1NETWORKMANAGER.CONF(5) Configuration NETWORKMANAGER.CONF(5)
2
3
4
6 NetworkManager.conf - NetworkManager configuration file
7
9 /etc/NetworkManager/NetworkManager.conf,
10 /etc/NetworkManager/conf.d/name.conf,
11 /run/NetworkManager/conf.d/name.conf,
12 /usr/lib/NetworkManager/conf.d/name.conf,
13 /var/lib/NetworkManager/NetworkManager-intern.conf
14
16 NetworkManager.conf is the configuration file for NetworkManager. It is
17 used to set up various aspects of NetworkManager's behavior. The
18 location of the main file and configuration directories may be changed
19 through use of the --config, --config-dir, --system-config-dir, and
20 --intern-config argument for NetworkManager, respectively.
21
22 If a default NetworkManager.conf is provided by your distribution's
23 packages, you should not modify it, since your changes may get
24 overwritten by package updates. Instead, you can add additional .conf
25 files to the /etc/NetworkManager/conf.d directory. These will be read
26 in order, with later files overriding earlier ones. Packages might
27 install further configuration snippets to
28 /usr/lib/NetworkManager/conf.d. This directory is parsed first, even
29 before NetworkManager.conf. Scripts can also put per-boot configuration
30 into /run/NetworkManager/conf.d. This directory is parsed second, also
31 before NetworkManager.conf. The loading of a file
32 /run/NetworkManager/conf.d/name.conf can be prevented by adding a file
33 /etc/NetworkManager/conf.d/name.conf. Likewise, a file
34 /usr/lib/NetworkManager/conf.d/name.conf can be shadowed by putting a
35 file of the same name to either /etc/NetworkManager/conf.d or
36 /run/NetworkManager/conf.d.
37
38 NetworkManager can overwrite certain user configuration options via
39 D-Bus or other internal operations. In this case it writes those
40 changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This
41 file is not intended to be modified by the user, but it is read last
42 and can shadow user configuration from NetworkManager.conf.
43
44 Certain settings from the configuration can be reloaded at runtime
45 either by sending SIGHUP signal or via D-Bus' Reload call.
46
48 The configuration file format is so-called key file (sort of ini-style
49 format). It consists of sections (groups) of key-value pairs. Lines
50 beginning with a '#' and blank lines are considered comments. Sections
51 are started by a header line containing the section enclosed in '[' and
52 ']', and ended implicitly by the start of the next section or the end
53 of the file. Each key-value pair must be contained in a section.
54
55 For keys that take a list of devices as their value, you can specify
56 devices by their MAC addresses or interface names, or "*" to specify
57 all devices. See the section called “Device List Format” below.
58
59 Minimal system settings configuration file looks like this:
60
61 [main]
62 plugins=keyfile
63
64 As an extension to the normal keyfile format, you can also append a
65 value to a previously-set list-valued key by doing:
66
67 plugins+=another-plugin
68 plugins-=remove-me
69
70
72 plugins
73 Lists system settings plugin names separated by ','. These plugins
74 are used to read and write system-wide connection profiles. When
75 multiple plugins are specified, the connections are read from all
76 listed plugins. When writing connections, the plugins will be asked
77 to save the connection in the order listed here; if the first
78 plugin cannot write out that connection type (or can't write out
79 any connections) the next plugin is tried, etc. If none of the
80 plugins can save the connection, an error is returned to the user.
81
82 The default value and the number of available plugins is
83 distro-specific. See the section called “PLUGINS” below for the
84 available plugins. Note that NetworkManager's native keyfile plugin
85 is always appended to the end of this list (if it doesn't already
86 appear earlier in the list).
87
88 monitor-connection-files
89 Whether the configured settings plugin(s) should set up file
90 monitors and immediately pick up changes made to connection files
91 while NetworkManager is running. This is disabled by default;
92 NetworkManager will only read the connection files at startup, and
93 when explicitly requested via the ReloadConnections D-Bus call. If
94 this key is set to 'true', then NetworkManager will reload
95 connection files any time they changed. Automatic reloading is not
96 advised because there are race conditions involved and it depends
97 on the way how the editor updates the file. In some situations,
98 NetworkManager might first delete and add the connection anew,
99 instead of updating the existing one. Also, NetworkManager might
100 pick up incomplete settings while the user is still editing the
101 files.
102
103 auth-polkit
104 Whether the system uses PolicyKit for authorization. If false, all
105 requests will be allowed. If true, non-root requests are authorized
106 using PolicyKit. The default value is true.
