NETWORKMANAGER.CONF(5) Configuration NETWORKMANAGER.CONF(5)

NAME
NetworkManager.conf - NetworkManager configuration file

SYNOPSIS
/etc/NetworkManager/NetworkManager.conf,
/etc/NetworkManager/conf.d/name.conf,
/run/NetworkManager/conf.d/name.conf,
/usr/lib/NetworkManager/conf.d/name.conf,
/var/lib/NetworkManager/NetworkManager-intern.conf

DESCRIPTION
NetworkManager.conf is the configuration file for NetworkManager. It is
used to set up various aspects of NetworkManager's behavior. The
location of the main file and configuration directories may be changed
through use of the --config, --config-dir, --system-config-dir, and
--intern-config arguments for NetworkManager, respectively.

If a default NetworkManager.conf is provided by your distribution's
packages, you should not modify it, since your changes may get
overwritten by package updates. Instead, you can add additional .conf
files to the /etc/NetworkManager/conf.d directory. These will be read
in order, with later files overriding earlier ones. Packages might
install further configuration snippets to
/usr/lib/NetworkManager/conf.d. This directory is parsed first, even
before NetworkManager.conf. Scripts can also put per-boot configuration
into /run/NetworkManager/conf.d. This directory is parsed second, also
before NetworkManager.conf. The loading of a file
/run/NetworkManager/conf.d/name.conf can be prevented by adding a file
/etc/NetworkManager/conf.d/name.conf. Likewise, a file
/usr/lib/NetworkManager/conf.d/name.conf can be shadowed by putting a
file of the same name into either /etc/NetworkManager/conf.d or
/run/NetworkManager/conf.d.

NetworkManager can overwrite certain user configuration options via
D-Bus or other internal operations. In this case it writes those
changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This
file is not intended to be modified by the user, but it is read last
and can shadow user configuration from NetworkManager.conf.

Certain settings from the configuration can be reloaded at runtime
either by sending the SIGHUP signal or via the D-Bus Reload call.

FILE FORMAT
The configuration file format is the so-called key file format (a sort
of ini-style format). It consists of sections (groups) of key-value
pairs. Lines beginning with a '#' and blank lines are considered
comments. Sections are started by a header line containing the section
enclosed in '[' and ']', and ended implicitly by the start of the next
section or the end of the file. Each key-value pair must be contained
in a section.

For keys that take a list of devices as their value, you can specify
devices by their MAC addresses or interface names, or "*" to specify
all devices. See the section called “Device List Format” below.

A minimal system settings configuration file looks like this:

    [main]
    plugins=keyfile

As an extension to the normal keyfile format, you can also append a
value to, or remove a value from, a previously-set list-valued key by
doing:

    plugins+=another-plugin
    plugins-=remove-me
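
The parse order and same-name shadowing from DESCRIPTION, together with the += and -= list extension just described, worked through as an added Python example (not part of the man page or of NetworkManager's own code): it orders a constructed set of files, merges them, and records which file set each key last, which is the question to answer when auditing what configuration is actually in effect. Sorting by file name within a directory, the comma as list separator, and all sample file names and contents are assumptions.

```python
import posixpath

# Paths named in the SYNOPSIS and DESCRIPTION of the page.
USR_DIR = "/usr/lib/NetworkManager/conf.d"
RUN_DIR = "/run/NetworkManager/conf.d"
MAIN_FILE = "/etc/NetworkManager/NetworkManager.conf"
ETC_DIR = "/etc/NetworkManager/conf.d"
INTERN_FILE = "/var/lib/NetworkManager/NetworkManager-intern.conf"


def load_order(files):
    """Return the paths in `files` (dict: path -> text) in the order they are parsed."""
    def names(directory):
        # Assumption: files inside one directory are read sorted by file name.
        return sorted(posixpath.basename(p) for p in files
                      if posixpath.dirname(p) == directory and p.endswith(".conf"))

    usr, run, etc = names(USR_DIR), names(RUN_DIR), names(ETC_DIR)
    # /usr/lib is parsed first; a same-named file in /etc or /run shadows it.
    order = [posixpath.join(USR_DIR, n) for n in usr if n not in run and n not in etc]
    # /run is parsed second; a same-named file in /etc prevents loading it.
    order += [posixpath.join(RUN_DIR, n) for n in run if n not in etc]
    if MAIN_FILE in files:
        order.append(MAIN_FILE)
    order += [posixpath.join(ETC_DIR, n) for n in etc]
    if INTERN_FILE in files:
        order.append(INTERN_FILE)  # read last, can shadow user configuration
    return order


def parse_keyfile(text):
    """Yield (section, key, op, value); op is '=', '+=' or '-='."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' lines are comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or section is None:
            raise ValueError(f"malformed line or key outside a section: {raw!r}")
        key, op = key.strip(), "="
        if key.endswith(("+", "-")):  # the list extension: key+=v / key-=v
            op, key = key[-1] + "=", key[:-1].strip()
        yield section, key, op, value.strip()


def effective(files):
    """Merge all files in parse order; return (values, source-file) per (section, key)."""
    values, source = {}, {}
    for path in load_order(files):
        for section, key, op, value in parse_keyfile(files[path]):
            k = (section, key)
            if op == "=":
                values[k] = value
            else:
                # Assumption: list values are comma separated, as for 'plugins'.
                items = [v for v in values.get(k, "").split(",") if v]
                given = [v.strip() for v in value.split(",") if v.strip()]
                if op == "+=":
                    items += given
                else:
                    items = [v for v in items if v not in given]
                values[k] = ",".join(items)
            source[k] = path
    return values, source


# Constructed sample: a packaged debug snippet is shadowed by an empty file of
# the same name in /etc, and a per-boot dns setting is overridden later.
SAMPLE = {
    USR_DIR + "/10-vendor.conf": "[main]\nplugins=ifupdown\ndns=dnsmasq\n",
    USR_DIR + "/30-debug.conf": "[main]\ndebug=RLIMIT_CORE\n",
    RUN_DIR + "/20-boot.conf": "[main]\ndns=none\n",
    MAIN_FILE: "[main]\nplugins+=keyfile\nauth-polkit=true\n",
    ETC_DIR + "/30-debug.conf": "# empty on purpose: shadows the packaged file\n",
    ETC_DIR + "/90-local.conf": "[main]\ndns=systemd-resolved\n\n[logging]\nlevel=INFO\n",
    INTERN_FILE: "# constructed placeholder for NetworkManager's own file\n",
}

if __name__ == "__main__":
    for path in load_order(SAMPLE):
        print("read:", path)
    values, source = effective(SAMPLE)
    for (section, key), value in sorted(values.items()):
        print(f"[{section}] {key}={value}    <- {source[(section, key)]}")
```
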

MAIN SECTION
plugins
    Lists system settings plugin names separated by ','. These plugins
    are used to read and write system-wide connection profiles. When
    multiple plugins are specified, the connections are read from all
    listed plugins. When writing connections, the plugins will be asked
    to save the connection in the order listed here; if the first
    plugin cannot write out that connection type (or can't write out
    any connections) the next plugin is tried, etc. If none of the
    plugins can save the connection, an error is returned to the user.

    The default value and the number of available plugins are
    distro-specific. See the section called “PLUGINS” below for the
    available plugins. Note that NetworkManager's native keyfile plugin
    is always appended to the end of this list (if it doesn't already
    appear earlier in the list).

monitor-connection-files
    This setting is deprecated and has no effect. Profiles from disk
    are never automatically reloaded. Use, for example, nmcli connection
    (re)load for that.

auth-polkit
    Whether the system uses PolicyKit for authorization. If true,
    non-root requests are authorized using PolicyKit. Requests from
    root (user ID zero) are always granted without asking PolicyKit. If
    false, all requests will be allowed and PolicyKit is not used. If
    set to root-only, PolicyKit is not used and all requests except
    root are denied. The default value is true.

dhcp
    This key sets up what DHCP client NetworkManager will use. Allowed
    values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd
    options require the indicated clients to be installed. The internal
    option uses a built-in DHCP client which is not currently as
    featureful as the external clients.

    If this key is missing, it defaults to internal. If the chosen
    plugin is not available, clients are looked for in this order:
    dhclient, dhcpcd, internal.

no-auto-default
    Specify devices for which NetworkManager shouldn't create a default
    wired connection (Auto eth0). By default, NetworkManager creates a
    temporary wired connection for any Ethernet device that is managed
    and doesn't have a connection configured. List a device in this
    option to inhibit creating the default connection for the device.
    May have the special value * to apply to all devices.

    When the default wired connection is deleted or saved to a new
    persistent connection by a plugin, the device is added to a list in
    the file /var/lib/NetworkManager/no-auto-default.state to prevent
    creating the default connection for that device again.

    See the section called “Device List Format” for the syntax on how
    to specify a device.

    Example:

        no-auto-default=00:22:68:5c:5d:c4,00:1e:65:ff:aa:ee
        no-auto-default=eth0,eth1
        no-auto-default=*

ignore-carrier
    This setting is deprecated in favor of the per-device setting
    ignore-carrier, which overwrites this setting if specified (see
    ignore-carrier). Otherwise, it is a list of matches to specify for
    which device carrier should be ignored. See the section called
    “Device List Format” for the syntax on how to specify a device.
    Note that master types like bond, bridge, and team ignore carrier
    by default. You can however revert that default using the "except:"
    specifier (or better, use the per-device setting instead of the
    deprecated setting).

assume-ipv6ll-only
    Specify devices for which NetworkManager will try to generate a
    connection based on initial configuration when the device only has
    an IPv6 link-local address.

    See the section called “Device List Format” for the syntax on how
    to specify a device.

configure-and-quit
    When set to 'true', NetworkManager quits after performing initial
    network configuration but spawns small helpers to preserve DHCP
    leases and IPv6 addresses. This is useful in environments where
    network setup is more or less static or it is desirable to save
    process time but still handle some dynamic configurations. When
    this option is true, network configuration for Wi-Fi, WWAN,
    Bluetooth, ADSL, and PPPoE interfaces cannot be preserved due to
    their use of external services, and these devices will be
    deconfigured when NetworkManager quits even though other
    interfaces' configuration may be preserved. Also, to preserve DHCP
    addresses the 'dhcp' option must be set to 'internal'. The default
    value of the 'configure-and-quit' option is 'false', meaning that
    NetworkManager will continue running after initial network
    configuration and continue responding to system and hardware
    events, D-Bus requests, and user commands.

hostname-mode
    Set the management mode of the hostname. This parameter will affect
    only the transient hostname. If a valid static hostname is set,
    NetworkManager will skip the update of the hostname regardless of
    the value of this option. A hostname that is empty or equal to
    'localhost', 'localhost6', 'localhost.localdomain' or
    'localhost6.localdomain' is considered invalid.

    default: NetworkManager will update the hostname with the one
    provided via DHCP or reverse DNS lookup of the IP address on the
    connection with the default route or on any connection with the
    property hostname.only-from-default set to 'false'. Connections are
    considered in order of increasing value of the hostname.priority
    property. In case multiple connections have the same priority,
    connections activated earlier are considered first. If no hostname
    can be determined in such a way, the hostname will be updated to
    the last one set outside NetworkManager or to
    'localhost.localdomain'.

    dhcp: this is similar to 'default', with the difference that after
    trying to get the DHCP hostname, reverse DNS lookup is not done.
    Note that selecting this option is equivalent to setting the
    property 'hostname.from-dns-lookup' to 'false' globally for all
    connections in NetworkManager.conf.

    none: NetworkManager will not manage the transient hostname and
    will never set it.

dns
    Set the DNS processing mode.

    If the key is unspecified, default is used, unless /etc/resolv.conf
    is a symlink to /run/systemd/resolve/stub-resolv.conf,
    /run/systemd/resolve/resolv.conf, /lib/systemd/resolv.conf or
    /usr/lib/systemd/resolv.conf. In that case, systemd-resolved is
    chosen automatically.

    default: NetworkManager will update /etc/resolv.conf to reflect the
    nameservers provided by currently active connections. The
    rc-manager setting (below) controls how this is done.

    dnsmasq: NetworkManager will run dnsmasq as a local caching
    nameserver, using "Conditional Forwarding" if you are connected to
    a VPN, and then update resolv.conf to point to the local
    nameserver. It is possible to pass custom options to the dnsmasq
    instance by adding them to files in the
    "/etc/NetworkManager/dnsmasq.d/" directory. Note that when multiple
    upstream servers are available, dnsmasq will initially contact them
    in parallel and then use the fastest to respond, probing again
    other servers after some time. This behavior can be modified by
    passing the 'all-servers' or 'strict-order' options to dnsmasq (see
    the manual page for more details).

    systemd-resolved: NetworkManager will push the DNS configuration to
    systemd-resolved.

    unbound: NetworkManager will talk to unbound and dnssec-triggerd,
    using "Conditional Forwarding" with DNSSEC support.
    /etc/resolv.conf will be managed by the dnssec-trigger daemon.

    none: NetworkManager will not modify resolv.conf. This implies
    rc-manager unmanaged.

    Note that the plugins dnsmasq, systemd-resolved and unbound are
    caching local nameservers. Hence, when NetworkManager writes
    /run/NetworkManager/resolv.conf and /etc/resolv.conf (according to
    the rc-manager setting below), the name server there will be
    localhost only. NetworkManager also writes a file
    /run/NetworkManager/no-stub-resolv.conf that contains the original
    name servers pushed to the DNS plugin.

    When using dnsmasq and systemd-resolved, DNS servers added per
    connection will always be queried using the device the connection
    has been activated on.

rc-manager
    Set the resolv.conf management mode. This option is about how
    NetworkManager writes to /etc/resolv.conf, if at all. The default
    value depends on NetworkManager build options, and this version of
    NetworkManager was built with a default of "auto". Regardless of
    this setting, NetworkManager will always write its version of
    resolv.conf to its runtime state directory as
    /run/NetworkManager/resolv.conf.

    If you configure dns=none or make /etc/resolv.conf immutable with
    chattr +i, NetworkManager will ignore this setting and always
    choose unmanaged (below).

    auto: if the systemd-resolved plugin is configured via the dns
    setting or if it gets detected as the main DNS plugin,
    NetworkManager will update systemd-resolved without touching
    /etc/resolv.conf. Alternatively, if resolvconf or netconfig are
    enabled at compile time and the respective binary is found,
    NetworkManager will automatically use it. Note that if you install
    or uninstall these binaries, you need to reload the rc-manager
    setting with SIGHUP or systemctl reload NetworkManager. As a last
    fallback it uses the symlink option (see next).

    symlink: If /etc/resolv.conf is a regular file or does not exist,
    NetworkManager will write the file directly. If /etc/resolv.conf is
    instead a symlink, NetworkManager will leave it alone, unless the
    symlink points to the internal file
    /run/NetworkManager/resolv.conf, in which case the symlink will be
    updated to emit an inotify notification. This allows the user to
    conveniently instruct NetworkManager not to manage /etc/resolv.conf
    by replacing it with a symlink.

    file: NetworkManager will write /etc/resolv.conf as a regular file.
    If it finds a symlink to an existing target, it will follow the
    symlink and update the target instead. In no case will an existing
    symlink be replaced by a file. Note that older versions of
    NetworkManager behaved differently and would replace dangling
    symlinks with a plain file.

    resolvconf: NetworkManager will run resolvconf to update the DNS
    configuration.

    netconfig: NetworkManager will run netconfig to update the DNS
    configuration.

    unmanaged: don't touch /etc/resolv.conf.

    none: deprecated alias for symlink.

systemd-resolved
    Send the connection DNS configuration to systemd-resolved. Defaults
    to "true".

    Note that this setting is complementary to the dns setting. You can
    keep this enabled while using dns set to another DNS plugin
    alongside systemd-resolved, or dns set to systemd-resolved to
    configure the system resolver to use systemd-resolved.

    If systemd-resolved is enabled, the connectivity check resolves the
    hostname per-device.

debug
    Comma-separated list of options to aid debugging. This value will
    be combined with the environment variable NM_DEBUG. Currently, the
    following values are supported:

    RLIMIT_CORE: set ulimit -c unlimited to write out core dumps.
    Beware that a core dump can contain sensitive information such as
    passwords or configuration settings.

    fatal-warnings: set g_log_set_always_fatal() to core dump on
    warning messages from glib. This is equivalent to the
    --g-fatal-warnings command line option.

autoconnect-retries-default
    The number of times a connection activation should be automatically
    tried before switching to another one. This value applies only to
    connections that can auto-connect and have a
    connection.autoconnect-retries property set to -1. If not
    specified, connections will be tried 4 times. Setting this value to
    1 means to try activation once, without retry.

slaves-order
    This key specifies in which order slave connections are
    auto-activated on boot or when the master activates them. Allowed
    values are name (order connections by interface name, the default),
    or index (order slaves by their kernel index).

KEYFILE SECTION
This section contains keyfile-plugin-specific options, and is normally
only used when you are not using any other distro-specific plugin.

hostname
    This key is deprecated and has no effect since the hostname is now
    stored in /etc/hostname or other system configuration files
    according to build options.

path
    The location where keyfiles are read and stored. This defaults to
    "/etc/NetworkManager/system-connections".

unmanaged-devices
    Set devices that should be ignored by NetworkManager.

    See the section called “Device List Format” for the syntax on how
    to specify a device.

    Example:

        unmanaged-devices=interface-name:em4
        unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2

IFUPDOWN SECTION
This section contains ifupdown-specific options and thus only has
effect when using the ifupdown plugin.

managed
    If set to true, then interfaces listed in /etc/network/interfaces
    are managed by NetworkManager. If set to false, then any interface
    listed in /etc/network/interfaces will be ignored by
    NetworkManager. Remember that NetworkManager controls the default
    route, so because the interface is ignored, NetworkManager may
    assign the default route to some other interface.

    The default value is false.

LOGGING SECTION
This section controls NetworkManager's logging. Any settings here are
overridden by the --log-level and --log-domains command-line options.

level
    The default logging verbosity level. One of OFF, ERR, WARN, INFO,
    DEBUG, TRACE. The ERR level logs only critical errors. WARN logs
    warnings that may reflect operation. INFO logs various
    informational messages that are useful for tracking state and
    operations. DEBUG enables verbose logging for debugging purposes.
    TRACE enables even more verbose logging than the DEBUG level.
    Subsequent levels also log all messages from earlier levels; thus
    setting the log level to INFO also logs error and warning messages.

domains
    The following log domains are available: PLATFORM, RFKILL, ETHER,
    WIFI, BT, MB, DHCP4, DHCP6, PPP, WIFI_SCAN, IP4, IP6, AUTOIP4, DNS,
    VPN, SHARING, SUPPLICANT, AGENTS, SETTINGS, SUSPEND, CORE, DEVICE,
    OLPC, WIMAX, INFINIBAND, FIREWALL, ADSL, BOND, VLAN, BRIDGE,
    DBUS_PROPS, TEAM, CONCHECK, DCB, DISPATCH, AUDIT, SYSTEMD,
    VPN_PLUGIN, PROXY.

    In addition, these special domains can be used: NONE, ALL, DEFAULT,
    DHCP, IP.

    You can specify per-domain log level overrides by adding a colon
    and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".

    Domain descriptions:
        PLATFORM   : OS (platform) operations
        RFKILL     : RFKill subsystem operations
        ETHER      : Ethernet device operations
        WIFI       : Wi-Fi device operations
        BT         : Bluetooth operations
        MB         : Mobile broadband operations
        DHCP4      : DHCP for IPv4
        DHCP6      : DHCP for IPv6
        PPP        : Point-to-point protocol operations
        WIFI_SCAN  : Wi-Fi scanning operations
        IP4        : IPv4-related operations
        IP6        : IPv6-related operations
        AUTOIP4    : AutoIP operations
        DNS        : Domain Name System related operations
        VPN        : Virtual Private Network connections and operations
        SHARING    : Connection sharing. With TRACE level log queries for dnsmasq instance
        SUPPLICANT : WPA supplicant related operations
        AGENTS     : Secret agents operations and communication
        SETTINGS   : Settings/config service operations
        SUSPEND    : Suspend/resume
        CORE       : Core daemon and policy operations
        DEVICE     : Activation and general interface operations
        OLPC       : OLPC Mesh device operations
        WIMAX      : WiMAX device operations
        INFINIBAND : InfiniBand device operations
        FIREWALL   : FirewallD related operations
        ADSL       : ADSL device operations
        BOND       : Bonding operations
        VLAN       : VLAN operations
        BRIDGE     : Bridging operations
        DBUS_PROPS : D-Bus property changes
        TEAM       : Teaming operations
        CONCHECK   : Connectivity check
        DCB        : Data Center Bridging (DCB) operations
        DISPATCH   : Dispatcher scripts
        AUDIT      : Audit records
        SYSTEMD    : Messages from internal libsystemd
        VPN_PLUGIN : logging messages from VPN plugins
        PROXY      : logging messages for proxy handling

        NONE       : when given by itself logging is disabled
        ALL        : all log domains
        DEFAULT    : default log domains
        DHCP       : shortcut for "DHCP4,DHCP6"
        IP         : shortcut for "IP4,IP6"

        HW         : deprecated alias for "PLATFORM"

    In general, the logfile should not contain passwords or private
    data. However, you are always advised to check the file before
    posting it online or attaching it to a bug report. VPN_PLUGIN is
    special as it might reveal private information of the VPN plugins
    with verbose levels. Therefore this domain will be excluded when
    setting ALL or DEFAULT to more verbose levels than INFO.

backend
    The logging backend. Supported values are "syslog" and "journal".
    When NetworkManager is started with "--debug", all messages will
    in addition be printed to stderr. If unspecified, the default is
    "journal".

audit
    Whether the audit records are delivered to auditd, the audit
    daemon. If false, audit records will be sent only to the
    NetworkManager logging system. If set to true, they will also be
    sent to auditd. The default value is false.
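
The settings on this page that the text itself flags as sensitive (auth-polkit, debug=RLIMIT_CORE, verbose VPN_PLUGIN logging, audit) can be checked mechanically. The following Python check is an added example, not part of the man page or of NetworkManager: it reads one merged configuration text and reports those four conditions. Both sample configurations are constructed, the fallback level INFO is an assumption, and the check sees only the file, not NM_DEBUG or the --log-level and --log-domains overrides.

```python
import configparser

VERBOSE = {"DEBUG", "TRACE"}  # the levels more verbose than INFO


def vpn_plugin_level(level, domains):
    """Effective level of VPN_PLUGIN if it is named explicitly in `domains`, else None.

    ALL and DEFAULT are skipped on purpose: the page states that VPN_PLUGIN is
    excluded when those are raised above INFO.
    """
    for item in domains.split(","):
        name, _, override = item.strip().partition(":")
        if name.upper() == "VPN_PLUGIN":
            return (override or level).upper()
    return None


def audit_conf(text):
    """Return a list of (setting, reason) findings for one configuration text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    findings = []

    if cp.get("main", "auth-polkit", fallback="true").strip().lower() == "false":
        findings.append(("main.auth-polkit",
                         "all requests are allowed and PolicyKit is not used"))

    debug = {v.strip() for v in cp.get("main", "debug", fallback="").split(",")}
    if "RLIMIT_CORE" in debug:
        findings.append(("main.debug",
                         "core dumps are enabled and can contain passwords"))

    level = cp.get("logging", "level", fallback="INFO")  # assumed fallback
    domains = cp.get("logging", "domains", fallback="")
    if vpn_plugin_level(level, domains) in VERBOSE:
        findings.append(("logging.domains",
                         "VPN_PLUGIN at a verbose level might reveal private data"))

    if not cp.getboolean("logging", "audit", fallback=False):
        findings.append(("logging.audit",
                         "audit records are not delivered to auditd"))
    return findings


# Constructed sample: every condition above is present.
WEAK = """\
[main]
plugins=keyfile
auth-polkit=false
debug=RLIMIT_CORE,fatal-warnings

[logging]
level=INFO
domains=DEFAULT,VPN_PLUGIN:TRACE
"""

# Constructed sample: the corrected counterpart.
HARDENED = """\
[main]
plugins=keyfile
auth-polkit=true

[logging]
level=INFO
domains=DEFAULT
audit=true
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for setting, reason in audit_conf(text) or [("-", "no findings")]:
            print(f"  {setting}: {reason}")
```
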

CONNECTION SECTION
Specify default values for connections.

Such default values are only consulted if the corresponding
per-connection property explicitly allows for that. That means, all
these properties correspond to a property of the connection profile
(for example connection.mud-url). Only if the per-profile property is
set to a special value that indicates to use the default, the default
value from NetworkManager.conf is consulted. It depends on the
property, which is the special value that indicates fallback to the
default, but it usually is something like empty, unset values or
special numeric values like 0 or -1. That means the effectively used
value can first always be configured for each profile, and these
default values only matter if the per-profile values explicitly
indicate to use the default from NetworkManager.conf.

Example:

    [connection]
    ipv6.ip6-privacy=0

Supported Properties
Not all properties can be overwritten, only the following properties
are supported to have their default values configured (see
nm-settings(5) for details).

802-1x.auth-timeout

cdma.mtu

connection.auth-retries
    If left unspecified, the default value is 3 tries before failing
    the connection.

connection.autoconnect-slaves

connection.mud-url
    If unspecified, MUD URL defaults to "none".

connection.lldp

connection.llmnr
    If unspecified, the ultimate default value depends on the DNS
    plugin. With systemd-resolved the default currently is "yes" (2)
    and for all other plugins "no" (0).

connection.mdns
    If unspecified, the ultimate default value depends on the DNS
    plugin. With systemd-resolved the default currently is "no" (0) and
    for all other plugins also "no" (0).

connection.stable-id

ethernet.cloned-mac-address
    If left unspecified, it defaults to "preserve".

ethernet.generate-mac-address-mask

ethernet.mtu
    If configured explicitly to 0, the MTU is not reconfigured during
    device activation unless it is required due to IPv6 constraints. If
    left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
    MTU is not reconfigured during activation.

ethernet.wake-on-lan

gsm.mtu

hostname.from-dhcp

hostname.from-dns-lookup

hostname.only-from-default

hostname.priority

infiniband.mtu
    If configured explicitly to 0, the MTU is not reconfigured during
    device activation unless it is required due to IPv6 constraints. If
    left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
    MTU is left unspecified on activation.

ip-tunnel.mtu
    If configured explicitly to 0, the MTU is not reconfigured during
    device activation unless it is required due to IPv6 constraints. If
    left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
    default of 1500.

ipv4.dad-timeout

ipv4.dhcp-client-id

ipv4.dhcp-iaid
    If left unspecified, it defaults to "ifname".

ipv4.dhcp-hostname-flags
    If left unspecified, the value 3 (fqdn-encoded,fqdn-serv-update) is
    used.

ipv4.dhcp-timeout
    If left unspecified, the default value for the interface type is
    used.

ipv4.dhcp-vendor-class-identifier
    If left unspecified, the default is to not send the DHCP option to
    the server.

ipv4.dns-priority
    If unspecified or zero, use 50 for VPN profiles and 100 for other
    profiles.

ipv4.route-metric

ipv4.route-table
    If left unspecified, routes are only added to the main table. Note
    that this is different from explicitly selecting the main table
    254, because of how NetworkManager removes extraneous routes from
    the tables.

ipv6.ra-timeout
    If left unspecified, the default value depends on the sysctl
    solicitation settings.

ipv6.dhcp-duid
    If left unspecified, it defaults to "lease".

ipv6.dhcp-iaid
    If left unspecified, it defaults to "ifname".

ipv6.dhcp-hostname-flags
    If left unspecified, the value 1 (fqdn-serv-update) is used.

ipv6.dhcp-timeout
    If left unspecified, the default value for the interface type is
    used.

ipv6.dns-priority
    If unspecified or zero, use 50 for VPN profiles and 100 for other
    profiles.

ipv6.ip6-privacy
    If ipv6.ip6-privacy is unset, use the content of
    "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.

ipv6.route-metric

ipv6.route-table
    If left unspecified, routes are only added to the main table. Note
    that this is different from explicitly selecting the main table
    254, because of how NetworkManager removes extraneous routes from
    the tables.

sriov.autoprobe-drivers
    If left unspecified, drivers are autoprobed when the SR-IOV VF gets
    created.

vpn.timeout
    If left unspecified, the default value of 60 seconds is used.

wifi.ap-isolation
    If left unspecified, AP isolation is disabled.

wifi.cloned-mac-address
    If left unspecified, it defaults to "preserve".

wifi.generate-mac-address-mask

wifi.mac-address-randomization
    If left unspecified, MAC address randomization is disabled. This
    setting is deprecated in favor of wifi.cloned-mac-address.

wifi.mtu
    If configured explicitly to 0, the MTU is not reconfigured during
    device activation unless it is required due to IPv6 constraints. If
    left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
    default of 1500.

wifi.powersave
    If left unspecified, the default value "ignore" will be used.

wifi-sec.pmf
    If left unspecified, the default value "optional" will be used.

wifi-sec.fils
    If left unspecified, the default value "optional" will be used.

wifi.wake-on-wlan

wireguard.mtu

Sections
You can configure multiple connection sections, by having different
sections with a name that all start with "connection". Example:

    [connection]
    ipv6.ip6-privacy=0
    connection.autoconnect-slaves=1
    vpn.timeout=120

    [connection-wifi-wlan0]
    match-device=interface-name:wlan0
    ipv4.route-metric=50

    [connection-wifi-other]
    match-device=type:wifi
    ipv4.route-metric=55
    ipv6.ip6-privacy=1

The sections within one file are considered in order of appearance,
with the exception that the [connection] section is always considered
last. In the example above, this order is [connection-wifi-wlan0],
[connection-wifi-other], and [connection]. When checking for a default
configuration value, the sections are searched until the requested
value is found. In the example above, "ipv4.route-metric" for the wlan0
interface is set to 50, and for all other Wi-Fi typed interfaces to 55.
Also, Wi-Fi devices would have IPv6 private addresses enabled by
default, but other devices would have it disabled. Note that "wlan0"
also gets "ipv6.ip6-privacy=1", because although the section
"[connection-wifi-wlan0]" matches the device, it does not contain that
property and the search continues.

When having different sections in multiple files, sections from files
that are read later have higher priority. So within one file the
priority of the sections is top-to-bottom. Across multiple files later
definitions take precedence.

The following properties further control how a connection section
applies.

match-device
    An optional device spec that restricts when the section applies.
    See the section called “Device List Format” for the possible
    values.

stop-match
    An optional boolean value which defaults to no. If the section
    matches (based on match-device), further sections will not be
    considered even if the property in question is not present. In the
    example above, if [connection-wifi-wlan0] would have stop-match set
    to yes, the device wlan0 would have the ipv6.ip6-privacy property
    unspecified. That is, the search for the property would not
    continue in the connection sections [connection-wifi-other] or
    [connection].
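
The section search just described, including stop-match, as an added Python example (not part of the man page or of NetworkManager's code) run on the page's own three-section example within a single file. Device matching is simplified to the forms "*", "interface-name:", "type:" and a bare interface name; the device dictionaries and the type value "ethernet" are assumptions.

```python
import configparser
import re

# The example configuration from the page.
EXAMPLE = """\
[connection]
ipv6.ip6-privacy=0
connection.autoconnect-slaves=1
vpn.timeout=120

[connection-wifi-wlan0]
match-device=interface-name:wlan0
ipv4.route-metric=50

[connection-wifi-other]
match-device=type:wifi
ipv4.route-metric=55
ipv6.ip6-privacy=1
"""


def parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def search_order(cp):
    """Sections in order of appearance, with [connection] always last."""
    names = [s for s in cp.sections() if s.startswith("connection")]
    return [s for s in names if s != "connection"] + \
           [s for s in names if s == "connection"]


def device_matches(spec, device):
    """Simplified match-device check; mac: and except: specs are not handled."""
    if spec is None:
        return True  # no match-device: the section applies to every device
    for item in re.split(r"[,;]", spec):
        item = item.strip()
        if item == "*":
            return True
        tag, sep, value = item.partition(":")
        if not sep:  # a bare word is taken as an interface name
            tag, value = "interface-name", item
        if tag in ("interface-name", "type") and device.get(tag) == value:
            return True
    return False


def lookup(cp, device, prop):
    """Return (value, section) for the default of `prop` on `device`.

    value is None when no section supplies it; section then names the
    stop-match section that ended the search, or is None as well.
    """
    for name in search_order(cp):
        section = cp[name]
        if not device_matches(section.get("match-device"), device):
            continue
        if prop in section:
            return section[prop], name
        if section.getboolean("stop-match", fallback=False):
            return None, name  # matched, property absent, search ends here
    return None, None


# Hypothetical devices used to query the example.
WLAN0 = {"interface-name": "wlan0", "type": "wifi"}
WLAN1 = {"interface-name": "wlan1", "type": "wifi"}
ETH0 = {"interface-name": "eth0", "type": "ethernet"}

if __name__ == "__main__":
    cp = parse(EXAMPLE)
    for dev in (WLAN0, WLAN1, ETH0):
        for prop in ("ipv4.route-metric", "ipv6.ip6-privacy"):
            print(dev["interface-name"], prop, lookup(cp, dev, prop))
```
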
715
717 Contains per-device persistent configuration.
718
719 Example:
720
721 [device]
722 match-device=interface-name:eth3
723 managed=1
724
725
726 Supported Properties
727 The following properties can be configured per-device.
728
729 managed
730 Whether the device is managed or not. A device can be marked as
731 managed via udev rules (ENV{NM_UNMANAGED}), or via setting plugins
732 (keyfile.unmanaged-devices). This is yet another way. Note that
733 this configuration can be overruled at runtime via D-Bus. Also, it
734 has higher priority then udev rules.
735
736 carrier-wait-timeout
737 Specify the timeout for waiting for carrier in milliseconds. When
738 the device loses carrier, NetworkManager does not react
739 immediately. Instead, it waits for this timeout before considering
740 the link lost. Also, on startup, NetworkManager considers the
741 device as busy for this time, as long as the device has no carrier.
742 This delays startup-complete signal and NetworkManager-wait-online.
743 Configuring this too high means to block NetworkManager-wait-online
744 longer then necessary. Configuring it too low, means that
745 NetworkManager will declare startup-complete, although carrier is
746 about to come and auto-activation to kick in. The default is 5000
747 milliseconds.
748
749 ignore-carrier
750 Specify devices for which NetworkManager will (partially) ignore
751 the carrier state. Normally, for device types that support
752 carrier-detect, such as Ethernet and InfiniBand, NetworkManager
753 will only allow a connection to be activated on the device if
754 carrier is present (ie, a cable is plugged in), and it will
755 deactivate the device if carrier drops for more than a few seconds.
756
757 A device with carrier ignored will allow activating connections on
758 that device even when it does not have carrier, provided that the
759 connection uses only statically-configured IP addresses.
760 Additionally, it will allow any active connection (whether static
761 or dynamic) to remain active on the device when carrier is lost.
762
763 Note that the "carrier" property of NMDevices and device D-Bus
764 interfaces will still reflect the actual device state; it's just
765 that NetworkManager will not make use of that information.
766
767 Master types like bond, bridge and team ignore carrier by default,
768 while other device types react on carrier changes by default.
769
770 This setting overwrites the deprecated main.ignore-carrier setting
771 above.
772
wifi.scan-rand-mac-address
Configures MAC address randomization of a Wi-Fi device during
scanning. This defaults to yes, in which case a random,
locally-administered MAC address will be used. The setting
wifi.scan-generate-mac-address-mask can be used to influence the
generated MAC address so that it uses certain vendor OUIs. If
disabled, the MAC address during scanning is left unchanged at
whatever is configured. For the configured MAC address while the
device is associated, see instead the per-connection setting
wifi.cloned-mac-address.

wifi.backend
Specify the Wi-Fi backend used for the device. The currently
supported backends are wpa_supplicant and iwd (experimental).

wifi.scan-generate-mac-address-mask
Like the per-connection settings ethernet.generate-mac-address-mask
and wifi.generate-mac-address-mask, this configures the
generated MAC addresses during scanning. See nm-settings(5) for
details.

wifi.iwd.autoconnect
If wifi.backend is iwd, setting this to false forces IWD's
autoconnect mechanism to be disabled for this device, and
connections will only be initiated by NetworkManager, whether
commanded by a client or automatically. Leaving it true (default)
stops NetworkManager from automatically initiating connections and
allows IWD to use its network ranking and scanning logic to decide
the best networks to autoconnect to next. Connections'
autoconnect-priority and autoconnect-retries settings will be ignored.
Other settings like permissions or multi-connect may interfere with
IWD connection attempts.

sriov-num-vfs
Specify the number of virtual functions (VF) to enable for a PCI
physical device that supports single-root I/O virtualization
(SR-IOV).

Sections
The [device] section works the same as the [connection] section. That
is, multiple sections that all start with the prefix "device" can be
specified. The settings "match-device" and "stop-match" are available
to match a device section on a device. The order of multiple sections
is also top-down within the file and later files overwrite previous
settings. See “Sections” under the section called “CONNECTION SECTION”
for details.

This section controls NetworkManager's optional connectivity checking
functionality. This allows NetworkManager to detect whether or not the
system can actually access the internet or whether it is behind a
captive portal.

Connectivity checking serves two purposes. For one, it exposes a
connectivity state on D-Bus, which other applications may use. For
example, GNOME's portal helper uses this as a signal to show a captive
portal login page. The other use is that the default route of devices
without global connectivity gets a penalty of +20000 to the
route-metric. The purpose is to give a better default route to
devices that have global connectivity. For example, when
connected to WWAN and to a Wi-Fi network which is behind a captive
portal, WWAN is still preferred until login.

Note that your distribution might set
/proc/sys/net/ipv4/conf/*/rp_filter to strict filtering. That works
badly with per-device connectivity checking, which uses SO_BINDTODEVICE
to send requests on all devices. A strict rp_filter setting will reject
any response and the connectivity check on all but the best route will
fail.

enabled
Whether connectivity check is enabled. Note that to enable
connectivity check, a valid uri must also be configured. The value
defaults to true, but since the uri is unset by default,
connectivity check may be disabled. The main purpose of this option
is to have a single flag to disable connectivity check. Note that
this setting can also be set via D-Bus API at runtime. In that
case, the value gets stored in
/var/lib/NetworkManager/NetworkManager-intern.conf file.

uri
The URI of a web page to periodically request when connectivity is
being checked. This page should return the header
"X-NetworkManager-Status" with a value of "online". Alternatively,
its body content should be set to "NetworkManager is online". The
body content check can be controlled by the response option. If
this option is blank or missing, connectivity checking is disabled.

interval
Specified in seconds; controls how often connectivity is checked
when a network connection exists. If set to 0 connectivity checking
is disabled. If missing, the default is 300 seconds.

response
If set, controls what body content NetworkManager checks for when
requesting the URI for connectivity checking. Note that this only
checks that the HTTP response starts with the specified text; it
does not compare the exact string. This behavior might change in
the future, so avoid relying on it. If missing, the response
defaults to "NetworkManager is online". If set to empty, the HTTP
server is expected to answer with status code 204 or send no data.

This section specifies global DNS settings that override
connection-specific configuration.

searches
A list of search domains to be used during hostname lookup.

options
A list of options to be passed to the hostname resolver.

Sections with a name starting with the "global-dns-domain-" prefix
define global DNS configuration for specific domains. The part
of the section name after "global-dns-domain-" specifies the domain
name the section applies to. More specific domains take precedence
over less specific ones, and the default domain is represented by the
wildcard "*". A default domain section is mandatory.

servers
A list of addresses of DNS servers to be used for the given domain.

options
A list of domain-specific DNS options. Not used at the moment.

This is a special section that contains options which apply to the
configuration file that contains the option.

enable
Defaults to "true". If "false", the configuration file will be
skipped during loading. Note that the main configuration file
NetworkManager.conf cannot be disabled.

    # always skip loading the config file
    [.config]
    enable=false

You can also match against the version of NetworkManager. For
example the following are valid configurations:

    # only load on version 1.0.6
    [.config]
    enable=nm-version:1.0.6

    # load on all versions 1.0.x, but not 1.2.x
    [.config]
    enable=nm-version:1.0

    # only load on versions >= 1.1.6. This does not match
    # with version 1.2.0 or 1.4.4. Only the last digit is considered.
    [.config]
    enable=nm-version-min:1.1.6

    # only load on versions >= 1.2. Contrary to the previous
    # example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.
    [.config]
    enable=nm-version-min:1.2

    # Match against the maximum allowed version. The example matches
    # versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
    # is allowed to be smaller. So this would not match on 1.1.10.
    [.config]
    enable=nm-version-max:1.2.6

You can also match against the value of the environment variable
NM_CONFIG_ENABLE_TAG, like:

    # only load the file when running NetworkManager with
    # environment variable "NM_CONFIG_ENABLE_TAG=TAG1"
    [.config]
    enable=env:TAG1

More than one match can be specified. The configuration will be
enabled if one of the predicates matches ("or"). The special prefix
"except:" can be used to negate the match. Note that if one
except-predicate matches, the entire configuration will be
disabled. In other words, an except predicate always wins over other
predicates. If the setting only consists of "except:" matches and
none of the negative conditions are satisfied, the configuration is
still enabled.

    # enable the configuration either when the environment variable
    # is present or the version is at least 1.2.0.
    [.config]
    enable=env:TAG2,nm-version-min:1.2

    # enable the configuration for version >= 1.2.0, but disable
    # it when the environment variable is set to "TAG3"
    [.config]
    enable=except:env:TAG3,nm-version-min:1.2

    # enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
    # Useful if a certain feature is only present since those releases.
    [.config]
    enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16

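The enable= rules above are easy to misread, in particular that nm-version-min and nm-version-max compare only the last component given. The following added example (not NetworkManager's own code) evaluates an enable= value as the text describes, for reviewing which conf.d snippets a given release will load; the function names are hypothetical, env_tag stands for the value of NM_CONFIG_ENABLE_TAG, and extending the rule to specs of any length is an assumption drawn from the page's examples.

```python
VERSION_KINDS = ("nm-version", "nm-version-min", "nm-version-max")


def _parts(version):
    return [int(p) for p in version.split(".")]


def version_matches(kind, spec, running):
    """Compare a running version against one nm-version* predicate."""
    s, r = _parts(spec), _parts(running)
    if len(s) > len(r):
        return False
    if kind == "nm-version":
        return r[:len(s)] == s              # "1.0" matches every 1.0.x
    # min/max: leading components must be equal, only the last is compared
    if r[:len(s) - 1] != s[:-1]:
        return False
    last = r[len(s) - 1]
    return last >= s[-1] if kind == "nm-version-min" else last <= s[-1]


def config_enabled(enable, running, env_tag=None):
    """Evaluate an enable= value for the given running version."""
    enable = enable.strip()
    if enable in ("true", "false"):
        return enable == "true"
    positives = []
    for pred in (p.strip() for p in enable.split(",")):
        negate = pred.startswith("except:")
        if negate:
            pred = pred[len("except:"):]
        kind, _, arg = pred.partition(":")
        if kind == "env":
            hit = env_tag == arg
        elif kind in VERSION_KINDS:
            hit = version_matches(kind, arg, running)
        else:
            raise ValueError(f"unsupported predicate: {pred!r}")
        if negate and hit:
            return False                    # one matching except: always wins
        if not negate:
            positives.append(hit)
    # only except: predicates and none matched -> still enabled
    return any(positives) if positives else True


if __name__ == "__main__":
    # Predicates taken from the page, evaluated for a constructed version.
    for value in ("nm-version-min:1.1.6", "nm-version-min:1.2",
                  "except:env:TAG3,nm-version-min:1.2"):
        print(value, config_enabled(value, "1.30.4"))
```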
Settings plugins for reading and writing connection profiles. The
number of available plugins is distribution specific.

keyfile
The keyfile plugin is the generic plugin that supports all the
connection types and capabilities that NetworkManager has. It
writes files out in an .ini-style format in
/etc/NetworkManager/system-connections. See nm-settings-keyfile(5)
for details about the file format.

The stored connection file may contain passwords, secrets and
private keys in plain text, so it will be made readable only to
root, and the plugin will ignore files that are readable or
writable by any user or group other than root. See "Secret flag
types" in nm-settings(5) for how to avoid storing passwords in
plain text.

This plugin is always active, and will automatically be used to
store any connections that aren't supported by any other active
plugin.

ifcfg-rh
This plugin is used on the Fedora and Red Hat Enterprise Linux
distributions to read and write configuration from the standard
/etc/sysconfig/network-scripts/ifcfg-* files. It currently supports
reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team
connections. Enabling ifcfg-rh implicitly enables ibft plugin, if
it is available. This can be disabled by adding no-ibft. See
/usr/share/doc/initscripts/sysconfig.txt and
nm-settings-ifcfg-rh(5) for more information about the ifcfg file
format.

ifupdown
This plugin is used on the Debian and Ubuntu distributions, and
reads Ethernet and Wi-Fi connections from /etc/network/interfaces.

This plugin is read-only; any connections (of any type) added from
within NetworkManager when you are using this plugin will be saved
using the keyfile plugin instead.

ibft, no-ibft
These plugins are deprecated and their selection has no effect.
This is now handled by nm-initrd-generator.

ifcfg-suse, ifnet
These plugins are deprecated and their selection has no effect. The
keyfile plugin should be used instead.

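The keyfile entry above says that profiles readable or writable by anyone other than root are ignored. The following added example (not part of NetworkManager) audits a profile directory against that statement, so that a silently ignored profile or an exposed secret is noticed; the function name and the owner_uid parameter are assumptions of this example.

```python
import os
import stat


def audit_keyfiles(directory, owner_uid=0):
    """Return (name, mode string, problems) for profiles that break the rule.

    A profile passes only if it is owned by owner_uid (root by default) and
    carries no permission bits for group or others.
    """
    findings = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        problems = []
        if st.st_uid != owner_uid:
            problems.append(f"owned by uid {st.st_uid}, expected {owner_uid}")
        extra = stat.S_IMODE(st.st_mode) & 0o077
        if extra:
            problems.append(f"group/other bits set: {extra:03o}")
        if problems:
            findings.append((entry.name, stat.filemode(st.st_mode), problems))
    return findings


if __name__ == "__main__":
    # Directory named on the page; run as root to read it.
    for name, mode, problems in audit_keyfiles(
            "/etc/NetworkManager/system-connections"):
        print(f"{name} ({mode}): {'; '.join(problems)}")
```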
Device List Format
The configuration options main.no-auto-default, main.ignore-carrier,
keyfile.unmanaged-devices, connection*.match-device and
device*.match-device select devices based on a list of matchings.
Devices can be specified using the following format:

*
Matches every device.

IFNAME
Case sensitive match of interface name of the device. Globbing is
not supported.

HWADDR
Match the permanent MAC address of the device. Globbing is not
supported.

interface-name:IFNAME, interface-name:~IFNAME
Case sensitive match of interface name of the device. Simple
globbing is supported with * and ?. Ranges and escaping are not
supported.

interface-name:=IFNAME
Case sensitive match of interface name of the device. Globbing is
disabled and IFNAME is taken literally.

mac:HWADDR
Match the permanent MAC address of the device. Globbing is not
supported.

s390-subchannels:HWADDR
Match the device based on the subchannel address. Globbing is not
supported.

type:TYPE
Match the device type. Valid type names are as reported by "nmcli
-f GENERAL.TYPE device show". Globbing is not supported.

driver:DRIVER
Match the device driver as reported by "nmcli -f
GENERAL.DRIVER,GENERAL.DRIVER-VERSION device show". "DRIVER" must
match the driver name exactly and does not support globbing.
Optionally, a driver version may be specified separated by '/'.
Globbing is supported for the version.

dhcp-plugin:DHCP
Match the configured DHCP plugin "main.dhcp".

except:SPEC
Negative match of a device. SPEC must be explicitly qualified with
a prefix such as interface-name:. A negative match has higher
priority than the positive matches above.

If a list consists only of negative matches, the behavior is the
same as if it also contained a match-all. That is, if none of the
negative matches is satisfied, the overall result is still a
positive match. For example, "except:interface-name:eth0"
is the same as "*,except:interface-name:eth0".

SPEC[,;]SPEC
Multiple specs can be concatenated with commas or semicolons. The
order does not matter as matches are either inclusive or negative
(except:), with negative matches having higher priority.

Backslash is supported to escape the separators ';' and ',', and to
express special characters such as newline ('\n'), tabulator
('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
interface names cannot be escaped. Whitespace is not a separator
but will be trimmed between two specs (unless escaped as '\s').

Example:

    interface-name:em4
    mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
    interface-name:vboxnet*,except:interface-name:vboxnet2
    *,except:mac:00:22:68:1c:59:b1

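A device list decides, among other things, which interfaces keyfile.unmanaged-devices leaves unmanaged, so it is worth checking a list against concrete devices before deploying it. The following added example (not NetworkManager's own matcher) implements the rules above for *, bare IFNAME and HWADDR, interface-name:, mac:, type:, except: and the separator and escape handling; the function names and the device dictionary layout are assumptions, and MAC addresses are compared without regard to case.

```python
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
ESCAPES = {"n": "\n", "t": "\t", "s": " "}


def split_specs(value):
    """Split on unescaped ',' or ';', trim whitespace, then decode escapes."""
    raw = re.findall(r"(?:\\.|[^,;\\])+", value)
    decode = lambda m: ESCAPES.get(m.group(1), m.group(1))
    return [re.sub(r"\\(.)", decode, t.strip()) for t in raw if t.strip()]


def _glob(pattern, name):
    # Only '*' and '?' are special; everything else is literal (no ranges).
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name, re.S) is not None


def _match_one(spec, dev):
    if spec == "*":
        return True
    if spec.startswith("interface-name:"):
        arg = spec[len("interface-name:"):]
        if arg.startswith("="):
            return arg[1:] == dev["ifname"]          # literal, no globbing
        return _glob(arg[1:] if arg.startswith("~") else arg, dev["ifname"])
    if spec.startswith("mac:") or MAC_RE.fullmatch(spec):
        mac = spec[4:] if spec.startswith("mac:") else spec
        return mac.lower() == dev["mac"].lower()
    if spec.startswith("type:"):
        return spec[len("type:"):] == dev["type"]
    if ":" in spec:
        raise ValueError(f"spec kind not covered by this example: {spec!r}")
    return spec == dev["ifname"]                     # bare IFNAME, no globbing


def device_matches(value, dev):
    """dev is a dict with 'ifname', 'mac' (permanent address) and 'type'."""
    specs = split_specs(value)
    positive, saw_positive = False, False
    for spec in specs:
        if spec.startswith("except:"):
            if _match_one(spec[len("except:"):], dev):
                return False                         # negative match wins
        else:
            saw_positive = True
            positive = positive or _match_one(spec, dev)
    # A list of only except: specs behaves as if "*" were also present.
    return bool(specs) and (positive or not saw_positive)
```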
NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1),
nm-settings(5), nm-applet(1), nm-connection-editor(1)



NetworkManager 1.30.4 NETWORKMANAGER.CONF(5)