1NETWORKMANAGER.CONF(5)           Configuration          NETWORKMANAGER.CONF(5)
2
3
4

NAME

6       NetworkManager.conf - NetworkManager configuration file
7

SYNOPSIS

9       /etc/NetworkManager/NetworkManager.conf,
10       /etc/NetworkManager/conf.d/name.conf,
11       /run/NetworkManager/conf.d/name.conf,
12       /usr/lib/NetworkManager/conf.d/name.conf,
13       /var/lib/NetworkManager/NetworkManager-intern.conf
14

DESCRIPTION

16       NetworkManager.conf is the configuration file for NetworkManager. It is
17       used to set up various aspects of NetworkManager's behavior. The
18       location of the main file and configuration directories may be changed
19       through use of the --config, --config-dir, --system-config-dir, and
20       --intern-config argument for NetworkManager, respectively.
21
22       If a default NetworkManager.conf is provided by your distribution's
23       packages, you should not modify it, since your changes may get
24       overwritten by package updates. Instead, you can add additional .conf
25       files to the /etc/NetworkManager/conf.d directory. These will be read
26       in order, with later files overriding earlier ones. Packages might
27       install further configuration snippets to
28       /usr/lib/NetworkManager/conf.d. This directory is parsed first, even
29       before NetworkManager.conf. Scripts can also put per-boot configuration
30       into /run/NetworkManager/conf.d. This directory is parsed second, also
31       before NetworkManager.conf. The loading of a file
32       /run/NetworkManager/conf.d/name.conf can be prevented by adding a file
33       /etc/NetworkManager/conf.d/name.conf. Likewise, a file
34       /usr/lib/NetworkManager/conf.d/name.conf can be shadowed by putting a
35       file of the same name to either /etc/NetworkManager/conf.d or
36       /run/NetworkManager/conf.d.
37
38       NetworkManager can overwrite certain user configuration options via
39       D-Bus or other internal operations. In this case it writes those
40       changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This
41       file is not intended to be modified by the user, but it is read last
42       and can shadow user configuration from NetworkManager.conf.
43
44       Certain settings from the configuration can be reloaded at runtime
45       either by sending SIGHUP signal or via D-Bus' Reload call.
46
47       NetworkManager does not require any configuration in
48       NetworkManager.conf. Depending on your use case, you may remove all
49       files to restore the default configuration (factory reset). But note
50       that your distribution or other packages may drop configuration
51       snippets for NetworkManager, such that they are part of the factory
52       default.
53

FILE FORMAT

55       The configuration file format is so-called key file (sort of ini-style
56       format). It consists of sections (groups) of key-value pairs. Lines
57       beginning with a '#' and blank lines are considered comments. Sections
58       are started by a header line containing the section enclosed in '[' and
59       ']', and ended implicitly by the start of the next section or the end
60       of the file. Each key-value pair must be contained in a section.
61
62       For keys that take a list of devices as their value, you can specify
63       devices by their MAC addresses or interface names, or "*" to specify
64       all devices. See the section called “Device List Format” below.
65
66       A simple configuration file looks like this:
67
68           [main]
69           plugins=keyfile
70
71       As an extension to the normal keyfile format, you can also append a
72       value to a previously-set list-valued key by doing:
73
74           plugins+=another-plugin
75           plugins-=remove-me
76
77

