1NETWORKMANAGER.CONF(5) Configuration NETWORKMANAGER.CONF(5)
2
6 NetworkManager.conf - NetworkManager configuration file
7
9 /etc/NetworkManager/NetworkManager.conf,
10 /etc/NetworkManager/conf.d/name.conf,
11 /run/NetworkManager/conf.d/name.conf,
12 /usr/lib/NetworkManager/conf.d/name.conf,
13 /var/lib/NetworkManager/NetworkManager-intern.conf
14
16 NetworkManager.conf is the configuration file for NetworkManager. It is
17 used to set up various aspects of NetworkManager's behavior. The
18 location of the main file and configuration directories may be changed
19 through use of the --config, --config-dir, --system-config-dir, and
20 --intern-config argument for NetworkManager, respectively.
21 If a default NetworkManager.conf is provided by your distribution's
23 packages, you should not modify it, since your changes may get
24 overwritten by package updates. Instead, you can add additional .conf
25 files to the /etc/NetworkManager/conf.d directory. These will be read
26 in order, with later files overriding earlier ones. Packages might
27 install further configuration snippets to
28 /usr/lib/NetworkManager/conf.d. This directory is parsed first, even
29 before NetworkManager.conf. Scripts can also put per-boot configuration
30 into /run/NetworkManager/conf.d. This directory is parsed second, also
31 before NetworkManager.conf. The loading of a file
32 /run/NetworkManager/conf.d/name.conf can be prevented by adding a file
33 /etc/NetworkManager/conf.d/name.conf. Likewise, a file
34 /usr/lib/NetworkManager/conf.d/name.conf can be shadowed by putting a
35 file of the same name to either /etc/NetworkManager/conf.d or
36 /run/NetworkManager/conf.d.
37 NetworkManager can overwrite certain user configuration options via
39 D-Bus or other internal operations. In this case it writes those
40 changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This
41 file is not intended to be modified by the user, but it is read last
42 and can shadow user configuration from NetworkManager.conf.
43 Certain settings from the configuration can be reloaded at runtime
45 either by sending SIGHUP signal or via D-Bus' Reload call.
46
48 The configuration file format is so-called key file (sort of ini-style
49 format). It consists of sections (groups) of key-value pairs. Lines
50 beginning with a '#' and blank lines are considered comments. Sections
51 are started by a header line containing the section enclosed in '[' and
52 ']', and ended implicitly by the start of the next section or the end
53 of the file. Each key-value pair must be contained in a section.
54 For keys that take a list of devices as their value, you can specify
56 devices by their MAC addresses or interface names, or "*" to specify
57 all devices. See the section called “Device List Format” below.
58 Minimal system settings configuration file looks like this:
60 [main]
62 plugins=keyfile
63 As an extension to the normal keyfile format, you can also append a
65 value to a previously-set list-valued key by doing:
66 plugins+=another-plugin
68 plugins-=remove-me
69
72 plugins
73 Lists system settings plugin names separated by ','. These plugins
74 are used to read and write system-wide connection profiles. When
75 multiple plugins are specified, the connections are read from all
76 listed plugins. When writing connections, the plugins will be asked
77 to save the connection in the order listed here; if the first
78 plugin cannot write out that connection type (or can't write out
79 any connections) the next plugin is tried, etc. If none of the
80 plugins can save the connection, an error is returned to the user.
81 The default value and the number of available plugins is
83 distro-specific. See the section called “PLUGINS” below for the
84 available plugins. Note that NetworkManager's native keyfile plugin
85 is always appended to the end of this list (if it doesn't already
86 appear earlier in the list).
87 monitor-connection-files
89 This setting is deprecated and has no effect. Profiles from disk
90 are never automatically reloaded. Use for example nmcli connection
91 (re)load for that.
92 auth-polkit
94 Whether the system uses PolicyKit for authorization. If true,
95 non-root requests are authorized using PolicyKit. Requests from
96 root (user ID zero) are always granted without asking PolicyKit. If
97 false, all requests will be allowed and PolicyKit is not used. If
98 set to root-only PolicyKit is not used and all requests except root
99 are denied. The default value is true.
100 dhcp
102 This key sets up what DHCP client NetworkManager will use. Allowed
103 values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd
104 options require the indicated clients to be installed. The internal
105 option uses a built-in DHCP client which is not currently as
106 featureful as the external clients.
107 If this key is missing, it defaults to internal. It the chosen
109 plugin is not available, clients are looked for in this order:
110 dhclient, dhcpcd, internal.
111 no-auto-default
113 Specify devices for which NetworkManager shouldn't create default
114 wired connection (Auto eth0). By default, NetworkManager creates a
115 temporary wired connection for any Ethernet device that is managed
116 and doesn't have a connection configured. List a device in this
117 option to inhibit creating the default connection for the device.
