NetworkManager.conf

NetworkManager.conf — NetworkManager configuration file

Synopsis

/etc/NetworkManager/NetworkManager.conf, /etc/NetworkManager/conf.d/name.conf, /usr/lib/NetworkManager/conf.d/name.conf, /var/lib/NetworkManager/NetworkManager-intern.conf

Description

NetworkManager.conf is the configuration file for NetworkManager. It is used to set up various aspects of NetworkManager's behavior. The location of the main file and configuration directories may be changed through use of the --config, --config-dir, --system-config-dir, and --intern-config argument for NetworkManager, respectively.

If a default NetworkManager.conf is provided by your distribution's packages, you should not modify it, since your changes may get overwritten by package updates. Instead, you can add additional .conf files to the /etc/NetworkManager/conf.d directory. These will be read in order, with later files overriding earlier ones. Packages might install further configuration snippets to /usr/lib/NetworkManager/conf.d. This directory is parsed first, even before NetworkManager.conf. The loading of a file /usr/lib/NetworkManager/conf.d/name.conf can be prevented by adding a file /etc/NetworkManager/conf.d/name.conf. In this case, the file from the etc configuration shadows the file from the system configuration directory.

NetworkManager can overwrite certain user configuration options via D-Bus or other internal operations. In this case it writes those changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This file is not intended to be modified by the user, but it is read last and can shadow user configuration from NetworkManager.conf.

File Format

The configuration file format is so-called key file (sort of ini-style format). It consists of sections (groups) of key-value pairs. Lines beginning with a '#' and blank lines are considered comments. Sections are started by a header line containing the section enclosed in '[' and ']', and ended implicitly by the start of the next section or the end of the file. Each key-value pair must be contained in a section.

For keys that take a list of devices as their value, you can specify devices by their MAC addresses or interface names, or "*" to specify all devices. See the section called “Device List Format” below.

Minimal system settings configuration file looks like this:

[main]
plugins=keyfile

As an extension to the normal keyfile format, you can also append a value to a previously-set list-valued key by doing:

plugins+=another-plugin
plugins-=remove-me

main section

plugins

Lists system settings plugin names separated by ','. These plugins are used to read and write system-wide connections. When multiple plugins are specified, the connections are read from all listed plugins. When writing connections, the plugins will be asked to save the connection in the order listed here; if the first plugin cannot write out that connection type (or can't write out any connections) the next plugin is tried, etc. If none of the plugins can save the connection, an error is returned to the user.

If NetworkManager defines a distro-specific network-configuration plugin for your system, then that will normally be listed here. (See below for the available plugins.) Note that the keyfile plugin is always appended to the end of this list (if it doesn't already appear earlier in the list), so if there is no distro-specific plugin for your system then you can leave this key unset and NetworkManager will fall back to using keyfile.

monitor-connection-files

Whether the configured settings plugin(s) should set up file monitors and immediately pick up changes made to connection files while NetworkManager is running. This is disabled by default; NetworkManager will only read the connection files at startup, and when explicitly requested via the ReloadConnections D-Bus call. If this key is set to 'true', then NetworkManager will reload connection files any time they changed. Automatic reloading is not advised because there are race conditions involved and it depends on the way how the editor updates the file. In some situations, NetworkManager might first delete and add the connection anew, instead of updating the existing one. Also, NetworkManager might pick up incomplete settings while the user is still editing the files.

auth-polkit

Whether the system uses PolicyKit for authorization. If false, all requests will be allowed. If true, non-root requests are authorized using PolicyKit. The default value is true.

dhcp

This key sets up what DHCP client NetworkManager will use. Allowed values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd options require the indicated clients to be installed. The internal option uses a built-in DHCP client which is not currently as featureful as the external clients.

If this key is missing, available DHCP clients are looked for in this order: dhclient, dhcpcd, internal.

no-auto-default

Specify devices for which NetworkManager shouldn't create default wired connection (Auto eth0). By default, NetworkManager creates a temporary wired connection for any Ethernet device that is managed and doesn't have a connection configured. List a device in this option to inhibit creating the default connection for the device. May have the special value * to apply to all devices.