MAIN SECTION

79       plugins
80           Lists system settings plugin names separated by ','. These plugins
81           are used to read and write system-wide connection profiles. When
82           multiple plugins are specified, the connections are read from all
83           listed plugins. When writing connections, the plugins will be asked
84           to save the connection in the order listed here; if the first
85           plugin cannot write out that connection type (or can't write out
86           any connections) the next plugin is tried, etc. If none of the
87           plugins can save the connection, an error is returned to the user.
88
89           The default value and the number of available plugins is
90           distro-specific. See the section called “PLUGINS” below for the
91           available plugins. Note that NetworkManager's native keyfile plugin
92           is always appended to the end of this list (if it doesn't already
93           appear earlier in the list).
94
95       monitor-connection-files
96           This setting is deprecated and has no effect. Profiles from disk
97           are never automatically reloaded. Use for example nmcli connection
98           (re)load for that.
99
100       auth-polkit
101           Whether the system uses PolicyKit for authorization. If true,
102           non-root requests are authorized using PolicyKit. Requests from
103           root (user ID zero) are always granted without asking PolicyKit. If
104           false, all requests will be allowed and PolicyKit is not used. If
105           set to root-only PolicyKit is not used and all requests except root
106           are denied. The default value is true.
107
108       dhcp
109           This key sets up what DHCP client NetworkManager will use. Allowed
110           values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd
111           options require the indicated clients to be installed. The internal
112           option uses a built-in DHCP client which is not currently as
113           featureful as the external clients.
114
115           If this key is missing, it defaults to internal. If the chosen
116           plugin is not available, clients are looked for in this order:
117           dhclient, dhcpcd, internal.
118
119       no-auto-default
120           Specify devices for which NetworkManager shouldn't create default
121           wired connection (Auto eth0). By default, NetworkManager creates a
122           temporary wired connection for any Ethernet device that is managed
123           and doesn't have a connection configured. List a device in this
124           option to inhibit creating the default connection for the device.
125           May have the special value * to apply to all devices.
126
127           When the default wired connection is deleted or saved to a new
128           persistent connection by a plugin, the device is added to a list in
129           the file /var/lib/NetworkManager/no-auto-default.state to prevent
130           creating the default connection for that device again.
131
132           See the section called “Device List Format” for the syntax how to
133           specify a device.
134
135           Example:
136
137               no-auto-default=00:22:68:5c:5d:c4,00:1e:65:ff:aa:ee
138               no-auto-default=eth0,eth1
139               no-auto-default=*
140
141
142       ignore-carrier
143           This setting is deprecated for the per-device setting
144           ignore-carrier which overwrites this setting if specified (See
145           ignore-carrier). Otherwise, it is a list of matches to specify for
146           which device carrier should be ignored. See the section called
147           “Device List Format” for the syntax how to specify a device. Note
148           that master types like bond, bridge, and team ignore carrier by
149           default. You can however revert that default using the "except:"
150           specifier (or better, use the per-device setting instead of the
151           deprecated setting).
152
153       assume-ipv6ll-only
154           Specify devices for which NetworkManager will try to generate a
155           connection based on initial configuration when the device only has
156           an IPv6 link-local address.
157
158           See the section called “Device List Format” for the syntax how to
159           specify a device.
160
161       configure-and-quit
162           When set to 'true', NetworkManager quits after performing initial
163           network configuration but spawns small helpers to preserve DHCP
164           leases and IPv6 addresses. This is useful in environments where
165           network setup is more or less static or it is desirable to save
166           process time but still handle some dynamic configurations. When
167           this option is true, network configuration for Wi-Fi, WWAN,
168           Bluetooth, ADSL, and PPPoE interfaces cannot be preserved due to
169           their use of external services, and these devices will be
170           deconfigured when NetworkManager quits even though other
171           interface's configuration may be preserved. Also, to preserve DHCP
172           addresses the 'dhcp' option must be set to 'internal'. The default
173           value of the 'configure-and-quit' option is 'false', meaning that
174           NetworkManager will continue running after initial network
175           configuration and continue responding to system and hardware
176           events, D-Bus requests, and user commands.
177
178       hostname-mode
179           Set the management mode of the hostname. This parameter will affect
180           only the transient hostname. If a valid static hostname is set,
181           NetworkManager will skip the update of the hostname despite the
182           value of this option. An hostname empty or equal to 'localhost',
183           'localhost6', 'localhost.localdomain' or 'localhost6.localdomain'
184           is considered invalid.
185
186           default: NetworkManager will update the hostname with the one
187           provided via DHCP or reverse DNS lookup of the IP address on the
188           connection with the default route or on any connection with the
189           property hostname.only-from-default set to 'false'. Connections are
190           considered in order of increasing value of the hostname.priority
191           property. In case multiple connections have the same priority,
192           connections activated earlier are considered first. If no hostname
193           can be determined in such way, the hostname will be updated to the
194           last one set outside NetworkManager or to 'localhost.localdomain'.
195
196           dhcp: this is similar to 'default', with the difference that after
197           trying to get the DHCP hostname, reverse DNS lookup is not done.
198           Note that selecting this option is equivalent to setting the
199           property 'hostname.from-dns-lookup' to 'false' globally for all
200           connections in NetworkManager.conf.
201
202           none: NetworkManager will not manage the transient hostname and
203           will never set it.
204
205       dns
206           Set the DNS processing mode.
207
208           If the key is unspecified, default is used, unless /etc/resolv.conf
209           is a symlink to /run/systemd/resolve/stub-resolv.conf,
210           /run/systemd/resolve/resolv.conf, /lib/systemd/resolv.conf or
211           /usr/lib/systemd/resolv.conf. In that case, systemd-resolved is
212           chosen automatically.
213
214           default: NetworkManager will update /etc/resolv.conf to reflect the
215           nameservers provided by currently active connections. The
216           rc-manager setting (below) controls how this is done.
217
218           dnsmasq: NetworkManager will run dnsmasq as a local caching
219           nameserver, using "Conditional Forwarding" if you are connected to
220           a VPN, and then update resolv.conf to point to the local
221           nameserver. It is possible to pass custom options to the dnsmasq
222           instance by adding them to files in the
223           "/etc/NetworkManager/dnsmasq.d/" directory. Note that when multiple
224           upstream servers are available, dnsmasq will initially contact them
225           in parallel and then use the fastest to respond, probing again
226           other servers after some time. This behavior can be modified
227           passing the 'all-servers' or 'strict-order' options to dnsmasq (see
228           the manual page for more details).
229
230           systemd-resolved: NetworkManager will push the DNS configuration to
231           systemd-resolved
232
233           unbound: NetworkManager will talk to unbound and dnssec-triggerd,
234           using "Conditional Forwarding" with DNSSEC support.
235           /etc/resolv.conf will be managed by dnssec-trigger daemon. This
236           option is deprecated. Note that dnssec-trigger ships a
237           NetworkManager dispatcher script so this DNS plugin is not
238           necessary.
239
240           none: NetworkManager will not modify resolv.conf. This implies
241           rc-manager unmanaged
242
243           Note that the plugins dnsmasq, systemd-resolved and unbound are
244           caching local nameservers. Hence, when NetworkManager writes
245           /run/NetworkManager/resolv.conf and /etc/resolv.conf (according to
246           rc-manager setting below), the name server there will be localhost
247           only. NetworkManager also writes a file
248           /run/NetworkManager/no-stub-resolv.conf that contains the original
249           name servers pushed to the DNS plugin.
250
251           When using dnsmasq and systemd-resolved per-connection added dns
252           servers will always be queried using the device the connection has
253           been activated on.
254
255       rc-manager
256           Set the resolv.conf management mode. This option is about how
257           NetworkManager writes to /etc/resolv.conf, if at all. The default
258           value depends on NetworkManager build options, and this version of
259           NetworkManager was build with a default of "auto". Regardless of
260           this setting, NetworkManager will always write its version of
261           resolv.conf to its runtime state directory as
262           /run/NetworkManager/resolv.conf.
263
264           If you configure dns=none or make /etc/resolv.conf immutable with
265           chattr +i, NetworkManager will ignore this setting and always
266           choose unmanaged (below).
267
268           auto: if systemd-resolved plugin is configured via the dns setting
269           or if it gets detected as main DNS plugin, NetworkManager will
270           update systemd-resolved without touching /etc/resolv.conf.
271           Alternatively, if resolvconf or netconfig are enabled at compile
272           time and the respective binary is found, NetworkManager will
273           automatically use it. Note that if you install or uninstall these
274           binaries, you need to reload the rc-manager setting with SIGHUP or
275           systemctl reload NetworkManager. As last fallback it uses the
276           symlink option (see next).
277
278           symlink: If /etc/resolv.conf is a regular file or does not exist,
279           NetworkManager will write the file directly. If /etc/resolv.conf is
280           instead a symlink, NetworkManager will leave it alone. Unless the
281           symlink points to the internal file
282           /run/NetworkManager/resolv.conf, in which case the symlink will be
283           updated to emit an inotify notification. This allows the user to
284           conveniently instruct NetworkManager not to manage /etc/resolv.conf
285           by replacing it with a symlink.
286
287           file: NetworkManager will write /etc/resolv.conf as regular file.
288           If it finds a symlink to an existing target, it will follow the
289           symlink and update the target instead. In no case will an existing
290           symlink be replaced by a file. Note that older versions of
291           NetworkManager behaved differently and would replace dangling
292           symlinks with a plain file.
293
294           resolvconf: NetworkManager will run resolvconf to update the DNS
295           configuration.
296
297           netconfig: NetworkManager will run netconfig to update the DNS
298           configuration.
299
300           unmanaged: don't touch /etc/resolv.conf.
301
302           none: deprecated alias for symlink.
303
304       systemd-resolved
305           Send the connection DNS configuration to systemd-resolved. Defaults
306           to "true".
307
308           Note that this setting is complementary to the dns setting. You can
309           keep this enabled while using dns set to another DNS plugin
310           alongside systemd-resolved, or dns set to systemd-resolved to
311           configure the system resolver to use systemd-resolved.
312
313           If systemd-resolved is enabled, the connectivity check resolves the
314           hostname per-device.
315
316       debug
317           Comma separated list of options to aid debugging. This value will
318           be combined with the environment variable NM_DEBUG. Currently, the
319           following values are supported:
320
321           RLIMIT_CORE: set ulimit -c unlimited to write out core dumps.
322           Beware, that a core dump can contain sensitive information such as
323           passwords or configuration settings.
324
325           fatal-warnings: set g_log_set_always_fatal() to core dump on
326           warning messages from glib. This is equivalent to the
327           --g-fatal-warnings command line option.
328
329       autoconnect-retries-default
330           The number of times a connection activation should be automatically
331           tried before switching to another one. This value applies only to
332           connections that can auto-connect and have a
333           connection.autoconnect-retries property set to -1. If not
334           specified, connections will be tried 4 times. Setting this value to
335           1 means to try activation once, without retry.
336
337       slaves-order
338           This key specifies in which order slave connections are
339           auto-activated on boot or when the master activates them. Allowed
340           values are name (order connection by interface name, the default),
341           or index (order slaves by their kernel index).
342
343       firewall-backend
344           The firewall backend for configuring masquerading with shared mode.
345           Set to either iptables, nftables or none.  iptables and nftables
346           require iptables and nft application, respectively.  none means to
347           skip firewall configuration if the users wish to manage firewall
348           themselves. If unspecified, it will be auto detected.
349
350       iwd-config-path
351           If the value is "auto" (the default), IWD is queried for its
352           current state directory when it appears on D-Bus -- the directory
353           where IWD keeps its network configuration files -- usually
354           /var/lib/iwd. NetworkManager will then attempt to write copies of
355           new or modified Wi-Fi connection profiles, converted into the IWD
356           format, into this directory thus making IWD connection properties
357           editable. NM will overwrite existing files without preserving their
358           contents.
359
360           The path can also be overriden by pointing to a specific existing
361           and writable directory. On the other hand setting this to an empty
362           string or any other value disables the profile conversion
363           mechanism.
364
365           This mechanism allows editing connection profile settings such as
366           the 802.1x configuration using NetworkManager clients. Without it
367           such changes have no effect in IWD.
368

