1NETWORKMANAGER.CONF(5) Configuration NETWORKMANAGER.CONF(5)
2
6 NetworkManager.conf - NetworkManager configuration file
7
9 /etc/NetworkManager/NetworkManager.conf,
10 /etc/NetworkManager/conf.d/name.conf,
11 /run/NetworkManager/conf.d/name.conf,
12 /usr/lib/NetworkManager/conf.d/name.conf,
13 /var/lib/NetworkManager/NetworkManager-intern.conf
14
16 NetworkManager.conf is the configuration file for NetworkManager. It is
17 used to set up various aspects of NetworkManager's behavior. The
18 location of the main file and configuration directories may be changed
19 through use of the --config, --config-dir, --system-config-dir, and
20 --intern-config argument for NetworkManager, respectively.
21 If a default NetworkManager.conf is provided by your distribution's
23 packages, you should not modify it, since your changes may get
24 overwritten by package updates. Instead, you can add additional .conf
25 files to the /etc/NetworkManager/conf.d directory. These will be read
26 in order, with later files overriding earlier ones. Packages might
27 install further configuration snippets to
28 /usr/lib/NetworkManager/conf.d. This directory is parsed first, even
29 before NetworkManager.conf. Scripts can also put per-boot configuration
30 into /run/NetworkManager/conf.d. This directory is parsed second, also
31 before NetworkManager.conf. The loading of a file
32 /run/NetworkManager/conf.d/name.conf can be prevented by adding a file
33 /etc/NetworkManager/conf.d/name.conf. Likewise, a file
34 /usr/lib/NetworkManager/conf.d/name.conf can be shadowed by putting a
35 file of the same name to either /etc/NetworkManager/conf.d or
36 /run/NetworkManager/conf.d.
37 NetworkManager can overwrite certain user configuration options via
39 D-Bus or other internal operations. In this case it writes those
40 changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This
41 file is not intended to be modified by the user, but it is read last
42 and can shadow user configuration from NetworkManager.conf.
43 Certain settings from the configuration can be reloaded at runtime
45 either by sending SIGHUP signal or via D-Bus' Reload call.
46 NetworkManager does not require any configuration in
48 NetworkManager.conf. Depending on your use case, you may remove all
49 files to restore the default configuration (factory reset). But note
50 that your distribution or other packages may drop configuration
51 snippets for NetworkManager, such that they are part of the factory
52 default.
53
55 The configuration file format is so-called key file (sort of ini-style
56 format). It consists of sections (groups) of key-value pairs. Lines
57 beginning with a '#' and blank lines are considered comments. Sections
58 are started by a header line containing the section enclosed in '[' and
59 ']', and ended implicitly by the start of the next section or the end
60 of the file. Each key-value pair must be contained in a section.
61 For keys that take a list of devices as their value, you can specify
63 devices by their MAC addresses or interface names, or "*" to specify
64 all devices. See the section called “Device List Format” below.
65 A simple configuration file looks like this:
67 [main]
69 plugins=keyfile
70 As an extension to the normal keyfile format, you can also append a
72 value to a previously-set list-valued key by doing:
73 plugins+=another-plugin
75 plugins-=remove-me
76
79 plugins
80 Lists system settings plugin names separated by ','. These plugins
81 are used to read and write system-wide connection profiles. When
82 multiple plugins are specified, the connections are read from all
83 listed plugins. When writing connections, the plugins will be asked
84 to save the connection in the order listed here; if the first
85 plugin cannot write out that connection type (or can't write out
86 any connections) the next plugin is tried, etc. If none of the
87 plugins can save the connection, an error is returned to the user.
88 The default value and the number of available plugins is
90 distro-specific. See the section called “PLUGINS” below for the
91 available plugins. Note that NetworkManager's native keyfile plugin
92 is always appended to the end of this list (if it doesn't already
93 appear earlier in the list).
94 monitor-connection-files
96 This setting is deprecated and has no effect. Profiles from disk
97 are never automatically reloaded. Use for example nmcli connection
98 (re)load for that.
99 auth-polkit
101 Whether the system uses PolicyKit for authorization. If true,
102 non-root requests are authorized using PolicyKit. Requests from
103 root (user ID zero) are always granted without asking PolicyKit. If
104 false, all requests will be allowed and PolicyKit is not used. If
105 set to root-only PolicyKit is not used and all requests except root
106 are denied. The default value is true.
107 dhcp
109 This key sets up what DHCP client NetworkManager will use. Allowed
110 values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd
111 options require the indicated clients to be installed. The internal
112 option uses a built-in DHCP client which is not currently as
113 featureful as the external clients.
114 If this key is missing, it defaults to internal. If the chosen
116 plugin is not available, clients are looked for in this order:
117 dhclient, dhcpcd, internal.
118 no-auto-default
120 Specify devices for which NetworkManager shouldn't create default
121 wired connection (Auto eth0). By default, NetworkManager creates a
122 temporary wired connection for any Ethernet device that is managed
123 and doesn't have a connection configured. List a device in this
124 option to inhibit creating the default connection for the device.
125 May have the special value * to apply to all devices.
126 When the default wired connection is deleted or saved to a new
128 persistent connection by a plugin, the device is added to a list in
129 the file /var/lib/NetworkManager/no-auto-default.state to prevent
130 creating the default connection for that device again.
131 See the section called “Device List Format” for the syntax how to
133 specify a device.
134 Example:
136 no-auto-default=00:22:68:5c:5d:c4,00:1e:65:ff:aa:ee
138 no-auto-default=eth0,eth1
139 no-auto-default=*
140 ignore-carrier
143 This setting is deprecated for the per-device setting
144 ignore-carrier which overwrites this setting if specified (See
145 ignore-carrier). Otherwise, it is a list of matches to specify for
146 which device carrier should be ignored. See the section called
147 “Device List Format” for the syntax how to specify a device. Note
148 that master types like bond, bridge, and team ignore carrier by
149 default. You can however revert that default using the "except:"
150 specifier (or better, use the per-device setting instead of the
151 deprecated setting).
152 assume-ipv6ll-only
154 Specify devices for which NetworkManager will try to generate a
155 connection based on initial configuration when the device only has
156 an IPv6 link-local address.