118 May have the special value * to apply to all devices.
119 When the default wired connection is deleted or saved to a new
121 persistent connection by a plugin, the device is added to a list in
122 the file /var/lib/NetworkManager/no-auto-default.state to prevent
123 creating the default connection for that device again.
124 See the section called “Device List Format” for the syntax how to
126 specify a device.
127 Example:
129 no-auto-default=00:22:68:5c:5d:c4,00:1e:65:ff:aa:ee
131 no-auto-default=eth0,eth1
132 no-auto-default=*
133 ignore-carrier
136 This setting is deprecated for the per-device setting
137 ignore-carrier which overwrites this setting if specified (See
138 ignore-carrier). Otherwise, it is a list of matches to specify for
139 which device carrier should be ignored. See the section called
140 “Device List Format” for the syntax how to specify a device. Note
141 that master types like bond, bridge, and team ignore carrier by
142 default. You can however revert that default using the "except:"
143 specifier (or better, use the per-device setting instead of the
144 deprecated setting).
145 assume-ipv6ll-only
147 Specify devices for which NetworkManager will try to generate a
148 connection based on initial configuration when the device only has
149 an IPv6 link-local address.
150 See the section called “Device List Format” for the syntax how to
152 specify a device.
153 configure-and-quit
155 When set to 'true', NetworkManager quits after performing initial
156 network configuration but spawns small helpers to preserve DHCP
157 leases and IPv6 addresses. This is useful in environments where
158 network setup is more or less static or it is desirable to save
159 process time but still handle some dynamic configurations. When
160 this option is true, network configuration for Wi-Fi, WWAN,
161 Bluetooth, ADSL, and PPPoE interfaces cannot be preserved due to
162 their use of external services, and these devices will be
163 deconfigured when NetworkManager quits even though other
164 interface's configuration may be preserved. Also, to preserve DHCP
165 addresses the 'dhcp' option must be set to 'internal'. The default
166 value of the 'configure-and-quit' option is 'false', meaning that
167 NetworkManager will continue running after initial network
168 configuration and continue responding to system and hardware
169 events, D-Bus requests, and user commands.
170 hostname-mode
172 Set the management mode of the hostname. This parameter will affect
173 only the transient hostname. If a valid static hostname is set,
174 NetworkManager will skip the update of the hostname despite the
175 value of this option. An hostname empty or equal to 'localhost',
176 'localhost6', 'localhost.localdomain' or 'localhost6.localdomain'
177 is considered invalid.
178 default: NetworkManager will update the hostname with the one
180 provided via DHCP on the main connection (the one with a default
181 route). If not present, the hostname will be updated to the last
182 one set outside NetworkManager. If it is not valid, NetworkManager
183 will try to recover the hostname from the reverse lookup of the IP
184 address of the main connection. If this fails too, the hostname
185 will be set to 'localhost.localdomain'.
186 dhcp: NetworkManager will update the transient hostname only with
188 information coming from DHCP. No fallback nor reverse lookup will
189 be performed, but when the dhcp connection providing the hostname
190 is deactivated, the hostname is reset to the last hostname set
191 outside NetworkManager or 'localhost' if none valid is there.
192 none: NetworkManager will not manage the transient hostname and
194 will never set it.
195 dns
197 Set the DNS processing mode.
198 If the key is unspecified, default is used, unless /etc/resolv.conf
200 is a symlink to /run/systemd/resolve/stub-resolv.conf,
201 /run/systemd/resolve/resolv.conf, /lib/systemd/resolv.conf or
202 /usr/lib/systemd/resolv.conf. In that case, systemd-resolved is
203 chosen automatically.
204 default: NetworkManager will update /etc/resolv.conf to reflect the
206 nameservers provided by currently active connections.
207 dnsmasq: NetworkManager will run dnsmasq as a local caching
209 nameserver, using "Conditional Forwarding" if you are connected to
210 a VPN, and then update resolv.conf to point to the local
211 nameserver. It is possible to pass custom options to the dnsmasq
212 instance by adding them to files in the
213 "/etc/NetworkManager/dnsmasq.d/" directory. Note that when multiple
214 upstream servers are available, dnsmasq will initially contact them
215 in parallel and then use the fastest to respond, probing again
216 other servers after some time. This behavior can be modified
217 passing the 'all-servers' or 'strict-order' options to dnsmasq (see
218 the manual page for more details).
219 systemd-resolved: NetworkManager will push the DNS configuration to
221 systemd-resolved
222 unbound: NetworkManager will talk to unbound and dnssec-triggerd,
224 using "Conditional Forwarding" with DNSSEC support.
225 /etc/resolv.conf will be managed by dnssec-trigger daemon.
