1NETWORKMANAGER.CONF(5) Configuration NETWORKMANAGER.CONF(5)
2
3
4
6 NetworkManager.conf - NetworkManager configuration file
7
9 /etc/NetworkManager/NetworkManager.conf,
10 /etc/NetworkManager/conf.d/name.conf,
11 /run/NetworkManager/conf.d/name.conf,
12 /usr/lib/NetworkManager/conf.d/name.conf,
13 /var/lib/NetworkManager/NetworkManager-intern.conf
14
16 NetworkManager.conf is the configuration file for NetworkManager. It is
17 used to set up various aspects of NetworkManager's behavior. The
18 location of the main file and configuration directories may be changed
19 through use of the --config, --config-dir, --system-config-dir, and
20 --intern-config argument for NetworkManager, respectively.
21
22 If a default NetworkManager.conf is provided by your distribution's
23 packages, you should not modify it, since your changes may get
24 overwritten by package updates. Instead, you can add additional .conf
25 files to the /etc/NetworkManager/conf.d directory. These will be read
26 in order, with later files overriding earlier ones. Packages might
27 install further configuration snippets to
28 /usr/lib/NetworkManager/conf.d. This directory is parsed first, even
29 before NetworkManager.conf. Scripts can also put per-boot configuration
30 into /run/NetworkManager/conf.d. This directory is parsed second, also
31 before NetworkManager.conf. The loading of a file
32 /run/NetworkManager/conf.d/name.conf can be prevented by adding a file
33 /etc/NetworkManager/conf.d/name.conf. Likewise, a file
34 /usr/lib/NetworkManager/conf.d/name.conf can be shadowed by putting a
35 file of the same name to either /etc/NetworkManager/conf.d or
36 /run/NetworkManager/conf.d.
37
38 NetworkManager can overwrite certain user configuration options via
39 D-Bus or other internal operations. In this case it writes those
40 changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This
41 file is not intended to be modified by the user, but it is read last
42 and can shadow user configuration from NetworkManager.conf.
43
44 Certain settings from the configuration can be reloaded at runtime
45 either by sending SIGHUP signal or via D-Bus' Reload call.
46
48 The configuration file format is so-called key file (sort of ini-style
49 format). It consists of sections (groups) of key-value pairs. Lines
50 beginning with a '#' and blank lines are considered comments. Sections
51 are started by a header line containing the section enclosed in '[' and
52 ']', and ended implicitly by the start of the next section or the end
53 of the file. Each key-value pair must be contained in a section.
54
55 For keys that take a list of devices as their value, you can specify
56 devices by their MAC addresses or interface names, or "*" to specify
57 all devices. See the section called “Device List Format” below.
58
59 Minimal system settings configuration file looks like this:
60
61 [main]
62 plugins=keyfile
63
64 As an extension to the normal keyfile format, you can also append a
65 value to a previously-set list-valued key by doing:
66
67 plugins+=another-plugin
68 plugins-=remove-me
69
70
72 plugins
73 Lists system settings plugin names separated by ','. These plugins
74 are used to read and write system-wide connection profiles. When
75 multiple plugins are specified, the connections are read from all
76 listed plugins. When writing connections, the plugins will be asked
77 to save the connection in the order listed here; if the first
78 plugin cannot write out that connection type (or can't write out
79 any connections) the next plugin is tried, etc. If none of the
80 plugins can save the connection, an error is returned to the user.
81
82 The default value and the number of available plugins is
83 distro-specific. See the section called “PLUGINS” below for the
84 available plugins. Note that NetworkManager's native keyfile plugin
85 is always appended to the end of this list (if it doesn't already
86 appear earlier in the list).
87
88 monitor-connection-files
89 This setting is deprecated and has no effect.
90
91 auth-polkit
92 Whether the system uses PolicyKit for authorization. If false, all
93 requests will be allowed. If true, non-root requests are authorized
94 using PolicyKit. The default value is true.
95
96 dhcp
97 This key sets up what DHCP client NetworkManager will use. Allowed
98 values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd
99 options require the indicated clients to be installed. The internal
100 option uses a built-in DHCP client which is not currently as
101 featureful as the external clients.
102
103 If this key is missing, it defaults to internal. It the chosen
104 plugin is not available, clients are looked for in this order:
105 dhclient, dhcpcd, internal.
106
107 no-auto-default
108 Specify devices for which NetworkManager shouldn't create default
109 wired connection (Auto eth0). By default, NetworkManager creates a
110 temporary wired connection for any Ethernet device that is managed
111 and doesn't have a connection configured. List a device in this
112 option to inhibit creating the default connection for the device.
