After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 732826 - nmcli - Disconnect VPN Without Specifying ID or UUID
nmcli - Disconnect VPN Without Specifying ID or UUID
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: nmcli
0.9.x
Other Linux
: Normal normal
: ---
Assigned To: NetworkManager maintainer(s)
NetworkManager maintainer(s)
Depends on:
Blocks:
 
 
Reported: 2014-07-07 08:28 UTC by Lonnie Best
Modified: 2015-04-20 18:51 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Lonnie Best 2014-07-07 08:28:38 UTC
In a recent attempt to eliminate steps when switching between VPNs ( https://bugs.launchpad.net/ubuntu/+source/network-manager-vpnc/+bug/1215262 ), I discovered a need for adding an additional option to the nmcli command.

Currently, in order to disconnect a VPN, you have to specify its id or uuid. I'm proposing that a general disconnection feature be added that will disconnect any connected VPN without having to specify its id or UUID.

This need becomes more clear when you attempt to automate switching between VPNs, as I describe in this comment:
https://bugs.launchpad.net/ubuntu/+source/network-manager-vpnc/+bug/1215262/comments/4

As you can see, without this proposed feature, switching between VPNs is very verbose to automate.

I wish there was a command like this:
nmcli con down allvpn

This proposed command would disconnects any currently connected VPNs (without the necessity of specifying their id or uuid).



If you are connected to a VPN, this command will return a list of established VPN connections:
nmcli con status | grep -oP '^(([^\s]+\s){1,}[\s]{2,}){4}yes.+$'

This command will list the IDs of any established vpn connections (one per line):
nmcli con status | grep -oP '^(([^\s]+\s){1,}[\s]{2,}){4}yes.+$' | grep -oP '^.*?(?=\s{2,})'

So to disconnect all VPN connections you could do it based on this ID like this:
nmcli con status | grep -oP '^(([^\s]+\s){1,}[\s]{2,}){4}yes.+$' | grep -oP '^.*?(?=\s{2,})' | sed 's/^/\x27/' | sed 's/$/\x27/' | xargs -L1 nmcli con down id

However, perhaps it is better to do this using the UUIDs.

You can list the UUIDs of all established VPN connections like this:
nmcli con status | grep -oP '^(([^\s]+\s){1,}[\s]{2,}){4}yes.+$' | grep -oP '(?<=[\s]{2})[^\s]+(?=(\s+[^\s]+){2}\s+yes.*)'

So you can disconnect all established VPN connections by UUID like this:
nmcli con status | grep -oP '^(([^\s]+\s){1,}[\s]{2,}){4}yes.+$' | grep -oP '(?<=[\s]{2})[^\s]+(?=(\s+[^\s]+){2}\s+yes.*)' | xargs -L1 nmcli con down uuid

Perhaps this logic could be added to nmcli, so that this following proposed option would concisely achieve the same results:
nmcli con down allvpn

Downstream: https://bugs.launchpad.net/network-manager-openvpn/+bug/1338382
Comment 1 Thomas Haller 2014-07-07 11:22:33 UTC
Sidenote: in the meantime nmcli changed the syntax to show active connections.

On 0.9.10 you would do instead:
  [1] nmcli connection show --active

And there was a short time, where the above would have to be written as
  [2] nmcli connection show active
The latter syntax was during development of 0.9.9, and is only present in Fedora 20 AFAIK.


Also, nmcli has also the options --terse, --fields, and --mode. Those might help with parsing of the output.



Regarding a new VPN disconnect-all option: I am not convinced about the need for that. Especially since there is a simple(?) workaround as you presented.
Comment 2 Lonnie Best 2014-07-07 17:22:25 UTC
Perhaps someone with your experience would find these workarounds simple, but I won't pretend that I wrote those commands at my max-type-speed.

Plus, you've already revealed that the latest version already breaks the work-arounds I've implemented.

Therefore, if this feature was offered inherently, by nmcli, it could be relied upon without worry that future updates might break commands, code, or scripts that rely upon parsing "nmcli-output that has an unchanging format/interface".
Comment 3 Thomas Haller 2014-07-07 18:16:51 UTC
(In reply to comment #2)
> Plus, you've already revealed that the latest version already breaks the
> work-arounds I've implemented.
> 
> Therefore, if this feature was offered inherently, by nmcli, it could be relied
> upon without worry that future updates might break commands, code, or scripts
> that rely upon parsing "nmcli-output that has an unchanging format/interface".

If you depend on this new command, you already restrict your script to >= 0.9.10 (unless somebody backports it to nmcli <= 0.9.8, which most likely won't happen).

nmcli <= 0.9.8 was new and not yet finished. Therefore the command line syntax was changed. In the future we will be very careful not to do that again. Really!! :)



Anyway. Such a new command could become a proper NM method that NetworkManager provides via the DBUS interface ( https://developer.gnome.org/NetworkManager/0.9/spec.html ). Any client (including nmcli) would only call this new method and all the work would be done by NetworkManager.

However, probably it would be better and more flexibly to implement it entirely inside the client, i.e. nmcli would use the DBUS API to query the active VPN connections and down them one by one.
If you do that, the nmcli solution is not at all more powerful then a python script (or any other client application that uses the DBUS interface). nmcli uses no other interface then the public DBUS API.

I would suggest instead to write a python application that implements the new command. Examples how to do that would be here http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/examples/python/
(btw. the DBUS API is "quite" stable, so the script could easily work with >= 0.9.8).



If somebody is willing to implement the such a command in nmcli, I certainly don't oppose it. But I wouldn't hold my breath, and a script using DBUS could do the very same.
Comment 4 Jiri Klimes 2015-03-05 15:11:17 UTC
I have added Lua and Python scripts for deactivating connection by type. Find them in the examples directory:
http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/examples/lua/lgi/deactivate-all.lua
http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/examples/python/gi/deactivate-all.py
Comment 5 Lonnie Best 2015-04-20 18:51:01 UTC
In the new version of nmcli, you can disconnect all active vpn connections with the following command:

nmcli connection show --active | grep vpn | grep -oP .{8}-.{4}-.{4}-.{4}-.{12} | xargs -L1 nmcli con down uuid