1NETWORKMANAGER.CONF(5) Configuration NETWORKMANAGER.CONF(5)
2
6 NetworkManager.conf - NetworkManager configuration file
7
9 /etc/NetworkManager/NetworkManager.conf,
10 /etc/NetworkManager/conf.d/name.conf,
11 /run/NetworkManager/conf.d/name.conf,
12 /usr/lib/NetworkManager/conf.d/name.conf,
13 /var/lib/NetworkManager/NetworkManager-intern.conf
14
16 NetworkManager.conf is the configuration file for NetworkManager. It is
17 used to set up various aspects of NetworkManager's behavior. The
18 location of the main file and configuration directories may be changed
19 through use of the --config, --config-dir, --system-config-dir, and
20 --intern-config argument for NetworkManager, respectively.
21 If a default NetworkManager.conf is provided by your distribution's
23 packages, you should not modify it, since your changes may get
24 overwritten by package updates. Instead, you can add additional .conf
25 files to the /etc/NetworkManager/conf.d directory. These will be read
26 in order, with later files overriding earlier ones. Packages might
27 install further configuration snippets to
28 /usr/lib/NetworkManager/conf.d. This directory is parsed first, even
29 before NetworkManager.conf. Scripts can also put per-boot configuration
30 into /run/NetworkManager/conf.d. This directory is parsed second, also
31 before NetworkManager.conf. The loading of a file
32 /run/NetworkManager/conf.d/name.conf can be prevented by adding a file
33 /etc/NetworkManager/conf.d/name.conf. Likewise, a file
34 /usr/lib/NetworkManager/conf.d/name.conf can be shadowed by putting a
35 file of the same name to either /etc/NetworkManager/conf.d or
36 /run/NetworkManager/conf.d.
37 NetworkManager can overwrite certain user configuration options via
39 D-Bus or other internal operations. In this case it writes those
40 changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This
41 file is not intended to be modified by the user, but it is read last
42 and can shadow user configuration from NetworkManager.conf.
43 Certain settings from the configuration can be reloaded at runtime
45 either by sending SIGHUP signal or via D-Bus' Reload call.
46
48 The configuration file format is so-called key file (sort of ini-style
49 format). It consists of sections (groups) of key-value pairs. Lines
50 beginning with a '#' and blank lines are considered comments. Sections
51 are started by a header line containing the section enclosed in '[' and
52 ']', and ended implicitly by the start of the next section or the end
53 of the file. Each key-value pair must be contained in a section.
54 For keys that take a list of devices as their value, you can specify
56 devices by their MAC addresses or interface names, or "*" to specify
57 all devices. See the section called “Device List Format” below.
58 Minimal system settings configuration file looks like this:
60 [main]
62 plugins=keyfile
63 As an extension to the normal keyfile format, you can also append a
65 value to a previously-set list-valued key by doing:
66 plugins+=another-plugin
68 plugins-=remove-me
69
72 plugins
73 Lists system settings plugin names separated by ','. These plugins
74 are used to read and write system-wide connection profiles. When
75 multiple plugins are specified, the connections are read from all
76 listed plugins. When writing connections, the plugins will be asked
77 to save the connection in the order listed here; if the first
78 plugin cannot write out that connection type (or can't write out
79 any connections) the next plugin is tried, etc. If none of the
80 plugins can save the connection, an error is returned to the user.
81 The default value and the number of available plugins is
83 distro-specific. See the section called “PLUGINS” below for the
84 available plugins. Note that NetworkManager's native keyfile plugin
85 is always appended to the end of this list (if it doesn't already
86 appear earlier in the list).
87 monitor-connection-files
89 Whether the configured settings plugin(s) should set up file
90 monitors and immediately pick up changes made to connection files
91 while NetworkManager is running. This is disabled by default;
92 NetworkManager will only read the connection files at startup, and
93 when explicitly requested via the ReloadConnections D-Bus call. If
94 this key is set to 'true', then NetworkManager will reload
95 connection files any time they changed. Automatic reloading is not
96 advised because there are race conditions involved and it depends
97 on the way how the editor updates the file. In some situations,
98 NetworkManager might first delete and add the connection anew,
99 instead of updating the existing one. Also, NetworkManager might
100 pick up incomplete settings while the user is still editing the
101 files.
102 Note that neither this setting nor restarting the NetworkManager
104 daemon is the advised way to reload connection profiles from disk.
105 Instead, after modifying the files reload them with nmcli
106 connection reload or nmcli connection load "$FILENAME". Even
107 better, instead of modifying files directly, use NetworkManager
108 tools like nmcli, nmtui or the GUI.
109 This setting is deprecated and will have no effect in the future.
111 auth-polkit
113 Whether the system uses PolicyKit for authorization. If false, all
114 requests will be allowed. If true, non-root requests are authorized
115 using PolicyKit. The default value is true.