113 May have the special value * to apply to all devices.
114
115 When the default wired connection is deleted or saved to a new
116 persistent connection by a plugin, the device is added to a list in
117 the file /var/lib/NetworkManager/no-auto-default.state to prevent
118 creating the default connection for that device again.
119
120 See the section called “Device List Format” for the syntax how to
121 specify a device.
122
123 Example:
124
125 no-auto-default=00:22:68:5c:5d:c4,00:1e:65:ff:aa:ee
126 no-auto-default=eth0,eth1
127 no-auto-default=*
128
129
130 ignore-carrier
131 This setting is deprecated for the per-device setting
132 ignore-carrier which overwrites this setting if specified (See
133 ignore-carrier). Otherwise, it is a list of matches to specify for
134 which device carrier should be ignored. See the section called
135 “Device List Format” for the syntax how to specify a device. Note
136 that master types like bond, bridge, and team ignore carrier by
137 default. You can however revert that default using the "except:"
138 specifier (or better, use the per-device setting instead of the
139 deprecated setting).
140
141 assume-ipv6ll-only
142 Specify devices for which NetworkManager will try to generate a
143 connection based on initial configuration when the device only has
144 an IPv6 link-local address.
145
146 See the section called “Device List Format” for the syntax how to
147 specify a device.
148
149 configure-and-quit
150 When set to 'true', NetworkManager quits after performing initial
151 network configuration but spawns small helpers to preserve DHCP
152 leases and IPv6 addresses. This is useful in environments where
153 network setup is more or less static or it is desirable to save
154 process time but still handle some dynamic configurations. When
155 this option is true, network configuration for Wi-Fi, WWAN,
156 Bluetooth, ADSL, and PPPoE interfaces cannot be preserved due to
157 their use of external services, and these devices will be
158 deconfigured when NetworkManager quits even though other
159 interface's configuration may be preserved. Also, to preserve DHCP
160 addresses the 'dhcp' option must be set to 'internal'. The default
161 value of the 'configure-and-quit' option is 'false', meaning that
162 NetworkManager will continue running after initial network
163 configuration and continue responding to system and hardware
164 events, D-Bus requests, and user commands.
165
166 hostname-mode
167 Set the management mode of the hostname. This parameter will affect
168 only the transient hostname. If a valid static hostname is set,
169 NetworkManager will skip the update of the hostname despite the
170 value of this option. An hostname empty or equal to 'localhost',
171 'localhost6', 'localhost.localdomain' or 'localhost6.localdomain'
172 is considered invalid.
173
174 default: NetworkManager will update the hostname with the one
175 provided via DHCP on the main connection (the one with a default
176 route). If not present, the hostname will be updated to the last
177 one set outside NetworkManager. If it is not valid, NetworkManager
178 will try to recover the hostname from the reverse lookup of the IP
179 address of the main connection. If this fails too, the hostname
180 will be set to 'localhost.localdomain'.
181
182 dhcp: NetworkManager will update the transient hostname only with
183 information coming from DHCP. No fallback nor reverse lookup will
184 be performed, but when the dhcp connection providing the hostname
185 is deactivated, the hostname is reset to the last hostname set
186 outside NetworkManager or 'localhost' if none valid is there.
187
188 none: NetworkManager will not manage the transient hostname and
189 will never set it.
190
191 dns
192 Set the DNS processing mode.
193
194 If the key is unspecified, default is used, unless /etc/resolv.conf
195 is a symlink to /run/systemd/resolve/stub-resolv.conf,
196 /run/systemd/resolve/resolv.conf, /lib/systemd/resolv.conf or
197 /usr/lib/systemd/resolv.conf. In that case, systemd-resolved is
198 chosen automatically.
199
200 default: NetworkManager will update /etc/resolv.conf to reflect the
201 nameservers provided by currently active connections.
202
203 dnsmasq: NetworkManager will run dnsmasq as a local caching
204 nameserver, using "Conditional Forwarding" if you are connected to
205 a VPN, and then update resolv.conf to point to the local
206 nameserver. It is possible to pass custom options to the dnsmasq
207 instance by adding them to files in the
208 "/etc/NetworkManager/dnsmasq.d/" directory. Note that when multiple
209 upstream servers are available, dnsmasq will initially contact them
210 in parallel and then use the fastest to respond, probing again
211 other servers after some time. This behavior can be modified
212 passing the 'all-servers' or 'strict-order' options to dnsmasq (see
213 the manual page for more details).
214
215 systemd-resolved: NetworkManager will push the DNS configuration to
216 systemd-resolved
217
218 unbound: NetworkManager will talk to unbound and dnssec-triggerd,
219 using "Conditional Forwarding" with DNSSEC support.
220 /etc/resolv.conf will be managed by dnssec-trigger daemon.