226 none: NetworkManager will not modify resolv.conf. This implies
228 rc-manager unmanaged
229 Note that the plugins dnsmasq, systemd-resolved and unbound are
231 caching local nameservers. Hence, when NetworkManager writes
232 /run/NetworkManager/resolv.conf and /etc/resolv.conf (according to
233 rc-manager setting below), the name server there will be localhost
234 only. NetworkManager also writes a file
235 /run/NetworkManager/no-stub-resolv.conf that contains the original
236 name servers pushed to the DNS plugin.
237 When using dnsmasq and systemd-resolved per-connection added dns
239 servers will always be queried using the device the connection has
240 been activated on.
241 rc-manager
243 Set the resolv.conf management mode. The default value depends on
244 NetworkManager build options, and this version of NetworkManager
245 was build with a default of "symlink". Regardless of this setting,
246 NetworkManager will always write resolv.conf to its runtime state
247 directory /run/NetworkManager/resolv.conf.
248 symlink: If /etc/resolv.conf is a regular file, NetworkManager will
250 replace the file on update. If /etc/resolv.conf is instead a
251 symlink, NetworkManager will leave it alone. Unless the symlink
252 points to the internal file /run/NetworkManager/resolv.conf, in
253 which case the symlink will be updated to emit an inotify
254 notification. This allows the user to conveniently instruct
255 NetworkManager not to manage /etc/resolv.conf by replacing it with
256 a symlink.
257 file: NetworkManager will write /etc/resolv.conf as file. If it
259 finds a symlink to an existing target, it will follow the symlink
260 and update the target instead. In no case will an existing symlink
261 be replaced by a file. Note that older versions of NetworkManager
262 behaved differently and would replace dangling symlinks with a
263 plain file.
264 resolvconf: NetworkManager will run resolvconf to update the DNS
266 configuration.
267 netconfig: NetworkManager will run netconfig to update the DNS
269 configuration.
270 unmanaged: don't touch /etc/resolv.conf.
272 none: deprecated alias for symlink.
274 systemd-resolved
276 Send the connection DNS configuration to systemd-resolved. Defaults
277 to "true".
278 Note that this setting is complementary to the dns setting. You can
280 keep this enabled while using dns set to another DNS plugin
281 alongside systemd-resolved, or dns set to systemd-resolved to
282 configure the system resolver to use systemd-resolved.
283 If systemd-resolved is enabled, the connectivity check resolves the
285 hostname per-device.
286 debug
288 Comma separated list of options to aid debugging. This value will
289 be combined with the environment variable NM_DEBUG. Currently the
290 following values are supported:
291 RLIMIT_CORE: set ulimit -c unlimited to write out core dumps.
293 Beware, that a core dump can contain sensitive information such as
294 passwords or configuration settings.
295 fatal-warnings: set g_log_set_always_fatal() to core dump on
297 warning messages from glib. This is equivalent to the
298 --g-fatal-warnings command line option.
299 autoconnect-retries-default
301 The number of times a connection activation should be automatically
302 tried before switching to another one. This value applies only to
303 connections that can auto-connect and have a
304 connection.autoconnect-retries property set to -1. If not
305 specified, connections will be tried 4 times. Setting this value to
306 1 means to try activation once, without retry.
307 slaves-order
309 This key specifies in which order slave connections are
310 auto-activated on boot or when the master activates them. Allowed
311 values are name (order connection by interface name, the default),
312 or index (order slaves by their kernel index).
313
315 This section contains keyfile-plugin-specific options, and is normally
316 only used when you are not using any other distro-specific plugin.
317 hostname
319 This key is deprecated and has no effect since the hostname is now
320 stored in /etc/hostname or other system configuration files
321 according to build options.
322 path
324 The location where keyfiles are read and stored. This defaults to
325 "/etc/NetworkManager/system-connections".
326 unmanaged-devices
328 Set devices that should be ignored by NetworkManager.
329 See the section called “Device List Format” for the syntax how to
331 specify a device.
332 Example:
334 unmanaged-devices=interface-name:em4
336 unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
337
340 This section contains ifupdown-specific options and thus only has
341 effect when using the ifupdown plugin.
342 managed
344 If set to true, then interfaces listed in /etc/network/interfaces
345 are managed by NetworkManager. If set to false, then any interface
346 listed in /etc/network/interfaces will be ignored by
347 NetworkManager. Remember that NetworkManager controls the default
348 route, so because the interface is ignored, NetworkManager may
349 assign the default route to some other interface.
350 The default value is false.
352
354 This section controls NetworkManager's logging. Any settings here are
355 overridden by the --log-level and --log-domains command-line options.
356 level
358 The default logging verbosity level. One of OFF, ERR, WARN, INFO,
359 DEBUG, TRACE. The ERR level logs only critical errors. WARN logs
360 warnings that may reflect operation. INFO logs various
361 informational messages that are useful for tracking state and
362 operations. DEBUG enables verbose logging for debugging purposes.