116 dhcp
118 This key sets up what DHCP client NetworkManager will use. Allowed
119 values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd
120 options require the indicated clients to be installed. The internal
121 option uses a built-in DHCP client which is not currently as
122 featureful as the external clients.
123 If this key is missing, it defaults to dhclient. It the chosen
125 plugin is not available, clients are looked for in this order:
126 dhclient, dhcpcd, internal.
127 no-auto-default
129 Specify devices for which NetworkManager shouldn't create default
130 wired connection (Auto eth0). By default, NetworkManager creates a
131 temporary wired connection for any Ethernet device that is managed
132 and doesn't have a connection configured. List a device in this
133 option to inhibit creating the default connection for the device.
134 May have the special value * to apply to all devices.
135 When the default wired connection is deleted or saved to a new
137 persistent connection by a plugin, the device is added to a list in
138 the file /var/lib/NetworkManager/no-auto-default.state to prevent
139 creating the default connection for that device again.
140 See the section called “Device List Format” for the syntax how to
142 specify a device.
143 Example:
145 no-auto-default=00:22:68:5c:5d:c4,00:1e:65:ff:aa:ee
147 no-auto-default=eth0,eth1
148 no-auto-default=*
149 ignore-carrier
152 This setting is deprecated for the per-device setting
153 ignore-carrier which overwrites this setting if specified (See
154 ignore-carrier). Otherwise, it is a list of matches to specify for
155 which device carrier should be ignored. See the section called
156 “Device List Format” for the syntax how to specify a device. Note
157 that master types like bond, bridge, and team ignore carrier by
158 default. You can however revert that default using the "except:"
159 specifier (or better, use the per-device setting instead of the
160 deprecated setting).
161 assume-ipv6ll-only
163 Specify devices for which NetworkManager will try to generate a
164 connection based on initial configuration when the device only has
165 an IPv6 link-local address.
166 See the section called “Device List Format” for the syntax how to
168 specify a device.
169 configure-and-quit
171 When set to 'true', NetworkManager quits after performing initial
172 network configuration but spawns small helpers to preserve DHCP
173 leases and IPv6 addresses. This is useful in environments where
174 network setup is more or less static or it is desirable to save
175 process time but still handle some dynamic configurations. When
176 this option is true, network configuration for Wi-Fi, WWAN,
177 Bluetooth, ADSL, and PPPoE interfaces cannot be preserved due to
178 their use of external services, and these devices will be
179 deconfigured when NetworkManager quits even though other
180 interface's configuration may be preserved. Also, to preserve DHCP
181 addresses the 'dhcp' option must be set to 'internal'. The default
182 value of the 'configure-and-quit' option is 'false', meaning that
183 NetworkManager will continue running after initial network
184 configuration and continue responding to system and hardware
185 events, D-Bus requests, and user commands.
186 hostname-mode
188 Set the management mode of the hostname. This parameter will affect
189 only the transient hostname. If a valid static hostname is set,
190 NetworkManager will skip the update of the hostname despite the
191 value of this option. An hostname empty or equal to 'localhost',
192 'localhost6', 'localhost.localdomain' or 'localhost6.localdomain'
193 is considered invalid.
194 default: NetworkManager will update the hostname with the one
196 provided via DHCP on the main connection (the one with a default
197 route). If not present, the hostname will be updated to the last
198 one set outside NetworkManager. If it is not valid, NetworkManager
199 will try to recover the hostname from the reverse lookup of the IP
200 address of the main connection. If this fails too, the hostname
201 will be set to 'localhost.localdomain'.
202 dhcp: NetworkManager will update the transient hostname only with
204 information coming from DHCP. No fallback nor reverse lookup will
205 be performed, but when the dhcp connection providing the hostname
206 is deactivated, the hostname is reset to the last hostname set
207 outside NetworkManager or 'localhost' if none valid is there.
208 none: NetworkManager will not manage the transient hostname and
210 will never set it.
211 dns
213 Set the DNS processing mode.
214 If the key is unspecified, default is used, unless /etc/resolv.conf
216 is a symlink to /run/systemd/resolve/stub-resolv.conf,
217 /run/systemd/resolve/resolv.conf, /lib/systemd/resolv.conf or
218 /usr/lib/systemd/resolv.conf. In that case, systemd-resolved is
219 chosen automatically.
220 default: NetworkManager will update /etc/resolv.conf to reflect the
222 nameservers provided by currently active connections.