221
222 none: NetworkManager will not modify resolv.conf. This implies
223 rc-manager unmanaged
224
225 Note that the plugins dnsmasq, systemd-resolved and unbound are
226 caching local nameservers. Hence, when NetworkManager writes
227 /run/NetworkManager/resolv.conf and /etc/resolv.conf (according to
228 rc-manager setting below), the name server there will be localhost
229 only. NetworkManager also writes a file
230 /run/NetworkManager/no-stub-resolv.conf that contains the original
231 name servers pushed to the DNS plugin.
232
233 rc-manager
234 Set the resolv.conf management mode. The default value depends on
235 NetworkManager build options, and this version of NetworkManager
236 was build with a default of "symlink". Regardless of this setting,
237 NetworkManager will always write resolv.conf to its runtime state
238 directory /run/NetworkManager/resolv.conf.
239
240 symlink: If /etc/resolv.conf is a regular file, NetworkManager will
241 replace the file on update. If /etc/resolv.conf is instead a
242 symlink, NetworkManager will leave it alone. Unless the symlink
243 points to the internal file /run/NetworkManager/resolv.conf, in
244 which case the symlink will be updated to emit an inotify
245 notification. This allows the user to conveniently instruct
246 NetworkManager not to manage /etc/resolv.conf by replacing it with
247 a symlink.
248
249 file: NetworkManager will write /etc/resolv.conf as file. If it
250 finds a symlink to an existing target, it will follow the symlink
251 and update the target instead. In no case will an existing symlink
252 be replaced by a file. Note that older versions of NetworkManager
253 behaved differently and would replace dangling symlinks with a
254 plain file.
255
256 resolvconf: NetworkManager will run resolvconf to update the DNS
257 configuration.
258
259 netconfig: NetworkManager will run netconfig to update the DNS
260 configuration.
261
262 unmanaged: don't touch /etc/resolv.conf.
263
264 none: deprecated alias for symlink.
265
266 systemd-resolved
267 Send the connection DNS configuration to systemd-resolved. Defaults
268 to "true".
269
270 Note that this setting is complementary to the dns setting. You can
271 keep this enabled while using dns set to another DNS plugin
272 alongside systemd-resolved, or dns set to systemd-resolved to
273 configure the system resolver to use systemd-resolved.
274
275 If systemd-resolved is enabled, the connectivity check resolves the
276 hostname per-device.
277
278 debug
279 Comma separated list of options to aid debugging. This value will
280 be combined with the environment variable NM_DEBUG. Currently the
281 following values are supported:
282
283 RLIMIT_CORE: set ulimit -c unlimited to write out core dumps.
284 Beware, that a core dump can contain sensitive information such as
285 passwords or configuration settings.
286
287 fatal-warnings: set g_log_set_always_fatal() to core dump on
288 warning messages from glib. This is equivalent to the
289 --g-fatal-warnings command line option.
290
291 autoconnect-retries-default
292 The number of times a connection activation should be automatically
293 tried before switching to another one. This value applies only to
294 connections that can auto-connect and have a
295 connection.autoconnect-retries property set to -1. If not
296 specified, connections will be tried 4 times. Setting this value to
297 1 means to try activation once, without retry.
298
299 slaves-order
300 This key specifies in which order slave connections are
301 auto-activated on boot or when the master activates them. Allowed
302 values are name (order connection by interface name, the default),
303 or index (order slaves by their kernel index).
304
306 This section contains keyfile-plugin-specific options, and is normally
307 only used when you are not using any other distro-specific plugin.
308
309 hostname
310 This key is deprecated and has no effect since the hostname is now
311 stored in /etc/hostname or other system configuration files
312 according to build options.
313
314 path
315 The location where keyfiles are read and stored. This defaults to
316 "/etc/NetworkManager/system-connections".
317
318 unmanaged-devices
319 Set devices that should be ignored by NetworkManager.
320
321 See the section called “Device List Format” for the syntax how to
322 specify a device.
323
324 Example:
325
326 unmanaged-devices=interface-name:em4
327 unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
328
329
331 This section contains ifupdown-specific options and thus only has
332 effect when using the ifupdown plugin.
333
334 managed
335 If set to true, then interfaces listed in /etc/network/interfaces
336 are managed by NetworkManager. If set to false, then any interface
337 listed in /etc/network/interfaces will be ignored by
338 NetworkManager. Remember that NetworkManager controls the default
339 route, so because the interface is ignored, NetworkManager may
340 assign the default route to some other interface.
341
342 The default value is false.
343
345 This section controls NetworkManager's logging. Any settings here are
346 overridden by the --log-level and --log-domains command-line options.