107
108 dhcp
109 This key sets up what DHCP client NetworkManager will use. Allowed
110 values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd
111 options require the indicated clients to be installed. The internal
112 option uses a built-in DHCP client which is not currently as
113 featureful as the external clients.
114
115 If this key is missing, it defaults to internal. It the chosen
116 plugin is not available, clients are looked for in this order:
117 dhclient, dhcpcd, internal.
118
119 no-auto-default
120 Specify devices for which NetworkManager shouldn't create default
121 wired connection (Auto eth0). By default, NetworkManager creates a
122 temporary wired connection for any Ethernet device that is managed
123 and doesn't have a connection configured. List a device in this
124 option to inhibit creating the default connection for the device.
125 May have the special value * to apply to all devices.
126
127 When the default wired connection is deleted or saved to a new
128 persistent connection by a plugin, the device is added to a list in
129 the file /run/NetworkManager/no-auto-default.state to prevent
130 creating the default connection for that device again.
131
132 See the section called “Device List Format” for the syntax how to
133 specify a device.
134
135 Example:
136
137 no-auto-default=00:22:68:5c:5d:c4,00:1e:65:ff:aa:ee
138 no-auto-default=eth0,eth1
139 no-auto-default=*
140
141
142 ignore-carrier
143 This setting is deprecated for the per-device setting
144 ignore-carrier which overwrites this setting if specified (See
145 ignore-carrier). Otherwise, it is a list of matches to specify for
146 which device carrier should be ignored. See the section called
147 “Device List Format” for the syntax how to specify a device. Note
148 that master types like bond, bridge, and team ignore carrier by
149 default. You can however revert that default using the "except:"
150 specifier (or better, use the per-device setting instead of the
151 deprecated setting).
152
153 assume-ipv6ll-only
154 Specify devices for which NetworkManager will try to generate a
155 connection based on initial configuration when the device only has
156 an IPv6 link-local address.
157
158 See the section called “Device List Format” for the syntax how to
159 specify a device.
160
161 configure-and-quit
162 When set to 'true', NetworkManager quits after performing initial
163 network configuration but spawns small helpers to preserve DHCP
164 leases and IPv6 addresses. This is useful in environments where
165 network setup is more or less static or it is desirable to save
166 process time but still handle some dynamic configurations. When
167 this option is true, network configuration for WiFi, WWAN,
168 Bluetooth, ADSL, and PPPoE interfaces cannot be preserved due to
169 their use of external services, and these devices will be
170 deconfigured when NetworkManager quits even though other
171 interface's configuration may be preserved. Also, to preserve DHCP
172 addresses the 'dhcp' option must be set to 'internal'. The default
173 value of the 'configure-and-quit' option is 'false', meaning that
174 NetworkManager will continue running after initial network
175 configuration and continue responding to system and hardware
176 events, D-Bus requests, and user commands.
177
178 hostname-mode
179 Set the management mode of the hostname. This parameter will affect
180 only the transient hostname. If a valid static hostname is set,
181 NetworkManager will skip the update of the hostname despite the
182 value of this option. An hostname empty or equal to 'localhost',
183 'localhost6', 'localhost.localdomain' or 'localhost6.localdomain'
184 is considered invalid.
185
186 default: NetworkManager will update the hostname with the one
187 provided via DHCP on the main connection (the one with a default
188 route). If not present, the hostname will be updated to the last
189 one set outside NetworkManager. If it is not valid, NetworkManager
190 will try to recover the hostname from the reverse lookup of the IP
191 address of the main connection. If this fails too, the hostname
192 will be set to 'localhost.localdomain'.
193
194 dhcp: NetworkManager will update the transient hostname only with
195 information coming from DHCP. No fallback nor reverse lookup will
196 be performed, but when the dhcp connection providing the hostname
197 is deactivated, the hostname is reset to the last hostname set
198 outside NetworkManager or 'localhost' if none valid is there.
199
200 none: NetworkManager will not manage the transient hostname and
201 will never set it.
202
203 dns
204 Set the DNS (resolv.conf) processing mode. If the key is
205 unspecified, default is used, unless /etc/resolv.conf is a symlink
206 to /run/systemd/resolve/stub-resolv.conf,
207 /run/systemd/resolve/resolv.conf, /lib/systemd/resolv.conf or
208 /usr/lib/systemd/resolv.conf. In that case, systemd-resolved is
209 chosen automatically.
210
211 default: NetworkManager will update /etc/resolv.conf to reflect the
212 nameservers provided by currently active connections.