223 dnsmasq: NetworkManager will run dnsmasq as a local caching
225 nameserver, using a "split DNS" configuration if you are connected
226 to a VPN, and then update resolv.conf to point to the local
227 nameserver. It is possible to pass custom options to the dnsmasq
228 instance by adding them to files in the
229 "/etc/NetworkManager/dnsmasq.d/" directory. Note that when multiple
230 upstream servers are available, dnsmasq will initially contact them
231 in parallel and then use the fastest to respond, probing again
232 other servers after some time. This behavior can be modified
233 passing the 'all-servers' or 'strict-order' options to dnsmasq (see
234 the manual page for more details).
235 systemd-resolved: NetworkManager will push the DNS configuration to
237 systemd-resolved
238 unbound: NetworkManager will talk to unbound and dnssec-triggerd,
240 providing a "split DNS" configuration with DNSSEC support.
241 /etc/resolv.conf will be managed by dnssec-trigger daemon.
242 none: NetworkManager will not modify resolv.conf. This implies
244 rc-manager unmanaged
245 Note that the plugins dnsmasq, systemd-resolved and unbound are
247 caching local nameservers. Hence, when NetworkManager writes
248 /var/run/NetworkManager/resolv.conf and /etc/resolv.conf (according
249 to rc-manager setting below), the name server there will be
250 localhost only. NetworkManager also writes a file
251 /var/run/NetworkManager/no-stub-resolv.conf that contains the
252 original name servers pushed to the DNS plugin.
253 rc-manager
255 Set the resolv.conf management mode. The default value depends on
256 NetworkManager build options, and this version of NetworkManager
257 was build with a default of "symlink". Regardless of this setting,
258 NetworkManager will always write resolv.conf to its runtime state
259 directory /var/run/NetworkManager/resolv.conf.
260 symlink: If /etc/resolv.conf is a regular file, NetworkManager will
262 replace the file on update. If /etc/resolv.conf is instead a
263 symlink, NetworkManager will leave it alone. Unless the symlink
264 points to the internal file /var/run/NetworkManager/resolv.conf, in
265 which case the symlink will be updated to emit an inotify
266 notification. This allows the user to conveniently instruct
267 NetworkManager not to manage /etc/resolv.conf by replacing it with
268 a symlink.
269 file: NetworkManager will write /etc/resolv.conf as file. If it
271 finds a symlink to an existing target, it will follow the symlink
272 and update the target instead. In no case will an existing symlink
273 be replaced by a file. Note that older versions of NetworkManager
274 behaved differently and would replace dangling symlinks with a
275 plain file.
276 resolvconf: NetworkManager will run resolvconf to update the DNS
278 configuration.
279 netconfig: NetworkManager will run netconfig to update the DNS
281 configuration.
282 unmanaged: don't touch /etc/resolv.conf.
284 none: deprecated alias for symlink.
286 systemd-resolved
288 Send the connection DNS configuration to systemd-resolved. Defaults
289 to "true".
290 Note that this setting is complementary to the dns setting. You can
292 keep this enabled while using dns set to another DNS plugin
293 alongside systemd-resolved, or dns set to systemd-resolved to
294 configure the system resolver to use systemd-resolved.
295 If systemd-resolved is enabled, the connectivity check resolves the
297 hostname per-device.
298 debug
300 Comma separated list of options to aid debugging. This value will
301 be combined with the environment variable NM_DEBUG. Currently the
302 following values are supported:
303 RLIMIT_CORE: set ulimit -c unlimited to write out core dumps.
305 Beware, that a core dump can contain sensitive information such as
306 passwords or configuration settings.
307 fatal-warnings: set g_log_set_always_fatal() to core dump on
309 warning messages from glib. This is equivalent to the
310 --g-fatal-warnings command line option.
311 autoconnect-retries-default
313 The number of times a connection activation should be automatically
314 tried before switching to another one. This value applies only to
315 connections that can auto-connect and have a
316 connection.autoconnect-retries property set to -1. If not
317 specified, connections will be tried 4 times. Setting this value to
318 1 means to try activation once, without retry.
319 slaves-order
321 This key specifies in which order slave connections are
322 auto-activated on boot or when the master activates them. Allowed
323 values are name (order connection by interface name, the default),
324 or index (order slaves by their kernel index).
325
327 This section contains keyfile-plugin-specific options, and is normally
328 only used when you are not using any other distro-specific plugin.
329 hostname
331 This key is deprecated and has no effect since the hostname is now
332 stored in /etc/hostname or other system configuration files
333 according to build options.
334 path
336 The location where keyfiles are read and stored. This defaults to
337 "/etc/NetworkManager/system-connections".
338 unmanaged-devices
340 Set devices that should be ignored by NetworkManager.
341 See the section called “Device List Format” for the syntax how to
343 specify a device.
344 Example:
346 unmanaged-devices=interface-name:em4
348 unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
349
352 This section contains ifupdown-specific options and thus only has
353 effect when using the ifupdown plugin.