KEYFILE SECTION

370       This section contains keyfile-plugin-specific options, and is normally
371       only used when you are not using any other distro-specific plugin.
372
373       hostname
374           This key is deprecated and has no effect since the hostname is now
375           stored in /etc/hostname or other system configuration files
376           according to build options.
377
378       path
379           The location where keyfiles are read and stored. This defaults to
380           "/etc/NetworkManager/system-connections".
381
382       unmanaged-devices
383           Set devices that should be ignored by NetworkManager.
384
385           A device unmanaged due to this option is strictly unmanaged and
386           cannot be overruled by using the API like nmcli device set $IFNAME
387           managed yes. Also, a device that is unmanaged for other reasons,
388           like an udev rule, cannot be made managed with this option (e.g. by
389           using an except: specifier). These two points make it different
390           from the device*.managed option which for that reason may be a
391           better choice.
392
393           See the section called “Device List Format” for the syntax on how
394           to specify a device.
395
396           Example:
397
398               unmanaged-devices=interface-name:em4
399               unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
400
401

IFUPDOWN SECTION

403       This section contains ifupdown-specific options and thus only has
404       effect when using the ifupdown plugin.
405
406       managed
407           If set to true, then interfaces listed in /etc/network/interfaces
408           are managed by NetworkManager. If set to false, then any interface
409           listed in /etc/network/interfaces will be ignored by
410           NetworkManager. Remember that NetworkManager controls the default
411           route, so because the interface is ignored, NetworkManager may
412           assign the default route to some other interface.
413
414           The default value is false.
415

