you need ppp development

To run l2tp you will need
	- xl2tpd,

To run pptp you will need
	- pptp client,

Both l2tp and pptp also need pppd.


Up to version 2.2 of OpenVPN, pushing additional routes from the
server will not always work. Some of the symptoms are that additional
routes will not be set by ConnMan if the uplink is a cellular
network. While the same setup works well for a WiFi or ethernet

Up to (at least) version 2.4.5 of OpenVPN getting information about
private key decryption failures via management channel is missing. This
will result in attempting with the invalid key over and over as the
information about failed decryption is not delivered to OpenVPN plugin.
The following patch to OpenVPN is required for the private key
decryption failures to be sent:


When using GnuTLS, be aware that, depending on its configuration,
GnuTLS does either a lazy or an eager initialization of an internal
entropy pool using /dev/urandom. On eager initialization the loading
of ConnMan will be delayed by the link loader until the entropy pool
is filled. On smaller systems this can easily delay the startup of
ConnMan by several seconds (we had reports of 25 seconds and more

GnuTLS allows switching back to lazy evaluation when the environment
variable GNUTLS_NO_EXPLICIT_INIT is set. For more details please read
the man page of gnutls_global_init(3).

Online check

ConnMan tries to detect whether it has an Internet connection when
a service is connected. If the online check succeeds, the service
enters the Online state; if not, it stays in the Ready state. The online
check is also used to detect whether ConnMan is behind a captive
portal, such as when you are in a hotel and need to pay for connectivity.

The online check is done by trying to fetch status.html document
from (for IPv4 connectivity) and
(for IPv6 connectivity). The used URL looks like this

The online check operates in one of three modes:

  * "none"
  * "one-shot"
  * "continuous"

where "one-shot" is the default and is governed by the
"OnlineCheckMode" setting.

In "none" mode, there are no "online" HTTP-based Internet
reachability checks. Any connected service and the manager state
will terminate at the Ready state and will not progress to

In "one-shot", the default mode, there is a single, one-shot "online"
HTTP-based Internet reachability check for the default service (that
is, the service with the high-priority (metric 0) gateway default
route). When the check succeeds, the associated service and the
manager state will terminate at the "online" state. When the check
fails, subsequent checks will be rescheduled according to
"OnlineCheckIntervalStyle", "OnlineCheckInitialInterval", and
"OnlineCheckMaxInterval" and will continue indefinitely until one
succeeds or until the service is disconnected.

In "continuous" mode, there are ongoing "online" HTTP-based Internet
reachability checks for the default service (that is, the service with
the high-priority (metric 0) gateway default route). As with
"one-shot" mode, when the first check succeeds, the associated service
and the manager state will terminate at the Online state. Thereafter,
subsequent checks will be scheduled according to
"OnlineCheckIntervalStyle" and "OnlineCheckMaxInterval". When the
check fails, subsequent checks will be rescheduled according to
"OnlineCheckIntervalStyle", "OnlineCheckInitialInterval", and
"OnlineCheckMaxInterval". When and if "OnlineCheckFailuresThreshold"
is met, the service and manager state will be demoted to Ready and the
service will have its "Error" property set to "online-check-failed"
while subsequent checks will continue. In the interim, if available,
another service may be promoted to the default service and online
checks will be initiated for it. When and if, for the demoted service,
"OnlineCheckSuccessesThreshold" is met, the service "Error" property
will be cleared and the service state promoted to Online, potentially
causing it to become the default service again.

See connman.conf(5) for the "OnlineCheckMode" option, if you need to
disable the feature. It is also possible to specify other URLs via
"OnlineCheckIPv4URL" and "OnlineCheckIPv6URL" options. The range of
intervals between two online check requests can be fine-tuned via
"OnlineCheckInitialInterval" and "OnlineCheckMaxInterval" options as
well as with the "OnlineCheckIntervalStyle" option.

As intimated above, for the "one-shot" and "continuous" modes, when an
online check request fails (or, in the case of "continuous" mode,
succeeds as well), another one is triggered after a longer
interval. The intervals follow one of two mathematical sequences,
depending on the "OnlineCheckIntervalStyle" setting: "fibonacci" or
"geometric", with a default of "geometric". The geometric setting is
the square series of numbers in the range specified by
"OnlineCheckInitialInterval" and "OnlineCheckMaxInterval".  The
default values for "OnlineCheckInitialInterval" and
"OnlineCheckMaxInterval" are the range [1, 12], which correspond to
the following "geometric" intervals, in seconds: 1, 4, 9, 16, 25, 36,
49, 64, 81, 100, 121 and 144 over that range. By contrast, the
corresponding "fibonacci" sequence over that range is 1, 1, 2, 3, 5,
8, 13, 21, 34, 55, 89, and 144. The "fibonacci" series and style is
more aggressive in check rate up to 12 steps (its equivalence point
with "geometric" at 144 seconds) than "geometric" but backs off far
more aggressively past that point reaching an hour at interval 19
which "geometric" does not reach until interval 60.
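
The two interval series and the "continuous" mode demotion and promotion
rules described above, as a small model. This is an added example, not code
from ConnMan: the function and struct names are hypothetical, the thresholds
are constructed values, and counting consecutive results is an assumption.

```c
#include <stdio.h>

enum style { GEOMETRIC, FIBONACCI };
enum state { READY, ONLINE };

/* Seconds to wait at a 1-based interval step, per the README's two series. */
static unsigned long interval_seconds(enum style style, unsigned int step)
{
	unsigned long prev = 0, cur = 1;
	unsigned int i;

	if (style == GEOMETRIC)
		return (unsigned long)step * step;	/* 1, 4, 9, 16, ... */
	for (i = 1; i < step; i++) {			/* 1, 1, 2, 3, 5, ... */
		unsigned long next = prev + cur;
		prev = cur;
		cur = next;
	}
	return cur;
}

/* First interval step whose delay is at least 'seconds'. */
static unsigned int first_step_reaching(enum style style, unsigned long seconds)
{
	unsigned int step = 1;

	while (interval_seconds(style, step) < seconds)
		step++;
	return step;
}

/* One service in "continuous" mode. Counting consecutive results is an
 * assumption of this sketch; the threshold values are set by the caller. */
struct service {
	enum state state;
	const char *error;	/* NULL or "online-check-failed" */
	unsigned int failures, successes;
	unsigned int failures_threshold, successes_threshold;
};

/* Apply the outcome of one online check to the service. */
static void check_result(struct service *svc, int succeeded)
{
	if (succeeded) {
		svc->failures = 0;
		svc->successes++;
		/* Not demoted: any success means Online. Demoted: the
		 * successes threshold must be met before promotion. */
		if (!svc->error || svc->successes >= svc->successes_threshold) {
			svc->error = NULL;
			svc->state = ONLINE;
		}
		return;
	}
	svc->successes = 0;
	svc->failures++;
	if (svc->state == ONLINE && svc->failures >= svc->failures_threshold) {
		svc->state = READY;
		svc->error = "online-check-failed";
	}
}

/* Replay a string of outcomes: 'S' is a success, anything else a failure. */
static enum state replay(struct service *svc, const char *outcomes)
{
	for (; *outcomes; outcomes++)
		check_result(svc, *outcomes == 'S');
	return svc->state;
}

int main(void)
{
	/* Constructed thresholds (3 failures, 2 successes), not defaults. */
	struct service svc = { READY, NULL, 0, 0, 3, 2 };
	unsigned int step;

	for (step = 1; step <= 12; step++)
		printf("step %2u: geometric %3lus  fibonacci %3lus\n", step,
			interval_seconds(GEOMETRIC, step),
			interval_seconds(FIBONACCI, step));
	printf("one hour reached at step %u (fibonacci), %u (geometric)\n",
		first_step_reaching(FIBONACCI, 3600),
		first_step_reaching(GEOMETRIC, 3600));
	printf("after S,F,F,F: %s\n",
		replay(&svc, "SFFF") == READY ? svc.error : "online");
	return 0;
}
```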

During the online check procedure, ConnMan will temporarily install
a host route to both the and so that
the online check query can be directed via the correct network
interface which the connected service is using. This host route is
automatically removed when the online check is done. Note that the server
expressly does not log any connection information, including IPv4/6
addresses of connecting clients. The server runtime logs cycle in RAM
memory depending on amount of connections processed.

ConnMan sends this very minimal information in the HTTP header when doing
the online check request (example):
	User-Agent: ConnMan/1.23 wispr
	Connection: close

Currently following information is returned from if
the connection is successful (200 OK http response code is returned):
	Server: nginx
	Date: Mon, 09 Jun 2014 09:25:42 GMT
	Content-Type: text/html
	Connection: close
	X-ConnMan-Status: online

The X-ConnMan-Status field is used in portal detection. If it is missing,
ConnMan will call the RequestBrowser method in the net.connman.Agent D-Bus
interface to handle the portal login if the portal does not support WISPr.
See doc/agent-api.txt for more details.
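
The header decision described above, as an added example that is not taken
from ConnMan's sources: it reads the field only from the header section, so
a login page that repeats the text in its body is still treated as a portal.
The names are hypothetical, the responses are constructed, and the handling
of non-200 replies and of values other than "online" is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum verdict { CHECK_ONLINE, CHECK_PORTAL, CHECK_UNDECIDED };

/* Constructed samples; the first one uses the header values quoted above. */
static const char SAMPLE_ONLINE[] =
	"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
	"Date: Mon, 09 Jun 2014 09:25:42 GMT\r\nContent-Type: text/html\r\n"
	"Connection: close\r\nX-ConnMan-Status: online\r\n\r\n";
static const char SAMPLE_LOWERCASE[] =
	"HTTP/1.1 200 OK\r\nx-connman-status:  online \r\n\r\n";
/* A page that answers 200 and repeats the field in its body only. */
static const char SAMPLE_PORTAL[] =
	"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
	"X-ConnMan-Status: online\r\n<html>Please log in</html>\r\n";
static const char SAMPLE_ERROR[] =
	"HTTP/1.1 503 Service Unavailable\r\nConnection: close\r\n\r\n";

/* Copy the value of header 'name' into 'out' and return 1 if it is present.
 * Only the header section is searched; header names are case-insensitive. */
static int header_value(const char *resp, const char *name,
			char *out, size_t outlen)
{
	size_t nlen = strlen(name);
	const char *line = strchr(resp, '\n');	/* end of the status line */

	while (line != NULL) {
		line++;				/* first byte of the next line */
		if (*line == '\r' || *line == '\n' || *line == '\0')
			return 0;		/* empty line: headers are over */
		if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
			const char *v = line + nlen + 1;
			size_t len;

			while (*v == ' ' || *v == '\t')
				v++;
			len = strcspn(v, "\r\n");
			while (len > 0 && (v[len - 1] == ' ' || v[len - 1] == '\t'))
				len--;		/* drop trailing whitespace */
			if (len >= outlen)
				len = outlen - 1;
			memcpy(out, v, len);
			out[len] = '\0';
			return 1;
		}
		line = strchr(line, '\n');
	}
	return 0;
}

/* 200 with "X-ConnMan-Status: online" is online; 200 without it is a
 * suspected portal; anything else is left undecided (assumption). */
static enum verdict classify(const char *resp)
{
	int code = 0;
	char value[16];

	if (sscanf(resp, "HTTP/%*d.%*d %d", &code) != 1 || code != 200)
		return CHECK_UNDECIDED;
	if (header_value(resp, "X-ConnMan-Status", value, sizeof(value)) &&
			strcmp(value, "online") == 0)
		return CHECK_ONLINE;
	return CHECK_PORTAL;
}

int main(void)
{
	static const char *names[] = { "online", "portal", "undecided" };

	printf("reference reply: %s\n", names[classify(SAMPLE_ONLINE)]);
	printf("lowercase field: %s\n", names[classify(SAMPLE_LOWERCASE)]);
	printf("field in body:   %s\n", names[classify(SAMPLE_PORTAL)]);
	printf("503 reply:       %s\n", names[classify(SAMPLE_ERROR)]);
	return 0;
}
```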


Mailing list:

If you would like to subscribe to receive mail in your inbox, just
send an (empty) message from your email account to

Mailing list archive:

	ircs:// (for SSL)
	irc:// (for non-SSL)

# heads (aka `branches'):
$ git for-each-ref --sort=-creatordate refs/heads \
	--format='%(HEAD) %(refname:short) %(subject) (%(creatordate:short))'
* master       dnsproxy: Do not use untrusted value in computation (2024-05-07)

# tags:
$ git for-each-ref --sort=-creatordate refs/tags \
	--format='%(refname:short) %(subject) (%(creatordate:short))'
1.42         Release 1.42 (2023-08-04) tar.gz
1.41         Release 1.41 (2022-01-28) tar.gz
1.40         Release 1.40 (2021-06-10) tar.gz
1.39         Release 1.39 (2021-02-08) tar.gz
1.38         Release 1.38 (2020-02-14) tar.gz
1.37         Release 1.37 (2019-03-29) tar.gz
1.36         Release 1.36 (2018-05-12) tar.gz
1.35         Release 1.35 (2017-08-10) tar.gz
1.34         Release 1.34 (2017-04-27) tar.gz
1.33         Release 1.33 (2016-07-17) tar.gz