157 See the section called “Device List Format” for the syntax how to
159 specify a device.
160 configure-and-quit
162 This option is no longer useful to configure in NetworkManager.conf
163 file. It can however also be configured on the command line with
164 the same values, where it has some use.
165 When set to 'initrd', NetworkManager does not connect to D-Bus and
167 quits after configuring the network. This is an implementation
168 detail how the NetworkManager module of dracut can run
169 NetworkManager. An alternative to this is having NetworkManager as
170 a systemd service with D-Bus in initrd.
171 The value 'true' is unsupported since version 1.36. Previously this
173 was a mode where NetworkManager would quit after configuring the
174 network and run helper processes for DHCP and SLAAC.
175 Otherwise, NetworkManager runs a system service with D-Bus and does
177 not quit during normal operation.
178 hostname-mode
180 Set the management mode of the hostname. This parameter will affect
181 only the transient hostname. If a valid static hostname is set,
182 NetworkManager will skip the update of the hostname despite the
183 value of this option. An hostname empty or equal to 'localhost',
184 'localhost6', 'localhost.localdomain' or 'localhost6.localdomain'
185 is considered invalid.
186 default: NetworkManager will update the hostname with the one
188 provided via DHCP or reverse DNS lookup of the IP address on the
189 connection with the default route or on any connection with the
190 property hostname.only-from-default set to 'false'. Connections are
191 considered in order of increasing value of the hostname.priority
192 property. In case multiple connections have the same priority,
193 connections activated earlier are considered first. If no hostname
194 can be determined in such way, the hostname will be updated to the
195 last one set outside NetworkManager or to 'localhost.localdomain'.
196 dhcp: this is similar to 'default', with the difference that after
198 trying to get the DHCP hostname, reverse DNS lookup is not done.
199 Note that selecting this option is equivalent to setting the
200 property 'hostname.from-dns-lookup' to 'false' globally for all
201 connections in NetworkManager.conf.
202 none: NetworkManager will not manage the transient hostname and
204 will never set it.
205 dns
207 Set the DNS processing mode.
208 If the key is unspecified, default is used, unless /etc/resolv.conf
210 is a symlink to /run/systemd/resolve/stub-resolv.conf,
211 /run/systemd/resolve/resolv.conf, /lib/systemd/resolv.conf or
212 /usr/lib/systemd/resolv.conf. In that case, systemd-resolved is
213 chosen automatically.
214 default: NetworkManager will update /etc/resolv.conf to reflect the
216 nameservers provided by currently active connections. The
217 rc-manager setting (below) controls how this is done.
218 dnsmasq: NetworkManager will run dnsmasq as a local caching
220 nameserver, using "Conditional Forwarding" if you are connected to
221 a VPN, and then update resolv.conf to point to the local
222 nameserver. It is possible to pass custom options to the dnsmasq
223 instance by adding them to files in the
224 "/etc/NetworkManager/dnsmasq.d/" directory. Note that when multiple
225 upstream servers are available, dnsmasq will initially contact them
226 in parallel and then use the fastest to respond, probing again
227 other servers after some time. This behavior can be modified
228 passing the 'all-servers' or 'strict-order' options to dnsmasq (see
229 the manual page for more details).
230 systemd-resolved: NetworkManager will push the DNS configuration to
232 systemd-resolved
233 none: NetworkManager will not modify resolv.conf. This implies
235 rc-manager unmanaged
236 Note that the plugins dnsmasq and systemd-resolved are caching
238 local nameservers. Hence, when NetworkManager writes
239 /run/NetworkManager/resolv.conf and /etc/resolv.conf (according to
240 rc-manager setting below), the name server there will be localhost
241 only. NetworkManager also writes a file
242 /run/NetworkManager/no-stub-resolv.conf that contains the original
243 name servers pushed to the DNS plugin.
244 When using dnsmasq and systemd-resolved per-connection added dns
246 servers will always be queried using the device the connection has
247 been activated on.
248 rc-manager
250 Set the resolv.conf management mode. This option is about how
251 NetworkManager writes to /etc/resolv.conf, if at all. The default
252 value depends on NetworkManager build options, and this version of
253 NetworkManager was build with a default of "auto". Regardless of
254 this setting, NetworkManager will always write its version of
255 resolv.conf to its runtime state directory as
256 /run/NetworkManager/resolv.conf.
257 If you configure dns=none or make /etc/resolv.conf immutable with
259 chattr +i, NetworkManager will ignore this setting and always
260 choose unmanaged (below).
261 auto: if systemd-resolved plugin is configured via the dns setting
263 or if it gets detected as main DNS plugin, NetworkManager will
264 update systemd-resolved without touching /etc/resolv.conf.
265 Alternatively, if resolvconf or netconfig are enabled at compile
266 time and the respective binary is found, NetworkManager will
267 automatically use it. Note that if you install or uninstall these
268 binaries, you need to reload the rc-manager setting with SIGHUP or
269 systemctl reload NetworkManager. As last fallback it uses the
270 symlink option (see next).
271 symlink: If /etc/resolv.conf is a regular file or does not exist,
273 NetworkManager will write the file directly. If /etc/resolv.conf is
274 instead a symlink, NetworkManager will leave it alone. Unless the
275 symlink points to the internal file
276 /run/NetworkManager/resolv.conf, in which case the symlink will be
277 updated to emit an inotify notification. This allows the user to
278 conveniently instruct NetworkManager not to manage /etc/resolv.conf
279 by replacing it with a symlink.
280 file: NetworkManager will write /etc/resolv.conf as regular file.
282 If it finds a symlink to an existing target, it will follow the
283 symlink and update the target instead. In no case will an existing
284 symlink be replaced by a file. Note that older versions of
285 NetworkManager behaved differently and would replace dangling
286 symlinks with a plain file.
287 resolvconf: NetworkManager will run resolvconf to update the DNS
289 configuration.
290 netconfig: NetworkManager will run netconfig to update the DNS
292 configuration.
293 unmanaged: don't touch /etc/resolv.conf.
295 none: deprecated alias for symlink.
