1NETWORKMANAGER.CONF(5) Configuration NETWORKMANAGER.CONF(5)
2
3
4
6 NetworkManager.conf - NetworkManager configuration file
7
9 /etc/NetworkManager/NetworkManager.conf,
10 /etc/NetworkManager/conf.d/name.conf,
11 /run/NetworkManager/conf.d/name.conf,
12 /usr/lib/NetworkManager/conf.d/name.conf,
13 /var/lib/NetworkManager/NetworkManager-intern.conf
14
16 NetworkManager.conf is the configuration file for NetworkManager. It is
17 used to set up various aspects of NetworkManager's behavior. The
18 location of the main file and configuration directories may be changed
19 through use of the --config, --config-dir, --system-config-dir, and
20 --intern-config argument for NetworkManager, respectively.
21
22 If a default NetworkManager.conf is provided by your distribution's
23 packages, you should not modify it, since your changes may get
24 overwritten by package updates. Instead, you can add additional .conf
25 files to the /etc/NetworkManager/conf.d directory. These will be read
26 in order, with later files overriding earlier ones. Packages might
27 install further configuration snippets to
28 /usr/lib/NetworkManager/conf.d. This directory is parsed first, even
29 before NetworkManager.conf. Scripts can also put per-boot configuration
30 into /run/NetworkManager/conf.d. This directory is parsed second, also
31 before NetworkManager.conf. The loading of a file
32 /run/NetworkManager/conf.d/name.conf can be prevented by adding a file
33 /etc/NetworkManager/conf.d/name.conf. Likewise, a file
34 /usr/lib/NetworkManager/conf.d/name.conf can be shadowed by putting a
35 file of the same name to either /etc/NetworkManager/conf.d or
36 /run/NetworkManager/conf.d.
37
38 NetworkManager can overwrite certain user configuration options via
39 D-Bus or other internal operations. In this case it writes those
40 changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This
41 file is not intended to be modified by the user, but it is read last
42 and can shadow user configuration from NetworkManager.conf.
43
44 Certain settings from the configuration can be reloaded at runtime
45 either by sending SIGHUP signal or via D-Bus' Reload call.
46
47 NetworkManager does not require any configuration in
48 NetworkManager.conf. Depending on your use case, you may remove all
49 files to restore the default configuration (factory reset). But note
50 that your distribution or other packages may drop configuration
51 snippets for NetworkManager, such that they are part of the factory
52 default.
53
55 The configuration file format is so-called key file (sort of ini-style
56 format). It consists of sections (groups) of key-value pairs. Lines
57 beginning with a '#' and blank lines are considered comments. Sections
58 are started by a header line containing the section enclosed in '[' and
59 ']', and ended implicitly by the start of the next section or the end
60 of the file. Each key-value pair must be contained in a section.
61
62 For keys that take a list of devices as their value, you can specify
63 devices by their MAC addresses or interface names, or "*" to specify
64 all devices. See the section called “Device List Format” below.
65
66 A simple configuration file looks like this:
67
68 [main]
69 plugins=keyfile
70
71 As an extension to the normal keyfile format, you can also append a
72 value to a previously-set list-valued key by doing:
73
74 plugins+=another-plugin
75 plugins-=remove-me
76
77
79 plugins
80 Lists system settings plugin names separated by ','. These plugins
81 are used to read and write system-wide connection profiles. When
82 multiple plugins are specified, the connections are read from all
83 listed plugins. When writing connections, the plugins will be asked
84 to save the connection in the order listed here; if the first
85 plugin cannot write out that connection type (or can't write out
86 any connections) the next plugin is tried, etc. If none of the
87 plugins can save the connection, an error is returned to the user.
88
89 The default value and the number of available plugins is
90 distro-specific. See the section called “PLUGINS” below for the
91 available plugins. Note that NetworkManager's native keyfile plugin
92 is always appended to the end of this list (if it doesn't already
93 appear earlier in the list).
94
95 monitor-connection-files
96 This setting is deprecated and has no effect. Profiles from disk
97 are never automatically reloaded. Use for example nmcli connection
98 (re)load for that.
99
100 auth-polkit
101 Whether the system uses PolicyKit for authorization. If true,
102 non-root requests are authorized using PolicyKit. Requests from
103 root (user ID zero) are always granted without asking PolicyKit. If
104 false, all requests will be allowed and PolicyKit is not used. If
105 set to root-only PolicyKit is not used and all requests except root
106 are denied. The default value is true.
107
108 dhcp
109 This key sets up what DHCP client NetworkManager will use. Allowed
110 values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd
111 options require the indicated clients to be installed. The internal
112 option uses a built-in DHCP client which is not currently as
113 featureful as the external clients.
114
115 If this key is missing, it defaults to internal. If the chosen
116 plugin is not available, clients are looked for in this order:
117 dhclient, dhcpcd, internal.
118
119 no-auto-default
120 Specify devices for which NetworkManager shouldn't create default
121 wired connection (Auto eth0). By default, NetworkManager creates a
122 temporary wired connection for any Ethernet device that is managed
123 and doesn't have a connection configured. List a device in this
124 option to inhibit creating the default connection for the device.
125 May have the special value * to apply to all devices.
126
127 When the default wired connection is deleted or saved to a new
128 persistent connection by a plugin, the device is added to a list in
129 the file /var/lib/NetworkManager/no-auto-default.state to prevent
130 creating the default connection for that device again.
131
132 See the section called “Device List Format” for the syntax how to
133 specify a device.
134
135 Example:
136
137 no-auto-default=00:22:68:5c:5d:c4,00:1e:65:ff:aa:ee
138 no-auto-default=eth0,eth1
139 no-auto-default=*
140
141
142 ignore-carrier
143 This setting is deprecated for the per-device setting
144 ignore-carrier which overwrites this setting if specified (See
145 ignore-carrier). Otherwise, it is a list of matches to specify for
146 which device carrier should be ignored. See the section called
147 “Device List Format” for the syntax how to specify a device. Note
148 that master types like bond, bridge, and team ignore carrier by
149 default. You can however revert that default using the "except:"
150 specifier (or better, use the per-device setting instead of the
151 deprecated setting).