363 TRACE enables even more verbose logging then DEBUG level.
364 Subsequent levels also log all messages from earlier levels; thus
365 setting the log level to INFO also logs error and warning messages.
366 domains
368 The following log domains are available: PLATFORM, RFKILL, ETHER,
369 WIFI, BT, MB, DHCP4, DHCP6, PPP, WIFI_SCAN, IP4, IP6, AUTOIP4, DNS,
370 VPN, SHARING, SUPPLICANT, AGENTS, SETTINGS, SUSPEND, CORE, DEVICE,
371 OLPC, WIMAX, INFINIBAND, FIREWALL, ADSL, BOND, VLAN, BRIDGE,
372 DBUS_PROPS, TEAM, CONCHECK, DCB, DISPATCH, AUDIT, SYSTEMD,
373 VPN_PLUGIN, PROXY.
374 In addition, these special domains can be used: NONE, ALL, DEFAULT,
376 DHCP, IP.
377 You can specify per-domain log level overrides by adding a colon
379 and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".
380 Domain descriptions:
382 PLATFORM : OS (platform) operations
383 RFKILL : RFKill subsystem operations
384 ETHER : Ethernet device operations
385 WIFI : Wi-Fi device operations
386 BT : Bluetooth operations
387 MB : Mobile broadband operations
388 DHCP4 : DHCP for IPv4
389 DHCP6 : DHCP for IPv6
390 PPP : Point-to-point protocol operations
391 WIFI_SCAN : Wi-Fi scanning operations
392 IP4 : IPv4-related operations
393 IP6 : IPv6-related operations
394 AUTOIP4 : AutoIP operations
395 DNS : Domain Name System related operations
396 VPN : Virtual Private Network connections and
397 operations
398 SHARING : Connection sharing. With TRACE level log queries
399 for dnsmasq instance
400 SUPPLICANT : WPA supplicant related operations
401 AGENTS : Secret agents operations and communication
402 SETTINGS : Settings/config service operations
403 SUSPEND : Suspend/resume
404 CORE : Core daemon and policy operations
405 DEVICE : Activation and general interface operations
406 OLPC : OLPC Mesh device operations
407 WIMAX : WiMAX device operations
408 INFINIBAND : InfiniBand device operations
409 FIREWALL : FirewallD related operations
410 ADSL : ADSL device operations
411 BOND : Bonding operations
412 VLAN : VLAN operations
413 BRIDGE : Bridging operations
414 DBUS_PROPS : D-Bus property changes
415 TEAM : Teaming operations
416 CONCHECK : Connectivity check
417 DCB : Data Center Bridging (DCB) operations
418 DISPATCH : Dispatcher scripts
419 AUDIT : Audit records
420 SYSTEMD : Messages from internal libsystemd
421 VPN_PLUGIN : logging messages from VPN plugins
422 PROXY : logging messages for proxy handling
423 NONE : when given by itself logging is disabled
425 ALL : all log domains
426 DEFAULT : default log domains
427 DHCP : shortcut for "DHCP4,DHCP6"
428 IP : shortcut for "IP4,IP6"
429 HW : deprecated alias for "PLATFORM"
431 In general, the logfile should not contain passwords or private
433 data. However, you are always advised to check the file before
434 posting it online or attaching to a bug report. VPN_PLUGIN is
435 special as it might reveal private information of the VPN plugins
436 with verbose levels. Therefore this domain will be excluded when
437 setting ALL or DEFAULT to more verbose levels then INFO.
438 backend
440 The logging backend. Supported values are "syslog" and "journal".
441 When NetworkManager is started with "--debug" in addition all
442 messages will be printed to stderr. If unspecified, the default is
443 "journal".
444 audit
446 Whether the audit records are delivered to auditd, the audit
447 daemon. If false, audit records will be sent only to the
448 NetworkManager logging system. If set to true, they will be also
449 sent to auditd. The default value is false.
450
452 Specify default values for connections.
453 Example:
455 [connection]
457 ipv6.ip6-privacy=0
458 Supported Properties
461 Not all properties can be overwritten, only the following properties
462 are supported to have their default values configured (see nm-
463 settings(5) for details). A default value is only consulted if the
464 corresponding per-connection value explicitly allows for that.
465 802-1x.auth-timeout
469 cdma.mtu
471 connection.auth-retries
473 If left unspecified, the default value is 3 tries before failing
474 the connection.
475 connection.autoconnect-slaves
477 connection.mud-url
479 If unspecified, MUD URL defaults to "none".
480 connection.lldp
482 connection.llmnr
484 If unspecified, the ultimate default values depends on the DNS
485 plugin. With systemd-resolved the default currently is "yes" (2)
486 and for all other plugins "no" (0).
487 connection.mdns
489 If unspecified, the ultimate default values depends on the DNS
490 plugin. With systemd-resolved the default currently is "no" (0) and
491 for all other plugins also "no" (0).