347
348 level
349 The default logging verbosity level. One of OFF, ERR, WARN, INFO,
350 DEBUG, TRACE. The ERR level logs only critical errors. WARN logs
351 warnings that may reflect operation. INFO logs various
352 informational messages that are useful for tracking state and
353 operations. DEBUG enables verbose logging for debugging purposes.
354 TRACE enables even more verbose logging then DEBUG level.
355 Subsequent levels also log all messages from earlier levels; thus
356 setting the log level to INFO also logs error and warning messages.
357
358 domains
359 The following log domains are available: PLATFORM, RFKILL, ETHER,
360 WIFI, BT, MB, DHCP4, DHCP6, PPP, WIFI_SCAN, IP4, IP6, AUTOIP4, DNS,
361 VPN, SHARING, SUPPLICANT, AGENTS, SETTINGS, SUSPEND, CORE, DEVICE,
362 OLPC, WIMAX, INFINIBAND, FIREWALL, ADSL, BOND, VLAN, BRIDGE,
363 DBUS_PROPS, TEAM, CONCHECK, DCB, DISPATCH, AUDIT, SYSTEMD,
364 VPN_PLUGIN, PROXY.
365
366 In addition, these special domains can be used: NONE, ALL, DEFAULT,
367 DHCP, IP.
368
369 You can specify per-domain log level overrides by adding a colon
370 and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".
371
372 Domain descriptions:
373 PLATFORM : OS (platform) operations
374 RFKILL : RFKill subsystem operations
375 ETHER : Ethernet device operations
376 WIFI : Wi-Fi device operations
377 BT : Bluetooth operations
378 MB : Mobile broadband operations
379 DHCP4 : DHCP for IPv4
380 DHCP6 : DHCP for IPv6
381 PPP : Point-to-point protocol operations
382 WIFI_SCAN : Wi-Fi scanning operations
383 IP4 : IPv4-related operations
384 IP6 : IPv6-related operations
385 AUTOIP4 : AutoIP operations
386 DNS : Domain Name System related operations
387 VPN : Virtual Private Network connections and
388 operations
389 SHARING : Connection sharing. With TRACE level log queries
390 for dnsmasq instance
391 SUPPLICANT : WPA supplicant related operations
392 AGENTS : Secret agents operations and communication
393 SETTINGS : Settings/config service operations
394 SUSPEND : Suspend/resume
395 CORE : Core daemon and policy operations
396 DEVICE : Activation and general interface operations
397 OLPC : OLPC Mesh device operations
398 WIMAX : WiMAX device operations
399 INFINIBAND : InfiniBand device operations
400 FIREWALL : FirewallD related operations
401 ADSL : ADSL device operations
402 BOND : Bonding operations
403 VLAN : VLAN operations
404 BRIDGE : Bridging operations
405 DBUS_PROPS : D-Bus property changes
406 TEAM : Teaming operations
407 CONCHECK : Connectivity check
408 DCB : Data Center Bridging (DCB) operations
409 DISPATCH : Dispatcher scripts
410 AUDIT : Audit records
411 SYSTEMD : Messages from internal libsystemd
412 VPN_PLUGIN : logging messages from VPN plugins
413 PROXY : logging messages for proxy handling
414
415 NONE : when given by itself logging is disabled
416 ALL : all log domains
417 DEFAULT : default log domains
418 DHCP : shortcut for "DHCP4,DHCP6"
419 IP : shortcut for "IP4,IP6"
420
421 HW : deprecated alias for "PLATFORM"
422
423 In general, the logfile should not contain passwords or private
424 data. However, you are always advised to check the file before
425 posting it online or attaching to a bug report. VPN_PLUGIN is
426 special as it might reveal private information of the VPN plugins
427 with verbose levels. Therefore this domain will be excluded when
428 setting ALL or DEFAULT to more verbose levels then INFO.
429
430 backend
431 The logging backend. Supported values are "syslog" and "journal".
432 When NetworkManager is started with "--debug" in addition all
433 messages will be printed to stderr. If unspecified, the default is
434 "journal".
435
436 audit
437 Whether the audit records are delivered to auditd, the audit
438 daemon. If false, audit records will be sent only to the
439 NetworkManager logging system. If set to true, they will be also
440 sent to auditd. The default value is false.
441
443 Specify default values for connections.
444
445 Example:
446
447 [connection]
448 ipv6.ip6-privacy=0
449
450
451 Supported Properties
452 Not all properties can be overwritten, only the following properties
453 are supported to have their default values configured (see nm-
454 settings(5) for details). A default value is only consulted if the
455 corresponding per-connection value explicitly allows for that.
456
457
458
459 802-1x.auth-timeout
460
461 cdma.mtu
462
463 connection.auth-retries
464 If left unspecified, the default value is 3 tries before failing
465 the connection.