213
214 dnsmasq: NetworkManager will run dnsmasq as a local caching
215 nameserver, using a "split DNS" configuration if you are connected
216 to a VPN, and then update resolv.conf to point to the local
217 nameserver. It is possible to pass custom options to the dnsmasq
218 instance by adding them to files in the
219 "/etc/NetworkManager/dnsmasq.d/" directory. Note that when multiple
220 upstream servers are available, dnsmasq will initially contact them
221 in parallel and then use the fastest to respond, probing again
222 other servers after some time. This behavior can be modified
223 passing the 'all-servers' or 'strict-order' options to dnsmasq (see
224 the manual page for more details).
225
226 unbound: NetworkManager will talk to unbound and dnssec-triggerd,
227 providing a "split DNS" configuration with DNSSEC support.
228 /etc/resolv.conf will be managed by dnssec-trigger daemon.
229
230 systemd-resolved: NetworkManager will push the DNS configuration to
231 systemd-resolved
232
233 none: NetworkManager will not modify resolv.conf. This implies
234 rc-manager unmanaged
235
236 rc-manager
237 Set the resolv.conf management mode. The default value depends on
238 NetworkManager build options, and this version of NetworkManager
239 was build with a default of "symlink". Regardless of this setting,
240 NetworkManager will always write resolv.conf to its runtime state
241 directory /var/run/NetworkManager/resolv.conf.
242
243 symlink: If /etc/resolv.conf is a regular file, NetworkManager will
244 replace the file on update. If /etc/resolv.conf is instead a
245 symlink, NetworkManager will leave it alone. Unless the symlink
246 points to the internal file /var/run/NetworkManager/resolv.conf, in
247 which case the symlink will be updated to emit an inotify
248 notification. This allows the user to conveniently instruct
249 NetworkManager not to manage /etc/resolv.conf by replacing it with
250 a symlink.
251
252 file: NetworkManager will write /etc/resolv.conf as file. If it
253 finds a symlink to an existing target, it will follow the symlink
254 and update the target instead. In no case will an existing symlink
255 be replaced by a file. Note that older versions of NetworkManager
256 behaved differently and would replace dangling symlinks with a
257 plain file.
258
259 resolvconf: NetworkManager will run resolvconf to update the DNS
260 configuration.
261
262 netconfig: NetworkManager will run netconfig to update the DNS
263 configuration.
264
265 unmanaged: don't touch /etc/resolv.conf.
266
267 none: deprecated alias for symlink.
268
269 debug
270 Comma separated list of options to aid debugging. This value will
271 be combined with the environment variable NM_DEBUG. Currently the
272 following values are supported:
273
274 RLIMIT_CORE: set ulimit -c unlimited to write out core dumps.
275 Beware, that a core dump can contain sensitive information such as
276 passwords or configuration settings.
277
278 fatal-warnings: set g_log_set_always_fatal() to core dump on
279 warning messages from glib. This is equivalent to the
280 --g-fatal-warnings command line option.
281
282 autoconnect-retries-default
283 The number of times a connection activation should be automatically
284 tried before switching to another one. This value applies only to
285 connections that can auto-connect and have a
286 connection.autoconnect-retries property set to -1. If not
287 specified, connections will be tried 4 times. Setting this value to
288 1 means to try activation once, without retry.
289
290 slaves-order
291 This key specifies in which order slave connections are
292 auto-activated on boot or when the master activates them. Allowed
293 values are name (order connection by interface name, the default),
294 or index (order slaves by their kernel index).
295
297 This section contains keyfile-plugin-specific options, and is normally
298 only used when you are not using any other distro-specific plugin.
299
300 hostname
301 This key is deprecated and has no effect since the hostname is now
302 stored in /etc/hostname or other system configuration files
303 according to build options.
304
305 path
306 The location where keyfiles are read and stored. This defaults to
307 "/etc/NetworkManager/system-connections".
308
309 unmanaged-devices
310 Set devices that should be ignored by NetworkManager.
311
312 See the section called “Device List Format” for the syntax how to
313 specify a device.
314
315 Example:
316
317 unmanaged-devices=interface-name:em4
318 unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
319
320
322 This section contains ifupdown-specific options and thus only has
323 effect when using the ifupdown plugin.
324
325 managed
326 If set to true, then interfaces listed in /etc/network/interfaces
327 are managed by NetworkManager. If set to false, then any interface
328 listed in /etc/network/interfaces will be ignored by
329 NetworkManager. Remember that NetworkManager controls the default
330 route, so because the interface is ignored, NetworkManager may
331 assign the default route to some other interface.