LOGGING SECTION

417       This section controls NetworkManager's logging. Any settings here are
418       overridden by the --log-level and --log-domains command-line options.
419
420       level
421           The default logging verbosity level. One of OFF, ERR, WARN, INFO,
422           DEBUG, TRACE. The ERR level logs only critical errors. WARN logs
423           warnings that may reflect operation. INFO logs various
424           informational messages that are useful for tracking state and
425           operations. DEBUG enables verbose logging for debugging purposes.
426           TRACE enables even more verbose logging then DEBUG level.
427           Subsequent levels also log all messages from earlier levels; thus
428           setting the log level to INFO also logs error and warning messages.
429
430       domains
431           The following log domains are available: PLATFORM, RFKILL, ETHER,
432           WIFI, BT, MB, DHCP4, DHCP6, PPP, WIFI_SCAN, IP4, IP6, AUTOIP4, DNS,
433           VPN, SHARING, SUPPLICANT, AGENTS, SETTINGS, SUSPEND, CORE, DEVICE,
434           OLPC, WIMAX, INFINIBAND, FIREWALL, ADSL, BOND, VLAN, BRIDGE,
435           DBUS_PROPS, TEAM, CONCHECK, DCB, DISPATCH, AUDIT, SYSTEMD,
436           VPN_PLUGIN, PROXY.
437
438           In addition, these special domains can be used: NONE, ALL, DEFAULT,
439           DHCP, IP.
440
441           You can specify per-domain log level overrides by adding a colon
442           and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".
443
444           Domain descriptions:
445               PLATFORM    : OS (platform) operations
446               RFKILL      : RFKill subsystem operations
447               ETHER       : Ethernet device operations
448               WIFI        : Wi-Fi device operations
449               BT          : Bluetooth operations
450               MB          : Mobile broadband operations
451               DHCP4       : DHCP for IPv4
452               DHCP6       : DHCP for IPv6
453               PPP         : Point-to-point protocol operations
454               WIFI_SCAN   : Wi-Fi scanning operations
455               IP4         : IPv4-related operations
456               IP6         : IPv6-related operations
457               AUTOIP4     : AutoIP operations
458               DNS         : Domain Name System related operations
459               VPN         : Virtual Private Network connections and
460               operations
461               SHARING     : Connection sharing. With TRACE level log queries
462               for dnsmasq instance
463               SUPPLICANT  : WPA supplicant related operations
464               AGENTS      : Secret agents operations and communication
465               SETTINGS    : Settings/config service operations
466               SUSPEND     : Suspend/resume
467               CORE        : Core daemon and policy operations
468               DEVICE      : Activation and general interface operations
469               OLPC        : OLPC Mesh device operations
470               WIMAX       : WiMAX device operations
471               INFINIBAND  : InfiniBand device operations
472               FIREWALL    : FirewallD related operations
473               ADSL        : ADSL device operations
474               BOND        : Bonding operations
475               VLAN        : VLAN operations
476               BRIDGE      : Bridging operations
477               DBUS_PROPS  : D-Bus property changes
478               TEAM        : Teaming operations
479               CONCHECK    : Connectivity check
480               DCB         : Data Center Bridging (DCB) operations
481               DISPATCH    : Dispatcher scripts
482               AUDIT       : Audit records
483               SYSTEMD     : Messages from internal libsystemd
484               VPN_PLUGIN  : logging messages from VPN plugins
485               PROXY       : logging messages for proxy handling
486
487               NONE        : when given by itself logging is disabled
488               ALL         : all log domains
489               DEFAULT     : default log domains
490               DHCP        : shortcut for "DHCP4,DHCP6"
491               IP          : shortcut for "IP4,IP6"
492
493               HW          : deprecated alias for "PLATFORM"
494
495           In general, the logfile should not contain passwords or private
496           data. However, you are always advised to check the file before
497           posting it online or attaching to a bug report.  VPN_PLUGIN is
498           special as it might reveal private information of the VPN plugins
499           with verbose levels. Therefore this domain will be excluded when
500           setting ALL or DEFAULT to more verbose levels then INFO.
501
502       backend
503           The logging backend. Supported values are "syslog" and "journal".
504           When NetworkManager is started with "--debug" in addition all
505           messages will be printed to stderr. If unspecified, the default is
506           "journal".
507
508       audit
509           Whether the audit records are delivered to auditd, the audit
510           daemon. If false, audit records will be sent only to the
511           NetworkManager logging system. If set to true, they will be also
512           sent to auditd. The default value is false.
513