492 connection.stable-id
494 ethernet.cloned-mac-address
496 If left unspecified, it defaults to "preserve".
497 ethernet.generate-mac-address-mask
499 ethernet.mtu
501 If configured explicitly to 0, the MTU is not reconfigured during
502 device activation unless it is required due to IPv6 constraints. If
503 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
504 MTU is not reconfigured during activation.
505 ethernet.wake-on-lan
507 gsm.mtu
509 infiniband.mtu
511 If configured explicitly to 0, the MTU is not reconfigured during
512 device activation unless it is required due to IPv6 constraints. If
513 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
514 MTU is left unspecified on activation.
515 ip-tunnel.mtu
517 If configured explicitly to 0, the MTU is not reconfigured during
518 device activation unless it is required due to IPv6 constraints. If
519 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
520 default of 1500.
521 ipv4.dad-timeout
523 ipv4.dhcp-client-id
525 ipv4.dhcp-iaid
527 If left unspecified, it defaults to "ifname".
528 ipv4.dhcp-hostname-flags
530 If left unspecified, the value 3 (fqdn-encoded,fqdn-serv-update) is
531 used.
532 ipv4.dhcp-timeout
534 If left unspecified, the default value for the interface type is
535 used.
536 ipv4.dhcp-vendor-class-identifier
538 If left unspecified, the default is to not send the DHCP option to
539 the server.
540 ipv4.dns-priority
542 If unspecified or zero, use 50 for VPN profiles and 100 for other
543 profiles.
544 ipv4.route-metric
546 ipv4.route-table
548 If left unspecified, routes are only added to the main table. Note
549 that this is different from explicitly selecting the main table
550 254, because of how NetworkManager removes extraneous routes from
551 the tables.
552 ipv6.ra-timeout
554 If left unspecified, the default value depends on the sysctl
555 solicitation settings.
556 ipv6.dhcp-duid
558 If left unspecified, it defaults to "lease".
559 ipv6.dhcp-iaid
561 If left unspecified, it defaults to "ifname".
562 ipv6.dhcp-hostname-flags
564 If left unspecified, the value 1 (fqdn-serv-update) is used.
565 ipv6.dhcp-timeout
567 If left unspecified, the default value for the interface type is
568 used.
569 ipv6.dns-priority
571 If unspecified or zero, use 50 for VPN profiles and 100 for other
572 profiles.
573 ipv6.ip6-privacy
575 If ipv6.ip6-privacy is unset, use the content of
576 "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.
577 ipv6.route-metric
579 ipv6.route-table
581 If left unspecified, routes are only added to the main table. Note
582 that this is different from explicitly selecting the main table
583 254, because of how NetworkManager removes extraneous routes from
584 the tables.
585 sriov.autoprobe-drivers
587 If left unspecified, drivers are autoprobed when the SR-IOV VF gets
588 created.
589 vpn.timeout
591 If left unspecified, default value of 60 seconds is used.
592 wifi.cloned-mac-address
594 If left unspecified, it defaults to "preserve".
595 wifi.generate-mac-address-mask
597 wifi.mac-address-randomization
599 If left unspecified, MAC address randomization is disabled. This
600 setting is deprecated for wifi.cloned-mac-address.
601 wifi.mtu
603 If configured explicitly to 0, the MTU is not reconfigured during
604 device activation unless it is required due to IPv6 constraints. If
605 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
606 default of 1500.
607 wifi.powersave
609 If left unspecified, the default value "ignore" will be used.
610 wifi-sec.pmf
612 If left unspecified, the default value "optional" will be used.
613 wifi-sec.fils
615 If left unspecified, the default value "optional" will be used.
616 wifi.wake-on-wlan
618 wireguard.mtu
620 Sections
623 You can configure multiple connection sections, by having different
624 sections with a name that all start with "connection". Example:
625 [connection]
627 ipv6.ip6-privacy=0
628 connection.autoconnect-slaves=1
629 vpn.timeout=120
630 [connection-wifi-wlan0]
632 match-device=interface-name:wlan0
633 ipv4.route-metric=50
634 [connection-wifi-other]
636 match-device=type:wifi
637 ipv4.route-metric=55
638 ipv6.ip6-privacy=1
639 The sections within one file are considered in order of appearance,
641 with the exception that the [connection] section is always considered
642 last. In the example above, this order is [connection-wifi-wlan0],
643 [connection-wlan-other], and [connection]. When checking for a default
644 configuration value, the sections are searched until the requested
645 value is found. In the example above, "ipv4.route-metric" for wlan0
646 interface is set to 50, and for all other Wi-Fi typed interfaces to 55.
647 Also, Wi-Fi devices would have IPv6 private addresses enabled by
648 default, but other devices would have it disabled. Note that also
649 "wlan0" gets "ipv6.ip6-privacy=1", because although the section
650 "[connection-wifi-wlan0]" matches the device, it does not contain that
651 property and the search continues.