152
153 assume-ipv6ll-only
154 Specify devices for which NetworkManager will try to generate a
155 connection based on initial configuration when the device only has
156 an IPv6 link-local address.
157
158 See the section called “Device List Format” for the syntax how to
159 specify a device.
160
161 configure-and-quit
162 When set to 'true', NetworkManager quits after performing initial
163 network configuration but spawns small helpers to preserve DHCP
164 leases and IPv6 addresses. This is useful in environments where
165 network setup is more or less static or it is desirable to save
166 process time but still handle some dynamic configurations. When
167 this option is true, network configuration for Wi-Fi, WWAN,
168 Bluetooth, ADSL, and PPPoE interfaces cannot be preserved due to
169 their use of external services, and these devices will be
170 deconfigured when NetworkManager quits even though other
171 interface's configuration may be preserved. Also, to preserve DHCP
172 addresses the 'dhcp' option must be set to 'internal'. The default
173 value of the 'configure-and-quit' option is 'false', meaning that
174 NetworkManager will continue running after initial network
175 configuration and continue responding to system and hardware
176 events, D-Bus requests, and user commands.
177
178 hostname-mode
179 Set the management mode of the hostname. This parameter will affect
180 only the transient hostname. If a valid static hostname is set,
181 NetworkManager will skip the update of the hostname despite the
182 value of this option. An hostname empty or equal to 'localhost',
183 'localhost6', 'localhost.localdomain' or 'localhost6.localdomain'
184 is considered invalid.
185
186 default: NetworkManager will update the hostname with the one
187 provided via DHCP or reverse DNS lookup of the IP address on the
188 connection with the default route or on any connection with the
189 property hostname.only-from-default set to 'false'. Connections are
190 considered in order of increasing value of the hostname.priority
191 property. In case multiple connections have the same priority,
192 connections activated earlier are considered first. If no hostname
193 can be determined in such way, the hostname will be updated to the
194 last one set outside NetworkManager or to 'localhost.localdomain'.
195
196 dhcp: this is similar to 'default', with the difference that after
197 trying to get the DHCP hostname, reverse DNS lookup is not done.
198 Note that selecting this option is equivalent to setting the
199 property 'hostname.from-dns-lookup' to 'false' globally for all
200 connections in NetworkManager.conf.
201
202 none: NetworkManager will not manage the transient hostname and
203 will never set it.
204
205 dns
206 Set the DNS processing mode.
207
208 If the key is unspecified, default is used, unless /etc/resolv.conf
209 is a symlink to /run/systemd/resolve/stub-resolv.conf,
210 /run/systemd/resolve/resolv.conf, /lib/systemd/resolv.conf or
211 /usr/lib/systemd/resolv.conf. In that case, systemd-resolved is
212 chosen automatically.
213
214 default: NetworkManager will update /etc/resolv.conf to reflect the
215 nameservers provided by currently active connections. The
216 rc-manager setting (below) controls how this is done.
217
218 dnsmasq: NetworkManager will run dnsmasq as a local caching
219 nameserver, using "Conditional Forwarding" if you are connected to
220 a VPN, and then update resolv.conf to point to the local
221 nameserver. It is possible to pass custom options to the dnsmasq
222 instance by adding them to files in the
223 "/etc/NetworkManager/dnsmasq.d/" directory. Note that when multiple
224 upstream servers are available, dnsmasq will initially contact them
225 in parallel and then use the fastest to respond, probing again
226 other servers after some time. This behavior can be modified
227 passing the 'all-servers' or 'strict-order' options to dnsmasq (see
228 the manual page for more details).
229
230 systemd-resolved: NetworkManager will push the DNS configuration to
231 systemd-resolved
232
233 unbound: NetworkManager will talk to unbound and dnssec-triggerd,
234 using "Conditional Forwarding" with DNSSEC support.
235 /etc/resolv.conf will be managed by dnssec-trigger daemon. This
236 option is deprecated. Note that dnssec-trigger ships a
237 NetworkManager dispatcher script so this DNS plugin is not
238 necessary.
239
240 none: NetworkManager will not modify resolv.conf. This implies
241 rc-manager unmanaged
242
243 Note that the plugins dnsmasq, systemd-resolved and unbound are
244 caching local nameservers. Hence, when NetworkManager writes
245 /run/NetworkManager/resolv.conf and /etc/resolv.conf (according to
246 rc-manager setting below), the name server there will be localhost
247 only. NetworkManager also writes a file
248 /run/NetworkManager/no-stub-resolv.conf that contains the original
249 name servers pushed to the DNS plugin.
250
251 When using dnsmasq and systemd-resolved per-connection added dns
252 servers will always be queried using the device the connection has
253 been activated on.
254
255 rc-manager
256 Set the resolv.conf management mode. This option is about how
257 NetworkManager writes to /etc/resolv.conf, if at all. The default
258 value depends on NetworkManager build options, and this version of
259 NetworkManager was build with a default of "auto". Regardless of
260 this setting, NetworkManager will always write its version of
261 resolv.conf to its runtime state directory as
262 /run/NetworkManager/resolv.conf.
263
264 If you configure dns=none or make /etc/resolv.conf immutable with
265 chattr +i, NetworkManager will ignore this setting and always
266 choose unmanaged (below).
267
268 auto: if systemd-resolved plugin is configured via the dns setting
269 or if it gets detected as main DNS plugin, NetworkManager will
270 update systemd-resolved without touching /etc/resolv.conf.
271 Alternatively, if resolvconf or netconfig are enabled at compile
272 time and the respective binary is found, NetworkManager will
273 automatically use it. Note that if you install or uninstall these
274 binaries, you need to reload the rc-manager setting with SIGHUP or
275 systemctl reload NetworkManager. As last fallback it uses the
276 symlink option (see next).