297 systemd-resolved
299 Send the connection DNS configuration to systemd-resolved. Defaults
300 to "true".
301 Note that this setting is complementary to the dns setting. You can
303 keep this enabled while using dns set to another DNS plugin
304 alongside systemd-resolved, or dns set to systemd-resolved to
305 configure the system resolver to use systemd-resolved.
306 If systemd-resolved is enabled, the connectivity check resolves the
308 hostname per-device.
309 debug
311 Comma separated list of options to aid debugging. This value will
312 be combined with the environment variable NM_DEBUG. Currently, the
313 following values are supported:
314 RLIMIT_CORE: set ulimit -c unlimited to write out core dumps.
316 Beware, that a core dump can contain sensitive information such as
317 passwords or configuration settings.
318 fatal-warnings: set g_log_set_always_fatal() to core dump on
320 warning messages from glib. This is equivalent to the
321 --g-fatal-warnings command line option.
322 autoconnect-retries-default
324 The number of times a connection activation should be automatically
325 tried before switching to another one. This value applies only to
326 connections that can auto-connect and have a
327 connection.autoconnect-retries property set to -1. If not
328 specified, connections will be tried 4 times. Setting this value to
329 1 means to try activation once, without retry.
330 slaves-order
332 This key specifies in which order slave connections are
333 auto-activated on boot or when the master activates them. Allowed
334 values are name (order connection by interface name, the default),
335 or index (order slaves by their kernel index).
336 firewall-backend
338 The firewall backend for configuring masquerading with shared mode.
339 Set to either iptables, nftables or none. iptables and nftables
340 require iptables and nft application, respectively. none means to
341 skip firewall configuration if the users wish to manage firewall
342 themselves. If unspecified, it will be auto detected.
343 iwd-config-path
345 If the value is "auto" (the default), IWD is queried for its
346 current state directory when it appears on D-Bus -- the directory
347 where IWD keeps its network configuration files -- usually
348 /var/lib/iwd. NetworkManager will then attempt to write copies of
349 new or modified Wi-Fi connection profiles, converted into the IWD
350 format, into this directory thus making IWD connection properties
351 editable. NM will overwrite existing files without preserving their
352 contents.
353 The path can also be overriden by pointing to a specific existing
355 and writable directory. On the other hand setting this to an empty
356 string or any other value disables the profile conversion
357 mechanism.
358 This mechanism allows editing connection profile settings such as
360 the 802.1x configuration using NetworkManager clients. Without it
361 such changes have no effect in IWD.
362
364 This section contains keyfile-plugin-specific options, and is normally
365 only used when you are not using any other distro-specific plugin.
366 hostname
368 This key is deprecated and has no effect since the hostname is now
369 stored in /etc/hostname or other system configuration files
370 according to build options.
371 path
373 The location where keyfiles are read and stored. This defaults to
374 "/etc/NetworkManager/system-connections".
375 unmanaged-devices
377 Set devices that should be ignored by NetworkManager.
378 A device unmanaged due to this option is strictly unmanaged and
380 cannot be overruled by using the API like nmcli device set $IFNAME
381 managed yes. Also, a device that is unmanaged for other reasons,
382 like an udev rule, cannot be made managed with this option (e.g. by
383 using an except: specifier). These two points make it different
384 from the device*.managed option which for that reason may be a
385 better choice.
386 See the section called “Device List Format” for the syntax on how
388 to specify a device.
389 Example:
391 unmanaged-devices=interface-name:em4
393 unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
394
397 This section contains ifupdown-specific options and thus only has
398 effect when using the ifupdown plugin.
399 managed
401 If set to true, then interfaces listed in /etc/network/interfaces
402 are managed by NetworkManager. If set to false, then any interface
403 listed in /etc/network/interfaces will be ignored by
404 NetworkManager. Remember that NetworkManager controls the default
405 route, so because the interface is ignored, NetworkManager may
406 assign the default route to some other interface.
407 The default value is false.
409
411 This section controls NetworkManager's logging. Logging is very
412 important to understand what NetworkManager is doing. When you report a
413 bug, do not unnecessarily filter or limit the log file. Just enable
414 level=TRACE and domains=ALL to collect everything.
415 The recommended way for enabling logging is with a file
417 /etc/NetworkManager/conf.d/95-logging.conf that contains
418 [logging]
420 level=TRACE
421 domains=ALL
422 and restart the daemon with systemctl restart NetworkManager. Then
424 reproduce the problem. You can find the logs in syslog (for example
425 journalctl).
426 Any settings here are overridden by the --log-level and --log-domains
428 command-line options. Logging can also be reconfigured at runtime with
429 nmcli general logging level "$LEVEL" domains "$DOMAINS". However, often
430 it is interesting to get a complete log from the start. Especially,
431 when debugging an issue, enable debug logging in NetworkManager.conf
432 and restart the service to enable verbose logging early on.
433 By setting nm.debug on the kernel command line (either from
435 /run/NetworkManager/proc-cmdline or /proc/cmdline), debug logging is
436 enabled. This overrides both the command-line options and the settings
437 from NetworkManager.conf.
438 NetworkManager's logging aims not to contain private sensitive data and
440 you should be fine sharing the debug logs. Still, there will be IP
441 addresses and your network setup, if you consider that private then
442 review the log before sharing. However, try not to mangle the logfile
443 in a way that distorts the meaning too much.
444 NetworkManager uses syslog or systemd-journald, depending on
446 configuration. In any case, debug logs are verbose and might be rate
447 limited or filtered by the logging daemon. For systemd-journald, see
448 RateLimitIntervalSec and RateLimitBurst in journald.conf manual for how
449 to disable that.
450 level
452 The default logging verbosity level. One of OFF, ERR, WARN, INFO,
453 DEBUG, TRACE, in order of verbosity.
454 OFF disables all logging. INFO is the default verbosity for
456 regular operation. TRACE is for debugging.
457 The other levels are in most cases not useful. For example, DEBUG
459 is between TRACE and INFO, but it's too verbose for regular
460 operation and lacks possibly interesting messages for debugging.
461 Almost always, when debugging an issue or reporting a bug, collect
462 full level TRACE logs to get the full picture.