652 When having different sections in multiple files, sections from files
654 that are read later have higher priority. So within one file the
655 priority of the sections is top-to-bottom. Across multiple files later
656 definitions take precedence.
657 The following properties further control how a connection section
659 applies.
660 match-device
662 An optional device spec that restricts when the section applies.
663 See the section called “Device List Format” for the possible
664 values.
665 stop-match
667 An optional boolean value which defaults to no. If the section
668 matches (based on match-device), further sections will not be
669 considered even if the property in question is not present. In the
670 example above, if [connection-wifi-wlan0] would have stop-match set
671 to yes, the device wlan0 would have ipv6.ip6-privacy property
672 unspecified. That is, the search for the property would not
673 continue in the connection sections [connection-wifi-other] or
674 [connection].
675
677 Contains per-device persistent configuration.
678 Example:
680 [device]
682 match-device=interface-name:eth3
683 managed=1
684 Supported Properties
687 The following properties can be configured per-device.
688 managed
690 Whether the device is managed or not. A device can be marked as
691 managed via udev rules (ENV{NM_UNMANAGED}), or via setting plugins
692 (keyfile.unmanaged-devices). This is yet another way. Note that
693 this configuration can be overruled at runtime via D-Bus. Also, it
694 has higher priority then udev rules.
695 carrier-wait-timeout
697 Specify the timeout for waiting for carrier in milliseconds. When
698 the device loses carrier, NetworkManager does not react
699 immediately. Instead, it waits for this timeout before considering
700 the link lost. Also, on startup, NetworkManager considers the
701 device as busy for this time, as long as the device has no carrier.
702 This delays startup-complete signal and NetworkManager-wait-online.
703 Configuring this too high means to block NetworkManager-wait-online
704 longer then necessary. Configuring it too low, means that
705 NetworkManager will declare startup-complete, although carrier is
706 about to come and auto-activation to kick in. The default is 5000
707 milliseconds.
708 ignore-carrier
710 Specify devices for which NetworkManager will (partially) ignore
711 the carrier state. Normally, for device types that support
712 carrier-detect, such as Ethernet and InfiniBand, NetworkManager
713 will only allow a connection to be activated on the device if
714 carrier is present (ie, a cable is plugged in), and it will
715 deactivate the device if carrier drops for more than a few seconds.
716 A device with carrier ignored will allow activating connections on
718 that device even when it does not have carrier, provided that the
719 connection uses only statically-configured IP addresses.
720 Additionally, it will allow any active connection (whether static
721 or dynamic) to remain active on the device when carrier is lost.
722 Note that the "carrier" property of NMDevices and device D-Bus
724 interfaces will still reflect the actual device state; it's just
725 that NetworkManager will not make use of that information.
726 Master types like bond, bridge and team ignore carrier by default,
728 while other device types react on carrier changes by default.
729 This setting overwrites the deprecated main.ignore-carrier setting
731 above.
732 wifi.scan-rand-mac-address
734 Configures MAC address randomization of a Wi-Fi device during
735 scanning. This defaults to yes in which case a random,
736 locally-administered MAC address will be used. The setting
737 wifi.scan-generate-mac-address-mask allows to influence the
738 generated MAC address to use certain vendor OUIs. If disabled, the
739 MAC address during scanning is left unchanged to whatever is
740 configured. For the configured MAC address while the device is
741 associated, see instead the per-connection setting
742 wifi.cloned-mac-address.
743 wifi.backend
745 Specify the Wi-Fi backend used for the device. Currently supported
746 are wpa_supplicant and iwd (experimental).
747 wifi.scan-generate-mac-address-mask
749 Like the per-connection settings ethernet.generate-mac-address-mask
750 and wifi.generate-mac-address-mask, this allows to configure the
751 generated MAC addresses during scanning. See nm-settings(5) for
752 details.
753 sriov-num-vfs
755 Specify the number of virtual functions (VF) to enable for a PCI
756 physical device that supports single-root I/O virtualization
757 (SR-IOV).
758 Sections
760 The [device] section works the same as the [connection] section. That
761 is, multiple sections that all start with the prefix "device" can be
762 specified. The settings "match-device" and "stop-match" are available
763 to match a device section on a device. The order of multiple sections
764 is also top-down within the file and later files overwrite previous
765 settings. See “Sections” under the section called “CONNECTION SECTION”
766 for details.
767
769 This section controls NetworkManager's optional connectivity checking
770 functionality. This allows NetworkManager to detect whether or not the
771 system can actually access the internet or whether it is behind a
772 captive portal.