277
278 symlink: If /etc/resolv.conf is a regular file or does not exist,
279 NetworkManager will write the file directly. If /etc/resolv.conf is
280 instead a symlink, NetworkManager will leave it alone. Unless the
281 symlink points to the internal file
282 /run/NetworkManager/resolv.conf, in which case the symlink will be
283 updated to emit an inotify notification. This allows the user to
284 conveniently instruct NetworkManager not to manage /etc/resolv.conf
285 by replacing it with a symlink.
286
287 file: NetworkManager will write /etc/resolv.conf as regular file.
288 If it finds a symlink to an existing target, it will follow the
289 symlink and update the target instead. In no case will an existing
290 symlink be replaced by a file. Note that older versions of
291 NetworkManager behaved differently and would replace dangling
292 symlinks with a plain file.
293
294 resolvconf: NetworkManager will run resolvconf to update the DNS
295 configuration.
296
297 netconfig: NetworkManager will run netconfig to update the DNS
298 configuration.
299
300 unmanaged: don't touch /etc/resolv.conf.
301
302 none: deprecated alias for symlink.
303
304 systemd-resolved
305 Send the connection DNS configuration to systemd-resolved. Defaults
306 to "true".
307
308 Note that this setting is complementary to the dns setting. You can
309 keep this enabled while using dns set to another DNS plugin
310 alongside systemd-resolved, or dns set to systemd-resolved to
311 configure the system resolver to use systemd-resolved.
312
313 If systemd-resolved is enabled, the connectivity check resolves the
314 hostname per-device.
315
316 debug
317 Comma separated list of options to aid debugging. This value will
318 be combined with the environment variable NM_DEBUG. Currently, the
319 following values are supported:
320
321 RLIMIT_CORE: set ulimit -c unlimited to write out core dumps.
322 Beware, that a core dump can contain sensitive information such as
323 passwords or configuration settings.
324
325 fatal-warnings: set g_log_set_always_fatal() to core dump on
326 warning messages from glib. This is equivalent to the
327 --g-fatal-warnings command line option.
328
329 autoconnect-retries-default
330 The number of times a connection activation should be automatically
331 tried before switching to another one. This value applies only to
332 connections that can auto-connect and have a
333 connection.autoconnect-retries property set to -1. If not
334 specified, connections will be tried 4 times. Setting this value to
335 1 means to try activation once, without retry.
336
337 slaves-order
338 This key specifies in which order slave connections are
339 auto-activated on boot or when the master activates them. Allowed
340 values are name (order connection by interface name, the default),
341 or index (order slaves by their kernel index).
342
343 firewall-backend
344 The firewall backend for configuring masquerading with shared mode.
345 Set to either iptables, nftables or none. iptables and nftables
346 require iptables and nft application, respectively. none means to
347 skip firewall configuration if the users wish to manage firewall
348 themselves. If unspecified, it will be auto detected.
349
350 iwd-config-path
351 If the value is "auto" (the default), IWD is queried for its
352 current state directory when it appears on D-Bus -- the directory
353 where IWD keeps its network configuration files -- usually
354 /var/lib/iwd. NetworkManager will then attempt to write copies of
355 new or modified Wi-Fi connection profiles, converted into the IWD
356 format, into this directory thus making IWD connection properties
357 editable. NM will overwrite existing files without preserving their
358 contents.
359
360 The path can also be overriden by pointing to a specific existing
361 and writable directory. On the other hand setting this to an empty
362 string or any other value disables the profile conversion
363 mechanism.
364
365 This mechanism allows editing connection profile settings such as
366 the 802.1x configuration using NetworkManager clients. Without it
367 such changes have no effect in IWD.
368
370 This section contains keyfile-plugin-specific options, and is normally
371 only used when you are not using any other distro-specific plugin.
372
373 hostname
374 This key is deprecated and has no effect since the hostname is now
375 stored in /etc/hostname or other system configuration files
376 according to build options.
377
378 path
379 The location where keyfiles are read and stored. This defaults to
380 "/etc/NetworkManager/system-connections".
381
382 unmanaged-devices
383 Set devices that should be ignored by NetworkManager.
384
385 A device unmanaged due to this option is strictly unmanaged and
386 cannot be overruled by using the API like nmcli device set $IFNAME
387 managed yes. Also, a device that is unmanaged for other reasons,
388 like an udev rule, cannot be made managed with this option (e.g. by
389 using an except: specifier). These two points make it different
390 from the device*.managed option which for that reason may be a
391 better choice.
392
393 See the section called “Device List Format” for the syntax on how
394 to specify a device.
395
396 Example:
397
398 unmanaged-devices=interface-name:em4
399 unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
400
401
403 This section contains ifupdown-specific options and thus only has
404 effect when using the ifupdown plugin.
405
406 managed
407 If set to true, then interfaces listed in /etc/network/interfaces
408 are managed by NetworkManager. If set to false, then any interface
409 listed in /etc/network/interfaces will be ignored by
410 NetworkManager. Remember that NetworkManager controls the default
411 route, so because the interface is ignored, NetworkManager may
412 assign the default route to some other interface.
413
414 The default value is false.
415
417 This section controls NetworkManager's logging. Any settings here are
418 overridden by the --log-level and --log-domains command-line options.
419
420 level
421 The default logging verbosity level. One of OFF, ERR, WARN, INFO,
422 DEBUG, TRACE. The ERR level logs only critical errors. WARN logs
423 warnings that may reflect operation. INFO logs various
424 informational messages that are useful for tracking state and
425 operations. DEBUG enables verbose logging for debugging purposes.
426 TRACE enables even more verbose logging then DEBUG level.
427 Subsequent levels also log all messages from earlier levels; thus
428 setting the log level to INFO also logs error and warning messages.