463 domains
465 Filter the messages by their topic. When debugging an issue, it's
466 better to collect all logs (ALL domain) upfront. The unnecessary
467 parts can always be ignored later.
468 In the uncommon case to tune out certain topics, the following log
470 domains are available: PLATFORM, RFKILL, ETHER, WIFI, BT, MB,
471 DHCP4, DHCP6, PPP, WIFI_SCAN, IP4, IP6, AUTOIP4, DNS, VPN, SHARING,
472 SUPPLICANT, AGENTS, SETTINGS, SUSPEND, CORE, DEVICE, OLPC, WIMAX,
473 INFINIBAND, FIREWALL, ADSL, BOND, VLAN, BRIDGE, DBUS_PROPS, TEAM,
474 CONCHECK, DCB, DISPATCH, AUDIT, SYSTEMD, VPN_PLUGIN, PROXY.
475 In addition, these special domains can be used: NONE, ALL, DEFAULT,
477 DHCP, IP.
478 You can specify per-domain log level overrides by adding a colon
480 and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".
481 Another example is ALL,VPN_PLUGIN:TRACE to enable all the logging
482 there is (see about VPN_PLUGIN below).
483 Domain descriptions:
485 PLATFORM : OS (platform) operations
486 RFKILL : RFKill subsystem operations
487 ETHER : Ethernet device operations
488 WIFI : Wi-Fi device operations
489 BT : Bluetooth operations
490 MB : Mobile broadband operations
491 DHCP4 : DHCP for IPv4
492 DHCP6 : DHCP for IPv6
493 PPP : Point-to-point protocol operations
494 WIFI_SCAN : Wi-Fi scanning operations
495 IP4 : IPv4-related operations
496 IP6 : IPv6-related operations
497 AUTOIP4 : AutoIP operations
498 DNS : Domain Name System related operations
499 VPN : Virtual Private Network connections and
500 operations
501 SHARING : Connection sharing. With TRACE level log queries
502 for dnsmasq instance
503 SUPPLICANT : WPA supplicant related operations
504 AGENTS : Secret agents operations and communication
505 SETTINGS : Settings/config service operations
506 SUSPEND : Suspend/resume
507 CORE : Core daemon and policy operations
508 DEVICE : Activation and general interface operations
509 OLPC : OLPC Mesh device operations
510 WIMAX : WiMAX device operations
511 INFINIBAND : InfiniBand device operations
512 FIREWALL : FirewallD related operations
513 ADSL : ADSL device operations
514 BOND : Bonding operations
515 VLAN : VLAN operations
516 BRIDGE : Bridging operations
517 DBUS_PROPS : D-Bus property changes
518 TEAM : Teaming operations
519 CONCHECK : Connectivity check
520 DCB : Data Center Bridging (DCB) operations
521 DISPATCH : Dispatcher scripts
522 AUDIT : Audit records
523 SYSTEMD : Messages from internal libsystemd
524 VPN_PLUGIN : logging messages from VPN plugins
525 PROXY : logging messages for proxy handling
526 NONE : when given by itself logging is disabled
528 ALL : all log domains
529 DEFAULT : default log domains
530 DHCP : shortcut for "DHCP4,DHCP6"
531 IP : shortcut for "IP4,IP6"
532 HW : deprecated alias for "PLATFORM"
534 In general, the logfile should not contain passwords or private
536 data. However, you are always advised to check the file before
537 posting it online or attaching to a bug report. VPN_PLUGIN is
538 special as it might reveal private information of the VPN plugins
539 with verbose levels. Therefore this domain will be excluded when
540 setting ALL or DEFAULT to more verbose levels then INFO.
541 backend
543 The logging backend. Supported values are "syslog" and "journal".
544 When NetworkManager is started with "--debug" in addition all
545 messages will be printed to stderr. If unspecified, the default is
546 "journal".
547 audit
549 Whether the audit records are delivered to auditd, the audit
550 daemon. If false, audit records will be sent only to the
551 NetworkManager logging system. If set to true, they will be also
552 sent to auditd. The default value is false.
553
555 Specify default values for connections.
556 Such default values are only consulted if the corresponding
558 per-connection property explicitly allows for that. That means, all
559 these properties correspond to a property of the connection profile
560 (for example connection.mud-url). Only if the per-profile property is
561 set to a special value that indicates to use the default, the default
562 value from NetworkManager.conf is consulted. It depends on the
563 property, which is the special value that indicates fallback to the
564 default, but it usually is something like empty, unset values or
565 special numeric values like 0 or -1. That means the effectively used
566 value can first always be configured for each profile, and these
567 default values only matter if the per-profile values explicitly
568 indicates to use the default from NetworkManager.conf.
569 Example:
571 [connection]
573 ipv6.ip6-privacy=0
574 Supported Properties
577 Not all properties can be overwritten, only the following properties
578 are supported to have their default values configured (see nm-
579 settings(5) for details).
580 802-1x.auth-timeout
582 cdma.mtu
584 connection.auth-retries
586 If left unspecified, the default value is 3 tries before failing
587 the connection.
588 connection.autoconnect-slaves
590 connection.mud-url
592 If unspecified, MUD URL defaults to "none".
593 connection.lldp
595 connection.llmnr
597 If unspecified, the ultimate default values depends on the DNS
598 plugin. With systemd-resolved the default currently is "yes" (2)
599 and for all other plugins "no" (0).
600 connection.mdns
602 If unspecified, the ultimate default values depends on the DNS
603 plugin. With systemd-resolved the default currently is "no" (0) and
604 for all other plugins also "no" (0).
605 connection.mptcp-flags
607 If unspecified, the fallback is 0x22 ("enabled,subflow"). Note that
608 if sysctl /proc/sys/net/mptcp/enabled is disabled, NetworkManager
609 will still not configure endpoints.
610 connection.dns-over-tls
612 If unspecified, the ultimate default values depends on the DNS
613 plugin. With systemd-resolved the default currently is global
614 setting and for all other plugins "no" (0).