CONNECTION SECTION

515       Specify default values for connections.
516
517       Such default values are only consulted if the corresponding
518       per-connection property explicitly allows for that. That means, all
519       these properties correspond to a property of the connection profile
520       (for example connection.mud-url). Only if the per-profile property is
521       set to a special value that indicates to use the default, the default
522       value from NetworkManager.conf is consulted. It depends on the
523       property, which is the special value that indicates fallback to the
524       default, but it usually is something like empty, unset values or
525       special numeric values like 0 or -1. That means the effectively used
526       value can first always be configured for each profile, and these
527       default values only matter if the per-profile values explicitly
528       indicates to use the default from NetworkManager.conf.
529
530       Example:
531
532           [connection]
533           ipv6.ip6-privacy=0
534
535
536   Supported Properties
537       Not all properties can be overwritten, only the following properties
538       are supported to have their default values configured (see nm-
539       settings(5) for details).
540
541       802-1x.auth-timeout
542
543       cdma.mtu
544
545       connection.auth-retries
546           If left unspecified, the default value is 3 tries before failing
547           the connection.
548
549       connection.autoconnect-slaves
550
551       connection.mud-url
552           If unspecified, MUD URL defaults to "none".
553
554       connection.lldp
555
556       connection.llmnr
557           If unspecified, the ultimate default values depends on the DNS
558           plugin. With systemd-resolved the default currently is "yes" (2)
559           and for all other plugins "no" (0).
560
561       connection.mdns
562           If unspecified, the ultimate default values depends on the DNS
563           plugin. With systemd-resolved the default currently is "no" (0) and
564           for all other plugins also "no" (0).
565
566       connection.stable-id
567
568       ethernet.cloned-mac-address
569           If left unspecified, it defaults to "preserve".
570
571       ethernet.generate-mac-address-mask
572
573       ethernet.mtu
574           If configured explicitly to 0, the MTU is not reconfigured during
575           device activation unless it is required due to IPv6 constraints. If
576           left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
577           MTU is not reconfigured during activation.
578
579       ethernet.wake-on-lan
580
581       gsm.mtu
582
583       hostname.from-dhcp
584
585       hostname.from-dns-lookup
586
587       hostname.only-from-default
588
589       hostname.priority
590
591       infiniband.mtu
592           If configured explicitly to 0, the MTU is not reconfigured during
593           device activation unless it is required due to IPv6 constraints. If
594           left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
595           MTU is left unspecified on activation.
596
597       ip-tunnel.mtu
598           If configured explicitly to 0, the MTU is not reconfigured during
599           device activation unless it is required due to IPv6 constraints. If
600           left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
601           default of 1500.
602
603       ipv4.dad-timeout
604
605       ipv4.dhcp-client-id
606
607       ipv4.dhcp-iaid
608           If left unspecified, it defaults to "ifname".
609
610       ipv4.dhcp-hostname-flags
611           If left unspecified, the value 3 (fqdn-encoded,fqdn-serv-update) is
612           used.
613
614       ipv4.dhcp-timeout
615           If left unspecified, the default value for the interface type is
616           used.
617
618       ipv4.dhcp-vendor-class-identifier
619           If left unspecified, the default is to not send the DHCP option to
620           the server.
621
622       ipv4.dns-priority
623           If unspecified or zero, use 50 for VPN profiles and 100 for other
624           profiles.
625
626       ipv4.required-timeout
627
628       ipv4.route-metric
629
630       ipv4.route-table
631           If left unspecified, routes are only added to the main table. Note
632           that this is different from explicitly selecting the main table
633           254, because of how NetworkManager removes extraneous routes from
634           the tables.
635
636       ipv6.ra-timeout
637           If left unspecified, the default value depends on the sysctl
638           solicitation settings.
639
640       ipv6.dhcp-duid
641           If left unspecified, it defaults to "lease".
642
643       ipv6.dhcp-iaid
644           If left unspecified, it defaults to "ifname".
645
646       ipv6.dhcp-hostname-flags
647           If left unspecified, the value 1 (fqdn-serv-update) is used.
648
649       ipv6.dhcp-timeout
650           If left unspecified, the default value for the interface type is
651           used.
652
653       ipv6.dns-priority
654           If unspecified or zero, use 50 for VPN profiles and 100 for other
655           profiles.
656
657       ipv6.ip6-privacy
658           If ipv6.ip6-privacy is unset, use the content of
659           "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.
660
661       ipv6.required-timeout
662
663       ipv6.route-metric
664
665       ipv6.route-table
666           If left unspecified, routes are only added to the main table. Note
667           that this is different from explicitly selecting the main table
668           254, because of how NetworkManager removes extraneous routes from
669           the tables.
670
671       sriov.autoprobe-drivers
672           If left unspecified, drivers are autoprobed when the SR-IOV VF gets
673           created.
674
675       vpn.timeout
676           If left unspecified, default value of 60 seconds is used.
677
678       wifi.ap-isolation
679           If left unspecified, AP isolation is disabled.
680
681       wifi.cloned-mac-address
682           If left unspecified, it defaults to "preserve".
683
684       wifi.generate-mac-address-mask
685
686       wifi.mac-address-randomization
687           If left unspecified, MAC address randomization is disabled. This
688           setting is deprecated for wifi.cloned-mac-address.
689
690       wifi.mtu
691           If configured explicitly to 0, the MTU is not reconfigured during
692           device activation unless it is required due to IPv6 constraints. If
693           left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
694           default of 1500.
695
696       wifi.powersave
697           If left unspecified, the default value "ignore" will be used.
698
699       wifi-sec.pmf
700           If left unspecified, the default value "optional" will be used.
701
702       wifi-sec.fils
703           If left unspecified, the default value "optional" will be used.
704
705       wifi.wake-on-wlan
706
707       wireguard.mtu
708
709
710   Sections
711       You can configure multiple connection sections, by having different
712       sections with a name that all start with "connection". Example:
713
714           [connection]
715           ipv6.ip6-privacy=0
716           connection.autoconnect-slaves=1
717           vpn.timeout=120
718
719           [connection-wifi-wlan0]
720           match-device=interface-name:wlan0
721           ipv4.route-metric=50
722
723           [connection-wifi-other]
724           match-device=type:wifi
725           ipv4.route-metric=55
726           ipv6.ip6-privacy=1
727
728       The sections within one file are considered in order of appearance,
729       with the exception that the [connection] section is always considered
730       last. In the example above, this order is [connection-wifi-wlan0],
731       [connection-wlan-other], and [connection]. When checking for a default
732       configuration value, the sections are searched until the requested
733       value is found. In the example above, "ipv4.route-metric" for wlan0
734       interface is set to 50, and for all other Wi-Fi typed interfaces to 55.
735       Also, Wi-Fi devices would have IPv6 private addresses enabled by
736       default, but other devices would have it disabled. Note that also
737       "wlan0" gets "ipv6.ip6-privacy=1", because although the section
738       "[connection-wifi-wlan0]" matches the device, it does not contain that
739       property and the search continues.
740
741       When having different sections in multiple files, sections from files
742       that are read later have higher priority. So within one file the
743       priority of the sections is top-to-bottom. Across multiple files later
744       definitions take precedence.
745
746       The following properties further control how a connection section
747       applies.
748
749       match-device
750           An optional device spec that restricts when the section applies.
751           See the section called “Device List Format” for the possible
752           values.
753
754       stop-match
755           An optional boolean value which defaults to no. If the section
756           matches (based on match-device), further sections will not be
757           considered even if the property in question is not present. In the
758           example above, if [connection-wifi-wlan0] would have stop-match set
759           to yes, the device wlan0 would have ipv6.ip6-privacy property
760           unspecified. That is, the search for the property would not
761           continue in the connection sections [connection-wifi-other] or
762           [connection].
763