429
430 domains
431 The following log domains are available: PLATFORM, RFKILL, ETHER,
432 WIFI, BT, MB, DHCP4, DHCP6, PPP, WIFI_SCAN, IP4, IP6, AUTOIP4, DNS,
433 VPN, SHARING, SUPPLICANT, AGENTS, SETTINGS, SUSPEND, CORE, DEVICE,
434 OLPC, WIMAX, INFINIBAND, FIREWALL, ADSL, BOND, VLAN, BRIDGE,
435 DBUS_PROPS, TEAM, CONCHECK, DCB, DISPATCH, AUDIT, SYSTEMD,
436 VPN_PLUGIN, PROXY.
437
438 In addition, these special domains can be used: NONE, ALL, DEFAULT,
439 DHCP, IP.
440
441 You can specify per-domain log level overrides by adding a colon
442 and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".
443
444 Domain descriptions:
445 PLATFORM : OS (platform) operations
446 RFKILL : RFKill subsystem operations
447 ETHER : Ethernet device operations
448 WIFI : Wi-Fi device operations
449 BT : Bluetooth operations
450 MB : Mobile broadband operations
451 DHCP4 : DHCP for IPv4
452 DHCP6 : DHCP for IPv6
453 PPP : Point-to-point protocol operations
454 WIFI_SCAN : Wi-Fi scanning operations
455 IP4 : IPv4-related operations
456 IP6 : IPv6-related operations
457 AUTOIP4 : AutoIP operations
458 DNS : Domain Name System related operations
459 VPN : Virtual Private Network connections and
460 operations
461 SHARING : Connection sharing. With TRACE level log queries
462 for dnsmasq instance
463 SUPPLICANT : WPA supplicant related operations
464 AGENTS : Secret agents operations and communication
465 SETTINGS : Settings/config service operations
466 SUSPEND : Suspend/resume
467 CORE : Core daemon and policy operations
468 DEVICE : Activation and general interface operations
469 OLPC : OLPC Mesh device operations
470 WIMAX : WiMAX device operations
471 INFINIBAND : InfiniBand device operations
472 FIREWALL : FirewallD related operations
473 ADSL : ADSL device operations
474 BOND : Bonding operations
475 VLAN : VLAN operations
476 BRIDGE : Bridging operations
477 DBUS_PROPS : D-Bus property changes
478 TEAM : Teaming operations
479 CONCHECK : Connectivity check
480 DCB : Data Center Bridging (DCB) operations
481 DISPATCH : Dispatcher scripts
482 AUDIT : Audit records
483 SYSTEMD : Messages from internal libsystemd
484 VPN_PLUGIN : logging messages from VPN plugins
485 PROXY : logging messages for proxy handling
486
487 NONE : when given by itself logging is disabled
488 ALL : all log domains
489 DEFAULT : default log domains
490 DHCP : shortcut for "DHCP4,DHCP6"
491 IP : shortcut for "IP4,IP6"
492
493 HW : deprecated alias for "PLATFORM"
494
495 In general, the logfile should not contain passwords or private
496 data. However, you are always advised to check the file before
497 posting it online or attaching to a bug report. VPN_PLUGIN is
498 special as it might reveal private information of the VPN plugins
499 with verbose levels. Therefore this domain will be excluded when
500 setting ALL or DEFAULT to more verbose levels then INFO.
501
502 backend
503 The logging backend. Supported values are "syslog" and "journal".
504 When NetworkManager is started with "--debug" in addition all
505 messages will be printed to stderr. If unspecified, the default is
506 "journal".
507
508 audit
509 Whether the audit records are delivered to auditd, the audit
510 daemon. If false, audit records will be sent only to the
511 NetworkManager logging system. If set to true, they will be also
512 sent to auditd. The default value is false.
513
515 Specify default values for connections.
516
517 Such default values are only consulted if the corresponding
518 per-connection property explicitly allows for that. That means, all
519 these properties correspond to a property of the connection profile
520 (for example connection.mud-url). Only if the per-profile property is
521 set to a special value that indicates to use the default, the default
522 value from NetworkManager.conf is consulted. It depends on the
523 property, which is the special value that indicates fallback to the
524 default, but it usually is something like empty, unset values or
525 special numeric values like 0 or -1. That means the effectively used
526 value can first always be configured for each profile, and these
527 default values only matter if the per-profile values explicitly
528 indicates to use the default from NetworkManager.conf.
529
530 Example:
531
532 [connection]
533 ipv6.ip6-privacy=0
534
535
536 Supported Properties
537 Not all properties can be overwritten, only the following properties
538 are supported to have their default values configured (see nm-
539 settings(5) for details).
540
541 802-1x.auth-timeout
542
543 cdma.mtu
544
545 connection.auth-retries
546 If left unspecified, the default value is 3 tries before failing
547 the connection.
548
549 connection.autoconnect-slaves
550
551 connection.mud-url
552 If unspecified, MUD URL defaults to "none".
553
554 connection.lldp
555
556 connection.llmnr
557 If unspecified, the ultimate default values depends on the DNS
558 plugin. With systemd-resolved the default currently is "yes" (2)
559 and for all other plugins "no" (0).
560
561 connection.mdns
562 If unspecified, the ultimate default values depends on the DNS
563 plugin. With systemd-resolved the default currently is "no" (0) and
564 for all other plugins also "no" (0).
565
566 connection.stable-id
567
568 ethernet.cloned-mac-address
569 If left unspecified, it defaults to "preserve".
570
571 ethernet.generate-mac-address-mask
572
573 ethernet.mtu
574 If configured explicitly to 0, the MTU is not reconfigured during
575 device activation unless it is required due to IPv6 constraints. If
576 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
577 MTU is not reconfigured during activation.
578
579 ethernet.wake-on-lan
580
581 gsm.mtu
582
583 hostname.from-dhcp
584
585 hostname.from-dns-lookup
586
587 hostname.only-from-default
588
589 hostname.priority
590
591 infiniband.mtu
592 If configured explicitly to 0, the MTU is not reconfigured during
593 device activation unless it is required due to IPv6 constraints. If
594 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
595 MTU is left unspecified on activation.
596
597 ip-tunnel.mtu
598 If configured explicitly to 0, the MTU is not reconfigured during
599 device activation unless it is required due to IPv6 constraints. If
600 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
601 default of 1500.