332
333 The default value is false.
334
336 This section controls NetworkManager's logging. Any settings here are
337 overridden by the --log-level and --log-domains command-line options.
338
339 level
340 The default logging verbosity level. One of OFF, ERR, WARN, INFO,
341 DEBUG, TRACE. The ERR level logs only critical errors. WARN logs
342 warnings that may reflect operation. INFO logs various
343 informational messages that are useful for tracking state and
344 operations. DEBUG enables verbose logging for debugging purposes.
345 TRACE enables even more verbose logging then DEBUG level.
346 Subsequent levels also log all messages from earlier levels; thus
347 setting the log level to INFO also logs error and warning messages.
348
349 domains
350 The following log domains are available: PLATFORM, RFKILL, ETHER,
351 WIFI, BT, MB, DHCP4, DHCP6, PPP, WIFI_SCAN, IP4, IP6, AUTOIP4, DNS,
352 VPN, SHARING, SUPPLICANT, AGENTS, SETTINGS, SUSPEND, CORE, DEVICE,
353 OLPC, WIMAX, INFINIBAND, FIREWALL, ADSL, BOND, VLAN, BRIDGE,
354 DBUS_PROPS, TEAM, CONCHECK, DCB, DISPATCH, AUDIT, SYSTEMD,
355 VPN_PLUGIN, PROXY.
356
357 In addition, these special domains can be used: NONE, ALL, DEFAULT,
358 DHCP, IP.
359
360 You can specify per-domain log level overrides by adding a colon
361 and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".
362
363 Domain descriptions:
364 PLATFORM : OS (platform) operations
365 RFKILL : RFKill subsystem operations
366 ETHER : Ethernet device operations
367 WIFI : Wi-Fi device operations
368 BT : Bluetooth operations
369 MB : Mobile broadband operations
370 DHCP4 : DHCP for IPv4
371 DHCP6 : DHCP for IPv6
372 PPP : Point-to-point protocol operations
373 WIFI_SCAN : Wi-Fi scanning operations
374 IP4 : IPv4-related operations
375 IP6 : IPv6-related operations
376 AUTOIP4 : AutoIP operations
377 DNS : Domain Name System related operations
378 VPN : Virtual Private Network connections and
379 operations
380 SHARING : Connection sharing. With TRACE level log queries
381 for dnsmasq instance
382 SUPPLICANT : WPA supplicant related operations
383 AGENTS : Secret agents operations and communication
384 SETTINGS : Settings/config service operations
385 SUSPEND : Suspend/resume
386 CORE : Core daemon and policy operations
387 DEVICE : Activation and general interface operations
388 OLPC : OLPC Mesh device operations
389 WIMAX : WiMAX device operations
390 INFINIBAND : InfiniBand device operations
391 FIREWALL : FirewallD related operations
392 ADSL : ADSL device operations
393 BOND : Bonding operations
394 VLAN : VLAN operations
395 BRIDGE : Bridging operations
396 DBUS_PROPS : D-Bus property changes
397 TEAM : Teaming operations
398 CONCHECK : Connectivity check
399 DCB : Data Center Bridging (DCB) operations
400 DISPATCH : Dispatcher scripts
401 AUDIT : Audit records
402 SYSTEMD : Messages from internal libsystemd
403 VPN_PLUGIN : logging messages from VPN plugins
404 PROXY : logging messages for proxy handling
405
406 NONE : when given by itself logging is disabled
407 ALL : all log domains
408 DEFAULT : default log domains
409 DHCP : shortcut for "DHCP4,DHCP6"
410 IP : shortcut for "IP4,IP6"
411
412 HW : deprecated alias for "PLATFORM"
413
414 In general, the logfile should not contain passwords or private
415 data. However, you are always advised to check the file before
416 posting it online or attaching to a bug report. VPN_PLUGIN is
417 special as it might reveal private information of the VPN plugins
418 with verbose levels. Therefore this domain will be excluded when
419 setting ALL or DEFAULT to more verbose levels then INFO.
420
421 backend
422 The logging backend. Supported values are "syslog" and "journal".
423 When NetworkManager is started with "--debug" in addition all
424 messages will be printed to stderr. If unspecified, the default is
425 "journal".
426
427 audit
428 Whether the audit records are delivered to auditd, the audit
429 daemon. If false, audit records will be sent only to the
430 NetworkManager logging system. If set to true, they will be also
431 sent to auditd. The default value is false.