354 managed
356 If set to true, then interfaces listed in /etc/network/interfaces
357 are managed by NetworkManager. If set to false, then any interface
358 listed in /etc/network/interfaces will be ignored by
359 NetworkManager. Remember that NetworkManager controls the default
360 route, so because the interface is ignored, NetworkManager may
361 assign the default route to some other interface.
362 The default value is false.
364
366 This section controls NetworkManager's logging. Any settings here are
367 overridden by the --log-level and --log-domains command-line options.
368 level
370 The default logging verbosity level. One of OFF, ERR, WARN, INFO,
371 DEBUG, TRACE. The ERR level logs only critical errors. WARN logs
372 warnings that may reflect operation. INFO logs various
373 informational messages that are useful for tracking state and
374 operations. DEBUG enables verbose logging for debugging purposes.
375 TRACE enables even more verbose logging then DEBUG level.
376 Subsequent levels also log all messages from earlier levels; thus
377 setting the log level to INFO also logs error and warning messages.
378 domains
380 The following log domains are available: PLATFORM, RFKILL, ETHER,
381 WIFI, BT, MB, DHCP4, DHCP6, PPP, WIFI_SCAN, IP4, IP6, AUTOIP4, DNS,
382 VPN, SHARING, SUPPLICANT, AGENTS, SETTINGS, SUSPEND, CORE, DEVICE,
383 OLPC, WIMAX, INFINIBAND, FIREWALL, ADSL, BOND, VLAN, BRIDGE,
384 DBUS_PROPS, TEAM, CONCHECK, DCB, DISPATCH, AUDIT, SYSTEMD,
385 VPN_PLUGIN, PROXY.
386 In addition, these special domains can be used: NONE, ALL, DEFAULT,
388 DHCP, IP.
389 You can specify per-domain log level overrides by adding a colon
391 and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".
392 Domain descriptions:
394 PLATFORM : OS (platform) operations
395 RFKILL : RFKill subsystem operations
396 ETHER : Ethernet device operations
397 WIFI : Wi-Fi device operations
398 BT : Bluetooth operations
399 MB : Mobile broadband operations
400 DHCP4 : DHCP for IPv4
401 DHCP6 : DHCP for IPv6
402 PPP : Point-to-point protocol operations
403 WIFI_SCAN : Wi-Fi scanning operations
404 IP4 : IPv4-related operations
405 IP6 : IPv6-related operations
406 AUTOIP4 : AutoIP operations
407 DNS : Domain Name System related operations
408 VPN : Virtual Private Network connections and
409 operations
410 SHARING : Connection sharing. With TRACE level log queries
411 for dnsmasq instance
412 SUPPLICANT : WPA supplicant related operations
413 AGENTS : Secret agents operations and communication
414 SETTINGS : Settings/config service operations
415 SUSPEND : Suspend/resume
416 CORE : Core daemon and policy operations
417 DEVICE : Activation and general interface operations
418 OLPC : OLPC Mesh device operations
419 WIMAX : WiMAX device operations
420 INFINIBAND : InfiniBand device operations
421 FIREWALL : FirewallD related operations
422 ADSL : ADSL device operations
423 BOND : Bonding operations
424 VLAN : VLAN operations
425 BRIDGE : Bridging operations
426 DBUS_PROPS : D-Bus property changes
427 TEAM : Teaming operations
428 CONCHECK : Connectivity check
429 DCB : Data Center Bridging (DCB) operations
430 DISPATCH : Dispatcher scripts
431 AUDIT : Audit records
432 SYSTEMD : Messages from internal libsystemd
433 VPN_PLUGIN : logging messages from VPN plugins
434 PROXY : logging messages for proxy handling
435 NONE : when given by itself logging is disabled
437 ALL : all log domains
438 DEFAULT : default log domains
439 DHCP : shortcut for "DHCP4,DHCP6"
440 IP : shortcut for "IP4,IP6"
441 HW : deprecated alias for "PLATFORM"
443 In general, the logfile should not contain passwords or private
445 data. However, you are always advised to check the file before
446 posting it online or attaching to a bug report. VPN_PLUGIN is
447 special as it might reveal private information of the VPN plugins
448 with verbose levels. Therefore this domain will be excluded when
449 setting ALL or DEFAULT to more verbose levels then INFO.
450 backend
452 The logging backend. Supported values are "syslog" and "journal".
453 When NetworkManager is started with "--debug" in addition all
454 messages will be printed to stderr. If unspecified, the default is
455 "journal".
456 audit
458 Whether the audit records are delivered to auditd, the audit
459 daemon. If false, audit records will be sent only to the
460 NetworkManager logging system. If set to true, they will be also
461 sent to auditd. The default value is false.