602
603 ipv4.dad-timeout
604
605 ipv4.dhcp-client-id
606
607 ipv4.dhcp-iaid
608 If left unspecified, it defaults to "ifname".
609
610 ipv4.dhcp-hostname-flags
611 If left unspecified, the value 3 (fqdn-encoded,fqdn-serv-update) is
612 used.
613
614 ipv4.dhcp-timeout
615 If left unspecified, the default value for the interface type is
616 used.
617
618 ipv4.dhcp-vendor-class-identifier
619 If left unspecified, the default is to not send the DHCP option to
620 the server.
621
622 ipv4.dns-priority
623 If unspecified or zero, use 50 for VPN profiles and 100 for other
624 profiles.
625
626 ipv4.required-timeout
627
628 ipv4.route-metric
629
630 ipv4.route-table
631 If left unspecified, routes are only added to the main table. Note
632 that this is different from explicitly selecting the main table
633 254, because of how NetworkManager removes extraneous routes from
634 the tables.
635
636 ipv6.ra-timeout
637 If left unspecified, the default value depends on the sysctl
638 solicitation settings.
639
640 ipv6.dhcp-duid
641 If left unspecified, it defaults to "lease".
642
643 ipv6.dhcp-iaid
644 If left unspecified, it defaults to "ifname".
645
646 ipv6.dhcp-hostname-flags
647 If left unspecified, the value 1 (fqdn-serv-update) is used.
648
649 ipv6.dhcp-timeout
650 If left unspecified, the default value for the interface type is
651 used.
652
653 ipv6.dns-priority
654 If unspecified or zero, use 50 for VPN profiles and 100 for other
655 profiles.
656
657 ipv6.ip6-privacy
658 If ipv6.ip6-privacy is unset, use the content of
659 "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.
660
661 ipv6.required-timeout
662
663 ipv6.route-metric
664
665 ipv6.route-table
666 If left unspecified, routes are only added to the main table. Note
667 that this is different from explicitly selecting the main table
668 254, because of how NetworkManager removes extraneous routes from
669 the tables.
670
671 sriov.autoprobe-drivers
672 If left unspecified, drivers are autoprobed when the SR-IOV VF gets
673 created.
674
675 vpn.timeout
676 If left unspecified, default value of 60 seconds is used.
677
678 wifi.ap-isolation
679 If left unspecified, AP isolation is disabled.
680
681 wifi.cloned-mac-address
682 If left unspecified, it defaults to "preserve".
683
684 wifi.generate-mac-address-mask
685
686 wifi.mac-address-randomization
687 If left unspecified, MAC address randomization is disabled. This
688 setting is deprecated for wifi.cloned-mac-address.
689
690 wifi.mtu
691 If configured explicitly to 0, the MTU is not reconfigured during
692 device activation unless it is required due to IPv6 constraints. If
693 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
694 default of 1500.
695
696 wifi.powersave
697 If left unspecified, the default value "ignore" will be used.
698
699 wifi-sec.pmf
700 If left unspecified, the default value "optional" will be used.
701
702 wifi-sec.fils
703 If left unspecified, the default value "optional" will be used.
704
705 wifi.wake-on-wlan
706
707 wireguard.mtu
708
709
710 Sections
711 You can configure multiple connection sections, by having different
712 sections with a name that all start with "connection". Example:
713
714 [connection]
715 ipv6.ip6-privacy=0
716 connection.autoconnect-slaves=1
717 vpn.timeout=120
718
719 [connection-wifi-wlan0]
720 match-device=interface-name:wlan0
721 ipv4.route-metric=50
722
723 [connection-wifi-other]
724 match-device=type:wifi
725 ipv4.route-metric=55
726 ipv6.ip6-privacy=1
727
728 The sections within one file are considered in order of appearance,
729 with the exception that the [connection] section is always considered
730 last. In the example above, this order is [connection-wifi-wlan0],
731 [connection-wlan-other], and [connection]. When checking for a default
732 configuration value, the sections are searched until the requested
733 value is found. In the example above, "ipv4.route-metric" for wlan0
734 interface is set to 50, and for all other Wi-Fi typed interfaces to 55.
735 Also, Wi-Fi devices would have IPv6 private addresses enabled by
736 default, but other devices would have it disabled. Note that also
737 "wlan0" gets "ipv6.ip6-privacy=1", because although the section
738 "[connection-wifi-wlan0]" matches the device, it does not contain that
739 property and the search continues.
740
741 When having different sections in multiple files, sections from files
742 that are read later have higher priority. So within one file the
743 priority of the sections is top-to-bottom. Across multiple files later
744 definitions take precedence.
745
746 The following properties further control how a connection section
747 applies.
748
749 match-device
750 An optional device spec that restricts when the section applies.
751 See the section called “Device List Format” for the possible
752 values.
753
754 stop-match
755 An optional boolean value which defaults to no. If the section
756 matches (based on match-device), further sections will not be
757 considered even if the property in question is not present. In the
758 example above, if [connection-wifi-wlan0] would have stop-match set
759 to yes, the device wlan0 would have ipv6.ip6-privacy property
760 unspecified. That is, the search for the property would not
761 continue in the connection sections [connection-wifi-other] or
762 [connection].
763
765 Contains per-device persistent configuration.
766
767 Example:
768
769 [device]
770 match-device=interface-name:eth3
771 managed=1
772
773
774 Supported Properties
775 The following properties can be configured per-device.
776
777 managed
778 Whether the device is managed or not. A device can be marked as
779 managed via udev rules (ENV{NM_UNMANAGED}), or via setting plugins
780 (keyfile.unmanaged-devices). This is yet another way. Note that
781 this configuration can be overruled at runtime via D-Bus. Also, it
782 has higher priority then udev rules.