432
434 Specify default values for connections.
435
436 Example:
437
438 [connection]
439 ipv6.ip6-privacy=0
440
441
442 Supported Properties
443 Not all properties can be overwritten, only the following properties
444 are supported to have their default values configured (see nm-
445 settings(5) for details). A default value is only consulted if the
446 corresponding per-connection value explicitly allows for that.
447
448 connection.auth-retries
449 If left unspecified, the default value is 3 tries before failing
450 the connection.
451
452 connection.autoconnect-slaves
453
454 connection.lldp
455
456 connection.llmnr
457
458 connection.mdns
459
460 connection.stable-id
461
462 ethernet.cloned-mac-address
463 If left unspecified, it defaults to "preserve".
464
465 ethernet.generate-mac-address-mask
466
467 ethernet.mtu
468 If configured explicitly to 0, the MTU is not reconfigured during
469 device activation unless it is required due to IPv6 constraints. If
470 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
471 MTU is not reconfigured during activation.
472
473 ethernet.wake-on-lan
474
475 infiniband.mtu
476 If configured explicitly to 0, the MTU is not reconfigured during
477 device activation unless it is required due to IPv6 constraints. If
478 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
479 MTU is left unspecified on activation.
480
481 ip-tunnel.mtu
482 If configured explicitly to 0, the MTU is not reconfigured during
483 device activation unless it is required due to IPv6 constraints. If
484 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
485 default of 1500.
486
487 ipv4.dad-timeout
488
489 ipv4.dhcp-client-id
490
491 ipv4.dhcp-timeout
492 If left unspecified, the default value for the interface type is
493 used.
494
495 ipv4.route-metric
496
497 ipv4.route-table
498 If left unspecified, routes are only added to the main table. Note
499 that this is different from explicitly selecting the main table
500 254, because of how NetworkManager removes extraneous routes from
501 the tables.
502
503 ipv6.dhcp-duid
504 If left unspecified, it defaults to "lease".
505
506 ipv6.dhcp-timeout
507 If left unspecified, the default value for the interface type is
508 used.
509
510 ipv6.ip6-privacy
511 If ipv6.ip6-privacy is unset, use the content of
512 "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.
513
514 ipv6.route-metric
515
516 ipv6.route-table
517 If left unspecified, routes are only added to the main table. Note
518 that this is different from explicitly selecting the main table
519 254, because of how NetworkManager removes extraneous routes from
520 the tables.
521
522 sriov.autoprobe-drivers
523 If left unspecified, drivers are autoprobed when the SR-IOV VF gets
524 created.
525
526 vpn.timeout
527 If left unspecified, default value of 60 seconds is used.
528
529 wifi.cloned-mac-address
530 If left unspecified, it defaults to "preserve".
531
532 wifi.generate-mac-address-mask
533
534 wifi.mac-address-randomization
535 If left unspecified, MAC address randomization is disabled. This
536 setting is deprecated for wifi.cloned-mac-address.
537
538 wifi.mtu
539 If configured explicitly to 0, the MTU is not reconfigured during
540 device activation unless it is required due to IPv6 constraints. If
541 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
542 default of 1500.
543
544 wifi.powersave
545 If left unspecified, the default value "ignore" will be used.
546
547 wifi-sec.pmf
548 If left unspecified, the default value "optional" will be used.
549
550 wifi-sec.fils
551 If left unspecified, the default value "optional" will be used.
552
553 Sections
554 You can configure multiple connection sections, by having different
555 sections with a name that all start with "connection". Example:
556
557 [connection]
558 ipv6.ip6-privacy=0
559 connection.autoconnect-slaves=1
560 vpn.timeout=120
561
562 [connection-wifi-wlan0]
563 match-device=interface-name:wlan0
564 ipv4.route-metric=50
565
566 [connection-wifi-other]
567 match-device=type:wifi
568 ipv4.route-metric=55
569 ipv6.ip6-privacy=1
570
571 The sections within one file are considered in order of appearance,
572 with the exception that the [connection] section is always considered
573 last. In the example above, this order is [connection-wifi-wlan0],
574 [connection-wlan-other], and [connection]. When checking for a default
575 configuration value, the sections are searched until the requested
576 value is found. In the example above, "ipv4.route-metric" for wlan0
577 interface is set to 50, and for all other Wi-Fi typed interfaces to 55.
578 Also, Wi-Fi devices would have IPv6 private addresses enabled by
579 default, but other devices would have it disabled. Note that also
580 "wlan0" gets "ipv6.ip6-privacy=1", because although the section
581 "[connection-wifi-wlan0]" matches the device, it does not contain that
582 property and the search continues.