When the default wired connection is deleted or saved to a new persistent connection by a plugin, the device is added to a list in the file /var/run/NetworkManager/no-auto-default.state to prevent creating the default connection for that device again.

See the section called “Device List Format” for the syntax how to specify a device.

Example:

no-auto-default=00:22:68:5c:5d:c4,00:1e:65:ff:aa:ee
no-auto-default=eth0,eth1
no-auto-default=*

ignore-carrier

Specify devices for which NetworkManager will (partially) ignore the carrier state. Normally, for device types that support carrier-detect, such as Ethernet and InfiniBand, NetworkManager will only allow a connection to be activated on the device if carrier is present (ie, a cable is plugged in), and it will deactivate the device if carrier drops for more than a few seconds.

Listing a device here will allow activating connections on that device even when it does not have carrier, provided that the connection uses only statically-configured IP addresses. Additionally, it will allow any active connection (whether static or dynamic) to remain active on the device when carrier is lost.

Note that the "carrier" property of NMDevices and device D-Bus interfaces will still reflect the actual device state; it's just that NetworkManager will not make use of that information.

See the section called “Device List Format” for the syntax how to specify a device.

assume-ipv6ll-only

Specify devices for which NetworkManager will try to generate a connection based on initial configuration when the device only has an IPv6 link-local address.

See the section called “Device List Format” for the syntax how to specify a device.

configure-and-quit

When set to 'true', NetworkManager quits after performing initial network configuration but spawns small helpers to preserve DHCP leases and IPv6 addresses. This is useful in environments where network setup is more or less static or it is desirable to save process time but still handle some dynamic configurations. When this option is true, network configuration for WiFi, WWAN, Bluetooth, ADSL, and PPPoE interfaces cannot be preserved due to their use of external services, and these devices will be deconfigured when NetworkManager quits even though other interface's configuration may be preserved. Also, to preserve DHCP addresses the 'dhcp' option must be set to 'internal'. The default value of the 'configure-and-quit' option is 'false', meaning that NetworkManager will continue running after initial network configuration and continue responding to system and hardware events, D-Bus requests, and user commands.

dns

Set the DNS (resolv.conf) processing mode.

default: The default if the key is not specified. NetworkManager will update resolv.conf to reflect the nameservers provided by currently active connections.

dnsmasq: NetworkManager will run dnsmasq as a local caching nameserver, using a "split DNS" configuration if you are connected to a VPN, and then update resolv.conf to point to the local nameserver.

unbound: NetworkManager will talk to unbound and dnssec-triggerd, providing a "split DNS" configuration with DNSSEC support. The /etc/resolv.conf will be managed by dnssec-trigger daemon.

none: NetworkManager will not modify resolv.conf. This implies rc-manager unmanaged

rc-manager

Set the resolv.conf management mode. The default value depends on how NetworkManager was built, whereas this version of NetworkManager was build with a default of "symlink". Regardless of this setting, NetworkManager will always write resolv.conf to its runtime state directory.

symlink: NetworkManager will symlink /etc/resolv.conf to its private resolv.conf file in the runtime state directory. If /etc/resolv.conf already is a symlink pointing to a different location, the file will not be modified. This allows the user to disable managing by pointing the link /etc/resolv.conf to somewhere else.

file: NetworkManager will write /etc/resolv.conf as file.

resolvconf: NetworkManager will run resolvconf to update the DNS configuration.

netconfig: NetworkManager will run netconfig to update the DNS configuration.

unmanaged: don't touch /etc/resolv.conf.

none: deprecated alias for symlink.

debug

Comma separated list of options to aid debugging. This value will be combined with the environment variable NM_DEBUG. Currently the following values are supported:

RLIMIT_CORE: set ulimit -c unlimited to write out core dumps. Beware, that a core dump can contain sensitive information such as passwords or configuration settings.

fatal-warnings: set g_log_set_always_fatal() to core dump on warning messages from glib. This is equivalent to the --g-fatal-warnings command line option.

keyfile section

This section contains keyfile-plugin-specific options, and is normally only used when you are not using any other distro-specific plugin.

hostname

This key is deprecated and has no effect since the hostname is now stored in /etc/hostname or other system configuration files according to build options.

path

The location where keyfiles are read and stored. This defaults to "/etc/NetworkManager/conf.d".

unmanaged-devices

Set devices that should be ignored by NetworkManager.