615 connection.stable-id
617 ethernet.cloned-mac-address
619 If left unspecified, it defaults to "preserve".
620 ethernet.generate-mac-address-mask
622 ethernet.mtu
624 If configured explicitly to 0, the MTU is not reconfigured during
625 device activation unless it is required due to IPv6 constraints. If
626 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
627 MTU is not reconfigured during activation.
628 ethernet.wake-on-lan
630 gsm.mtu
632 hostname.from-dhcp
634 hostname.from-dns-lookup
636 hostname.only-from-default
638 hostname.priority
640 infiniband.mtu
642 If configured explicitly to 0, the MTU is not reconfigured during
643 device activation unless it is required due to IPv6 constraints. If
644 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
645 MTU is left unspecified on activation.
646 ip-tunnel.mtu
648 If configured explicitly to 0, the MTU is not reconfigured during
649 device activation unless it is required due to IPv6 constraints. If
650 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
651 default of 1500.
652 ipv4.dad-timeout
654 ipv4.dhcp-client-id
656 ipv4.dhcp-iaid
658 If left unspecified, it defaults to "ifname".
659 ipv4.dhcp-hostname-flags
661 If left unspecified, the value 3 (fqdn-encoded,fqdn-serv-update) is
662 used.
663 ipv4.dhcp-timeout
665 If left unspecified, the default value for the interface type is
666 used.
667 ipv4.dhcp-vendor-class-identifier
669 If left unspecified, the default is to not send the DHCP option to
670 the server.
671 ipv4.dns-priority
673 If unspecified or zero, use 50 for VPN profiles and 100 for other
674 profiles.
675 ipv4.required-timeout
677 ipv4.link-local
679 If left unspecified, fallback to "auto" which makes it dependent on
680 "ipv4.method" setting.
681 ipv4.route-metric
683 ipv4.route-table
685 If left unspecified, routes are only added to the main table. Note
686 that this is different from explicitly selecting the main table
687 254, because of how NetworkManager removes extraneous routes from
688 the tables.
689 ipv6.addr-gen-mode
691 If the per-profile setting is either "default" or
692 "default-or-eui64", the global default is used. If the default is
693 unspecified, the fallback value is either "stable-privacy" or
694 "eui64", depending on whether the per-profile setting is "default"
695 or "default-or-eui64, respectively.
696 ipv6.ra-timeout
698 If left unspecified, the default value depends on the sysctl
699 solicitation settings.
700 ipv6.dhcp-duid
702 If left unspecified, it defaults to "lease".
703 ipv6.dhcp-iaid
705 If left unspecified, it defaults to "ifname".
706 ipv6.dhcp-hostname-flags
708 If left unspecified, the value 1 (fqdn-serv-update) is used.
709 ipv6.dhcp-timeout
711 If left unspecified, the default value for the interface type is
712 used.
713 ipv6.dns-priority
715 If unspecified or zero, use 50 for VPN profiles and 100 for other
716 profiles.
717 ipv6.ip6-privacy
719 If ipv6.ip6-privacy is unset, use the content of
720 "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.
721 ipv6.required-timeout
723 ipv6.route-metric
725 ipv6.route-table
727 If left unspecified, routes are only added to the main table. Note
728 that this is different from explicitly selecting the main table
729 254, because of how NetworkManager removes extraneous routes from
730 the tables.
731 loopback.mtu
733 If configured explicitly to 0, the MTU is not reconfigured during
734 device activation unless it is required due to IPv6 constraints. If
735 left unspecified, a DHCP/IPv6 SLAAC provided value is used or the
736 MTU is left unspecified on activation.
737 sriov.autoprobe-drivers
739 If left unspecified, drivers are autoprobed when the SR-IOV VF gets
740 created.
741 vpn.timeout
743 If left unspecified, default value of 60 seconds is used.
744 wifi.ap-isolation
746 If left unspecified, AP isolation is disabled.
747 wifi.cloned-mac-address
749 If left unspecified, it defaults to "preserve".
750 wifi.generate-mac-address-mask
752 wifi.mac-address-randomization
754 If left unspecified, MAC address randomization is disabled. This
755 setting is deprecated for wifi.cloned-mac-address.
756 wifi.mtu
758 If configured explicitly to 0, the MTU is not reconfigured during
759 device activation unless it is required due to IPv6 constraints. If
760 left unspecified, a DHCP/IPv6 SLAAC provided value is used or a
761 default of 1500.
762 wifi.powersave
764 If left unspecified, the default value "ignore" will be used.
765 wifi-sec.pmf
767 If left unspecified, the default value "optional" will be used.
768 wifi-sec.fils
770 If left unspecified, the default value "optional" will be used.
771 wifi.wake-on-wlan
773 wireguard.mtu
775 Sections
778 You can configure multiple connection sections, by having different
779 sections with a name that all start with "connection". Example:
780 [connection]
782 ipv6.ip6-privacy=0
783 connection.autoconnect-slaves=1
784 vpn.timeout=120
785 [connection-wifi-wlan0]
787 match-device=interface-name:wlan0
788 ipv4.route-metric=50
789 [connection-wifi-other]
791 match-device=type:wifi
792 ipv4.route-metric=55
793 ipv6.ip6-privacy=1
794 The sections within one file are considered in order of appearance,
796 with the exception that the [connection] section is always considered
797 last. In the example above, this order is [connection-wifi-wlan0],
798 [connection-wlan-other], and [connection]. When checking for a default
799 configuration value, the sections are searched until the requested
800 value is found. In the example above, "ipv4.route-metric" for wlan0
801 interface is set to 50, and for all other Wi-Fi typed interfaces to 55.
802 Also, Wi-Fi devices would have IPv6 private addresses enabled by
803 default, but other devices would have it disabled. Note that also
804 "wlan0" gets "ipv6.ip6-privacy=1", because although the section
805 "[connection-wifi-wlan0]" matches the device, it does not contain that
806 property and the search continues.
807 When having different sections in multiple files, sections from files
809 that are read later have higher priority. So within one file the
810 priority of the sections is top-to-bottom. Across multiple files later
811 definitions take precedence.
812 The following properties further control how a connection section
814 applies.
815 match-device
817 An optional device spec that restricts when the section applies.
818 See the section called “Device List Format” for the possible
819 values.