583
584 When having different sections in multiple files, sections from files
585 that are read later have higher priority. So within one file the
586 priority of the sections is top-to-bottom. Across multiple files later
587 definitions take precedence.
588
589 The following properties further control how a connection section
590 applies.
591
592 match-device
593 An optional device spec that restricts when the section applies.
594 See the section called “Device List Format” for the possible
595 values.
596
597 stop-match
598 An optional boolean value which defaults to no. If the section
599 matches (based on match-device), further sections will not be
600 considered even if the property in question is not present. In the
601 example above, if [connection-wifi-wlan0] would have stop-match set
602 to yes, the device wlan0 would have ipv6.ip6-privacy property
603 unspecified. That is, the search for the property would not
604 continue in the connection sections [connection-wifi-other] or
605 [connection].
606
608 Contains per-device persistent configuration.
609
610 Example:
611
612 [device]
613 match-device=interface-name:eth3
614 managed=1
615
616
617 Supported Properties
618 The following properties can be configured per-device.
619
620 managed
621 Whether the device is managed or not. A device can be marked as
622 managed via udev rules (ENV{NM_UNMANAGED}), or via setting plugins
623 (keyfile.unmanaged-devices). This is yet another way. Note that
624 this configuration can be overruled at runtime via D-Bus. Also, it
625 has higher priority then udev rules.
626
627 carrier-wait-timeout
628 Specify the timeout for waiting for carrier in milliseconds. When
629 the device loses carrier, NetworkManager does not react
630 immediately. Instead, it waits for this timeout before considering
631 the link lost. Also, on startup, NetworkManager considers the
632 device as busy for this time, as long as the device has no carrier.
633 This delays startup-complete signal and NetworkManager-wait-online.
634 Configuring this too high means to block NetworkManager-wait-online
635 longer then necessary. Configuring it too low, means that
636 NetworkManager will declare startup-complete, although carrier is
637 about to come and auto-activation to kick in. The default is 5000
638 milliseconds.
639
640 ignore-carrier
641 Specify devices for which NetworkManager will (partially) ignore
642 the carrier state. Normally, for device types that support
643 carrier-detect, such as Ethernet and InfiniBand, NetworkManager
644 will only allow a connection to be activated on the device if
645 carrier is present (ie, a cable is plugged in), and it will
646 deactivate the device if carrier drops for more than a few seconds.
647
648 A device with carrier ignored will allow activating connections on
649 that device even when it does not have carrier, provided that the
650 connection uses only statically-configured IP addresses.
651 Additionally, it will allow any active connection (whether static
652 or dynamic) to remain active on the device when carrier is lost.
653
654 Note that the "carrier" property of NMDevices and device D-Bus
655 interfaces will still reflect the actual device state; it's just
656 that NetworkManager will not make use of that information.
657
658 Master types like bond, bridge and team ignore carrier by default,
659 while other device types react on carrier changes by default.
660
661 This setting overwrites the deprecated main.ignore-carrier setting
662 above.
663
664 wifi.scan-rand-mac-address
665 Configures MAC address randomization of a Wi-Fi device during
666 scanning. This defaults to yes in which case a random,
667 locally-administered MAC address will be used. The setting
668 wifi.scan-generate-mac-address-mask allows to influence the
669 generated MAC address to use certain vendor OUIs. If disabled, the
670 MAC address during scanning is left unchanged to whatever is
671 configured. For the configured MAC address while the device is
672 associated, see instead the per-connection setting
673 wifi.cloned-mac-address.
674
675 wifi.backend
676 Specify the Wi-Fi backend used for the device. Currently supported
677 are wpa_supplicant and iwd (experimental).
678
679 wifi.scan-generate-mac-address-mask
680 Like the per-connection settings ethernet.generate-mac-address-mask
681 and wifi.generate-mac-address-mask, this allows to configure the
682 generated MAC addresses during scanning. See nm-settings(5) for
683 details.
684
685 sriov-num-vfs
686 Specify the number of virtual functions (VF) to enable for a PCI
687 physical device that supports single-root I/O virtualization
688 (SR-IOV).
689
690 Sections
691 The [device] section works the same as the [connection] section. That
692 is, multiple sections that all start with the prefix "device" can be
693 specified. The settings "match-device" and "stop-match" are available
694 to match a device section on a device. The order of multiple sections
695 is also top-down within the file and later files overwrite previous
696 settings. See “Sections” under the section called “CONNECTION SECTION”
697 for details.
698
700 This section controls NetworkManager's optional connectivity checking
701 functionality. This allows NetworkManager to detect whether or not the
702 system can actually access the internet or whether it is behind a
703 captive portal.