783
784 carrier-wait-timeout
785 Specify the timeout for waiting for carrier in milliseconds. The
786 default is 5000 milliseconds. This setting exists because certain
787 drivers/hardware can take a long time to detect whether the cable
788 is plugged in.
789
790 When the device loses carrier, NetworkManager does not react
791 immediately. Instead, it waits for this timeout before considering
792 the link lost.
793
794 Also, on startup, NetworkManager considers the device as busy for
795 this time, as long as the device has no carrier. This delays
796 startup-complete signal and NetworkManager-wait-online. Configuring
797 this too high means to block NetworkManager-wait-online longer than
798 necessary when booting with cable unplugged. Configuring it too
799 low, means that NetworkManager will declare startup-complete too
800 soon, although carrier is about to come and auto-activation to kick
801 in. Note that if a profile only has static IP configuration or
802 Layer 3 configuration disabled, then it can already autoconnect
803 without carrier on the device. Once such a profile reaches full
804 activated state, startup-complete is considered as reached even if
805 the device has no carrier yet.
806
807 ignore-carrier
808 Specify devices for which NetworkManager will (partially) ignore
809 the carrier state. Normally, for device types that support
810 carrier-detect, such as Ethernet and InfiniBand, NetworkManager
811 will only allow a connection to be activated on the device if
812 carrier is present (ie, a cable is plugged in), and it will
813 deactivate the device if carrier drops for more than a few seconds.
814
815 A device with carrier ignored will allow activating connections on
816 that device even when it does not have carrier, provided that the
817 connection uses only statically-configured IP addresses.
818 Additionally, it will allow any active connection (whether static
819 or dynamic) to remain active on the device when carrier is lost.
820
821 Note that the "carrier" property of NMDevices and device D-Bus
822 interfaces will still reflect the actual device state; it's just
823 that NetworkManager will not make use of that information.
824
825 Master types like bond, bridge and team ignore carrier by default,
826 while other device types react on carrier changes by default.
827
828 This setting overwrites the deprecated main.ignore-carrier setting
829 above.
830
831 keep-configuration
832 On startup, NetworkManager tries to not interfere with interfaces
833 that are already configured. It does so by generating a in-memory
834 connection based on the interface current configuration.
835
836 If this generated connection matches one of the existing persistent
837 connections, the persistent connection gets activated. If there is
838 no match, the generated connection gets activated as "external",
839 which means that the connection is considered as active, but
840 NetworkManager doesn't actually touch the interface.
841
842 It is possible to disable this behavior by setting
843 keep-configuration to no. In this way, on startup NetworkManager
844 always tries to activate the most suitable persistent connection
845 (the one with highest autoconnect-priority or, in case of a tie,
846 the one activated most recently).
847
848 Note that when NetworkManager gets restarted, it stores the
849 previous state in /run/NetworkManager; in particular it saves the
850 UUID of the connection that was previously active so that it can be
851 activated again after the restart. Therefore, keep-configuration
852 does not have any effect on service restart.
853
854 allowed-connections
855 A list of connections that can be activated on the device. See the
856 section called “Connection List Format” for the syntax to specify a
857 connection. If this option is not specified, all connections can be
858 potentially activated on the device, provided that the connection
859 type and other settings match.
860
861 A notable use case for this is to filter which connections can be
862 activated based on how they were created; see the origin keyword in
863 the section called “Connection List Format”.
864
865 wifi.scan-rand-mac-address
866 Configures MAC address randomization of a Wi-Fi device during
867 scanning. This defaults to yes in which case a random,
868 locally-administered MAC address will be used. The setting
869 wifi.scan-generate-mac-address-mask allows to influence the
870 generated MAC address to use certain vendor OUIs. If disabled, the
871 MAC address during scanning is left unchanged to whatever is
872 configured. For the configured MAC address while the device is
873 associated, see instead the per-connection setting
874 wifi.cloned-mac-address.
875
876 wifi.backend
877 Specify the Wi-Fi backend used for the device. Currently, supported
878 are wpa_supplicant and iwd (experimental).
879
880 wifi.scan-generate-mac-address-mask
881 Like the per-connection settings ethernet.generate-mac-address-mask
882 and wifi.generate-mac-address-mask, this allows to configure the
883 generated MAC addresses during scanning. See nm-settings(5) for
884 details.
885
886 wifi.iwd.autoconnect
887 If wifi.backend is iwd, setting this to false forces IWD's
888 autoconnect mechanism to be disabled for this device and
889 connections will only be initiated by NetworkManager whether
890 commanded by a client or automatically. Leaving it true (default)
891 stops NetworkManager from automatically initiating connections and
892 allows IWD to use its network ranking and scanning logic to decide
893 the best networks to autoconnect to next. Connections'
894 autoconnect-priority, autoconnect-retries settings will be ignored.
895 Other settings like permissions or multi-connect may interfere with
896 IWD connection attempts.
897
898 sriov-num-vfs
899 Specify the number of virtual functions (VF) to enable for a PCI
900 physical device that supports single-root I/O virtualization
901 (SR-IOV).
902
903 Sections
904 The [device] section works the same as the [connection] section. That
905 is, multiple sections that all start with the prefix "device" can be
906 specified. The settings "match-device" and "stop-match" are available
907 to match a device section on a device. The order of multiple sections
908 is also top-down within the file and later files overwrite previous
909 settings. See “Sections” under the section called “CONNECTION SECTION”
910 for details.
911
913 This section controls NetworkManager's optional connectivity checking
914 functionality. This allows NetworkManager to detect whether or not the
915 system can actually access the internet or whether it is behind a
916 captive portal.