See the section called “Device List Format” for the syntax how to specify a device.

Example:

unmanaged-devices=interface-name:em4
unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2

ifupdown section

This section contains ifupdown-specific options and thus only has effect when using the ifupdown plugin.

managed

If set to true, then interfaces listed in /etc/network/interfaces are managed by NetworkManager. If set to false, then any interface listed in /etc/network/interfaces will be ignored by NetworkManager. Remember that NetworkManager controls the default route, so because the interface is ignored, NetworkManager may assign the default route to some other interface.

The default value is false.

logging section

This section controls NetworkManager's logging. Any settings here are overridden by the --log-level and --log-domains command-line options.

level

The default logging verbosity level. One of OFF, ERR, WARN, INFO, DEBUG, TRACE. The ERR level logs only critical errors. WARN logs warnings that may reflect operation. INFO logs various informational messages that are useful for tracking state and operations. DEBUG enables verbose logging for debugging purposes. TRACE enables even more verbose logging then DEBUG level. Subsequent levels also log all messages from earlier levels; thus setting the log level to INFO also logs error and warning messages.

domains

The following log domains are available: PLATFORM, RFKILL, ETHER, WIFI, BT, MB, DHCP4, DHCP6, PPP, WIFI_SCAN, IP4, IP6, AUTOIP4, DNS, VPN, SHARING, SUPPLICANT, AGENTS, SETTINGS, SUSPEND, CORE, DEVICE, OLPC, WIMAX, INFINIBAND, FIREWALL, ADSL, BOND, VLAN, BRIDGE, DBUS_PROPS, TEAM, CONCHECK, DCB, DISPATCH, AUDIT, SYSTEMD, VPN_PLUGIN.

In addition, these special domains can be used: NONE, ALL, DEFAULT, DHCP, IP.

You can specify per-domain log level overrides by adding a colon and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".

backend

The logging backend. Supported values are "debug", "syslog", "journal". "debug" uses syslog and logs to standard error. If NetworkManager is started in debug mode (--debug) this option is ignored and "debug" is always used. Otherwise, the default is "journal".

audit

Whether the audit records are delivered to auditd, the audit daemon. If false, audit records will be sent only to the NetworkManager logging system. If set to true, they will be also sent to auditd. The default value is true.

connection section

Specify default values for connections.

Example:

[connection]
ipv6.ip6-privacy=0

Supported Properties

Not all properties can be overwritten, only the following properties are supported to have their default values configured (see nm-settings(5) for details). A default value is only consulted if the corresponding per-connection value explicitly allows for that.

connection.autoconnect-slaves

connection.lldp

ethernet.wake-on-lan

ipv4.dad-timeout

ipv4.dhcp-timeout

If left unspecified, the default value for the interface type is used.

ipv4.route-metric

ipv6.ip6-privacy

If ipv6.ip6-privacy is unset, use the content of "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.

ipv6.route-metric

vpn.timeout

If left unspecified, default value of 60 seconds is used.

wifi.mac-address-randomization

If left unspecified, MAC address randomization is disabled.

wifi.powersave

If left unspecified, the default value "ignore" will be used.