466
467 connection.autoconnect-slaves
468
469 connection.lldp
470
471 connection.llmnr
472
473 connection.mdns
474
475 connection.stable-id
476
477 ethernet.cloned-mac-address
478 If left unspecified, it defaults to "preserve".
479
480 ethernet.generate-mac-address-mask
481
482 ethernet.mtu
483 If configured explicitly to 0, the MTU is not reconfigured during
484 device activation unless it is required due to IPv6 constraints. If
485 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
486 MTU is not reconfigured during activation.
487
488 ethernet.wake-on-lan
489
490 gsm.mtu
491
492 infiniband.mtu
493 If configured explicitly to 0, the MTU is not reconfigured during
494 device activation unless it is required due to IPv6 constraints. If
495 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
496 MTU is left unspecified on activation.
497
498 ip-tunnel.mtu
499 If configured explicitly to 0, the MTU is not reconfigured during
500 device activation unless it is required due to IPv6 constraints. If
501 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
502 default of 1500.
503
504 ipv4.dad-timeout
505
506 ipv4.dhcp-client-id
507
508 ipv4.dhcp-timeout
509 If left unspecified, the default value for the interface type is
510 used.
511
512 ipv4.dns-priority
513 If unspecified or zero, use 50 for VPN profiles and 100 for other
514 profiles.
515
516 ipv4.route-metric
517
518 ipv4.route-table
519 If left unspecified, routes are only added to the main table. Note
520 that this is different from explicitly selecting the main table
521 254, because of how NetworkManager removes extraneous routes from
522 the tables.
523
524 ipv6.dhcp-duid
525 If left unspecified, it defaults to "lease".
526
527 ipv6.dhcp-timeout
528 If left unspecified, the default value for the interface type is
529 used.
530
531 ipv6.dns-priority
532 If unspecified or zero, use 50 for VPN profiles and 100 for other
533 profiles.
534
535 ipv6.ip6-privacy
536 If ipv6.ip6-privacy is unset, use the content of
537 "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.
538
539 ipv6.route-metric
540
541 ipv6.route-table
542 If left unspecified, routes are only added to the main table. Note
543 that this is different from explicitly selecting the main table
544 254, because of how NetworkManager removes extraneous routes from
545 the tables.
546
547 sriov.autoprobe-drivers
548 If left unspecified, drivers are autoprobed when the SR-IOV VF gets
549 created.
550
551 vpn.timeout
552 If left unspecified, default value of 60 seconds is used.
553
554 wifi.cloned-mac-address
555 If left unspecified, it defaults to "preserve".
556
557 wifi.generate-mac-address-mask
558
559 wifi.mac-address-randomization
560 If left unspecified, MAC address randomization is disabled. This
561 setting is deprecated for wifi.cloned-mac-address.
562
563 wifi.mtu
564 If configured explicitly to 0, the MTU is not reconfigured during
565 device activation unless it is required due to IPv6 constraints. If
566 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
567 default of 1500.
568
569 wifi.powersave
570 If left unspecified, the default value "ignore" will be used.
571
572 wifi-sec.pmf
573 If left unspecified, the default value "optional" will be used.
574
575 wifi-sec.fils
576 If left unspecified, the default value "optional" will be used.
577
578 wifi.wake-on-wlan
579
580 wireguard.mtu
581
582
583 Sections
584 You can configure multiple connection sections, by having different
585 sections with a name that all start with "connection". Example:
586
587 [connection]
588 ipv6.ip6-privacy=0
589 connection.autoconnect-slaves=1
590 vpn.timeout=120
591
592 [connection-wifi-wlan0]
593 match-device=interface-name:wlan0
594 ipv4.route-metric=50
595
596 [connection-wifi-other]
597 match-device=type:wifi
598 ipv4.route-metric=55
599 ipv6.ip6-privacy=1
600
601 The sections within one file are considered in order of appearance,
602 with the exception that the [connection] section is always considered
603 last. In the example above, this order is [connection-wifi-wlan0],
604 [connection-wlan-other], and [connection]. When checking for a default
605 configuration value, the sections are searched until the requested
606 value is found. In the example above, "ipv4.route-metric" for wlan0
607 interface is set to 50, and for all other Wi-Fi typed interfaces to 55.
608 Also, Wi-Fi devices would have IPv6 private addresses enabled by
609 default, but other devices would have it disabled. Note that also
610 "wlan0" gets "ipv6.ip6-privacy=1", because although the section
611 "[connection-wifi-wlan0]" matches the device, it does not contain that
612 property and the search continues.
613
614 When having different sections in multiple files, sections from files
615 that are read later have higher priority. So within one file the
616 priority of the sections is top-to-bottom. Across multiple files later
617 definitions take precedence.