773 Connectivity checking serves two purposes. For one, it exposes a
775 connectivity state on D-Bus, which other applications may use. For
776 example, Gnome's portal helper uses this as signal to show a captive
777 portal login page. The other use is that default-route of devices
778 without global connectivity get a penalty of +20000 to the
779 route-metric. This has the purpose to give a better default-route to
780 devices that have global connectivity. For example, when being
781 connected to WWAN and to a Wi-Fi network which is behind a captive
782 portal, WWAN still gets preferred until login.
783 Note that your distribution might set
785 /proc/sys/net/ipv4/conf/*/rp_filter to strict filtering. That works
786 badly with per-device connectivity checking, which uses SO_BINDDEVICE
787 to send requests on all devices. A strict rp_filter setting will reject
788 any response and the connectivity check on all but the best route will
789 fail.
790 enabled
792 Whether connectivity check is enabled. Note that to enable
793 connectivity check, a valid uri must also be configured. The value
794 defaults to true, but since the uri is unset by default,
795 connectivity check may be disabled. The main purpose of this option
796 is to have a single flag to disable connectivity check. Note that
797 this setting can also be set via D-Bus API at runtime. In that
798 case, the value gets stored in
799 /var/lib/NetworkManager/NetworkManager-intern.conf file.
800 uri
802 The URI of a web page to periodically request when connectivity is
803 being checked. This page should return the header
804 "X-NetworkManager-Status" with a value of "online". Alternatively,
805 its body content should be set to "NetworkManager is online". The
806 body content check can be controlled by the response option. If
807 this option is blank or missing, connectivity checking is disabled.
808 interval
810 Specified in seconds; controls how often connectivity is checked
811 when a network connection exists. If set to 0 connectivity checking
812 is disabled. If missing, the default is 300 seconds.
813 response
815 If set, controls what body content NetworkManager checks for when
816 requesting the URI for connectivity checking. Note that this only
817 compares that the HTTP response starts with the specifid text, it
818 does not compare the exact string. This behavior might change in
819 the future, so avoid relying on it. If missing, the response
820 defaults to "NetworkManager is online". If set to empty, the HTTP
821 server is expected to answer with status code 204 or send no data.
822
824 This section specifies global DNS settings that override
825 connection-specific configuration.
826 searches
828 A list of search domains to be used during hostname lookup.
829 options
831 A list of options to be passed to the hostname resolver.
832
834 Sections with a name starting with the "global-dns-domain-" prefix
835 allow to define global DNS configuration for specific domains. The part
836 of section name after "global-dns-domain-" specifies the domain name a
837 section applies to. More specific domains have the precedence over less
838 specific ones and the default domain is represented by the wildcard
839 "*". A default domain section is mandatory.
840 servers
842 A list of addresses of DNS servers to be used for the given domain.
843 options
845 A list of domain-specific DNS options. Not used at the moment.
846
848 This is a special section that contains options which apply to the
849 configuration file that contains the option.
850 enable
852 Defaults to "true". If "false", the configuration file will be
853 skipped during loading. Note that the main configuration file
854 NetworkManager.conf cannot be disabled.
855 # always skip loading the config file
857 [.config]
858 enable=false
859 You can also match against the version of NetworkManager. For
861 example the following are valid configurations:
862 # only load on version 1.0.6
864 [.config]
865 enable=nm-version:1.0.6
866 # load on all versions 1.0.x, but not 1.2.x
868 [.config]
869 enable=nm-version:1.0
870 # only load on versions >= 1.1.6. This does not match
872 # with version 1.2.0 or 1.4.4. Only the last digit is considered.
873 [.config]
874 enable=nm-version-min:1.1.6
875 # only load on versions >= 1.2. Contrary to the previous
877 # example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.
878 [.config]
879 enable=nm-version-min:1.2
880 # Match against the maximum allowed version. The example matches
882 # versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
883 # is allowed to be smaller. So this would not match match on 1.1.10.
884 [.config]
885 enable=nm-version-max:1.2.6
886 You can also match against the value of the environment variable
888 NM_CONFIG_ENABLE_TAG, like:
889 # always skip loading the file when running NetworkManager with
891 # environment variable "NM_CONFIG_ENABLE_TAG=TAG1"
892 [.config]
893 enable=env:TAG1
894 More then one match can be specified. The configuration will be
896 enabled if one of the predicates matches ("or"). The special prefix
897 "except:" can be used to negate the match. Note that if one
898 except-predicate matches, the entire configuration will be
899 disabled. In other words, a except predicate always wins over other
900 predicates. If the setting only consists of "except:" matches and
901 none of the negative conditions are satisfied, the configuration is
902 still enabled.
903 # enable the configuration either when the environment variable
905 # is present or the version is at least 1.2.0.
906 [.config]
907 enable=env:TAG2,nm-version-min:1.2
908 # enable the configuration for version >= 1.2.0, but disable
910 # it when the environment variable is set to "TAG3"
911 [.config]
912 enable=except:env:TAG3,nm-version-min:1.2
913 # enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
915 # Useful if a certain feature is only present since those releases.