917
918 Connectivity checking serves two purposes. For one, it exposes a
919 connectivity state on D-Bus, which other applications may use. For
920 example, Gnome's portal helper uses this as signal to show a captive
921 portal login page. The other use is that default-route of devices
922 without global connectivity get a penalty of +20000 to the
923 route-metric. This has the purpose to give a better default-route to
924 devices that have global connectivity. For example, when being
925 connected to WWAN and to a Wi-Fi network which is behind a captive
926 portal, WWAN still gets preferred until login.
927
928 Note that your distribution might set
929 /proc/sys/net/ipv4/conf/*/rp_filter to strict filtering. That works
930 badly with per-device connectivity checking, which uses SO_BINDDEVICE
931 to send requests on all devices. A strict rp_filter setting will reject
932 any response and the connectivity check on all but the best route will
933 fail.
934
935 enabled
936 Whether connectivity check is enabled. Note that to enable
937 connectivity check, a valid uri must also be configured. The value
938 defaults to true, but since the uri is unset by default,
939 connectivity check may be disabled. The main purpose of this option
940 is to have a single flag to disable connectivity check. Note that
941 this setting can also be set via D-Bus API at runtime. In that
942 case, the value gets stored in
943 /var/lib/NetworkManager/NetworkManager-intern.conf file.
944
945 uri
946 The URI of a web page to periodically request when connectivity is
947 being checked. This page should return the header
948 "X-NetworkManager-Status" with a value of "online". Alternatively,
949 its body content should be set to "NetworkManager is online". The
950 body content check can be controlled by the response option. If
951 this option is blank or missing, connectivity checking is disabled.
952
953 interval
954 Specified in seconds; controls how often connectivity is checked
955 when a network connection exists. If set to 0 connectivity checking
956 is disabled. If missing, the default is 300 seconds.
957
958 response
959 If set, controls what body content NetworkManager checks for when
960 requesting the URI for connectivity checking. Note that this only
961 compares that the HTTP response starts with the specifid text, it
962 does not compare the exact string. This behavior might change in
963 the future, so avoid relying on it. If missing, the response
964 defaults to "NetworkManager is online". If set to empty, the HTTP
965 server is expected to answer with status code 204 or send no data.
966
968 This section specifies global DNS settings that override
969 connection-specific configuration.
970
971 searches
972 A list of search domains to be used during hostname lookup.
973
974 options
975 A list of options to be passed to the hostname resolver.
976
978 Sections with a name starting with the "global-dns-domain-" prefix
979 allow to define global DNS configuration for specific domains. The part
980 of section name after "global-dns-domain-" specifies the domain name a
981 section applies to. More specific domains have the precedence over less
982 specific ones and the default domain is represented by the wildcard
983 "*". A default domain section is mandatory.
984
985 servers
986 A list of addresses of DNS servers to be used for the given domain.
987
988 options
989 A list of domain-specific DNS options. Not used at the moment.
990
992 This is a special section that contains options which apply to the
993 configuration file that contains the option.
994
995 enable
996 Defaults to "true". If "false", the configuration file will be
997 skipped during loading. Note that the main configuration file
998 NetworkManager.conf cannot be disabled.
999
1000 # always skip loading the config file
1001 [.config]
1002 enable=false
1003
1004 You can also match against the version of NetworkManager. For
1005 example the following are valid configurations:
1006
1007 # only load on version 1.0.6
1008 [.config]
1009 enable=nm-version:1.0.6
1010
1011 # load on all versions 1.0.x, but not 1.2.x
1012 [.config]
1013 enable=nm-version:1.0
1014
1015 # only load on versions >= 1.1.6. This does not match
1016 # with version 1.2.0 or 1.4.4. Only the last digit is considered.
1017 [.config]
1018 enable=nm-version-min:1.1.6
1019
1020 # only load on versions >= 1.2. Contrary to the previous
1021 # example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.
1022 [.config]
1023 enable=nm-version-min:1.2
1024
1025 # Match against the maximum allowed version. The example matches
1026 # versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
1027 # is allowed to be smaller. So this would not match on 1.1.10.
1028 [.config]
1029 enable=nm-version-max:1.2.6
1030
1031 You can also match against the value of the environment variable
1032 NM_CONFIG_ENABLE_TAG, like:
1033
1034 # always skip loading the file when running NetworkManager with
1035 # environment variable "NM_CONFIG_ENABLE_TAG=TAG1"
1036 [.config]
1037 enable=env:TAG1
1038
1039 More then one match can be specified. The configuration will be
1040 enabled if one of the predicates matches ("or"). The special prefix
1041 "except:" can be used to negate the match. Note that if one
1042 except-predicate matches, the entire configuration will be
1043 disabled. In other words, a except predicate always wins over other
1044 predicates. If the setting only consists of "except:" matches and
1045 none of the negative conditions are satisfied, the configuration is
1046 still enabled.
1047
1048 # enable the configuration either when the environment variable
1049 # is present or the version is at least 1.2.0.
1050 [.config]
1051 enable=env:TAG2,nm-version-min:1.2
1052
1053 # enable the configuration for version >= 1.2.0, but disable
1054 # it when the environment variable is set to "TAG3"
1055 [.config]
1056 enable=except:env:TAG3,nm-version-min:1.2
1057
1058 # enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
1059 # Useful if a certain feature is only present since those releases.
1060 [.config]
1061 enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
1062
1063
1065 Settings plugins for reading and writing connection profiles. The
1066 number of available plugins is distribution specific.
1067
1068 keyfile
1069 The keyfile plugin is the generic plugin that supports all the
1070 connection types and capabilities that NetworkManager has. It
1071 writes files out in an .ini-style format in
1072 /etc/NetworkManager/system-connections. See nm-settings-keyfile(5)
1073 for details about the file format.
1074
1075 The stored connection file may contain passwords, secrets and
1076 private keys in plain text, so it will be made readable only to
1077 root, and the plugin will ignore files that are readable or
1078 writable by any user or group other than root. See "Secret flag
1079 types" in nm-settings(5) for how to avoid storing passwords in
1080 plain text.