618
619 The following properties further control how a connection section
620 applies.
621
622 match-device
623 An optional device spec that restricts when the section applies.
624 See the section called “Device List Format” for the possible
625 values.
626
627 stop-match
628 An optional boolean value which defaults to no. If the section
629 matches (based on match-device), further sections will not be
630 considered even if the property in question is not present. In the
631 example above, if [connection-wifi-wlan0] would have stop-match set
632 to yes, the device wlan0 would have ipv6.ip6-privacy property
633 unspecified. That is, the search for the property would not
634 continue in the connection sections [connection-wifi-other] or
635 [connection].
636
638 Contains per-device persistent configuration.
639
640 Example:
641
642 [device]
643 match-device=interface-name:eth3
644 managed=1
645
646
647 Supported Properties
648 The following properties can be configured per-device.
649
650 managed
651 Whether the device is managed or not. A device can be marked as
652 managed via udev rules (ENV{NM_UNMANAGED}), or via setting plugins
653 (keyfile.unmanaged-devices). This is yet another way. Note that
654 this configuration can be overruled at runtime via D-Bus. Also, it
655 has higher priority then udev rules.
656
657 carrier-wait-timeout
658 Specify the timeout for waiting for carrier in milliseconds. When
659 the device loses carrier, NetworkManager does not react
660 immediately. Instead, it waits for this timeout before considering
661 the link lost. Also, on startup, NetworkManager considers the
662 device as busy for this time, as long as the device has no carrier.
663 This delays startup-complete signal and NetworkManager-wait-online.
664 Configuring this too high means to block NetworkManager-wait-online
665 longer then necessary. Configuring it too low, means that
666 NetworkManager will declare startup-complete, although carrier is
667 about to come and auto-activation to kick in. The default is 5000
668 milliseconds.
669
670 ignore-carrier
671 Specify devices for which NetworkManager will (partially) ignore
672 the carrier state. Normally, for device types that support
673 carrier-detect, such as Ethernet and InfiniBand, NetworkManager
674 will only allow a connection to be activated on the device if
675 carrier is present (ie, a cable is plugged in), and it will
676 deactivate the device if carrier drops for more than a few seconds.
677
678 A device with carrier ignored will allow activating connections on
679 that device even when it does not have carrier, provided that the
680 connection uses only statically-configured IP addresses.
681 Additionally, it will allow any active connection (whether static
682 or dynamic) to remain active on the device when carrier is lost.
683
684 Note that the "carrier" property of NMDevices and device D-Bus
685 interfaces will still reflect the actual device state; it's just
686 that NetworkManager will not make use of that information.
687
688 Master types like bond, bridge and team ignore carrier by default,
689 while other device types react on carrier changes by default.
690
691 This setting overwrites the deprecated main.ignore-carrier setting
692 above.
693
694 wifi.scan-rand-mac-address
695 Configures MAC address randomization of a Wi-Fi device during
696 scanning. This defaults to yes in which case a random,
697 locally-administered MAC address will be used. The setting
698 wifi.scan-generate-mac-address-mask allows to influence the
699 generated MAC address to use certain vendor OUIs. If disabled, the
700 MAC address during scanning is left unchanged to whatever is
701 configured. For the configured MAC address while the device is
702 associated, see instead the per-connection setting
703 wifi.cloned-mac-address.
704
705 wifi.backend
706 Specify the Wi-Fi backend used for the device. Currently supported
707 are wpa_supplicant and iwd (experimental).
708
709 wifi.scan-generate-mac-address-mask
710 Like the per-connection settings ethernet.generate-mac-address-mask
711 and wifi.generate-mac-address-mask, this allows to configure the
712 generated MAC addresses during scanning. See nm-settings(5) for
713 details.
714
715 sriov-num-vfs
716 Specify the number of virtual functions (VF) to enable for a PCI
717 physical device that supports single-root I/O virtualization
718 (SR-IOV).
719
720 Sections
721 The [device] section works the same as the [connection] section. That
722 is, multiple sections that all start with the prefix "device" can be
723 specified. The settings "match-device" and "stop-match" are available
724 to match a device section on a device. The order of multiple sections
725 is also top-down within the file and later files overwrite previous
726 settings. See “Sections” under the section called “CONNECTION SECTION”
727 for details.
728
730 This section controls NetworkManager's optional connectivity checking
731 functionality. This allows NetworkManager to detect whether or not the
732 system can actually access the internet or whether it is behind a
733 captive portal.