916 [.config]
917 enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
918
921 Settings plugins for reading and writing connection profiles. The
922 number of available plugins is distribution specific.
923 keyfile
925 The keyfile plugin is the generic plugin that supports all the
926 connection types and capabilities that NetworkManager has. It
927 writes files out in an .ini-style format in
928 /etc/NetworkManager/system-connections. See nm-settings-keyfile(5)
929 for details about the file format.
930 The stored connection file may contain passwords, secrets and
932 private keys in plain text, so it will be made readable only to
933 root, and the plugin will ignore files that are readable or
934 writable by any user or group other than root. See "Secret flag
935 types" in nm-settings(5) for how to avoid storing passwords in
936 plain text.
937 This plugin is always active, and will automatically be used to
939 store any connections that aren't supported by any other active
940 plugin.
941 ifcfg-rh
943 This plugin is used on the Fedora and Red Hat Enterprise Linux
944 distributions to read and write configuration from the standard
945 /etc/sysconfig/network-scripts/ifcfg-* files. It currently supports
946 reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team
947 connections. Enabling ifcfg-rh implicitly enables ibft plugin, if
948 it is available. This can be disabled by adding no-ibft. See
949 /usr/share/doc/initscripts/sysconfig.txt and nm-settings-ifcfg-
950 rh(5) for more information about the ifcfg file format.
951 ifupdown
953 This plugin is used on the Debian and Ubuntu distributions, and
954 reads Ethernet and Wi-Fi connections from /etc/network/interfaces.
955 This plugin is read-only; any connections (of any type) added from
957 within NetworkManager when you are using this plugin will be saved
958 using the keyfile plugin instead.
959 ibft, no-ibft
961 These plugins are deprecated and their selection has no effect.
962 This is now handled by nm-initrd-generator.
963 ifcfg-suse, ifnet
965 These plugins are deprecated and their selection has no effect. The
966 keyfile plugin should be used instead.
967
969 Device List Format
970 The configuration options main.no-auto-default, main.ignore-carrier,
971 keyfile.unmanaged-devices, connection*.match-device and
972 device*.match-device select devices based on a list of matchings.
973 Devices can be specified using the following format:
974 *
976 Matches every device.
977 IFNAME
979 Case sensitive match of interface name of the device. Globbing is
980 not supported.
981 HWADDR
983 Match the permanent MAC address of the device. Globbing is not
984 supported
985 interface-name:IFNAME, interface-name:~IFNAME
987 Case sensitive match of interface name of the device. Simple
988 globbing is supported with * and ?. Ranges and escaping is not
989 supported.
990 interface-name:=IFNAME
992 Case sensitive match of interface name of the device. Globbing is
993 disabled and IFNAME is taken literally.
994 mac:HWADDR
996 Match the permanent MAC address of the device. Globbing is not
997 supported
998 s390-subchannels:HWADDR
1000 Match the device based on the subchannel address. Globbing is not
1001 supported
1002 type:TYPE
1004 Match the device type. Valid type names are as reported by "nmcli
1005 -f GENERAL.TYPE device show". Globbing is not supported.
1006 driver:DRIVER
1008 Match the device driver as reported by "nmcli -f
1009 GENERAL.DRIVER,GENERAL.DRIVER-VERSION device show". "DRIVER" must
1010 match the driver name exactly and does not support globbing.
1011 Optionally, a driver version may be specified separated by '/'.
1012 Globbing is supported for the version.
1013 dhcp-plugin:DHCP
1015 Match the configured DHCP plugin "main.dhcp".
1016 except:SPEC
1018 Negative match of a device. SPEC must be explicitly qualified with
1019 a prefix such as interface-name:. A negative match has higher
1020 priority then the positive matches above.
1021 If there is a list consisting only of negative matches, the
1023 behavior is the same as if there is also match-all. That means, if
1024 none of all the negative matches is satisfied, the overall result
1025 is still a positive match. That means, "except:interface-name:eth0"
1026 is the same as "*,except:interface-name:eth0".
1027 SPEC[,;]SPEC
1029 Multiple specs can be concatenated with commas or semicolons. The
1030 order does not matter as matches are either inclusive or negative
1031 (except:), with negative matches having higher priority.
1032 Backslash is supported to escape the separators ';' and ',', and to
1034 express special characters such as newline ('\n'), tabulator
1035 ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
1036 interface names cannot be escaped. Whitespace is not a separator
1037 but will be trimmed between two specs (unless escaped as '\s').
1038 Example:
1040 interface-name:em4
1042 mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
1043 interface-name:vboxnet*,except:interface-name:vboxnet2
1044 *,except:mac:00:22:68:1c:59:b1
1045
1048 NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1), nm-
1049 settings(5), nm-applet(1), nm-connection-editor(1)
1050NetworkManager 1.26.6 NETWORKMANAGER.CONF(5)