462
464 Specify default values for connections.
465 Example:
467 [connection]
469 ipv6.ip6-privacy=0
470 Supported Properties
473 Not all properties can be overwritten, only the following properties
474 are supported to have their default values configured (see nm-
475 settings(5) for details). A default value is only consulted if the
476 corresponding per-connection value explicitly allows for that.
477 802-1x.auth-timeout
481 cdma.mtu
483 connection.auth-retries
485 If left unspecified, the default value is 3 tries before failing
486 the connection.
487 connection.autoconnect-slaves
489 connection.lldp
491 connection.llmnr
493 connection.mdns
495 connection.stable-id
497 ethernet.cloned-mac-address
499 If left unspecified, it defaults to "preserve".
500 ethernet.generate-mac-address-mask
502 ethernet.mtu
504 If configured explicitly to 0, the MTU is not reconfigured during
505 device activation unless it is required due to IPv6 constraints. If
506 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
507 MTU is not reconfigured during activation.
508 ethernet.wake-on-lan
510 gsm.mtu
512 infiniband.mtu
514 If configured explicitly to 0, the MTU is not reconfigured during
515 device activation unless it is required due to IPv6 constraints. If
516 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
517 MTU is left unspecified on activation.
518 ip-tunnel.mtu
520 If configured explicitly to 0, the MTU is not reconfigured during
521 device activation unless it is required due to IPv6 constraints. If
522 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
523 default of 1500.
524 ipv4.dad-timeout
526 ipv4.dhcp-client-id
528 ipv4.dhcp-timeout
530 If left unspecified, the default value for the interface type is
531 used.
532 ipv4.dns-priority
534 If unspecified or zero, use 50 for VPN profiles and 100 for other
535 profiles.
536 ipv4.route-metric
538 ipv4.route-table
540 If left unspecified, routes are only added to the main table. Note
541 that this is different from explicitly selecting the main table
542 254, because of how NetworkManager removes extraneous routes from
543 the tables.
544 ipv6.dhcp-duid
546 If left unspecified, it defaults to "lease".
547 ipv6.dhcp-timeout
549 If left unspecified, the default value for the interface type is
550 used.
551 ipv6.dns-priority
553 If unspecified or zero, use 50 for VPN profiles and 100 for other
554 profiles.
555 ipv6.ip6-privacy
557 If ipv6.ip6-privacy is unset, use the content of
558 "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.
559 ipv6.route-metric
561 ipv6.route-table
563 If left unspecified, routes are only added to the main table. Note
564 that this is different from explicitly selecting the main table
565 254, because of how NetworkManager removes extraneous routes from
566 the tables.
567 sriov.autoprobe-drivers
569 If left unspecified, drivers are autoprobed when the SR-IOV VF gets
570 created.
571 vpn.timeout
573 If left unspecified, default value of 60 seconds is used.
574 wifi.cloned-mac-address
576 If left unspecified, it defaults to "preserve".
577 wifi.generate-mac-address-mask
579 wifi.mac-address-randomization
581 If left unspecified, MAC address randomization is disabled. This
582 setting is deprecated for wifi.cloned-mac-address.
583 wifi.mtu
585 If configured explicitly to 0, the MTU is not reconfigured during
586 device activation unless it is required due to IPv6 constraints. If
587 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
588 default of 1500.
589 wifi.powersave
591 If left unspecified, the default value "ignore" will be used.
592 wifi-sec.pmf
594 If left unspecified, the default value "optional" will be used.
595 wifi-sec.fils
597 If left unspecified, the default value "optional" will be used.
598 wifi.wake-on-wlan
600 wireguard.mtu
602 Sections
605 You can configure multiple connection sections, by having different
606 sections with a name that all start with "connection". Example:
607 [connection]
609 ipv6.ip6-privacy=0
610 connection.autoconnect-slaves=1
611 vpn.timeout=120
612 [connection-wifi-wlan0]
614 match-device=interface-name:wlan0
615 ipv4.route-metric=50
616 [connection-wifi-other]
618 match-device=type:wifi
619 ipv4.route-metric=55
620 ipv6.ip6-privacy=1
621 The sections within one file are considered in order of appearance,
623 with the exception that the [connection] section is always considered
624 last. In the example above, this order is [connection-wifi-wlan0],
625 [connection-wlan-other], and [connection]. When checking for a default
626 configuration value, the sections are searched until the requested
627 value is found. In the example above, "ipv4.route-metric" for wlan0
628 interface is set to 50, and for all other Wi-Fi typed interfaces to 55.
629 Also, Wi-Fi devices would have IPv6 private addresses enabled by
630 default, but other devices would have it disabled. Note that also
631 "wlan0" gets "ipv6.ip6-privacy=1", because although the section
632 "[connection-wifi-wlan0]" matches the device, it does not contain that
633 property and the search continues.
634 When having different sections in multiple files, sections from files
636 that are read later have higher priority. So within one file the
637 priority of the sections is top-to-bottom. Across multiple files later
638 definitions take precedence.