734
735 Connectivity checking serves two purposes. For one, it exposes a
736 connectivity state on D-Bus, which other applications may use. For
737 example, Gnome's portal helper uses this as signal to show a captive
738 portal login page. The other use is that default-route of devices
739 without global connectivity get a penalty of +20000 to the
740 route-metric. This has the purpose to give a better default-route to
741 devices that have global connectivity. For example, when being
742 connected to WWAN and to a Wi-Fi network which is behind a captive
743 portal, WWAN still gets preferred until login.
744
745 Note that your distribution might set
746 /proc/sys/net/ipv4/conf/*/rp_filter to strict filtering. That works
747 badly with per-device connectivity checking, which uses SO_BINDDEVICE
748 to send requests on all devices. A strict rp_filter setting will reject
749 any response and the connectivity check on all but the best route will
750 fail.
751
752 uri
753 The URI of a web page to periodically request when connectivity is
754 being checked. This page should return the header
755 "X-NetworkManager-Status" with a value of "online". Alternatively,
756 its body content should be set to "NetworkManager is online". The
757 body content check can be controlled by the response option. If
758 this option is blank or missing, connectivity checking is disabled.
759
760 interval
761 Specified in seconds; controls how often connectivity is checked
762 when a network connection exists. If set to 0 connectivity checking
763 is disabled. If missing, the default is 300 seconds.
764
765 response
766 If set, controls what body content NetworkManager checks for when
767 requesting the URI for connectivity checking. Note that this only
768 compares that the HTTP response starts with the specifid text, it
769 does not compare the exact string. This behavior might change in
770 the future, so avoid relying on it. If missing, the response
771 defaults to "NetworkManager is online". If set to empty, the HTTP
772 server is expected to answer with status code 204 or send no data.
773
775 This section specifies global DNS settings that override
776 connection-specific configuration.
777
778 searches
779 A list of search domains to be used during hostname lookup.
780
781 options
782 A list of options to be passed to the hostname resolver.
783
785 Sections with a name starting with the "global-dns-domain-" prefix
786 allow to define global DNS configuration for specific domains. The part
787 of section name after "global-dns-domain-" specifies the domain name a
788 section applies to. More specific domains have the precedence over less
789 specific ones and the default domain is represented by the wildcard
790 "*". A default domain section is mandatory.
791
792 servers
793 A list of addresses of DNS servers to be used for the given domain.
794
795 options
796 A list of domain-specific DNS options. Not used at the moment.
797
799 This is a special section that contains options which apply to the
800 configuration file that contains the option.
801
802 enable
803 Defaults to "true". If "false", the configuration file will be
804 skipped during loading. Note that the main configuration file
805 NetworkManager.conf cannot be disabled.
806
807 # always skip loading the config file
808 [.config]
809 enable=false
810
811 You can also match against the version of NetworkManager. For
812 example the following are valid configurations:
813
814 # only load on version 1.0.6
815 [.config]
816 enable=nm-version:1.0.6
817
818 # load on all versions 1.0.x, but not 1.2.x
819 [.config]
820 enable=nm-version:1.0
821
822 # only load on versions >= 1.1.6. This does not match
823 # with version 1.2.0 or 1.4.4. Only the last digit is considered.
824 [.config]
825 enable=nm-version-min:1.1.6
826
827 # only load on versions >= 1.2. Contrary to the previous
828 # example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.
829 [.config]
830 enable=nm-version-min:1.2
831
832 # Match against the maximum allowed version. The example matches
833 # versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
834 # is allowed to be smaller. So this would not match match on 1.1.10.
835 [.config]
836 enable=nm-version-max:1.2.6
837
838 You can also match against the value of the environment variable
839 NM_CONFIG_ENABLE_TAG, like:
840
841 # always skip loading the file when running NetworkManager with
842 # environment variable "NM_CONFIG_ENABLE_TAG=TAG1"
843 [.config]
844 enable=env:TAG1
845
846 More then one match can be specified. The configuration will be
847 enabled if one of the predicates matches ("or"). The special prefix
848 "except:" can be used to negate the match. Note that if one
849 except-predicate matches, the entire configuration will be
850 disabled. In other words, a except predicate always wins over other
851 predicates. If the setting only consists of "except:" matches and
852 none of the negative conditions are satisfied, the configuration is
853 still enabled.
854
855 # enable the configuration either when the environment variable
856 # is present or the version is at least 1.2.0.
857 [.config]
858 enable=env:TAG2,nm-version-min:1.2
859
860 # enable the configuration for version >= 1.2.0, but disable
861 # it when the environment variable is set to "TAG3"
862 [.config]
863 enable=except:env:TAG3,nm-version-min:1.2
864
865 # enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
866 # Useful if a certain feature is only present since those releases.
867 [.config]
868 enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
869
870
872 Settings plugins for reading and writing connection profiles. The
873 number of available plugins is distribution specific.
