bushw Posted Saturday at 01:48 AM

Armbian uses Netplan by default to manage network settings. But when it uses NetworkManager as renderer, it silently changes iptables rules—without asking, without telling. *Neither Netplan nor NetworkManager are supposed to manage firewall settings.* But they do it anyway, behind the scenes. That kind of behavior—making security changes without user consent—feels a lot like what malware does.
eselarm Posted Saturday at 08:02 AM (edited)

When I got my ROCK3A around 2024-12-01 I thought it was a good idea to use the newest Linux userspace, so I started with the Armbian Ubuntu minimal image. Just getting to know the board HW with only an SD card, serial console and RJ45, that was fine, but soon the problems started. I managed to install NetworkManager and disable networkd, so I could copy a rather complex set of NM files from my other SBC, a NanoPi-R6C that is using bridges, VLANs and libvirt KVM. Same as I did earlier, copying the same *.nmconnection files from a RaspberryPi4 (PiOS bullseye/bookworm). And just changing a cloned-mac-address entry in 1 .nmconnection file initially so my router assigns the correct IP address (just an initial setting); I changed that later. Long story short, it turns out that you need netplan.io and that generates .nmconnection files in /etc/NetworkManager/system-connections/, at least that was my conclusion after doing tricks with apt; maybe it is different, I did not want to waste time on it anymore. The same .nmconnection files (same content) are somewhere in /var or so, I forgot where, and those seem to be generated from netplan yaml files. I once constructed yaml files to get the 64-bit Ubuntu server image running on an RPi4 when RPL only had 32-bit ARMv6 raspbian, but already then I thought: never again that netplan stuff. I had already removed all snapd stuff myself. So after wasting way too much time I just created a clone image on an SD card from a Btrfs snapshot of my running NanoPi-R6C, copied some U-Boot and kernel and DTB files, then done. Could even start VMs on dedicated VLANs etc. That by the way is also an issue with Ubuntu: they keep certain files needed for running KVM different from Bookworm, so VMs did not start, and I needed to look at Ubuntu fora to figure out what the issue was. I forgot what, as I wiped it all.

So my opinion is more or less that Canonical has some vendor lock-ins here and there and/or 'cookies' to keep you staying with them (Ubuntu). Not internet-browser cookies, but goodies, like adding BSD code to Linux (ZFS). As the world of SBCs is almost exclusively about pre-installed images, with most people not able to boot an ISO CD-ROM and install Linux themselves, it is easy to get into people's homes. For me, netplan is like hidden malware, as I am unable to just install NetworkManager without also getting netplan and then needing to know/learn 3 network config scripting things. openSUSE Tumbleweed also has its own network managing tool (wicked), but at least that can be ignored if you want NetworkManager (dedicated switch in YaST). Same for Debian, although with manual apt package and service actions. And then there is the nmtui tool that works via serial console, so for me a key feature to configure networking initially in a good interactive way. It is much easier than reading yaml docs or nmcli command option docs. So the lesson learned is that I avoid Armbian Ubuntu, and also Armbian Bookworm minimal. Only if there were downloadable Armbian Bookworm images where NM is the default would I maybe use them; else I just clone 1 of my own installations. For own image generation with the Armbian build, there is an option to use NM, so I noted that somewhere. The pity is that the recommended/supported build host environment is Ubuntu. I did most builds on Armbian Bookworm lately, works fine. But last time I started it on Trixie it failed. Will try again sometime soon.

Edited Saturday at 08:12 AM by eselarm
laibsch Posted Saturday at 07:14 PM

Please be more specific: what happened exactly? Where did you get the statement that netplan or NetworkManager are not supposed to touch firewall settings? When you bring a network interface up or down, that can obviously affect firewall rules.
Cancer Posted 15 hours ago

Fully agree with the author's statement. The same as the change from ethx to endx is a step in the wrong direction. Somebody was using Windows too much. ifconfig is not even installed by default because of the ip command. Distribution managers should be forced to stop such things. @laibsch "when you bring a network interface up or down that can obviously affect firewall rules" Is it a joke?
laibsch Posted 15 hours ago

This is not a vote but a technical discussion, @Cancer. Your hostile tone and unfounded accusations of "somebody was using windows too much" are out of place (and simply laughable). Consider yourself warned. And if you don't understand the technicalities, maybe it's best to keep quiet? And yes, of course bringing up or down a network interface can obviously affect the firewall. And distribution managers are free to do whatever they want with their distribution; it is theirs, not yours. Entitled much? This is FOSS, you have the code, change it if you don't like it. But otherwise, keep your entitled and ungrateful attitude to yourself. Thank you.
Cancer Posted 14 hours ago (edited)

It's not about technicalities but basic logic. We have here a situation where one program which should offer on/off functionality affects the config of another one. @laibsch I'm not sure why you have reacted this way. Maybe I'm not a professional, but it's about Linux and users should at least point out such things. @robertoj Naturally, it's not about Armbian itself, but generally Linux related. E.g. when I configure another samba instance the usual way and find it's not working by looking in logs, and find after some lost time that the interface name has changed. How many people are reporting an issue with samba and losing time just because of that?

Edited 14 hours ago by Cancer
laibsch Posted 14 hours ago

16 minutes ago, Cancer said: "We have here a situation where one program which should offer on/off functionality affects the config of another one."

I agree that would normally be a bug. And Debian would agree, and in turn us. We have not established that being the case yet, though. At least not for me, since @bushw has not yet responded. @Cancer Do you have an example for me to look into?

16 minutes ago, Cancer said: "when I configure another samba instance the usual way and find it's not working by looking in logs and find after some lost time that the interface name has changed"

Please do tell us more.
MaxT Posted 14 hours ago

Cancer said: "How many people are reporting an issue with samba and losing time just because of that?"

I guess they are free to spend that time to develop their own samba implementation.
ag123 Posted 5 hours ago

Accordingly, one can remove Netplan if one doesn't like it: https://www.baeldung.com/linux/etc-network-interfaces-netplan-switch

And actually, even with Netplan one can configure a different renderer, e.g. NetworkManager: https://docs.armbian.com/User-Guide_Networking/

Or, for that matter, I think it is feasible to remove Netplan altogether and just use NetworkManager, if one prefers that, or even switch back to the raw lowest level /etc/network/interfaces as described in the 1st link.

In addition, show the detailed sequence of events and provide details for this claim:

"Netplan by default to manage network settings. But when it uses NetworkManager as renderer, it silently changes iptables rules—without asking, without telling."

If you cannot show this in detail, then what is your basis for saying that it happens? Note that normally there is a sequence of events: the interfaces need to be set up first, then the firewall (e.g. iptables) is configured after that. What you need to prove in addition is that Netplan or NetworkManager *revoke or change* your iptables / firewall setup if they are configured after Netplan / NetworkManager set up the interfaces, i.e. that it is potentially malicious. If all that you mention can be rigorously proven, then perhaps we can file that with MITRE and have the world cybersecurity community issue a major CVE about it: https://attack.mitre.org/ https://www.cve.org/ i.e. that the whole world and every web server, every VPS, anyone running servers with WordPress on Linux, any web running Linux, everyone including the whole Amazon AWS, Azure, Google Cloud, Red Hat IBM, etc. etc. running Linux follow up and fix *all the servers in the Internet*.
ag123 Posted 4 hours ago

@Cancer Why you need to drop ifconfig for ip: https://opensource.com/article/21/1/ifconfig-ip-linux

If you're still using ifconfig, you're living in the past: https://ubuntu.com/blog/if-youre-still-using-ifconfig-youre-living-in-the-past

There are certain things in this article that can be done with the ip command that take more than just ifconfig to do the same.

Introduction to Linux interfaces for virtual networking: https://developers.redhat.com/blog/2018/10/22/introduction-to-linux-interfaces-for-virtual-networking#vlan

^ This matters if you are bothered about containers, docker, virtual machines, VirtualBox, VPN, WireGuard, VLAN, etc. etc. Otherwise, if you don't need any of containers, docker, virtual machines, VirtualBox, VPN, WireGuard, VLAN, etc. etc., you can live with ifconfig. In a certain sense, the availability of this network infrastructure in Linux, along with the ip command as one of the tools, accounts for the modern trillion-$ cloud services: Amazon AWS, Google Cloud, Azure, IBM Red Hat, and practically every other VPS, web, or any sort of cloud service on the Internet that runs on Linux today.

Anyway, to get ifconfig it is simply `sudo apt install net-tools`: https://www.fosslinux.com/121757/how-to-install-missing-ifconfig-command-on-linux.htm
Igor Posted 2 hours ago

On 8/30/2025 at 10:02 AM, eselarm said: "Pity is that recommended/supported build host environment is Ubuntu."

We appreciate the idea, but we have to look at the health of the whole ecosystem. Our build framework deals with many boards and non-standard low-level components (e.g., U-Boot), and right now it builds reliably only on Ubuntu Jammy. Even Noble isn't fully compatible yet; adding Debian (unofficially, to some degree, it has already worked for many years) at this stage would likely cause regressions. As Ubuntu is more present in the embedded world, making Debian the recommended host would cost a lot more from a budget we don't have while bringing nothing in return.

12 hours ago, Cancer said: "Naturally, it's not about armbian itself, but generally linux related"

Exactly. There are many issues in FOSS and there is little we can do. We didn't develop any of those tools - we provide them. The networking stack is an important part, it has its own diversity and this should be in the user's domain. I think our logic for providing images is a good compromise - we provide Debian and Ubuntu images, we provide them once with systemd-networkd (minimal) and the rest with NetworkManager. Now, to keep some consistency and make it simple for non-experts, using Netplan as a central config point also makes sense - for most use cases and most users. For those who need special handling of the net stack, it's easy to replace them with something else.
bushw (Author) Posted 2 hours ago

3 hours ago, ag123 said: "if you cannot show this in detail, then what is your basis of saying that it happens?"

To be honest, I'm shocked that I need to provide evidence. I assumed this was common knowledge — at the very least among the forum moderators — and that we'd be discussing how it's even possible for the recommended package to behave this way. How to reproduce it? Just implement "mode: ap" in the netplan config and check your iptables chains.
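A way to make that "check your iptables chains" step repeatable, as an added example that is not code from the thread or from Armbian: snapshot the ruleset with `iptables-save` before and after `netplan apply`, then diff the two and group whatever appeared by table and chain. The two embedded snapshots are constructed samples (the 10.42.0.0/24 subnet, wlan0 and the rule lines are illustrative), not output captured from a real board.

```python
# Added example (not from the thread): diff two iptables-save snapshots taken
# before and after `netplan apply` and group the rules that appeared by chain.
# Assumes the snapshots were taken as root; the two embedded below are
# constructed samples, not output captured from a real board.
import sys

BEFORE = "*filter\nCOMMIT\n"  # baseline: no rules loaded

# The kind of NAT/forwarding rules an AP that shares its uplink needs; the
# exact lines a real system shows may differ.
AFTER = """\
*nat
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
COMMIT
*filter
-A INPUT -i wlan0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i wlan0 -j ACCEPT
COMMIT
"""

def parse_iptables_save(text: str) -> list[tuple[str, str]]:
    """Return (table, rule) pairs; comments, ':CHAIN policy' and COMMIT are skipped."""
    rules, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
        elif line.startswith("-A") and table:
            rules.append((table, line))
    return rules

def new_rules(before: str, after: str) -> list[tuple[str, str]]:
    """Rules present in `after` but not in `before`, in the order they appear."""
    seen = set(parse_iptables_save(before))
    return [r for r in parse_iptables_save(after) if r not in seen]

def by_chain(rules: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group rules under 'table/CHAIN' so NAT, forwarding and inbound changes stand out."""
    out: dict[str, list[str]] = {}
    for table, rule in rules:
        out.setdefault(f"{table}/{rule.split()[1]}", []).append(rule)
    return out

if __name__ == "__main__":  # usage: python3 ipt_diff.py before.rules after.rules
    snaps = [open(p, encoding="utf-8").read() for p in sys.argv[1:3]]
    if len(snaps) != 2:
        snaps = [BEFORE, AFTER]           # fall back to the constructed samples
    for chain, lines in by_chain(new_rules(*snaps)).items():
        print(chain, *lines, sep="\n  ")
```

Run it with no arguments to see the grouping on the samples, or with two snapshot files to review what a real `netplan apply` added; an empty result means the ruleset did not change.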
Werner Posted 4 minutes ago

1 hour ago, bushw said: "at the very least among the forum moderators"

Forum moderators are there to provide guidance in discussion and take action if things get out of control. Having a wide variety of knowledge in various areas is desirable but not mandatory. As for myself, I did not know about that either.