NETWORKMANAGER.CONF(5)          Configuration          NETWORKMANAGER.CONF(5)

NAME
       NetworkManager.conf - NetworkManager configuration file

SYNOPSIS
       /etc/NetworkManager/NetworkManager.conf,
       /etc/NetworkManager/conf.d/name.conf,
       /run/NetworkManager/conf.d/name.conf,
       /usr/lib/NetworkManager/conf.d/name.conf,
       /var/lib/NetworkManager/NetworkManager-intern.conf

DESCRIPTION
       NetworkManager.conf is the configuration file for NetworkManager. It is
       used to set up various aspects of NetworkManager's behavior. The
       location of the main file and configuration directories may be changed
       through use of the --config, --config-dir, --system-config-dir, and
       --intern-config arguments for NetworkManager, respectively.

       If a default NetworkManager.conf is provided by your distribution's
       packages, you should not modify it, since your changes may get
       overwritten by package updates. Instead, you can add additional .conf
       files to the /etc/NetworkManager/conf.d directory. These will be read
       in order, with later files overriding earlier ones. Packages might
       install further configuration snippets to
       /usr/lib/NetworkManager/conf.d. This directory is parsed first, even
       before NetworkManager.conf. Scripts can also put per-boot configuration
       into /run/NetworkManager/conf.d. This directory is parsed second, also
       before NetworkManager.conf. The loading of a file
       /run/NetworkManager/conf.d/name.conf can be prevented by adding a file
       /etc/NetworkManager/conf.d/name.conf. Likewise, a file
       /usr/lib/NetworkManager/conf.d/name.conf can be shadowed by putting a
       file of the same name in either /etc/NetworkManager/conf.d or
       /run/NetworkManager/conf.d.

       NetworkManager can overwrite certain user configuration options via
       D-Bus or other internal operations. In this case it writes those
       changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This
       file is not intended to be modified by the user, but it is read last
       and can shadow user configuration from NetworkManager.conf.

       Certain settings from the configuration can be reloaded at runtime
       either by sending the SIGHUP signal or via the D-Bus Reload call.

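       When reviewing a host it helps to know which file has the last word.
       The Python sketch below is an added example, not part of NetworkManager
       or of this manual page; it resolves the parse order and the shadowing
       rules described above from a list of existing paths. It assumes that
       files inside one directory are read in name order and that
       /etc/NetworkManager/conf.d is read after NetworkManager.conf; the
       sample listing is constructed.

```python
from pathlib import PurePosixPath

USR_DIR = "/usr/lib/NetworkManager/conf.d"
RUN_DIR = "/run/NetworkManager/conf.d"
ETC_DIR = "/etc/NetworkManager/conf.d"
MAIN_FILE = "/etc/NetworkManager/NetworkManager.conf"
INTERN_FILE = "/var/lib/NetworkManager/NetworkManager-intern.conf"

# Constructed file listing (sample input, not taken from a real host).
SAMPLE_PATHS = [
    "/usr/lib/NetworkManager/conf.d/10-vendor.conf",
    "/usr/lib/NetworkManager/conf.d/20-connectivity.conf",
    "/run/NetworkManager/conf.d/15-boot.conf",
    "/run/NetworkManager/conf.d/20-connectivity.conf",
    "/etc/NetworkManager/NetworkManager.conf",
    "/etc/NetworkManager/conf.d/15-boot.conf",
    "/etc/NetworkManager/conf.d/90-local.conf",
    "/etc/NetworkManager/conf.d/README",  # ignored: not a .conf file
    "/var/lib/NetworkManager/NetworkManager-intern.conf",
]


def conf_names(paths, directory):
    """Sorted basenames of the *.conf files located directly in `directory`."""
    return sorted(
        p.name
        for p in map(PurePosixPath, paths)
        if str(p.parent) == directory and p.suffix == ".conf"
    )


def load_order(existing_paths):
    """Return (ordered, shadowed).

    ordered  -- files in parse order; a later file overrides an earlier one
    shadowed -- {file that is skipped: same-named file that shadows it}
    """
    paths = set(existing_paths)
    usr, run, etc = (conf_names(paths, d) for d in (USR_DIR, RUN_DIR, ETC_DIR))
    ordered, shadowed = [], {}

    # 1. /usr/lib is parsed first, unless /etc or /run holds the same name.
    for name in usr:
        src = f"{USR_DIR}/{name}"
        if name in etc:
            shadowed[src] = f"{ETC_DIR}/{name}"
        elif name in run:
            shadowed[src] = f"{RUN_DIR}/{name}"
        else:
            ordered.append(src)

    # 2. /run is parsed second, unless /etc holds the same name.
    for name in run:
        src = f"{RUN_DIR}/{name}"
        if name in etc:
            shadowed[src] = f"{ETC_DIR}/{name}"
        else:
            ordered.append(src)

    # 3. Main file, then /etc/conf.d (assumed order, see lead-in).
    if MAIN_FILE in paths:
        ordered.append(MAIN_FILE)
    ordered.extend(f"{ETC_DIR}/{name}" for name in etc)

    # 4. The internal file is read last and can shadow user configuration.
    if INTERN_FILE in paths:
        ordered.append(INTERN_FILE)
    return ordered, shadowed


if __name__ == "__main__":
    order, skipped = load_order(SAMPLE_PATHS)
    for path in order:
        print("parse  ", path)
    for path, by in skipped.items():
        print("skipped", path, "(shadowed by", by + ")")
```
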
FILE FORMAT
       The configuration file format is a so-called key file (a sort of
       ini-style format). It consists of sections (groups) of key-value pairs.
       Lines beginning with a '#' and blank lines are considered comments.
       Sections are started by a header line containing the section name
       enclosed in '[' and ']', and ended implicitly by the start of the next
       section or the end of the file. Each key-value pair must be contained
       in a section.

       For keys that take a list of devices as their value, you can specify
       devices by their MAC addresses or interface names, or "*" to specify
       all devices. See the section called “Device List Format” below.

       A minimal system settings configuration file looks like this:

           [main]
           plugins=keyfile

       As an extension to the normal keyfile format, you can also append a
       value to (or remove one from) a previously-set list-valued key by
       doing:

           plugins+=another-plugin
           plugins-=remove-me

MAIN SECTION
       plugins
           Lists system settings plugin names separated by ','. These plugins
           are used to read and write system-wide connection profiles. When
           multiple plugins are specified, the connections are read from all
           listed plugins. When writing connections, the plugins will be asked
           to save the connection in the order listed here; if the first
           plugin cannot write out that connection type (or can't write out
           any connections) the next plugin is tried, etc. If none of the
           plugins can save the connection, an error is returned to the user.

           The default value and the number of available plugins are
           distro-specific. See the section called “PLUGINS” below for the
           available plugins. Note that NetworkManager's native keyfile plugin
           is always appended to the end of this list (if it doesn't already
           appear earlier in the list).

       monitor-connection-files
           This setting is deprecated and has no effect.

       auth-polkit
           Whether the system uses PolicyKit for authorization. If true,
           non-root requests are authorized using PolicyKit. Requests from
           root (user ID zero) are always granted without asking PolicyKit. If
           false, all requests will be allowed and PolicyKit is not used. If
           set to root-only, PolicyKit is not used and all requests except
           those from root are denied. The default value is true.

       dhcp
           This key sets up what DHCP client NetworkManager will use. Allowed
           values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd
           options require the indicated clients to be installed. The internal
           option uses a built-in DHCP client which is not currently as
           featureful as the external clients.

           If this key is missing, it defaults to internal. If the chosen
           plugin is not available, clients are looked for in this order:
           dhclient, dhcpcd, internal.

       no-auto-default
           Specify devices for which NetworkManager shouldn't create a default
           wired connection (Auto eth0). By default, NetworkManager creates a
           temporary wired connection for any Ethernet device that is managed
           and doesn't have a connection configured. List a device in this
           option to inhibit creating the default connection for the device.
           May have the special value * to apply to all devices.

           When the default wired connection is deleted or saved to a new
           persistent connection by a plugin, the device is added to a list in
           the file /var/lib/NetworkManager/no-auto-default.state to prevent
           creating the default connection for that device again.

           See the section called “Device List Format” for the syntax used to
           specify a device.

           Example:

               no-auto-default=00:22:68:5c:5d:c4,00:1e:65:ff:aa:ee
               no-auto-default=eth0,eth1
               no-auto-default=*

       ignore-carrier
           This setting is deprecated in favor of the per-device setting
           ignore-carrier, which overrides this setting if specified (see
           ignore-carrier). Otherwise, it is a list of matches specifying the
           devices for which carrier should be ignored. See the section called
           “Device List Format” for the syntax used to specify a device. Note
           that master types like bond, bridge, and team ignore carrier by
           default. You can however revert that default using the "except:"
           specifier (or better, use the per-device setting instead of the
           deprecated setting).

       assume-ipv6ll-only
           Specify devices for which NetworkManager will try to generate a
           connection based on initial configuration when the device only has
           an IPv6 link-local address.

           See the section called “Device List Format” for the syntax used to
           specify a device.

       configure-and-quit
           When set to 'true', NetworkManager quits after performing initial
           network configuration but spawns small helpers to preserve DHCP
           leases and IPv6 addresses. This is useful in environments where
           network setup is more or less static or it is desirable to save
           process time but still handle some dynamic configurations. When
           this option is true, network configuration for Wi-Fi, WWAN,
           Bluetooth, ADSL, and PPPoE interfaces cannot be preserved due to
           their use of external services, and these devices will be
           deconfigured when NetworkManager quits even though other
           interfaces' configuration may be preserved. Also, to preserve DHCP
           addresses the 'dhcp' option must be set to 'internal'. The default
           value of the 'configure-and-quit' option is 'false', meaning that
           NetworkManager will continue running after initial network
           configuration and continue responding to system and hardware
           events, D-Bus requests, and user commands.

       hostname-mode
           Set the management mode of the hostname. This parameter will affect
           only the transient hostname. If a valid static hostname is set,
           NetworkManager will skip the update of the hostname regardless of
           the value of this option. A hostname that is empty or equal to
           'localhost', 'localhost6', 'localhost.localdomain' or
           'localhost6.localdomain' is considered invalid.

           default: NetworkManager will update the hostname with the one
           provided via DHCP on the main connection (the one with a default
           route). If not present, the hostname will be updated to the last
           one set outside NetworkManager. If it is not valid, NetworkManager
           will try to recover the hostname from the reverse lookup of the IP
           address of the main connection. If this fails too, the hostname
           will be set to 'localhost.localdomain'.

           dhcp: NetworkManager will update the transient hostname only with
           information coming from DHCP. No fallback nor reverse lookup will
           be performed, but when the DHCP connection providing the hostname
           is deactivated, the hostname is reset to the last hostname set
           outside NetworkManager or 'localhost' if none valid is there.

           none: NetworkManager will not manage the transient hostname and
           will never set it.

       dns
           Set the DNS processing mode.

           If the key is unspecified, default is used, unless /etc/resolv.conf
           is a symlink to /run/systemd/resolve/stub-resolv.conf,
           /run/systemd/resolve/resolv.conf, /lib/systemd/resolv.conf or
           /usr/lib/systemd/resolv.conf. In that case, systemd-resolved is
           chosen automatically.

           default: NetworkManager will update /etc/resolv.conf to reflect the
           nameservers provided by currently active connections.

           dnsmasq: NetworkManager will run dnsmasq as a local caching
           nameserver, using "Conditional Forwarding" if you are connected to
           a VPN, and then update resolv.conf to point to the local
           nameserver. It is possible to pass custom options to the dnsmasq
           instance by adding them to files in the
           "/etc/NetworkManager/dnsmasq.d/" directory. Note that when multiple
           upstream servers are available, dnsmasq will initially contact them
           in parallel and then use the fastest to respond, probing again
           other servers after some time. This behavior can be modified by
           passing the 'all-servers' or 'strict-order' options to dnsmasq (see
           the manual page for more details).

           systemd-resolved: NetworkManager will push the DNS configuration to
           systemd-resolved.

           unbound: NetworkManager will talk to unbound and dnssec-triggerd,
           using "Conditional Forwarding" with DNSSEC support.
           /etc/resolv.conf will be managed by the dnssec-trigger daemon.

           none: NetworkManager will not modify resolv.conf. This implies
           rc-manager unmanaged.

           Note that the plugins dnsmasq, systemd-resolved and unbound are
           caching local nameservers. Hence, when NetworkManager writes
           /run/NetworkManager/resolv.conf and /etc/resolv.conf (according to
           the rc-manager setting below), the name server there will be
           localhost only. NetworkManager also writes a file
           /run/NetworkManager/no-stub-resolv.conf that contains the original
           name servers pushed to the DNS plugin.

           When using dnsmasq and systemd-resolved, per-connection added DNS
           servers will always be queried using the device the connection has
           been activated on.

       rc-manager
           Set the resolv.conf management mode. The default value depends on
           NetworkManager build options, and this version of NetworkManager
           was built with a default of "symlink". Regardless of this setting,
           NetworkManager will always write resolv.conf to its runtime state
           directory /run/NetworkManager/resolv.conf.

           symlink: If /etc/resolv.conf is a regular file, NetworkManager will
           replace the file on update. If /etc/resolv.conf is instead a
           symlink, NetworkManager will leave it alone, unless the symlink
           points to the internal file /run/NetworkManager/resolv.conf, in
           which case the symlink will be updated to emit an inotify
           notification. This allows the user to conveniently instruct
           NetworkManager not to manage /etc/resolv.conf by replacing it with
           a symlink.

           file: NetworkManager will write /etc/resolv.conf as a file. If it
           finds a symlink to an existing target, it will follow the symlink
           and update the target instead. In no case will an existing symlink
           be replaced by a file. Note that older versions of NetworkManager
           behaved differently and would replace dangling symlinks with a
           plain file.

           resolvconf: NetworkManager will run resolvconf to update the DNS
           configuration.

           netconfig: NetworkManager will run netconfig to update the DNS
           configuration.

           unmanaged: don't touch /etc/resolv.conf.

           none: deprecated alias for symlink.

       systemd-resolved
           Send the connection DNS configuration to systemd-resolved. Defaults
           to "true".

           Note that this setting is complementary to the dns setting. You can
           keep this enabled while using dns set to another DNS plugin
           alongside systemd-resolved, or dns set to systemd-resolved to
           configure the system resolver to use systemd-resolved.

           If systemd-resolved is enabled, the connectivity check resolves the
           hostname per-device.

       debug
           Comma separated list of options to aid debugging. This value will
           be combined with the environment variable NM_DEBUG. Currently the
           following values are supported:

           RLIMIT_CORE: set ulimit -c unlimited to write out core dumps.
           Beware that a core dump can contain sensitive information such as
           passwords or configuration settings.

           fatal-warnings: set g_log_set_always_fatal() to core dump on
           warning messages from glib. This is equivalent to the
           --g-fatal-warnings command line option.

       autoconnect-retries-default
           The number of times a connection activation should be automatically
           tried before switching to another one. This value applies only to
           connections that can auto-connect and have a
           connection.autoconnect-retries property set to -1. If not
           specified, connections will be tried 4 times. Setting this value to
           1 means to try activation once, without retry.

       slaves-order
           This key specifies in which order slave connections are
           auto-activated on boot or when the master activates them. Allowed
           values are name (order connections by interface name, the default),
           or index (order slaves by their kernel index).

KEYFILE SECTION
       This section contains keyfile-plugin-specific options, and is normally
       only used when you are not using any other distro-specific plugin.

       hostname
           This key is deprecated and has no effect since the hostname is now
           stored in /etc/hostname or other system configuration files
           according to build options.

       path
           The location where keyfiles are read and stored. This defaults to
           "/etc/NetworkManager/system-connections".

       unmanaged-devices
           Set devices that should be ignored by NetworkManager.

           See the section called “Device List Format” for the syntax used to
           specify a device.

           Example:

               unmanaged-devices=interface-name:em4
               unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2

IFUPDOWN SECTION
       This section contains ifupdown-specific options and thus only has
       effect when using the ifupdown plugin.

       managed
           If set to true, then interfaces listed in /etc/network/interfaces
           are managed by NetworkManager. If set to false, then any interface
           listed in /etc/network/interfaces will be ignored by
           NetworkManager. Remember that NetworkManager controls the default
           route, so because the interface is ignored, NetworkManager may
           assign the default route to some other interface.

           The default value is false.

LOGGING SECTION
       This section controls NetworkManager's logging. Any settings here are
       overridden by the --log-level and --log-domains command-line options.

       level
           The default logging verbosity level. One of OFF, ERR, WARN, INFO,
           DEBUG, TRACE. The ERR level logs only critical errors. WARN logs
           warnings that may reflect operation. INFO logs various
           informational messages that are useful for tracking state and
           operations. DEBUG enables verbose logging for debugging purposes.
           TRACE enables even more verbose logging than the DEBUG level.
           Subsequent levels also log all messages from earlier levels; thus
           setting the log level to INFO also logs error and warning messages.

       domains
           The following log domains are available: PLATFORM, RFKILL, ETHER,
           WIFI, BT, MB, DHCP4, DHCP6, PPP, WIFI_SCAN, IP4, IP6, AUTOIP4, DNS,
           VPN, SHARING, SUPPLICANT, AGENTS, SETTINGS, SUSPEND, CORE, DEVICE,
           OLPC, WIMAX, INFINIBAND, FIREWALL, ADSL, BOND, VLAN, BRIDGE,
           DBUS_PROPS, TEAM, CONCHECK, DCB, DISPATCH, AUDIT, SYSTEMD,
           VPN_PLUGIN, PROXY.

           In addition, these special domains can be used: NONE, ALL, DEFAULT,
           DHCP, IP.

           You can specify per-domain log level overrides by adding a colon
           and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".

           Domain descriptions:
               PLATFORM    : OS (platform) operations
               RFKILL      : RFKill subsystem operations
               ETHER       : Ethernet device operations
               WIFI        : Wi-Fi device operations
               BT          : Bluetooth operations
               MB          : Mobile broadband operations
               DHCP4       : DHCP for IPv4
               DHCP6       : DHCP for IPv6
               PPP         : Point-to-point protocol operations
               WIFI_SCAN   : Wi-Fi scanning operations
               IP4         : IPv4-related operations
               IP6         : IPv6-related operations
               AUTOIP4     : AutoIP operations
               DNS         : Domain Name System related operations
               VPN         : Virtual Private Network connections and operations
               SHARING     : Connection sharing. With TRACE level log queries
                             for dnsmasq instance
               SUPPLICANT  : WPA supplicant related operations
               AGENTS      : Secret agents operations and communication
               SETTINGS    : Settings/config service operations
               SUSPEND     : Suspend/resume
               CORE        : Core daemon and policy operations
               DEVICE      : Activation and general interface operations
               OLPC        : OLPC Mesh device operations
               WIMAX       : WiMAX device operations
               INFINIBAND  : InfiniBand device operations
               FIREWALL    : FirewallD related operations
               ADSL        : ADSL device operations
               BOND        : Bonding operations
               VLAN        : VLAN operations
               BRIDGE      : Bridging operations
               DBUS_PROPS  : D-Bus property changes
               TEAM        : Teaming operations
               CONCHECK    : Connectivity check
               DCB         : Data Center Bridging (DCB) operations
               DISPATCH    : Dispatcher scripts
               AUDIT       : Audit records
               SYSTEMD     : Messages from internal libsystemd
               VPN_PLUGIN  : logging messages from VPN plugins
               PROXY       : logging messages for proxy handling

               NONE        : when given by itself logging is disabled
               ALL         : all log domains
               DEFAULT     : default log domains
               DHCP        : shortcut for "DHCP4,DHCP6"
               IP          : shortcut for "IP4,IP6"

               HW          : deprecated alias for "PLATFORM"

           In general, the logfile should not contain passwords or private
           data. However, you are always advised to check the file before
           posting it online or attaching it to a bug report. VPN_PLUGIN is
           special as it might reveal private information of the VPN plugins
           with verbose levels. Therefore this domain will be excluded when
           setting ALL or DEFAULT to more verbose levels than INFO.

       backend
           The logging backend. Supported values are "syslog" and "journal".
           When NetworkManager is started with "--debug", all messages will
           additionally be printed to stderr. If unspecified, the default is
           "journal".

       audit
           Whether the audit records are delivered to auditd, the audit
           daemon. If false, audit records will be sent only to the
           NetworkManager logging system. If set to true, they will be also
           sent to auditd. The default value is false.

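       Several keys described so far decide who may change the network
       configuration and what ends up in dumps and logs: auth-polkit and
       debug in [main], and domains and audit in [logging]. The Python check
       below is an added example, not part of NetworkManager or of this
       manual page; it flags those settings in a configuration text. It
       assumes that booleans may also be spelled yes/no, on/off and 1/0, and
       that a domain listed without a level override uses the level key. Both
       sample configurations are constructed.

```python
import configparser

FALSE_WORDS = {"false", "no", "off", "0"}  # assumed spellings besides "false"
TRUE_WORDS = {"true", "yes", "on", "1"}    # assumed spellings besides "true"
VERBOSE_LEVELS = {"DEBUG", "TRACE"}

# Constructed sample: every setting below triggers a finding.
WEAK_CONF = """
[main]
plugins=keyfile
auth-polkit=false
debug=RLIMIT_CORE,fatal-warnings

[logging]
level=INFO
domains=ALL:TRACE,VPN_PLUGIN:DEBUG
"""

# Constructed sample: verbose logging through ALL only, audit records to auditd.
HARDENED_CONF = """
[main]
plugins=keyfile
auth-polkit=true

[logging]
level=DEBUG
domains=ALL
audit=true
"""


def parse_keyfile(text):
    """Parse key-file text; '#' starts a comment, a repeated key keeps the last value."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key names as written
    cp.read_string(text)
    return cp


def vpn_plugin_level(level, domains):
    """Level of an explicitly listed VPN_PLUGIN domain, or None if it is not listed.

    ALL and DEFAULT are skipped on purpose: per the manual they exclude
    VPN_PLUGIN when set to a level more verbose than INFO.
    """
    explicit = None
    for item in domains.split(","):
        name, _, override = item.strip().partition(":")
        if name.upper() == "VPN_PLUGIN":
            explicit = (override or level).upper()  # assumption: no override -> `level`
    return explicit


def audit(text):
    """Return a list of (key, message) findings for the given configuration text."""
    cp = parse_keyfile(text)
    findings = []

    polkit = cp.get("main", "auth-polkit", fallback="true").strip().lower()
    if polkit in FALSE_WORDS:
        findings.append(("main.auth-polkit",
                         "all requests are allowed and PolicyKit is not used"))

    debug = [d.strip() for d in cp.get("main", "debug", fallback="").split(",")]
    if "RLIMIT_CORE" in debug:
        findings.append(("main.debug",
                         "core dumps enabled; they can contain passwords"))

    level = cp.get("logging", "level", fallback="")  # default level not stated on the page
    vpn = vpn_plugin_level(level, cp.get("logging", "domains", fallback=""))
    if vpn in VERBOSE_LEVELS:
        findings.append(("logging.domains",
                         f"VPN_PLUGIN logs at {vpn}; may reveal private VPN data"))

    if cp.get("logging", "audit", fallback="false").strip().lower() not in TRUE_WORDS:
        findings.append(("logging.audit",
                         "audit records are not delivered to auditd"))
    return findings


if __name__ == "__main__":
    for key, message in audit(WEAK_CONF):
        print(f"{key}: {message}")
```
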
CONNECTION SECTION
       Specify default values for connections.

       Example:

           [connection]
           ipv6.ip6-privacy=0

   Supported Properties
       Not all properties can be overwritten, only the following properties
       are supported to have their default values configured (see
       nm-settings(5) for details). A default value is only consulted if the
       corresponding per-connection value explicitly allows for that.

       802-1x.auth-timeout

       cdma.mtu

       connection.auth-retries
           If left unspecified, the default value is 3 tries before failing
           the connection.

       connection.autoconnect-slaves

       connection.lldp

       connection.llmnr
           If unspecified, the ultimate default value depends on the DNS
           plugin. With systemd-resolved the default currently is "yes" (2)
           and for all other plugins "no" (0).

       connection.mdns
           If unspecified, the ultimate default value depends on the DNS
           plugin. With systemd-resolved the default currently is "no" (0) and
           for all other plugins also "no" (0).

       connection.stable-id

       ethernet.cloned-mac-address
           If left unspecified, it defaults to "preserve".

       ethernet.generate-mac-address-mask

       ethernet.mtu
           If configured explicitly to 0, the MTU is not reconfigured during
           device activation unless it is required due to IPv6 constraints. If
           left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
           MTU is not reconfigured during activation.

       ethernet.wake-on-lan

       gsm.mtu

       infiniband.mtu
           If configured explicitly to 0, the MTU is not reconfigured during
           device activation unless it is required due to IPv6 constraints. If
           left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
           MTU is left unspecified on activation.

       ip-tunnel.mtu
           If configured explicitly to 0, the MTU is not reconfigured during
           device activation unless it is required due to IPv6 constraints. If
           left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
           default of 1500.

       ipv4.dad-timeout

       ipv4.dhcp-client-id

       ipv4.dhcp-iaid
           If left unspecified, it defaults to "ifname".

       ipv4.dhcp-hostname-flags
           If left unspecified, the value 3 (fqdn-encoded,fqdn-serv-update) is
           used.

       ipv4.dhcp-timeout
           If left unspecified, the default value for the interface type is
           used.

       ipv4.dns-priority
           If unspecified or zero, use 50 for VPN profiles and 100 for other
           profiles.

       ipv4.route-metric

       ipv4.route-table
           If left unspecified, routes are only added to the main table. Note
           that this is different from explicitly selecting the main table
           254, because of how NetworkManager removes extraneous routes from
           the tables.

       ipv6.ra-timeout
           If left unspecified, the default value depends on the sysctl
           solicitation settings.

       ipv6.dhcp-duid
           If left unspecified, it defaults to "lease".

       ipv6.dhcp-iaid
           If left unspecified, it defaults to "ifname".

       ipv6.dhcp-hostname-flags
           If left unspecified, the value 1 (fqdn-serv-update) is used.

       ipv6.dhcp-timeout
           If left unspecified, the default value for the interface type is
           used.

       ipv6.dns-priority
           If unspecified or zero, use 50 for VPN profiles and 100 for other
           profiles.

       ipv6.ip6-privacy
           If ipv6.ip6-privacy is unset, use the content of
           "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.

       ipv6.route-metric

       ipv6.route-table
           If left unspecified, routes are only added to the main table. Note
           that this is different from explicitly selecting the main table
           254, because of how NetworkManager removes extraneous routes from
           the tables.

       sriov.autoprobe-drivers
           If left unspecified, drivers are autoprobed when the SR-IOV VF gets
           created.

       vpn.timeout
           If left unspecified, the default value of 60 seconds is used.

       wifi.cloned-mac-address
           If left unspecified, it defaults to "preserve".

       wifi.generate-mac-address-mask

       wifi.mac-address-randomization
           If left unspecified, MAC address randomization is disabled. This
           setting is deprecated in favor of wifi.cloned-mac-address.

       wifi.mtu
           If configured explicitly to 0, the MTU is not reconfigured during
           device activation unless it is required due to IPv6 constraints. If
           left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
           default of 1500.

       wifi.powersave
           If left unspecified, the default value "ignore" will be used.

       wifi-sec.pmf
           If left unspecified, the default value "optional" will be used.

       wifi-sec.fils
           If left unspecified, the default value "optional" will be used.

       wifi.wake-on-wlan

       wireguard.mtu

   Sections
       You can configure multiple connection sections, by having different
       sections with names that all start with "connection". Example:

           [connection]
           ipv6.ip6-privacy=0
           connection.autoconnect-slaves=1
           vpn.timeout=120

           [connection-wifi-wlan0]
           match-device=interface-name:wlan0
           ipv4.route-metric=50

           [connection-wifi-other]
           match-device=type:wifi
           ipv4.route-metric=55
           ipv6.ip6-privacy=1

       The sections within one file are considered in order of appearance,
       with the exception that the [connection] section is always considered
       last. In the example above, this order is [connection-wifi-wlan0],
       [connection-wifi-other], and [connection]. When checking for a default
       configuration value, the sections are searched until the requested
       value is found. In the example above, "ipv4.route-metric" for the wlan0
       interface is set to 50, and for all other Wi-Fi typed interfaces to 55.
       Also, Wi-Fi devices would have IPv6 private addresses enabled by
       default, but other devices would have it disabled. Note that "wlan0"
       also gets "ipv6.ip6-privacy=1", because although the section
       "[connection-wifi-wlan0]" matches the device, it does not contain that
       property and the search continues.

       When having different sections in multiple files, sections from files
       that are read later have higher priority. So within one file the
       priority of the sections is top-to-bottom. Across multiple files later
       definitions take precedence.

       The following properties further control how a connection section
       applies.

       match-device
           An optional device spec that restricts when the section applies.
           See the section called “Device List Format” for the possible
           values.

       stop-match
           An optional boolean value which defaults to no. If the section
           matches (based on match-device), further sections will not be
           considered even if the property in question is not present. In the
           example above, if [connection-wifi-wlan0] had stop-match set to
           yes, the device wlan0 would have the ipv6.ip6-privacy property
           unspecified. That is, the search for the property would not
           continue in the connection sections [connection-wifi-other] or
           [connection].

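       The search order described under “Sections” and the effect of
       stop-match are easy to get wrong when reviewing which default a device
       really receives. The Python sketch below is an added example, not
       NetworkManager's own code; it walks the sections as described, using
       the example configuration from this page. It supports only the
       interface-name: and type: device specs shown in that example, and it
       assumes that yes, true, on and 1 are the true spellings of stop-match.

```python
TRUE_WORDS = {"yes", "true", "on", "1"}  # assumed spellings of a true boolean

# The example configuration from this page.
PAGE_EXAMPLE = """
[connection]
ipv6.ip6-privacy=0
connection.autoconnect-slaves=1
vpn.timeout=120

[connection-wifi-wlan0]
match-device=interface-name:wlan0
ipv4.route-metric=50

[connection-wifi-other]
match-device=type:wifi
ipv4.route-metric=55
ipv6.ip6-privacy=1
"""

# Constructed variant: the wlan0 section additionally sets stop-match.
STOP_MATCH_EXAMPLE = PAGE_EXAMPLE.replace(
    "match-device=interface-name:wlan0",
    "match-device=interface-name:wlan0\nstop-match=yes",
)


def parse_sections(text):
    """Return [(section_name, {key: value})] in order of appearance."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' lines are comments
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return sections


def spec_matches(spec, device):
    """Match a device against the two spec forms used in the page's example."""
    if spec is None:
        return True  # no match-device: the section applies to every device
    kind, _, value = spec.partition(":")
    if kind in ("interface-name", "type"):
        return device.get(kind) == value
    raise ValueError(f"device spec not covered by this sketch: {spec}")


def lookup_default(files, prop, device):
    """Return (value, section) for `prop`; value is None if left unspecified.

    files -- configuration texts in read order, earliest first
    """
    candidates = []
    for text in reversed(files):  # files read later have higher priority
        found = [s for s in parse_sections(text) if s[0].startswith("connection")]
        # Order of appearance, except that [connection] is considered last
        # (sorted() is stable, so the other sections keep their order).
        candidates.extend(sorted(found, key=lambda s: s[0] == "connection"))

    for name, keys in candidates:
        if not spec_matches(keys.get("match-device"), device):
            continue
        if prop in keys:
            return keys[prop], name
        if keys.get("stop-match", "no").lower() in TRUE_WORDS:
            return None, name  # matched section stops the search
    return None, None


if __name__ == "__main__":
    wlan0 = {"interface-name": "wlan0", "type": "wifi"}
    for prop in ("ipv4.route-metric", "ipv6.ip6-privacy", "vpn.timeout"):
        print(prop, lookup_default([PAGE_EXAMPLE], prop, wlan0))
    print(lookup_default([STOP_MATCH_EXAMPLE], "ipv6.ip6-privacy", wlan0))
```
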
DEVICE SECTION
       Contains per-device persistent configuration.

       Example:

           [device]
           match-device=interface-name:eth3
           managed=1

   Supported Properties
       The following properties can be configured per-device.

       managed
           Whether the device is managed or not. A device can be marked as
           managed via udev rules (ENV{NM_UNMANAGED}), or via setting plugins
           (keyfile.unmanaged-devices). This is yet another way. Note that
           this configuration can be overruled at runtime via D-Bus. Also, it
           has higher priority than udev rules.

       carrier-wait-timeout
           Specify the timeout for waiting for carrier in milliseconds. When
           the device loses carrier, NetworkManager does not react
           immediately. Instead, it waits for this timeout before considering
           the link lost. Also, on startup, NetworkManager considers the
           device as busy for this time, as long as the device has no carrier.
           This delays the startup-complete signal and
           NetworkManager-wait-online. Configuring this too high means
           blocking NetworkManager-wait-online longer than necessary.
           Configuring it too low means that NetworkManager will declare
           startup-complete although carrier is about to come and
           auto-activation to kick in. The default is 5000 milliseconds.

       ignore-carrier
           Specify devices for which NetworkManager will (partially) ignore
           the carrier state. Normally, for device types that support
           carrier-detect, such as Ethernet and InfiniBand, NetworkManager
           will only allow a connection to be activated on the device if
           carrier is present (i.e., a cable is plugged in), and it will
           deactivate the device if carrier drops for more than a few seconds.

           A device with carrier ignored will allow activating connections on
           that device even when it does not have carrier, provided that the
           connection uses only statically-configured IP addresses.
           Additionally, it will allow any active connection (whether static
           or dynamic) to remain active on the device when carrier is lost.

           Note that the "carrier" property of NMDevices and device D-Bus
           interfaces will still reflect the actual device state; it's just
           that NetworkManager will not make use of that information.

           Master types like bond, bridge and team ignore carrier by default,
           while other device types react to carrier changes by default.

           This setting overwrites the deprecated main.ignore-carrier setting
           above.

       wifi.scan-rand-mac-address
           Configures MAC address randomization of a Wi-Fi device during
           scanning. This defaults to yes, in which case a random,
           locally-administered MAC address will be used. The setting
           wifi.scan-generate-mac-address-mask allows influencing the
           generated MAC address to use certain vendor OUIs. If disabled, the
           MAC address during scanning is left unchanged to whatever is
           configured. For the configured MAC address while the device is
           associated, see instead the per-connection setting
           wifi.cloned-mac-address.

       wifi.backend
           Specify the Wi-Fi backend used for the device. Currently supported
           are wpa_supplicant and iwd (experimental).

       wifi.scan-generate-mac-address-mask
           Like the per-connection settings ethernet.generate-mac-address-mask
           and wifi.generate-mac-address-mask, this allows configuring the
           generated MAC addresses during scanning. See nm-settings(5) for
           details.

       sriov-num-vfs
           Specify the number of virtual functions (VF) to enable for a PCI
           physical device that supports single-root I/O virtualization
           (SR-IOV).

   Sections
       The [device] section works the same as the [connection] section. That
       is, multiple sections that all start with the prefix "device" can be
       specified. The settings "match-device" and "stop-match" are available
       to match a device section on a device. The order of multiple sections
       is also top-down within the file and later files overwrite previous
       settings. See “Sections” under the section called “CONNECTION SECTION”
       for details.

760 This section controls NetworkManager's optional connectivity checking
761 functionality. This allows NetworkManager to detect whether or not the
762 system can actually access the internet or whether it is behind a
763 captive portal.
764
765 Connectivity checking serves two purposes. For one, it exposes a
766 connectivity state on D-Bus, which other applications may use. For
767 example, Gnome's portal helper uses this as signal to show a captive
768 portal login page. The other use is that default-route of devices
769 without global connectivity get a penalty of +20000 to the
770 route-metric. This has the purpose to give a better default-route to
771 devices that have global connectivity. For example, when being
772 connected to WWAN and to a Wi-Fi network which is behind a captive
773 portal, WWAN still gets preferred until login.
774
775 Note that your distribution might set
776 /proc/sys/net/ipv4/conf/*/rp_filter to strict filtering. That works
777 badly with per-device connectivity checking, which uses SO_BINDTODEVICE
778 to send requests on all devices. A strict rp_filter setting will reject
779 any response and the connectivity check on all but the best route will
780 fail.
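
A check for the rp_filter condition described above, as an added example that is not part of NetworkManager. The function name and the conf_root parameter are assumptions of this sketch; the rule that the kernel applies the larger of conf/all and conf/<interface> comes from the kernel's ip-sysctl documentation.

```python
import os

def _read_int(path):
    try:
        with open(path) as handle:
            return int(handle.read().strip())
    except (OSError, ValueError):
        return None

def strict_rp_filter_devices(conf_root="/proc/sys/net/ipv4/conf"):
    """Return sorted interface names whose effective rp_filter mode is strict (1)."""
    all_value = _read_int(os.path.join(conf_root, "all", "rp_filter")) or 0
    strict = []
    for name in sorted(os.listdir(conf_root)):
        if name in ("all", "default", "lo"):
            continue
        value = _read_int(os.path.join(conf_root, name, "rp_filter"))
        if value is None:
            continue
        # The kernel validates with max(conf/all, conf/<interface>):
        # 0 = off, 1 = strict, 2 = loose.
        if max(all_value, value) == 1:
            strict.append(name)
    return strict

if __name__ == "__main__":
    for name in strict_rp_filter_devices():
        print("%s: strict rp_filter, per-device connectivity checks may fail" % name)
```

Strict mode is an anti-spoofing control, so moving an interface to loose mode (2) to make per-device checks work trades away the per-interface source check and should be a deliberate decision.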
781
782 enabled
783 Whether connectivity check is enabled. Note that to enable
784 connectivity check, a valid uri must also be configured. The value
785 defaults to true, but since the uri is unset by default,
786 connectivity check may be disabled. The main purpose of this option
787 is to have a single flag to disable connectivity check. Note that
788 this setting can also be set via the D-Bus API at runtime. In that
789 case, the value gets stored in the
790 /var/lib/NetworkManager/NetworkManager-intern.conf file.
791
792 uri
793 The URI of a web page to periodically request when connectivity is
794 being checked. This page should return the header
795 "X-NetworkManager-Status" with a value of "online". Alternatively,
796 its body content should be set to "NetworkManager is online". The
797 body content check can be controlled by the response option. If
798 this option is blank or missing, connectivity checking is disabled.
799
800 interval
801 Specified in seconds; controls how often connectivity is checked
802 when a network connection exists. If set to 0 connectivity checking
803 is disabled. If missing, the default is 300 seconds.
804
805 response
806 If set, controls what body content NetworkManager checks for when
807 requesting the URI for connectivity checking. Note that this only
808 checks that the HTTP response starts with the specified text; it
809 does not compare the exact string. This behavior might change in
810 the future, so avoid relying on it. If missing, the response
811 defaults to "NetworkManager is online". If set to empty, the HTTP
812 server is expected to answer with status code 204 or send no data.
813
815 This section specifies global DNS settings that override
816 connection-specific configuration.
817
818 searches
819 A list of search domains to be used during hostname lookup.
820
821 options
822 A list of options to be passed to the hostname resolver.
823
825 Sections with a name starting with the "global-dns-domain-" prefix
826 define global DNS configuration for specific domains. The part
827 of the section name after "global-dns-domain-" specifies the domain name a
828 section applies to. More specific domains take precedence over less
829 specific ones and the default domain is represented by the wildcard
830 "*". A default domain section is mandatory.
831
832 servers
833 A list of addresses of DNS servers to be used for the given domain.
834
835 options
836 A list of domain-specific DNS options. Not used at the moment.
837
839 This is a special section that contains options which apply to the
840 configuration file that contains the option.
841
842 enable
843 Defaults to "true". If "false", the configuration file will be
844 skipped during loading. Note that the main configuration file
845 NetworkManager.conf cannot be disabled.
846
847 # always skip loading the config file
848 [.config]
849 enable=false
850
851 You can also match against the version of NetworkManager. For
852 example the following are valid configurations:
853
854 # only load on version 1.0.6
855 [.config]
856 enable=nm-version:1.0.6
857
858 # load on all versions 1.0.x, but not 1.2.x
859 [.config]
860 enable=nm-version:1.0
861
862 # only load on versions >= 1.1.6. This does not match
863 # with version 1.2.0 or 1.4.4. Only the last digit is considered.
864 [.config]
865 enable=nm-version-min:1.1.6
866
867 # only load on versions >= 1.2. Contrary to the previous
868 # example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.
869 [.config]
870 enable=nm-version-min:1.2
871
872 # Match against the maximum allowed version. The example matches
873 # versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
874 # is allowed to be smaller. So this would not match on 1.1.10.
875 [.config]
876 enable=nm-version-max:1.2.6
877
878 You can also match against the value of the environment variable
879 NM_CONFIG_ENABLE_TAG, like:
880
881 # only load the file when running NetworkManager with
882 # environment variable "NM_CONFIG_ENABLE_TAG=TAG1"
883 [.config]
884 enable=env:TAG1
885
886 More than one match can be specified. The configuration will be
887 enabled if one of the predicates matches ("or"). The special prefix
888 "except:" can be used to negate the match. Note that if one
889 except-predicate matches, the entire configuration will be
890 disabled. In other words, an except predicate always wins over other
891 predicates. If the setting only consists of "except:" matches and
892 none of the negative conditions are satisfied, the configuration is
893 still enabled.
894
895 # enable the configuration either when the environment variable
896 # is present or the version is at least 1.2.0.
897 [.config]
898 enable=env:TAG2,nm-version-min:1.2
899
900 # enable the configuration for version >= 1.2.0, but disable
901 # it when the environment variable is set to "TAG3"
902 [.config]
903 enable=except:env:TAG3,nm-version-min:1.2
904
905 # enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
906 # Useful if a certain feature is only present since those releases.
907 [.config]
908 enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
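
The enable= matching rules above, written out as an added example that is not NetworkManager's own code, so an audit script can tell whether a drop-in file is actually loaded. The function names are assumptions of this sketch, and treating an unrecognised predicate as "no match" is also an assumption.

```python
import re

PREFIXES = (("nm-version-min:", "min"), ("nm-version-max:", "max"), ("nm-version:", "eq"))

def _version_match(kind, spec, current):
    """Compare current (major, minor, micro) against a 1-3 component spec."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", spec):
        return False
    want = [int(part) for part in spec.split(".")]
    have = list(current[:len(want)])
    if have[:-1] != want[:-1]:          # all but the last given component must be equal
        return False
    if kind == "min":
        return have[-1] >= want[-1]
    if kind == "max":
        return have[-1] <= want[-1]
    return have[-1] == want[-1]

def _predicate_match(pred, current, env_tag):
    for prefix, kind in PREFIXES:
        if pred.startswith(prefix):
            return _version_match(kind, pred[len(prefix):], current)
    if pred.startswith("env:"):
        return env_tag is not None and pred[len("env:"):] == env_tag
    return False                         # unknown predicate: no match (assumption)

def config_enabled(value, current, env_tag=None):
    """Evaluate an 'enable=' value; env_tag stands for NM_CONFIG_ENABLE_TAG."""
    value = value.strip()
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    saw_positive = matched = False
    for pred in filter(None, (p.strip() for p in value.split(","))):
        if pred.startswith("except:"):
            if _predicate_match(pred[len("except:"):], current, env_tag):
                return False             # one matching except-predicate always wins
        else:
            saw_positive = True
            matched = matched or _predicate_match(pred, current, env_tag)
    return matched or not saw_positive   # a list of only except: stays enabled

if __name__ == "__main__":
    # 1.22.10 is the version in the footer of this man page.
    for value in ("nm-version-min:1.2", "nm-version-max:1.2.6",
                  "except:env:TAG3,nm-version-min:1.2"):
        print(value, "->", config_enabled(value, (1, 22, 10)))
```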
909
910
912 Settings plugins for reading and writing connection profiles. The
913 number of available plugins is distribution specific.
914
915 keyfile
916 The keyfile plugin is the generic plugin that supports all the
917 connection types and capabilities that NetworkManager has. It
918 writes files out in an .ini-style format in
919 /etc/NetworkManager/system-connections. See nm-settings-keyfile(5)
920 for details about the file format.
921
922 The stored connection file may contain passwords, secrets and
923 private keys in plain text, so it will be made readable only to
924 root, and the plugin will ignore files that are readable or
925 writable by any user or group other than root. See "Secret flag
926 types" in nm-settings(5) for how to avoid storing passwords in
927 plain text.
928
929 This plugin is always active, and will automatically be used to
930 store any connections that aren't supported by any other active
931 plugin.
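
One way to audit the permission rule described above before NetworkManager silently ignores a profile, as an added example that is not part of NetworkManager. The function name and the owner_uid parameter are assumptions of this sketch; owner_uid defaults to 0 (root) and exists so the check can be exercised on a scratch directory.

```python
import os
import stat

def audit_keyfiles(directory="/etc/NetworkManager/system-connections", owner_uid=0):
    """Return {path: [reasons]} for profiles that break the root-only rule."""
    findings = {}
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        info = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(info.st_mode):
            continue                      # skip directories, symlinks, sockets
        reasons = []
        if info.st_uid != owner_uid:
            reasons.append("owner uid %d, expected %d" % (info.st_uid, owner_uid))
        extra = stat.S_IMODE(info.st_mode) & 0o077
        if extra:
            # Any group or other bit means someone besides the owner has access.
            reasons.append("group/other permission bits set: %03o" % extra)
        if reasons:
            findings[entry.path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in audit_keyfiles().items():
        print("%s: %s" % (path, "; ".join(reasons)))
```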
932
933 ifcfg-rh
934 This plugin is used on the Fedora and Red Hat Enterprise Linux
935 distributions to read and write configuration from the standard
936 /etc/sysconfig/network-scripts/ifcfg-* files. It currently supports
937 reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team
938 connections. Enabling ifcfg-rh implicitly enables the ibft plugin, if
939 it is available. This can be disabled by adding no-ibft. See
940 /usr/share/doc/initscripts/sysconfig.txt and
941 nm-settings-ifcfg-rh(5) for more information about the ifcfg file format.
942
943 ifupdown
944 This plugin is used on the Debian and Ubuntu distributions, and
945 reads Ethernet and Wi-Fi connections from /etc/network/interfaces.
946
947 This plugin is read-only; any connections (of any type) added from
948 within NetworkManager when you are using this plugin will be saved
949 using the keyfile plugin instead.
950
951 ibft, no-ibft
952 These plugins are deprecated and their selection has no effect.
953 This is now handled by nm-initrd-generator.
954
955 ifcfg-suse, ifnet
956 These plugins are deprecated and their selection has no effect. The
957 keyfile plugin should be used instead.
958
960 Device List Format
961 The configuration options main.no-auto-default, main.ignore-carrier,
962 keyfile.unmanaged-devices, connection*.match-device and
963 device*.match-device select devices based on a list of match specs.
964 Devices can be specified using the following format:
965
966 *
967 Matches every device.
968
969 IFNAME
970 Case sensitive match of interface name of the device. Globbing is
971 not supported.
972
973 HWADDR
974 Match the permanent MAC address of the device. Globbing is not
975 supported.
976
977 interface-name:IFNAME, interface-name:~IFNAME
978 Case sensitive match of interface name of the device. Simple
979 globbing is supported with * and ?. Ranges and escaping are not
980 supported.
981
982 interface-name:=IFNAME
983 Case sensitive match of interface name of the device. Globbing is
984 disabled and IFNAME is taken literally.
985
986 mac:HWADDR
987 Match the permanent MAC address of the device. Globbing is not
988 supported.
989
990 s390-subchannels:HWADDR
991 Match the device based on the subchannel address. Globbing is not
992 supported.
993
994 type:TYPE
995 Match the device type. Valid type names are as reported by "nmcli
996 -f GENERAL.TYPE device show". Globbing is not supported.
997
998 driver:DRIVER
999 Match the device driver as reported by "nmcli -f
1000 GENERAL.DRIVER,GENERAL.DRIVER-VERSION device show". "DRIVER" must
1001 match the driver name exactly and does not support globbing.
1002 Optionally, a driver version may be specified separated by '/'.
1003 Globbing is supported for the version.
1004
1005 dhcp-plugin:DHCP
1006 Match the configured DHCP plugin "main.dhcp".
1007
1008 except:SPEC
1009 Negative match of a device. SPEC must be explicitly qualified with
1010 a prefix such as interface-name:. A negative match has higher
1011 priority than the positive matches above.
1012
1013 If there is a list consisting only of negative matches, the
1014 behavior is the same as if there is also match-all. That means, if
1015 none of the negative matches is satisfied, the overall result
1016 is still a positive match. That means, "except:interface-name:eth0"
1017 is the same as "*,except:interface-name:eth0".
1018
1019 SPEC[,;]SPEC
1020 Multiple specs can be concatenated with commas or semicolons. The
1021 order does not matter as matches are either inclusive or negative
1022 (except:), with negative matches having higher priority.
1023
1024 Backslash is supported to escape the separators ';' and ',', and to
1025 express special characters such as newline ('\n'), tabulator
1026 ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
1027 interface names cannot be escaped. Whitespace is not a separator
1028 but will be trimmed between two specs (unless escaped as '\s').
1029
1030 Example:
1031
1032 interface-name:em4
1033 mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
1034 interface-name:vboxnet*,except:interface-name:vboxnet2
1035 *,except:mac:00:22:68:1c:59:b1
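
The device list rules above as an added example, not NetworkManager's own matcher, useful for checking which devices a match-device or unmanaged-devices list really selects. It covers *, interface-name:, mac:, type:, unqualified names and except:; backslash escapes and the driver:, s390-subchannels: and dhcp-plugin: specs are left out. The device dictionaries, the function names and the case-insensitive MAC comparison are assumptions of this sketch.

```python
import re

def _glob(pattern, name):
    """Only '*' and '?' are wildcards; '[0-9]' style ranges are literal text."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name) is not None

def _strip(spec, prefix):
    return spec[len(prefix):] if spec.startswith(prefix) else None

def _spec_match(spec, dev, qualified_only=False):
    if spec == "*":
        return True
    name = _strip(spec, "interface-name:")
    if name is not None:
        if name.startswith("="):
            return name[1:] == dev["ifname"]          # literal, globbing disabled
        return _glob(name[1:] if name.startswith("~") else name, dev["ifname"])
    mac = _strip(spec, "mac:")
    if mac is not None:
        return mac.lower() == dev["mac"].lower()
    kind = _strip(spec, "type:")
    if kind is not None:
        return kind == dev["type"]
    if qualified_only:
        raise ValueError("unsupported or unqualified except spec: %r" % spec)
    # Unqualified IFNAME or HWADDR: exact comparison, no globbing.
    return spec == dev["ifname"] or spec.lower() == dev["mac"].lower()

def device_matches(spec_list, dev):
    specs = [s.strip() for s in re.split(r"[,;]", spec_list) if s.strip()]
    negatives = [s[len("except:"):] for s in specs if s.startswith("except:")]
    positives = [s for s in specs if not s.startswith("except:")]
    if any(_spec_match(s, dev, qualified_only=True) for s in negatives):
        return False                      # negative matches have higher priority
    # A list with only negative matches behaves as if "*" were present.
    return not positives or any(_spec_match(s, dev) for s in positives)

if __name__ == "__main__":
    dev = {"ifname": "vboxnet2", "mac": "0a:00:27:00:00:02", "type": "ethernet"}  # constructed
    print(device_matches("interface-name:vboxnet*,except:interface-name:vboxnet2", dev))
```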
1036
1037
1039 NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1),
1040 nm-settings(5), nm-applet(1), nm-connection-editor(1)
1041
1042
1043
1044NetworkManager 1.22.10 NETWORKMANAGER.CONF(5)