704
705 uri
706 The URI of a web page to periodically request when connectivity is
707 being checked. This page should return the header
708 "X-NetworkManager-Status" with a value of "online". Alternatively,
709 its body content should be set to "NetworkManager is online". The
710 body content check can be controlled by the response option. If
711 this option is blank or missing, connectivity checking is disabled.
712
713 interval
714 Specified in seconds; controls how often connectivity is checked
715 when a network connection exists. If set to 0 connectivity checking
716 is disabled. If missing, the default is 300 seconds.
717
718 response
719 If set controls what body content NetworkManager checks for when
720 requesting the URI for connectivity checking. If missing, defaults
721 to "NetworkManager is online"
722
724 This section specifies global DNS settings that override
725 connection-specific configuration.
726
727 searches
728 A list of search domains to be used during hostname lookup.
729
730 options
731 A list of of options to be passed to the hostname resolver.
732
734 Sections with a name starting with the "global-dns-domain-" prefix
735 allow to define global DNS configuration for specific domains. The part
736 of section name after "global-dns-domain-" specifies the domain name a
737 section applies to. More specific domains have the precedence over less
738 specific ones and the default domain is represented by the wildcard
739 "*". A default domain section is mandatory.
740
741 servers
742 A list of addresses of DNS servers to be used for the given domain.
743
744 options
745 A list of domain-specific DNS options. Not used at the moment.
746
748 This is a special section that contains options which apply to the
749 configuration file that contains the option.
750
751 enable
752 Defaults to "true". If "false", the configuration file will be
753 skipped during loading. Note that the main configuration file
754 NetworkManager.conf cannot be disabled.
755
756 # always skip loading the config file
757 [.config]
758 enable=false
759
760 You can also match against the version of NetworkManager. For
761 example the following are valid configurations:
762
763 # only load on version 1.0.6
764 [.config]
765 enable=nm-version:1.0.6
766
767 # load on all versions 1.0.x, but not 1.2.x
768 [.config]
769 enable=nm-version:1.0
770
771 # only load on versions >= 1.1.6. This does not match
772 # with version 1.2.0 or 1.4.4. Only the last digit is considered.
773 [.config]
774 enable=nm-version-min:1.1.6
775
776 # only load on versions >= 1.2. Contrary to the previous
777 # example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.
778 [.config]
779 enable=nm-version-min:1.2
780
781 # Match against the maximum allowed version. The example matches
782 # versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
783 # is allowed to be smaller. So this would not match match on 1.1.10.
784 [.config]
785 enable=nm-version-max:1.2.6
786
787 You can also match against the value of the environment variable
788 NM_CONFIG_ENABLE_TAG, like:
789
790 # always skip loading the file when running NetworkManager with
791 # environment variable "NM_CONFIG_ENABLE_TAG=TAG1"
792 [.config]
793 enable=env:TAG1
794
795 More then one match can be specified. The configuration will be
796 enabled if one of the predicates matches ("or"). The special prefix
797 "except:" can be used to negate the match. Note that if one
798 except-predicate matches, the entire configuration will be
799 disabled. In other words, a except predicate always wins over other
800 predicates. If the setting only consists of "except:" matches and
801 none of the negative conditions are satisfied, the configuration is
802 still enabled.
803
804 # enable the configuration either when the environment variable
805 # is present or the version is at least 1.2.0.
806 [.config]
807 enable=env:TAG2,nm-version-min:1.2
808
809 # enable the configuration for version >= 1.2.0, but disable
810 # it when the environment variable is set to "TAG3"
811 [.config]
812 enable=except:env:TAG3,nm-version-min:1.2
813
814 # enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
815 # Useful if a certain feature is only present since those releases.
816 [.config]
817 enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
818
819
821 Settings plugins for reading and writing connection profiles. The
822 number of available plugins is distribution specific.
823
824 keyfile
825 The keyfile plugin is the generic plugin that supports all the
826 connection types and capabilities that NetworkManager has. It
827 writes files out in an .ini-style format in
828 /etc/NetworkManager/system-connections. See nm-settings-keyfile(5)
829 for details about the file format.
830
831 The stored connection file may contain passwords, secrets and
832 private keys in plain text, so it will be made readable only to
833 root, and the plugin will ignore files that are readable or
834 writable by any user or group other than root. See "Secret flag
835 types" in nm-settings(5) for how to avoid storing passwords in
836 plain text.
837
838 This plugin is always active, and will automatically be used to
839 store any connections that aren't supported by any other active
840 plugin.