Sections

You can configure multiple connection sections, by having different sections with a name that all start with "connection". Example:

[connection]
ipv6.ip6-privacy=0
connection.autoconnect-slaves=1
vpn.timeout=120

[connection-wifi-wlan0]
match-device=interface-name:wlan0
ipv4.route-metric=50

[connection-wifi-other]
match-device=type:wifi
ipv4.route-metric=55
ipv6.ip6-privacy=1

The sections within one file are considered in order of appearance, with the exception that the [connection] section is always considered last. In the example above, this order is [connection-wifi-wlan0], [connection-wlan-other], and [connection]. When checking for a default configuration value, the sections are searched until the requested value is found. In the example above, "ipv4.route-metric" for wlan0 interface is set to 50, and for all other Wi-Fi typed interfaces to 55. Also, Wi-Fi devices would have IPv6 private addresses enabled by default, but other devices would have it disabled. Note that also "wlan0" gets "ipv6.ip6-privacy=1", because although the section "[connection-wifi-wlan0]" matches the device, it does not contain that property and the search continues.

When having different sections in multiple files, sections from files that are read later have higher priority. So within one file the priority of the sections is top-to-bottom. Across multiple files later definitions take precedence.

The following properties further control how a connection section applies.

match-device

An optional device spec that restricts when the section applies. See the section called “Device List Format” for the possible values.

stop-match

An optional boolean value which defaults to no. If the section matches (based on match-device), further sections will not be considered even if the property in question is not present. In the example above, if [connection-wifi-wlan0] would have stop-match set to yes, the device wlan0 would have ipv6.ip6-privacy property unspecified. That is, the search for the property would not continue in the connection sections [connection-wifi-other] or [connection].

connectivity section

This section controls NetworkManager's optional connectivity checking functionality. This allows NetworkManager to detect whether or not the system can actually access the internet or whether it is behind a captive portal.

uri

The URI of a web page to periodically request when connectivity is being checked. This page should return the header "X-NetworkManager-Status" with a value of "online". Alternatively, it's body content should be set to "NetworkManager is online". The body content check can be controlled by the response option. If this option is blank or missing, connectivity checking is disabled.

interval

Specified in seconds; controls how often connectivity is checked when a network connection exists. If set to 0 connectivity checking is disabled. If missing, the default is 300 seconds.

response

If set controls what body content NetworkManager checks for when requesting the URI for connectivity checking. If missing, defaults to "NetworkManager is online"

global-dns section

This section specifies global DNS settings that override connection-specific configuration.

searches

A list of search domains to be used during hostname lookup.

options

A list of of options to be passed to the hostname resolver.

global-dns-domain sections

Sections with a name starting with the "global-dns-domain-" prefix allow to define global DNS configuration for specific domains. The part of section name after "global-dns-domain-" specifies the domain name a section applies to. More specific domains have the precedence over less specific ones and the default domain is represented by the wildcard "*". A default domain section is mandatory.

servers

A list of addresses of DNS servers to be used for the given domain.

options

A list of domain-specific DNS options. Not used at the moment.

.config sections

This is a special section that contains options which apply to the configuration file that contains the option.

enable

Defaults to "true". If "false", the configuration file will be skipped during loading. Note that the main configuration file NetworkManager.conf cannot be disabled.

# always skip loading the config file
[.config]
enable=false

You can also match against the version of NetworkManager. For example the following are valid configurations:

# only load on version 1.0.6
[.config]
enable=nm-version:1.0.6

# load on all versions 1.0.x, but not 1.2.x
[.config]
enable=nm-version:1.0

# only load on versions >= 1.1.6. This does not match
# with version 1.2.0 or 1.4.4. Only the last digit is considered.
[.config]
enable=nm-version-min:1.1.6

# only load on versions >= 1.2. Contrary to the previous
# example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.
[.config]
enable=nm-version-min:1.2

# Match against the maximum allowed version. The example matches
# versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
# is allowed to be smaller. So this would not match match on 1.1.10.
[.config]
enable=nm-version-max:1.2.6

You can also match against the value of the environment variable NM_CONFIG_ENABLE_TAG, like:

# always skip loading the file when running NetworkManager with
# environment variable "NM_CONFIG_ENABLE_TAG=TAG1"
[.config]
enable=env:TAG1

More then one match can be specified. The configuration will be enabled if one of the predicates matches ("or"). The special prefix "except:" can be used to negate the match. Note that if one except-predicate matches, the entire configuration will be disabled. In other words, a except predicate always wins over other predicates.