639 The following properties further control how a connection section
641 applies.
642 match-device
644 An optional device spec that restricts when the section applies.
645 See the section called “Device List Format” for the possible
646 values.
647 stop-match
649 An optional boolean value which defaults to no. If the section
650 matches (based on match-device), further sections will not be
651 considered even if the property in question is not present. In the
652 example above, if [connection-wifi-wlan0] would have stop-match set
653 to yes, the device wlan0 would have ipv6.ip6-privacy property
654 unspecified. That is, the search for the property would not
655 continue in the connection sections [connection-wifi-other] or
656 [connection].
657
659 Contains per-device persistent configuration.
660 Example:
662 [device]
664 match-device=interface-name:eth3
665 managed=1
666 Supported Properties
669 The following properties can be configured per-device.
670 managed
672 Whether the device is managed or not. A device can be marked as
673 managed via udev rules (ENV{NM_UNMANAGED}), or via setting plugins
674 (keyfile.unmanaged-devices). This is yet another way. Note that
675 this configuration can be overruled at runtime via D-Bus. Also, it
676 has higher priority then udev rules.
677 carrier-wait-timeout
679 Specify the timeout for waiting for carrier in milliseconds. When
680 the device loses carrier, NetworkManager does not react
681 immediately. Instead, it waits for this timeout before considering
682 the link lost. Also, on startup, NetworkManager considers the
683 device as busy for this time, as long as the device has no carrier.
684 This delays startup-complete signal and NetworkManager-wait-online.
685 Configuring this too high means to block NetworkManager-wait-online
686 longer then necessary. Configuring it too low, means that
687 NetworkManager will declare startup-complete, although carrier is
688 about to come and auto-activation to kick in. The default is 5000
689 milliseconds.
690 ignore-carrier
692 Specify devices for which NetworkManager will (partially) ignore
693 the carrier state. Normally, for device types that support
694 carrier-detect, such as Ethernet and InfiniBand, NetworkManager
695 will only allow a connection to be activated on the device if
696 carrier is present (ie, a cable is plugged in), and it will
697 deactivate the device if carrier drops for more than a few seconds.
698 A device with carrier ignored will allow activating connections on
700 that device even when it does not have carrier, provided that the
701 connection uses only statically-configured IP addresses.
702 Additionally, it will allow any active connection (whether static
703 or dynamic) to remain active on the device when carrier is lost.
704 Note that the "carrier" property of NMDevices and device D-Bus
706 interfaces will still reflect the actual device state; it's just
707 that NetworkManager will not make use of that information.
708 Master types like bond, bridge and team ignore carrier by default,
710 while other device types react on carrier changes by default.
711 This setting overwrites the deprecated main.ignore-carrier setting
713 above.
714 wifi.scan-rand-mac-address
716 Configures MAC address randomization of a Wi-Fi device during
717 scanning. This defaults to yes in which case a random,
718 locally-administered MAC address will be used. The setting
719 wifi.scan-generate-mac-address-mask allows to influence the
720 generated MAC address to use certain vendor OUIs. If disabled, the
721 MAC address during scanning is left unchanged to whatever is
722 configured. For the configured MAC address while the device is
723 associated, see instead the per-connection setting
724 wifi.cloned-mac-address.
725 wifi.backend
727 Specify the Wi-Fi backend used for the device. Currently supported
728 are wpa_supplicant and iwd (experimental).
729 wifi.scan-generate-mac-address-mask
731 Like the per-connection settings ethernet.generate-mac-address-mask
732 and wifi.generate-mac-address-mask, this allows to configure the
733 generated MAC addresses during scanning. See nm-settings(5) for
734 details.
735 sriov-num-vfs
737 Specify the number of virtual functions (VF) to enable for a PCI
738 physical device that supports single-root I/O virtualization
739 (SR-IOV).
740 Sections
742 The [device] section works the same as the [connection] section. That
743 is, multiple sections that all start with the prefix "device" can be
744 specified. The settings "match-device" and "stop-match" are available
745 to match a device section on a device. The order of multiple sections
746 is also top-down within the file and later files overwrite previous
747 settings. See “Sections” under the section called “CONNECTION SECTION”
748 for details.
749
751 This section controls NetworkManager's optional connectivity checking
752 functionality. This allows NetworkManager to detect whether or not the
753 system can actually access the internet or whether it is behind a
754 captive portal.
755 Connectivity checking serves two purposes. For one, it exposes a
757 connectivity state on D-Bus, which other applications may use. For
758 example, Gnome's portal helper uses this as signal to show a captive
759 portal login page. The other use is that default-route of devices
760 without global connectivity get a penalty of +20000 to the
761 route-metric. This has the purpose to give a better default-route to
762 devices that have global connectivity. For example, when being
763 connected to WWAN and to a Wi-Fi network which is behind a captive
764 portal, WWAN still gets preferred until login.