1081
1082 This plugin is always active, and will automatically be used to
1083 store any connections that aren't supported by any other active
1084 plugin.
1085
1086 ifcfg-rh
1087 This plugin is used on the Fedora and Red Hat Enterprise Linux
1088 distributions to read and write configuration from the standard
1089 /etc/sysconfig/network-scripts/ifcfg-* files. It currently supports
1090 reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team
1091 connections. Enabling ifcfg-rh implicitly enables ibft plugin, if
1092 it is available. This can be disabled by adding no-ibft. See
1093 /usr/share/doc/initscripts/sysconfig.txt and nm-settings-ifcfg-
1094 rh(5) for more information about the ifcfg file format.
1095
1096 ifupdown
1097 This plugin is used on the Debian and Ubuntu distributions, and
1098 reads Ethernet and Wi-Fi connections from /etc/network/interfaces.
1099
1100 This plugin is read-only; any connections (of any type) added from
1101 within NetworkManager when you are using this plugin will be saved
1102 using the keyfile plugin instead.
1103
1104 ibft, no-ibft
1105 These plugins are deprecated and their selection has no effect.
1106 This is now handled by nm-initrd-generator.
1107
1108 ifcfg-suse, ifnet
1109 These plugins are deprecated and their selection has no effect. The
1110 keyfile plugin should be used instead.
1111
1113 Device List Format
1114 The configuration options main.no-auto-default, main.ignore-carrier,
1115 keyfile.unmanaged-devices, connection*.match-device and
1116 device*.match-device select devices based on a list of matchings.
1117 Devices can be specified using the following format:
1118
1119 *
1120 Matches every device.
1121
1122 IFNAME
1123 Case sensitive match of interface name of the device. Globbing is
1124 not supported.
1125
1126 HWADDR
1127 Match the permanent MAC address of the device. Globbing is not
1128 supported
1129
1130 interface-name:IFNAME, interface-name:~IFNAME
1131 Case sensitive match of interface name of the device. Simple
1132 globbing is supported with * and ?. Ranges and escaping is not
1133 supported.
1134
1135 interface-name:=IFNAME
1136 Case sensitive match of interface name of the device. Globbing is
1137 disabled and IFNAME is taken literally.
1138
1139 mac:HWADDR
1140 Match the permanent MAC address of the device. Globbing is not
1141 supported
1142
1143 s390-subchannels:HWADDR
1144 Match the device based on the subchannel address. Globbing is not
1145 supported
1146
1147 type:TYPE
1148 Match the device type. Valid type names are as reported by "nmcli
1149 -f GENERAL.TYPE device show". Globbing is not supported.
1150
1151 driver:DRIVER
1152 Match the device driver as reported by "nmcli -f
1153 GENERAL.DRIVER,GENERAL.DRIVER-VERSION device show". "DRIVER" must
1154 match the driver name exactly and does not support globbing.
1155 Optionally, a driver version may be specified separated by '/'.
1156 Globbing is supported for the version.
1157
1158 dhcp-plugin:DHCP
1159 Match the configured DHCP plugin "main.dhcp".
1160
1161 except:SPEC
1162 Negative match of a device. SPEC must be explicitly qualified with
1163 a prefix such as interface-name:. A negative match has higher
1164 priority then the positive matches above.
1165
1166 If there is a list consisting only of negative matches, the
1167 behavior is the same as if there is also match-all. That means, if
1168 none of all the negative matches is satisfied, the overall result
1169 is still a positive match. That means, "except:interface-name:eth0"
1170 is the same as "*,except:interface-name:eth0".
1171
1172 SPEC[,;]SPEC
1173 Multiple specs can be concatenated with commas or semicolons. The
1174 order does not matter as matches are either inclusive or negative
1175 (except:), with negative matches having higher priority.
1176
1177 Backslash is supported to escape the separators ';' and ',', and to
1178 express special characters such as newline ('\n'), tabulator
1179 ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
1180 interface names cannot be escaped. Whitespace is not a separator
1181 but will be trimmed between two specs (unless escaped as '\s').
1182
1183 Example:
1184
1185 interface-name:em4
1186 mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
1187 interface-name:vboxnet*,except:interface-name:vboxnet2
1188 *,except:mac:00:22:68:1c:59:b1
1189
1190
1191 Connection List Format
1192 Connections can be specified using the following format:
1193
1194 *
1195 Matches every connection.
1196
1197 uuid:UUID
1198 Match the connection by UUID, for example
1199 "uuid:83037490-1d17-4986-a397-01f1db3a7fc2"
1200
1201 id=ID
1202 Match the connection by name.
1203
1204 origin:ORIGIN
1205 Match the connection by origin, stored in the
1206 org.freedesktop.NetworkManager.origin tag of the user setting. For
1207 example, use "except:origin:nm-initrd-generator" to forbid
1208 activation of connections created by the initrd generator.
1209
1210 except:SPEC
1211 Negative match of a connection. A negative match has higher
1212 priority then the positive matches above.
1213
1214 If there is a list consisting only of negative matches, the
1215 behavior is the same as if there is also match-all. That means, if
1216 none of all the negative matches is satisfied, the overall result
1217 is still a positive match.
1218
1219 SPEC[,;]SPEC
1220 Multiple specs can be concatenated with commas or semicolons. The
1221 order does not matter as matches are either inclusive or negative
1222 (except:), with negative matches having higher priority.
1223
1224 Backslash is supported to escape the separators ';' and ',', and to
1225 express special characters such as newline ('\n'), tabulator
1226 ('\t'), whitespace ('\s') and backslash ('\\'). Whitespace is not a
1227 separator but will be trimmed between two specs (unless escaped as
1228 '\s').
1229
1231 NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1), nm-
1232 settings(5), nm-applet(1), nm-connection-editor(1)
1233
1234
1235
1236NetworkManager 1.32.12 NETWORKMANAGER.CONF(5)