# enable the configuration either when the environment variable
# is present or the version is at least 1.2.0.
[.config]
enable=env:TAG2,nm-version-min:1.2

# enable the configuration for version >= 1.2.0, but disable
# it when the environment variable is set to "TAG3"
[.config]
enable=except:env:TAG3,nm-version-min:1.2

# enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
# Useful if a certain feature is only present since those releases.
[.config]
enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16

Plugins

keyfile

The keyfile plugin is the generic plugin that supports all the connection types and capabilities that NetworkManager has. It writes files out in an .ini-style format in /etc/NetworkManager/system-connections.

The stored connection file may contain passwords and private keys, so it will be made readable only to root, and the plugin will ignore files that are readable or writable by any user or group other than root.

This plugin is always active, and will automatically be used to store any connections that aren't supported by any other active plugin.

ifcfg-rh

This plugin is used on the Fedora and Red Hat Enterprise Linux distributions to read and write configuration from the standard /etc/sysconfig/network-scripts/ifcfg-* files. It currently supports reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team connections. Enabling ifcfg-rh implicitly enables ibft plugin, if it is available. This can be disabled by adding no-ibft.

ifcfg-suse

This plugin is deprecated and its selection has no effect. The keyfile plugin should be used instead.

ifupdown

This plugin is used on the Debian and Ubuntu distributions, and reads Ethernet and Wi-Fi connections from /etc/network/interfaces.

This plugin is read-only; any connections (of any type) added from within NetworkManager when you are using this plugin will be saved using the keyfile plugin instead.

ibft, no-ibft

This plugin allows to read iBFT configuration (iSCSI Boot Firmware Table). The configuration is read using /sbin/iscsiadm. Users are expected to configure iBFT connections via the firmware interfaces. If ibft support is available, it is automatically enabled after ifcfg-rh. This can be disabled by no-ibft. You can also explicitly specify ibft to load the plugin without ifcfg-rh or to change the plugin order.

Appendix

Device List Format

The configuration options main.no-auto-default, main.ignore-carrier, and keyfile.unmanaged-devices select devices based on a list of matchings. Devices can be specified using the following format:

*

Matches every device.

IFNAME

Case sensitive match of interface name of the device. Globbing is not supported.

HWADDR

Match the MAC address of the device. Globbing is not supported

interface-name:IFNAME, interface-name:~IFNAME

Case sensitive match of interface name of the device. Simple globbing is supported with * and ?. Ranges and escaping is not supported.

interface-name:=IFNAME

Case sensitive match of interface name of the device. Globbing is disabled and IFNAME is taken literally.

mac:HWADDR

Match the MAC address of the device. Globbing is not supported

s390-subchannels:HWADDR

Match the device based on the subchannel address. Globbing is not supported

type:TYPE

Match the device type. Valid type names are as reported by "nmcli -f GENERAL.TYPE device show". Globbing is not supported.

except:SPEC

Negative match of a device. SPEC must be explicitly qualified with a prefix such as interface-name:. A negative match has higher priority then the positive matches above.

SPEC[,;]SPEC

Multiple specs can be concatenated with commas or semicolons. The order does not matter as matches are either inclusive or negative (except:), with negative matches having higher priority.

Backslash is supported to escape the separators ';' and ',', and to express special characters such as newline ('\n'), tabulator ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of interface names cannot be escaped. Whitespace is not a separator but will be trimmed between two specs (unless escaped as '\s').

Example:

interface-name:em4
mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
interface-name:vboxnet*,except:interface-name:vboxnet2
*,except:mac:00:22:68:1c:59:b1

See Also

NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1), nm-settings(5), nm-applet(1), nm-connection-editor(1)