820 stop-match
822 An optional boolean value which defaults to no. If the section
823 matches (based on match-device), further sections will not be
824 considered even if the property in question is not present. In the
825 example above, if [connection-wifi-wlan0] would have stop-match set
826 to yes, the device wlan0 would have ipv6.ip6-privacy property
827 unspecified. That is, the search for the property would not
828 continue in the connection sections [connection-wifi-other] or
829 [connection].
830
832 Contains per-device persistent configuration.
833 Example:
835 [device]
837 match-device=interface-name:eth3
838 managed=1
839 Supported Properties
842 The following properties can be configured per-device.
843 managed
845 Whether the device is managed or not. A device can be marked as
846 managed via udev rules (ENV{NM_UNMANAGED}), or via setting plugins
847 (keyfile.unmanaged-devices). This is yet another way. Note that
848 this configuration can be overruled at runtime via D-Bus. Also, it
849 has higher priority then udev rules.
850 carrier-wait-timeout
852 Specify the timeout for waiting for carrier in milliseconds. The
853 default is 5000 milliseconds. This setting exists because certain
854 drivers/hardware can take a long time to detect whether the cable
855 is plugged in.
856 When the device loses carrier, NetworkManager does not react
858 immediately. Instead, it waits for this timeout before considering
859 the link lost.
860 Also, on startup, NetworkManager considers the device as busy for
862 this time, as long as the device has no carrier. This delays
863 startup-complete signal and NetworkManager-wait-online. Configuring
864 this too high means to block NetworkManager-wait-online longer than
865 necessary when booting with cable unplugged. Configuring it too
866 low, means that NetworkManager will declare startup-complete too
867 soon, although carrier is about to come and auto-activation to kick
868 in. Note that if a profile only has static IP configuration or
869 Layer 3 configuration disabled, then it can already autoconnect
870 without carrier on the device. Once such a profile reaches full
871 activated state, startup-complete is considered as reached even if
872 the device has no carrier yet.
873 ignore-carrier
875 Specify devices for which NetworkManager will (partially) ignore
876 the carrier state. Normally, for device types that support
877 carrier-detect, such as Ethernet and InfiniBand, NetworkManager
878 will only allow a connection to be activated on the device if
879 carrier is present (ie, a cable is plugged in), and it will
880 deactivate the device if carrier drops for more than a few seconds.
881 A device with carrier ignored will allow activating connections on
883 that device even when it does not have carrier, provided that the
884 connection uses only statically-configured IP addresses.
885 Additionally, it will allow any active connection (whether static
886 or dynamic) to remain active on the device when carrier is lost.
887 Note that the "carrier" property of NMDevices and device D-Bus
889 interfaces will still reflect the actual device state; it's just
890 that NetworkManager will not make use of that information.
891 Master types like bond, bridge and team ignore carrier by default,
893 while other device types react on carrier changes by default.
894 This setting overwrites the deprecated main.ignore-carrier setting
896 above.
897 keep-configuration
899 On startup, NetworkManager tries to not interfere with interfaces
900 that are already configured. It does so by generating a in-memory
901 connection based on the interface current configuration.
902 If this generated connection matches one of the existing persistent
904 connections, the persistent connection gets activated. If there is
905 no match, the generated connection gets activated as "external",
906 which means that the connection is considered as active, but
907 NetworkManager doesn't actually touch the interface.
908 It is possible to disable this behavior by setting
910 keep-configuration to no. In this way, on startup NetworkManager
911 always tries to activate the most suitable persistent connection
912 (the one with highest autoconnect-priority or, in case of a tie,
913 the one activated most recently).
914 Note that when NetworkManager gets restarted, it stores the
916 previous state in /run/NetworkManager; in particular it saves the
917 UUID of the connection that was previously active so that it can be
918 activated again after the restart. Therefore, keep-configuration
919 does not have any effect on service restart.
920 allowed-connections
922 A list of connections that can be activated on the device. See the
923 section called “Connection List Format” for the syntax to specify a
924 connection. If this option is not specified, all connections can be
925 potentially activated on the device, provided that the connection
926 type and other settings match.
927 A notable use case for this is to filter which connections can be
929 activated based on how they were created; see the origin keyword in
930 the section called “Connection List Format”.
931 wifi.scan-rand-mac-address
933 Configures MAC address randomization of a Wi-Fi device during
934 scanning. This defaults to yes in which case a random,
935 locally-administered MAC address will be used. The setting
936 wifi.scan-generate-mac-address-mask allows to influence the
937 generated MAC address to use certain vendor OUIs. If disabled, the
938 MAC address during scanning is left unchanged to whatever is
939 configured. For the configured MAC address while the device is
940 associated, see instead the per-connection setting
941 wifi.cloned-mac-address.
942 wifi.backend
944 Specify the Wi-Fi backend used for the device. Currently, supported
945 are wpa_supplicant and iwd (experimental). If unspecified, the
946 default is "wpa_supplicant".
947 wifi.scan-generate-mac-address-mask
949 Like the per-connection settings ethernet.generate-mac-address-mask
950 and wifi.generate-mac-address-mask, this allows to configure the
951 generated MAC addresses during scanning. See nm-settings(5) for
952 details.
953 wifi.iwd.autoconnect
955 If wifi.backend is iwd, setting this to false forces IWD's
956 autoconnect mechanism to be disabled for this device and
957 connections will only be initiated by NetworkManager whether
958 commanded by a client or automatically. Leaving it true (default)
959 stops NetworkManager from automatically initiating connections and
960 allows IWD to use its network ranking and scanning logic to decide
961 the best networks to autoconnect to next. Connections'
962 autoconnect-priority, autoconnect-retries settings will be ignored.
963 Other settings like permissions or multi-connect may interfere with
964 IWD connection attempts.
965 sriov-num-vfs
967 Specify the number of virtual functions (VF) to enable for a PCI
968 physical device that supports single-root I/O virtualization
969 (SR-IOV).