DEVICE SECTION

765       Contains per-device persistent configuration.
766
767       Example:
768
769           [device]
770           match-device=interface-name:eth3
771           managed=1
772
773
774   Supported Properties
775       The following properties can be configured per-device.
776
777       managed
778           Whether the device is managed or not. A device can be marked as
779           managed via udev rules (ENV{NM_UNMANAGED}), or via setting plugins
780           (keyfile.unmanaged-devices). This is yet another way. Note that
781           this configuration can be overruled at runtime via D-Bus. Also, it
782           has higher priority then udev rules.
783
784       carrier-wait-timeout
785           Specify the timeout for waiting for carrier in milliseconds. The
786           default is 5000 milliseconds. This setting exists because certain
787           drivers/hardware can take a long time to detect whether the cable
788           is plugged in.
789
790           When the device loses carrier, NetworkManager does not react
791           immediately. Instead, it waits for this timeout before considering
792           the link lost.
793
794           Also, on startup, NetworkManager considers the device as busy for
795           this time, as long as the device has no carrier. This delays
796           startup-complete signal and NetworkManager-wait-online. Configuring
797           this too high means to block NetworkManager-wait-online longer than
798           necessary when booting with cable unplugged. Configuring it too
799           low, means that NetworkManager will declare startup-complete too
800           soon, although carrier is about to come and auto-activation to kick
801           in. Note that if a profile only has static IP configuration or
802           Layer 3 configuration disabled, then it can already autoconnect
803           without carrier on the device. Once such a profile reaches full
804           activated state, startup-complete is considered as reached even if
805           the device has no carrier yet.
806
807       ignore-carrier
808           Specify devices for which NetworkManager will (partially) ignore
809           the carrier state. Normally, for device types that support
810           carrier-detect, such as Ethernet and InfiniBand, NetworkManager
811           will only allow a connection to be activated on the device if
812           carrier is present (ie, a cable is plugged in), and it will
813           deactivate the device if carrier drops for more than a few seconds.
814
815           A device with carrier ignored will allow activating connections on
816           that device even when it does not have carrier, provided that the
817           connection uses only statically-configured IP addresses.
818           Additionally, it will allow any active connection (whether static
819           or dynamic) to remain active on the device when carrier is lost.
820
821           Note that the "carrier" property of NMDevices and device D-Bus
822           interfaces will still reflect the actual device state; it's just
823           that NetworkManager will not make use of that information.
824
825           Master types like bond, bridge and team ignore carrier by default,
826           while other device types react on carrier changes by default.
827
828           This setting overwrites the deprecated main.ignore-carrier setting
829           above.
830
831       keep-configuration
832           On startup, NetworkManager tries to not interfere with interfaces
833           that are already configured. It does so by generating a in-memory
834           connection based on the interface current configuration.
835
836           If this generated connection matches one of the existing persistent
837           connections, the persistent connection gets activated. If there is
838           no match, the generated connection gets activated as "external",
839           which means that the connection is considered as active, but
840           NetworkManager doesn't actually touch the interface.
841
842           It is possible to disable this behavior by setting
843           keep-configuration to no. In this way, on startup NetworkManager
844           always tries to activate the most suitable persistent connection
845           (the one with highest autoconnect-priority or, in case of a tie,
846           the one activated most recently).
847
848           Note that when NetworkManager gets restarted, it stores the
849           previous state in /run/NetworkManager; in particular it saves the
850           UUID of the connection that was previously active so that it can be
851           activated again after the restart. Therefore, keep-configuration
852           does not have any effect on service restart.
853
854       allowed-connections
855           A list of connections that can be activated on the device. See the
856           section called “Connection List Format” for the syntax to specify a
857           connection. If this option is not specified, all connections can be
858           potentially activated on the device, provided that the connection
859           type and other settings match.
860
861           A notable use case for this is to filter which connections can be
862           activated based on how they were created; see the origin keyword in
863           the section called “Connection List Format”.
864
865       wifi.scan-rand-mac-address
866           Configures MAC address randomization of a Wi-Fi device during
867           scanning. This defaults to yes in which case a random,
868           locally-administered MAC address will be used. The setting
869           wifi.scan-generate-mac-address-mask allows to influence the
870           generated MAC address to use certain vendor OUIs. If disabled, the
871           MAC address during scanning is left unchanged to whatever is
872           configured. For the configured MAC address while the device is
873           associated, see instead the per-connection setting
874           wifi.cloned-mac-address.
875
876       wifi.backend
877           Specify the Wi-Fi backend used for the device. Currently, supported
878           are wpa_supplicant and iwd (experimental).
879
880       wifi.scan-generate-mac-address-mask
881           Like the per-connection settings ethernet.generate-mac-address-mask
882           and wifi.generate-mac-address-mask, this allows to configure the
883           generated MAC addresses during scanning. See nm-settings(5) for
884           details.
885
886       wifi.iwd.autoconnect
887           If wifi.backend is iwd, setting this to false forces IWD's
888           autoconnect mechanism to be disabled for this device and
889           connections will only be initiated by NetworkManager whether
890           commanded by a client or automatically. Leaving it true (default)
891           stops NetworkManager from automatically initiating connections and
892           allows IWD to use its network ranking and scanning logic to decide
893           the best networks to autoconnect to next. Connections'
894           autoconnect-priority, autoconnect-retries settings will be ignored.
895           Other settings like permissions or multi-connect may interfere with
896           IWD connection attempts.
897
898       sriov-num-vfs
899           Specify the number of virtual functions (VF) to enable for a PCI
900           physical device that supports single-root I/O virtualization
901           (SR-IOV).
902
903   Sections
904       The [device] section works the same as the [connection] section. That
905       is, multiple sections that all start with the prefix "device" can be
906       specified. The settings "match-device" and "stop-match" are available
907       to match a device section on a device. The order of multiple sections
908       is also top-down within the file and later files overwrite previous
909       settings. See “Sections” under the section called “CONNECTION SECTION”
910       for details.
911