841
842 ifcfg-rh
843 This plugin is used on the Fedora and Red Hat Enterprise Linux
844 distributions to read and write configuration from the standard
845 /etc/sysconfig/network-scripts/ifcfg-* files. It currently supports
846 reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team
847 connections. Enabling ifcfg-rh implicitly enables ibft plugin, if
848 it is available. This can be disabled by adding no-ibft. See
849 /usr/share/doc/initscripts/sysconfig.txt and nm-settings-ifcfg-
850 rh(5) for more information about the ifcfg file format.
851
852 ifupdown
853 This plugin is used on the Debian and Ubuntu distributions, and
854 reads Ethernet and Wi-Fi connections from /etc/network/interfaces.
855
856 This plugin is read-only; any connections (of any type) added from
857 within NetworkManager when you are using this plugin will be saved
858 using the keyfile plugin instead.
859
860 ibft, no-ibft
861 This plugin allows to read iBFT configuration (iSCSI Boot Firmware
862 Table). The configuration is read using /sbin/iscsiadm. Users are
863 expected to configure iBFT connections via the firmware interfaces.
864 If ibft support is available, it is automatically enabled after
865 ifcfg-rh. This can be disabled by no-ibft. You can also explicitly
866 specify ibft to load the plugin without ifcfg-rh or to change the
867 plugin order.
868
869 Note that ibft plugin uses /sbin/iscsiadm and thus requires
870 CAP_SYS_ADMIN capability.
871
872 ifcfg-suse, ifnet
873 These plugins are deprecated and their selection has no effect. The
874 keyfile plugin should be used instead.
875
877 Device List Format
878 The configuration options main.no-auto-default, main.ignore-carrier,
879 keyfile.unmanaged-devices, connection*.match-device and
880 device*.match-device select devices based on a list of matchings.
881 Devices can be specified using the following format:
882
883 *
884 Matches every device.
885
886 IFNAME
887 Case sensitive match of interface name of the device. Globbing is
888 not supported.
889
890 HWADDR
891 Match the permanent MAC address of the device. Globbing is not
892 supported
893
894 interface-name:IFNAME, interface-name:~IFNAME
895 Case sensitive match of interface name of the device. Simple
896 globbing is supported with * and ?. Ranges and escaping is not
897 supported.
898
899 interface-name:=IFNAME
900 Case sensitive match of interface name of the device. Globbing is
901 disabled and IFNAME is taken literally.
902
903 mac:HWADDR
904 Match the permanent MAC address of the device. Globbing is not
905 supported
906
907 s390-subchannels:HWADDR
908 Match the device based on the subchannel address. Globbing is not
909 supported
910
911 type:TYPE
912 Match the device type. Valid type names are as reported by "nmcli
913 -f GENERAL.TYPE device show". Globbing is not supported.
914
915 driver:DRIVER
916 Match the device driver as reported by "nmcli -f
917 GENERAL.DRIVER,GENERAL.DRIVER-VERSION device show". "DRIVER" must
918 match the driver name exactly and does not support globbing.
919 Optionally, a driver version may be specified separated by '/'.
920 Globbing is supported for the version.
921
922 dhcp-plugin:DHCP
923 Match the configured DHCP plugin "main.dhcp".
924
925 except:SPEC
926 Negative match of a device. SPEC must be explicitly qualified with
927 a prefix such as interface-name:. A negative match has higher
928 priority then the positive matches above.
929
930 If there is a list consisting only of negative matches, the
931 behavior is the same as if there is also match-all. That means, if
932 none of all the negative matches is satisfied, the overall result
933 is still a positive match. That means, "except:interface-name:eth0"
934 is the same as "*,except:interface-name:eth0".
935
936 SPEC[,;]SPEC
937 Multiple specs can be concatenated with commas or semicolons. The
938 order does not matter as matches are either inclusive or negative
939 (except:), with negative matches having higher priority.
940
941 Backslash is supported to escape the separators ';' and ',', and to
942 express special characters such as newline ('\n'), tabulator
943 ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
944 interface names cannot be escaped. Whitespace is not a separator
945 but will be trimmed between two specs (unless escaped as '\s').
946
947 Example:
948
949 interface-name:em4
950 mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
951 interface-name:vboxnet*,except:interface-name:vboxnet2
952 *,except:mac:00:22:68:1c:59:b1
953
954
956 NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1), nm-
957 settings(5), nm-applet(1), nm-connection-editor(1)
958
959
960
961NetworkManager 1.14.0 NETWORKMANAGER.CONF(5)