970 Sections
972 The [device] section works the same as the [connection] section. That
973 is, multiple sections that all start with the prefix "device" can be
974 specified. The settings "match-device" and "stop-match" are available
975 to match a device section on a device. The order of multiple sections
976 is also top-down within the file and later files overwrite previous
977 settings. See “Sections” under the section called “CONNECTION SECTION”
978 for details.
979
981 This section controls NetworkManager's optional connectivity checking
982 functionality. This allows NetworkManager to detect whether or not the
983 system can actually access the internet or whether it is behind a
984 captive portal.
985 Connectivity checking serves two purposes. For one, it exposes a
987 connectivity state on D-Bus, which other applications may use. For
988 example, Gnome's portal helper uses this as signal to show a captive
989 portal login page. The other use is that default-route of devices
990 without global connectivity get a penalty of +20000 to the
991 route-metric. This has the purpose to give a better default-route to
992 devices that have global connectivity. For example, when being
993 connected to WWAN and to a Wi-Fi network which is behind a captive
994 portal, WWAN still gets preferred until login.
995 Note that your distribution might set
997 /proc/sys/net/ipv4/conf/*/rp_filter to strict filtering. That works
998 badly with per-device connectivity checking, which uses SO_BINDDEVICE
999 to send requests on all devices. A strict rp_filter setting will reject
1000 any response and the connectivity check on all but the best route will
1001 fail.
1002 enabled
1004 Whether connectivity check is enabled. Note that to enable
1005 connectivity check, a valid uri must also be configured. The value
1006 defaults to true, but since the uri is unset by default,
1007 connectivity check may be disabled. The main purpose of this option
1008 is to have a single flag to disable connectivity check. Note that
1009 this setting can also be set via D-Bus API at runtime. In that
1010 case, the value gets stored in
1011 /var/lib/NetworkManager/NetworkManager-intern.conf file.
1012 uri
1014 The URI of a web page to periodically request when connectivity is
1015 being checked. This page should return the header
1016 "X-NetworkManager-Status" with a value of "online". Alternatively,
1017 its body content should be set to "NetworkManager is online". The
1018 body content check can be controlled by the response option. If
1019 this option is blank or missing, connectivity checking is disabled.
1020 interval
1022 Specified in seconds; controls how often connectivity is checked
1023 when a network connection exists. If set to 0 connectivity checking
1024 is disabled. If missing, the default is 300 seconds.
1025 response
1027 If set, controls what body content NetworkManager checks for when
1028 requesting the URI for connectivity checking. Note that this only
1029 compares that the HTTP response starts with the specifid text, it
1030 does not compare the exact string. This behavior might change in
1031 the future, so avoid relying on it. If missing, the response
1032 defaults to "NetworkManager is online". If set to empty, the HTTP
1033 server is expected to answer with status code 204 or send no data.
1034
1036 This section specifies DNS settings that are applied globally, in
1037 addition to connection-specific ones.
1038 searches
1040 A list of search domains to be used during hostname lookup.
1041 options
1043 A list of options to be passed to the hostname resolver.
1044
1046 Sections with a name starting with the "global-dns-domain-" prefix
1047 allow to define global DNS configuration for specific domains. The part
1048 of section name after "global-dns-domain-" specifies the domain name a
1049 section applies to (for example, a section could be named
1050 "global-dns-domain-foobar.com"). More specific domains have the
1051 precedence over less specific ones and the default domain is
1052 represented by the wildcard "*". To be valid, global DNS domains must
1053 include a section for the default domain "*". When the global DNS
1054 domains are valid, the name servers and domains defined globally
1055 override the ones from active connections.
1056 servers
1058 A list of addresses of DNS servers to be used for the given domain.
1059 options
1061 A list of domain-specific DNS options. Not used at the moment.
1062
1064 This is a special section that contains options which apply to the
1065 configuration file that contains the option.
1066 enable
1068 Defaults to "true". If "false", the configuration file will be
1069 skipped during loading. Note that the main configuration file
1070 NetworkManager.conf cannot be disabled.
1071 # always skip loading the config file
1073 [.config]
1074 enable=false
1075 You can also match against the version of NetworkManager. For
1077 example the following are valid configurations:
1078 # only load on version 1.0.6
1080 [.config]
1081 enable=nm-version:1.0.6
1082 # load on all versions 1.0.x, but not 1.2.x
1084 [.config]
1085 enable=nm-version:1.0
1086 # only load on versions >= 1.1.6. This does not match
1088 # with version 1.2.0 or 1.4.4. Only the last digit is considered.
1089 [.config]
1090 enable=nm-version-min:1.1.6
1091 # only load on versions >= 1.2. Contrary to the previous
1093 # example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.
1094 [.config]
1095 enable=nm-version-min:1.2
1096 # Match against the maximum allowed version. The example matches
1098 # versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
1099 # is allowed to be smaller. So this would not match on 1.1.10.
1100 [.config]
1101 enable=nm-version-max:1.2.6
1102 You can also match against the value of the environment variable
1104 NM_CONFIG_ENABLE_TAG, like:
1105 # only load the file when running NetworkManager with
1107 # environment variable "NM_CONFIG_ENABLE_TAG=TAG1"
1108 [.config]
1109 enable=env:TAG1
1110 More then one match can be specified. The configuration will be
1112 enabled if one of the predicates matches ("or"). The special prefix
1113 "except:" can be used to negate the match. Note that if one
1114 except-predicate matches, the entire configuration will be
1115 disabled. In other words, a except predicate always wins over other
1116 predicates. If the setting only consists of "except:" matches and
1117 none of the negative conditions are satisfied, the configuration is
1118 still enabled.
1119 # enable the configuration either when the environment variable
1121 # is present or the version is at least 1.2.0.
1122 [.config]
1123 enable=env:TAG2,nm-version-min:1.2
1124 # enable the configuration for version >= 1.2.0, but disable
1126 # it when the environment variable is set to "TAG3"
1127 [.config]
1128 enable=except:env:TAG3,nm-version-min:1.2
1129 # enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
1131 # Useful if a certain feature is only present since those releases.
1132 [.config]
1133 enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
1134
1137 Settings plugins for reading and writing connection profiles. The
1138 number of available plugins is distribution specific.