765 Note that your distribution might set
767 /proc/sys/net/ipv4/conf/*/rp_filter to strict filtering. That works
768 badly with per-device connectivity checking, which uses SO_BINDDEVICE
769 to send requests on all devices. A strict rp_filter setting will reject
770 any response and the connectivity check on all but the best route will
771 fail.
772 uri
774 The URI of a web page to periodically request when connectivity is
775 being checked. This page should return the header
776 "X-NetworkManager-Status" with a value of "online". Alternatively,
777 its body content should be set to "NetworkManager is online". The
778 body content check can be controlled by the response option. If
779 this option is blank or missing, connectivity checking is disabled.
780 interval
782 Specified in seconds; controls how often connectivity is checked
783 when a network connection exists. If set to 0 connectivity checking
784 is disabled. If missing, the default is 300 seconds.
785 response
787 If set, controls what body content NetworkManager checks for when
788 requesting the URI for connectivity checking. Note that this only
789 compares that the HTTP response starts with the specifid text, it
790 does not compare the exact string. This behavior might change in
791 the future, so avoid relying on it. If missing, the response
792 defaults to "NetworkManager is online". If set to empty, the HTTP
793 server is expected to answer with status code 204 or send no data.
794
796 This section specifies global DNS settings that override
797 connection-specific configuration.
798 searches
800 A list of search domains to be used during hostname lookup.
801 options
803 A list of options to be passed to the hostname resolver.
804
806 Sections with a name starting with the "global-dns-domain-" prefix
807 allow to define global DNS configuration for specific domains. The part
808 of section name after "global-dns-domain-" specifies the domain name a
809 section applies to. More specific domains have the precedence over less
810 specific ones and the default domain is represented by the wildcard
811 "*". A default domain section is mandatory.
812 servers
814 A list of addresses of DNS servers to be used for the given domain.
815 options
817 A list of domain-specific DNS options. Not used at the moment.
818
820 This is a special section that contains options which apply to the
821 configuration file that contains the option.
822 enable
824 Defaults to "true". If "false", the configuration file will be
825 skipped during loading. Note that the main configuration file
826 NetworkManager.conf cannot be disabled.
827 # always skip loading the config file
829 [.config]
830 enable=false
831 You can also match against the version of NetworkManager. For
833 example the following are valid configurations:
834 # only load on version 1.0.6
836 [.config]
837 enable=nm-version:1.0.6
838 # load on all versions 1.0.x, but not 1.2.x
840 [.config]
841 enable=nm-version:1.0
842 # only load on versions >= 1.1.6. This does not match
844 # with version 1.2.0 or 1.4.4. Only the last digit is considered.
845 [.config]
846 enable=nm-version-min:1.1.6
847 # only load on versions >= 1.2. Contrary to the previous
849 # example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.
850 [.config]
851 enable=nm-version-min:1.2
852 # Match against the maximum allowed version. The example matches
854 # versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
855 # is allowed to be smaller. So this would not match match on 1.1.10.
856 [.config]
857 enable=nm-version-max:1.2.6
858 You can also match against the value of the environment variable
860 NM_CONFIG_ENABLE_TAG, like:
861 # always skip loading the file when running NetworkManager with
863 # environment variable "NM_CONFIG_ENABLE_TAG=TAG1"
864 [.config]
865 enable=env:TAG1
866 More then one match can be specified. The configuration will be
868 enabled if one of the predicates matches ("or"). The special prefix
869 "except:" can be used to negate the match. Note that if one
870 except-predicate matches, the entire configuration will be
871 disabled. In other words, a except predicate always wins over other
872 predicates. If the setting only consists of "except:" matches and
873 none of the negative conditions are satisfied, the configuration is
874 still enabled.
875 # enable the configuration either when the environment variable
877 # is present or the version is at least 1.2.0.
878 [.config]
879 enable=env:TAG2,nm-version-min:1.2
880 # enable the configuration for version >= 1.2.0, but disable
882 # it when the environment variable is set to "TAG3"
883 [.config]
884 enable=except:env:TAG3,nm-version-min:1.2
885 # enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
887 # Useful if a certain feature is only present since those releases.
888 [.config]
889 enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
890
893 Settings plugins for reading and writing connection profiles. The
894 number of available plugins is distribution specific.
895 keyfile
897 The keyfile plugin is the generic plugin that supports all the
898 connection types and capabilities that NetworkManager has. It
899 writes files out in an .ini-style format in
900 /etc/NetworkManager/system-connections. See nm-settings-keyfile(5)
901 for details about the file format.