874
875 keyfile
876 The keyfile plugin is the generic plugin that supports all the
877 connection types and capabilities that NetworkManager has. It
878 writes files out in an .ini-style format in
879 /etc/NetworkManager/system-connections. See nm-settings-keyfile(5)
880 for details about the file format.
881
882 The stored connection file may contain passwords, secrets and
883 private keys in plain text, so it will be made readable only to
884 root, and the plugin will ignore files that are readable or
885 writable by any user or group other than root. See "Secret flag
886 types" in nm-settings(5) for how to avoid storing passwords in
887 plain text.
888
889 This plugin is always active, and will automatically be used to
890 store any connections that aren't supported by any other active
891 plugin.
892
893 ifcfg-rh
894 This plugin is used on the Fedora and Red Hat Enterprise Linux
895 distributions to read and write configuration from the standard
896 /etc/sysconfig/network-scripts/ifcfg-* files. It currently supports
897 reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team
898 connections. Enabling ifcfg-rh implicitly enables ibft plugin, if
899 it is available. This can be disabled by adding no-ibft. See
900 /usr/share/doc/initscripts/sysconfig.txt and nm-settings-ifcfg-
901 rh(5) for more information about the ifcfg file format.
902
903 ifupdown
904 This plugin is used on the Debian and Ubuntu distributions, and
905 reads Ethernet and Wi-Fi connections from /etc/network/interfaces.
906
907 This plugin is read-only; any connections (of any type) added from
908 within NetworkManager when you are using this plugin will be saved
909 using the keyfile plugin instead.
910
911 ibft, no-ibft
912 These plugins are deprecated and their selection has no effect.
913 This is now handled by nm-initrd-generator.
914
915 ifcfg-suse, ifnet
916 These plugins are deprecated and their selection has no effect. The
917 keyfile plugin should be used instead.
918
920 Device List Format
921 The configuration options main.no-auto-default, main.ignore-carrier,
922 keyfile.unmanaged-devices, connection*.match-device and
923 device*.match-device select devices based on a list of matchings.
924 Devices can be specified using the following format:
925
926 *
927 Matches every device.
928
929 IFNAME
930 Case sensitive match of interface name of the device. Globbing is
931 not supported.
932
933 HWADDR
934 Match the permanent MAC address of the device. Globbing is not
935 supported
936
937 interface-name:IFNAME, interface-name:~IFNAME
938 Case sensitive match of interface name of the device. Simple
939 globbing is supported with * and ?. Ranges and escaping is not
940 supported.
941
942 interface-name:=IFNAME
943 Case sensitive match of interface name of the device. Globbing is
944 disabled and IFNAME is taken literally.
945
946 mac:HWADDR
947 Match the permanent MAC address of the device. Globbing is not
948 supported
949
950 s390-subchannels:HWADDR
951 Match the device based on the subchannel address. Globbing is not
952 supported
953
954 type:TYPE
955 Match the device type. Valid type names are as reported by "nmcli
956 -f GENERAL.TYPE device show". Globbing is not supported.
957
958 driver:DRIVER
959 Match the device driver as reported by "nmcli -f
960 GENERAL.DRIVER,GENERAL.DRIVER-VERSION device show". "DRIVER" must
961 match the driver name exactly and does not support globbing.
962 Optionally, a driver version may be specified separated by '/'.
963 Globbing is supported for the version.
964
965 dhcp-plugin:DHCP
966 Match the configured DHCP plugin "main.dhcp".
967
968 except:SPEC
969 Negative match of a device. SPEC must be explicitly qualified with
970 a prefix such as interface-name:. A negative match has higher
971 priority then the positive matches above.
972
973 If there is a list consisting only of negative matches, the
974 behavior is the same as if there is also match-all. That means, if
975 none of all the negative matches is satisfied, the overall result
976 is still a positive match. That means, "except:interface-name:eth0"
977 is the same as "*,except:interface-name:eth0".
978
979 SPEC[,;]SPEC
980 Multiple specs can be concatenated with commas or semicolons. The
981 order does not matter as matches are either inclusive or negative
982 (except:), with negative matches having higher priority.
983
984 Backslash is supported to escape the separators ';' and ',', and to
985 express special characters such as newline ('\n'), tabulator
986 ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
987 interface names cannot be escaped. Whitespace is not a separator
988 but will be trimmed between two specs (unless escaped as '\s').
989
990 Example:
991
992 interface-name:em4
993 mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
994 interface-name:vboxnet*,except:interface-name:vboxnet2
995 *,except:mac:00:22:68:1c:59:b1
996
997
999 NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1), nm-
1000 settings(5), nm-applet(1), nm-connection-editor(1)
1001
1002
1003
1004NetworkManager 1.20.8 NETWORKMANAGER.CONF(5)