1139 keyfile
1141 The keyfile plugin is the generic plugin that supports all the
1142 connection types and capabilities that NetworkManager has. It
1143 writes files out in an .ini-style format in
1144 /etc/NetworkManager/system-connections. See nm-settings-keyfile(5)
1145 for details about the file format.
1146 The stored connection file may contain passwords, secrets and
1148 private keys in plain text, so it will be made readable only to
1149 root, and the plugin will ignore files that are readable or
1150 writable by any user or group other than root. See "Secret flag
1151 types" in nm-settings(5) for how to avoid storing passwords in
1152 plain text.
1153 This plugin is always active, and will automatically be used to
1155 store any connections that aren't supported by any other active
1156 plugin.
1157 ifcfg-rh
1159 This plugin is used on the Fedora and Red Hat Enterprise Linux
1160 distributions to read and write configuration from the standard
1161 /etc/sysconfig/network-scripts/ifcfg-* files. It currently supports
1162 reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team
1163 connections. Enabling ifcfg-rh implicitly enables ibft plugin, if
1164 it is available. This can be disabled by adding no-ibft. See
1165 /usr/share/doc/initscripts/sysconfig.txt and nm-settings-ifcfg-
1166 rh(5) for more information about the ifcfg file format.
1167 ifupdown
1169 This plugin is used on the Debian and Ubuntu distributions, and
1170 reads Ethernet and Wi-Fi connections from /etc/network/interfaces.
1171 This plugin is read-only; any connections (of any type) added from
1173 within NetworkManager when you are using this plugin will be saved
1174 using the keyfile plugin instead.
1175 ibft, no-ibft
1177 These plugins are deprecated and their selection has no effect.
1178 This is now handled by nm-initrd-generator.
1179 ifcfg-suse, ifnet
1181 These plugins are deprecated and their selection has no effect. The
1182 keyfile plugin should be used instead.
1183
1185 Device List Format
1186 The configuration options main.no-auto-default, main.ignore-carrier,
1187 keyfile.unmanaged-devices, connection*.match-device and
1188 device*.match-device select devices based on a list of matchings.
1189 Devices can be specified using the following format:
1190 *
1192 Matches every device.
1193 IFNAME
1195 Case sensitive match of interface name of the device. Globbing is
1196 not supported.
1197 HWADDR
1199 Match the permanent MAC address of the device. Globbing is not
1200 supported
1201 interface-name:IFNAME, interface-name:~IFNAME
1203 Case sensitive match of interface name of the device. Simple
1204 globbing is supported with * and ?. Ranges and escaping is not
1205 supported.
1206 interface-name:=IFNAME
1208 Case sensitive match of interface name of the device. Globbing is
1209 disabled and IFNAME is taken literally.
1210 mac:HWADDR
1212 Match the permanent MAC address of the device. Globbing is not
1213 supported
1214 s390-subchannels:HWADDR
1216 Match the device based on the subchannel address. Globbing is not
1217 supported
1218 type:TYPE
1220 Match the device type. Valid type names are as reported by "nmcli
1221 -f GENERAL.TYPE device show". Globbing is not supported.
1222 driver:DRIVER
1224 Match the device driver as reported by "nmcli -f
1225 GENERAL.DRIVER,GENERAL.DRIVER-VERSION device show". "DRIVER" must
1226 match the driver name exactly and does not support globbing.
1227 Optionally, a driver version may be specified separated by '/'.
1228 Globbing is supported for the version.
1229 dhcp-plugin:DHCP
1231 Match the configured DHCP plugin "main.dhcp".
1232 except:SPEC
1234 Negative match of a device. SPEC must be explicitly qualified with
1235 a prefix such as interface-name:. A negative match has higher
1236 priority then the positive matches above.
1237 If there is a list consisting only of negative matches, the
1239 behavior is the same as if there is also match-all. That means, if
1240 none of all the negative matches is satisfied, the overall result
1241 is still a positive match. That means, "except:interface-name:eth0"
1242 is the same as "*,except:interface-name:eth0".
1243 SPEC[,;]SPEC
1245 Multiple specs can be concatenated with commas or semicolons. The
1246 order does not matter as matches are either inclusive or negative
1247 (except:), with negative matches having higher priority.
1248 Backslash is supported to escape the separators ';' and ',', and to
1250 express special characters such as newline ('\n'), tabulator
1251 ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
1252 interface names cannot be escaped. Whitespace is not a separator
1253 but will be trimmed between two specs (unless escaped as '\s').
1254 Example:
1256 interface-name:em4
1258 mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
1259 interface-name:vboxnet*,except:interface-name:vboxnet2
1260 *,except:mac:00:22:68:1c:59:b1
1261 Connection List Format
1264 Connections can be specified using the following format:
1265 *
1267 Matches every connection.
1268 uuid:UUID
1270 Match the connection by UUID, for example
1271 "uuid:83037490-1d17-4986-a397-01f1db3a7fc2"
1272 id=ID
1274 Match the connection by name.
1275 origin:ORIGIN
1277 Match the connection by origin, stored in the
1278 org.freedesktop.NetworkManager.origin tag of the user setting. For
1279 example, use "except:origin:nm-initrd-generator" to forbid
1280 activation of connections created by the initrd generator.
1281 except:SPEC
1283 Negative match of a connection. A negative match has higher
1284 priority then the positive matches above.
1285 If there is a list consisting only of negative matches, the
1287 behavior is the same as if there is also match-all. That means, if
1288 none of all the negative matches is satisfied, the overall result
1289 is still a positive match.
1290 SPEC[,;]SPEC
1292 Multiple specs can be concatenated with commas or semicolons. The
1293 order does not matter as matches are either inclusive or negative
1294 (except:), with negative matches having higher priority.
1295 Backslash is supported to escape the separators ';' and ',', and to
1297 express special characters such as newline ('\n'), tabulator
1298 ('\t'), whitespace ('\s') and backslash ('\\'). Whitespace is not a
1299 separator but will be trimmed between two specs (unless escaped as
1300 '\s').
1301
1303 NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1), nm-
1304 settings(5), nm-applet(1), nm-connection-editor(1)
1305NetworkManager 1.42.8 NETWORKMANAGER.CONF(5)