CONNECTIVITY SECTION

913       This section controls NetworkManager's optional connectivity checking
914       functionality. This allows NetworkManager to detect whether or not the
915       system can actually access the internet or whether it is behind a
916       captive portal.
917
918       Connectivity checking serves two purposes. For one, it exposes a
919       connectivity state on D-Bus, which other applications may use. For
920       example, Gnome's portal helper uses this as signal to show a captive
921       portal login page. The other use is that default-route of devices
922       without global connectivity get a penalty of +20000 to the
923       route-metric. This has the purpose to give a better default-route to
924       devices that have global connectivity. For example, when being
925       connected to WWAN and to a Wi-Fi network which is behind a captive
926       portal, WWAN still gets preferred until login.
927
928       Note that your distribution might set
929       /proc/sys/net/ipv4/conf/*/rp_filter to strict filtering. That works
930       badly with per-device connectivity checking, which uses SO_BINDDEVICE
931       to send requests on all devices. A strict rp_filter setting will reject
932       any response and the connectivity check on all but the best route will
933       fail.
934
935       enabled
936           Whether connectivity check is enabled. Note that to enable
937           connectivity check, a valid uri must also be configured. The value
938           defaults to true, but since the uri is unset by default,
939           connectivity check may be disabled. The main purpose of this option
940           is to have a single flag to disable connectivity check. Note that
941           this setting can also be set via D-Bus API at runtime. In that
942           case, the value gets stored in
943           /var/lib/NetworkManager/NetworkManager-intern.conf file.
944
945       uri
946           The URI of a web page to periodically request when connectivity is
947           being checked. This page should return the header
948           "X-NetworkManager-Status" with a value of "online". Alternatively,
949           its body content should be set to "NetworkManager is online". The
950           body content check can be controlled by the response option. If
951           this option is blank or missing, connectivity checking is disabled.
952
953       interval
954           Specified in seconds; controls how often connectivity is checked
955           when a network connection exists. If set to 0 connectivity checking
956           is disabled. If missing, the default is 300 seconds.
957
958       response
959           If set, controls what body content NetworkManager checks for when
960           requesting the URI for connectivity checking. Note that this only
961           compares that the HTTP response starts with the specifid text, it
962           does not compare the exact string. This behavior might change in
963           the future, so avoid relying on it. If missing, the response
964           defaults to "NetworkManager is online". If set to empty, the HTTP
965           server is expected to answer with status code 204 or send no data.
966

GLOBAL-DNS SECTION

968       This section specifies global DNS settings that override
969       connection-specific configuration.
970
971       searches
972           A list of search domains to be used during hostname lookup.
973
974       options
975           A list of options to be passed to the hostname resolver.
976

GLOBAL-DNS-DOMAIN SECTIONS

978       Sections with a name starting with the "global-dns-domain-" prefix
979       allow to define global DNS configuration for specific domains. The part
980       of section name after "global-dns-domain-" specifies the domain name a
981       section applies to. More specific domains have the precedence over less
982       specific ones and the default domain is represented by the wildcard
983       "*". A default domain section is mandatory.
984
985       servers
986           A list of addresses of DNS servers to be used for the given domain.
987
988       options
989           A list of domain-specific DNS options. Not used at the moment.
990

.CONFIG SECTIONS

992       This is a special section that contains options which apply to the
993       configuration file that contains the option.
994
995       enable
996           Defaults to "true". If "false", the configuration file will be
997           skipped during loading. Note that the main configuration file
998           NetworkManager.conf cannot be disabled.
999
1000               # always skip loading the config file
1001               [.config]
1002               enable=false
1003
1004           You can also match against the version of NetworkManager. For
1005           example the following are valid configurations:
1006
1007               # only load on version 1.0.6
1008               [.config]
1009               enable=nm-version:1.0.6
1010
1011               # load on all versions 1.0.x, but not 1.2.x
1012               [.config]
1013               enable=nm-version:1.0
1014
1015               # only load on versions >= 1.1.6. This does not match
1016               # with version 1.2.0 or 1.4.4. Only the last digit is considered.
1017               [.config]
1018               enable=nm-version-min:1.1.6
1019
1020               # only load on versions >= 1.2. Contrary to the previous
1021               # example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.
1022               [.config]
1023               enable=nm-version-min:1.2
1024
1025               # Match against the maximum allowed version. The example matches
1026               # versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
1027               # is allowed to be smaller. So this would not match on 1.1.10.
1028               [.config]
1029               enable=nm-version-max:1.2.6
1030
1031           You can also match against the value of the environment variable
1032           NM_CONFIG_ENABLE_TAG, like:
1033
1034               # always skip loading the file when running NetworkManager with
1035               # environment variable "NM_CONFIG_ENABLE_TAG=TAG1"
1036               [.config]
1037               enable=env:TAG1
1038
1039           More then one match can be specified. The configuration will be
1040           enabled if one of the predicates matches ("or"). The special prefix
1041           "except:" can be used to negate the match. Note that if one
1042           except-predicate matches, the entire configuration will be
1043           disabled. In other words, a except predicate always wins over other
1044           predicates. If the setting only consists of "except:" matches and
1045           none of the negative conditions are satisfied, the configuration is
1046           still enabled.
1047
1048               # enable the configuration either when the environment variable
1049               # is present or the version is at least 1.2.0.
1050               [.config]
1051               enable=env:TAG2,nm-version-min:1.2
1052
1053               # enable the configuration for version >= 1.2.0, but disable
1054               # it when the environment variable is set to "TAG3"
1055               [.config]
1056               enable=except:env:TAG3,nm-version-min:1.2
1057
1058               # enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
1059               # Useful if a certain feature is only present since those releases.
1060               [.config]
1061               enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
1062
1063