902 The stored connection file may contain passwords, secrets and
904 private keys in plain text, so it will be made readable only to
905 root, and the plugin will ignore files that are readable or
906 writable by any user or group other than root. See "Secret flag
907 types" in nm-settings(5) for how to avoid storing passwords in
908 plain text.
909 This plugin is always active, and will automatically be used to
911 store any connections that aren't supported by any other active
912 plugin.
913 ifcfg-rh
915 This plugin is used on the Fedora and Red Hat Enterprise Linux
916 distributions to read and write configuration from the standard
917 /etc/sysconfig/network-scripts/ifcfg-* files. It currently supports
918 reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team
919 connections. Enabling ifcfg-rh implicitly enables ibft plugin, if
920 it is available. This can be disabled by adding no-ibft. See
921 /usr/share/doc/initscripts/sysconfig.txt and nm-settings-ifcfg-
922 rh(5) for more information about the ifcfg file format.
923 ifupdown
925 This plugin is used on the Debian and Ubuntu distributions, and
926 reads Ethernet and Wi-Fi connections from /etc/network/interfaces.
927 This plugin is read-only; any connections (of any type) added from
929 within NetworkManager when you are using this plugin will be saved
930 using the keyfile plugin instead.
931 ibft, no-ibft
933 This plugin allows to read iBFT configuration (iSCSI Boot Firmware
934 Table). The configuration is read using /sbin/iscsiadm. Users are
935 expected to configure iBFT connections via the firmware interfaces.
936 If ibft support is available, it is automatically enabled after
937 ifcfg-rh. This can be disabled by no-ibft. You can also explicitly
938 specify ibft to load the plugin without ifcfg-rh or to change the
939 plugin order.
940 Note that ibft plugin uses /sbin/iscsiadm and thus requires
942 CAP_SYS_ADMIN capability.
943 ifcfg-suse, ifnet
945 These plugins are deprecated and their selection has no effect. The
946 keyfile plugin should be used instead.
947
949 Device List Format
950 The configuration options main.no-auto-default, main.ignore-carrier,
951 keyfile.unmanaged-devices, connection*.match-device and
952 device*.match-device select devices based on a list of matchings.
953 Devices can be specified using the following format:
954 *
956 Matches every device.
957 IFNAME
959 Case sensitive match of interface name of the device. Globbing is
960 not supported.
961 HWADDR
963 Match the permanent MAC address of the device. Globbing is not
964 supported
965 interface-name:IFNAME, interface-name:~IFNAME
967 Case sensitive match of interface name of the device. Simple
968 globbing is supported with * and ?. Ranges and escaping is not
969 supported.
970 interface-name:=IFNAME
972 Case sensitive match of interface name of the device. Globbing is
973 disabled and IFNAME is taken literally.
974 mac:HWADDR
976 Match the permanent MAC address of the device. Globbing is not
977 supported
978 s390-subchannels:HWADDR
980 Match the device based on the subchannel address. Globbing is not
981 supported
982 type:TYPE
984 Match the device type. Valid type names are as reported by "nmcli
985 -f GENERAL.TYPE device show". Globbing is not supported.
986 driver:DRIVER
988 Match the device driver as reported by "nmcli -f
989 GENERAL.DRIVER,GENERAL.DRIVER-VERSION device show". "DRIVER" must
990 match the driver name exactly and does not support globbing.
991 Optionally, a driver version may be specified separated by '/'.
992 Globbing is supported for the version.
993 dhcp-plugin:DHCP
995 Match the configured DHCP plugin "main.dhcp".
996 except:SPEC
998 Negative match of a device. SPEC must be explicitly qualified with
999 a prefix such as interface-name:. A negative match has higher
1000 priority then the positive matches above.
1001 If there is a list consisting only of negative matches, the
1003 behavior is the same as if there is also match-all. That means, if
1004 none of all the negative matches is satisfied, the overall result
1005 is still a positive match. That means, "except:interface-name:eth0"
1006 is the same as "*,except:interface-name:eth0".
1007 SPEC[,;]SPEC
1009 Multiple specs can be concatenated with commas or semicolons. The
1010 order does not matter as matches are either inclusive or negative
1011 (except:), with negative matches having higher priority.
1012 Backslash is supported to escape the separators ';' and ',', and to
1014 express special characters such as newline ('\n'), tabulator
1015 ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
1016 interface names cannot be escaped. Whitespace is not a separator
1017 but will be trimmed between two specs (unless escaped as '\s').
1018 Example:
1020 interface-name:em4
1022 mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
1023 interface-name:vboxnet*,except:interface-name:vboxnet2
1024 *,except:mac:00:22:68:1c:59:b1
1025
1028 NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1), nm-
1029 settings(5), nm-applet(1), nm-connection-editor(1)
1030NetworkManager 1.16.2 NETWORKMANAGER.CONF(5)