PLUGINS

1065       Settings plugins for reading and writing connection profiles. The
1066       number of available plugins is distribution specific.
1067
1068       keyfile
1069           The keyfile plugin is the generic plugin that supports all the
1070           connection types and capabilities that NetworkManager has. It
1071           writes files out in an .ini-style format in
1072           /etc/NetworkManager/system-connections. See nm-settings-keyfile(5)
1073           for details about the file format.
1074
1075           The stored connection file may contain passwords, secrets and
1076           private keys in plain text, so it will be made readable only to
1077           root, and the plugin will ignore files that are readable or
1078           writable by any user or group other than root. See "Secret flag
1079           types" in nm-settings(5) for how to avoid storing passwords in
1080           plain text.
1081
1082           This plugin is always active, and will automatically be used to
1083           store any connections that aren't supported by any other active
1084           plugin.
1085
1086       ifcfg-rh
1087           This plugin is used on the Fedora and Red Hat Enterprise Linux
1088           distributions to read and write configuration from the standard
1089           /etc/sysconfig/network-scripts/ifcfg-* files. It currently supports
1090           reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team
1091           connections. Enabling ifcfg-rh implicitly enables ibft plugin, if
1092           it is available. This can be disabled by adding no-ibft. See
1093           /usr/share/doc/initscripts/sysconfig.txt and nm-settings-ifcfg-
1094           rh(5) for more information about the ifcfg file format.
1095
1096       ifupdown
1097           This plugin is used on the Debian and Ubuntu distributions, and
1098           reads Ethernet and Wi-Fi connections from /etc/network/interfaces.
1099
1100           This plugin is read-only; any connections (of any type) added from
1101           within NetworkManager when you are using this plugin will be saved
1102           using the keyfile plugin instead.
1103
1104       ibft, no-ibft
1105           These plugins are deprecated and their selection has no effect.
1106           This is now handled by nm-initrd-generator.
1107
1108       ifcfg-suse, ifnet
1109           These plugins are deprecated and their selection has no effect. The
1110           keyfile plugin should be used instead.
1111

APPENDIX

1113   Device List Format
1114       The configuration options main.no-auto-default, main.ignore-carrier,
1115       keyfile.unmanaged-devices, connection*.match-device and
1116       device*.match-device select devices based on a list of matchings.
1117       Devices can be specified using the following format:
1118
1119       *
1120           Matches every device.
1121
1122       IFNAME
1123           Case sensitive match of interface name of the device. Globbing is
1124           not supported.
1125
1126       HWADDR
1127           Match the permanent MAC address of the device. Globbing is not
1128           supported
1129
1130       interface-name:IFNAME, interface-name:~IFNAME
1131           Case sensitive match of interface name of the device. Simple
1132           globbing is supported with * and ?. Ranges and escaping is not
1133           supported.
1134
1135       interface-name:=IFNAME
1136           Case sensitive match of interface name of the device. Globbing is
1137           disabled and IFNAME is taken literally.
1138
1139       mac:HWADDR
1140           Match the permanent MAC address of the device. Globbing is not
1141           supported
1142
1143       s390-subchannels:HWADDR
1144           Match the device based on the subchannel address. Globbing is not
1145           supported
1146
1147       type:TYPE
1148           Match the device type. Valid type names are as reported by "nmcli
1149           -f GENERAL.TYPE device show". Globbing is not supported.
1150
1151       driver:DRIVER
1152           Match the device driver as reported by "nmcli -f
1153           GENERAL.DRIVER,GENERAL.DRIVER-VERSION device show". "DRIVER" must
1154           match the driver name exactly and does not support globbing.
1155           Optionally, a driver version may be specified separated by '/'.
1156           Globbing is supported for the version.
1157
1158       dhcp-plugin:DHCP
1159           Match the configured DHCP plugin "main.dhcp".
1160
1161       except:SPEC
1162           Negative match of a device.  SPEC must be explicitly qualified with
1163           a prefix such as interface-name:. A negative match has higher
1164           priority then the positive matches above.
1165
1166           If there is a list consisting only of negative matches, the
1167           behavior is the same as if there is also match-all. That means, if
1168           none of all the negative matches is satisfied, the overall result
1169           is still a positive match. That means, "except:interface-name:eth0"
1170           is the same as "*,except:interface-name:eth0".
1171
1172       SPEC[,;]SPEC
1173           Multiple specs can be concatenated with commas or semicolons. The
1174           order does not matter as matches are either inclusive or negative
1175           (except:), with negative matches having higher priority.
1176
1177           Backslash is supported to escape the separators ';' and ',', and to
1178           express special characters such as newline ('\n'), tabulator
1179           ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
1180           interface names cannot be escaped. Whitespace is not a separator
1181           but will be trimmed between two specs (unless escaped as '\s').
1182
1183       Example:
1184
1185           interface-name:em4
1186           mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
1187           interface-name:vboxnet*,except:interface-name:vboxnet2
1188           *,except:mac:00:22:68:1c:59:b1
1189
1190
1191   Connection List Format
1192       Connections can be specified using the following format:
1193
1194       *
1195           Matches every connection.
1196
1197       uuid:UUID
1198           Match the connection by UUID, for example
1199           "uuid:83037490-1d17-4986-a397-01f1db3a7fc2"
1200
1201       id=ID
1202           Match the connection by name.
1203
1204       origin:ORIGIN
1205           Match the connection by origin, stored in the
1206           org.freedesktop.NetworkManager.origin tag of the user setting. For
1207           example, use "except:origin:nm-initrd-generator" to forbid
1208           activation of connections created by the initrd generator.
1209
1210       except:SPEC
1211           Negative match of a connection. A negative match has higher
1212           priority then the positive matches above.
1213
1214           If there is a list consisting only of negative matches, the
1215           behavior is the same as if there is also match-all. That means, if
1216           none of all the negative matches is satisfied, the overall result
1217           is still a positive match.
1218
1219       SPEC[,;]SPEC
1220           Multiple specs can be concatenated with commas or semicolons. The
1221           order does not matter as matches are either inclusive or negative
1222           (except:), with negative matches having higher priority.
1223
1224           Backslash is supported to escape the separators ';' and ',', and to
1225           express special characters such as newline ('\n'), tabulator
1226           ('\t'), whitespace ('\s') and backslash ('\\'). Whitespace is not a
1227           separator but will be trimmed between two specs (unless escaped as
1228           '\s').
1229

SEE ALSO

1231       NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1), nm-
1232       settings(5), nm-applet(1), nm-connection-editor(1)
1233
1234
1235
1236NetworkManager 1.32.12                                  NETWORKMANAGER.CONF(5)
Impressum