1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
|
<?xml version='1.0'?> <!--*-nxml-*-->
<?xml-stylesheet type="text/xsl" href="http://docbook.sourceforge.net/release/xsl/current/xhtml/docbook.xsl"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % entities SYSTEM "common.ent" >
%entities;
]>
<!--
SPDX-License-Identifier: GFDL-1.1-no-invariants-or-later
NetworkManager.conf(5) manual page
Copyright 2010 - 2023 Red Hat, Inc.
-->
<refentry id="NetworkManager.conf">
<refentryinfo>
<title>NetworkManager.conf</title>
<author>NetworkManager developers</author>
</refentryinfo>
<refmeta>
<refentrytitle>NetworkManager.conf</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="source">NetworkManager</refmiscinfo>
<refmiscinfo class="manual">Configuration</refmiscinfo>
<refmiscinfo class="version">&NM_VERSION;</refmiscinfo>
</refmeta>
<refnamediv>
<refname>NetworkManager.conf</refname>
<refpurpose>NetworkManager configuration file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename>/etc/NetworkManager/NetworkManager.conf</filename>,
<filename>/etc/NetworkManager/conf.d/<replaceable>name</replaceable>.conf</filename>,
<filename>/run/NetworkManager/conf.d/<replaceable>name</replaceable>.conf</filename>,
<filename>/usr/lib/NetworkManager/conf.d/<replaceable>name</replaceable>.conf</filename>,
<filename>/var/lib/NetworkManager/NetworkManager-intern.conf</filename>
</para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para><literal>NetworkManager.conf</literal> is the configuration file for NetworkManager. It is used
to set up various aspects of NetworkManager's behavior. The
location of the main file and configuration directories may be changed
through use of the <option>--config</option>, <option>--config-dir</option>,
<option>--system-config-dir</option>, and <option>--intern-config</option>
argument for NetworkManager, respectively.
</para>
<para>If a default <literal>NetworkManager.conf</literal> is
provided by your distribution's packages, you should not modify
it, since your changes may get overwritten by package
updates. Instead, you can add additional <literal>.conf</literal>
files to the <literal>/etc/NetworkManager/conf.d</literal> directory.
These will be read in order, with later files overriding earlier ones.
Packages might install further configuration snippets to <literal>/usr/lib/NetworkManager/conf.d</literal>.
This directory is parsed first, even before <literal>NetworkManager.conf</literal>.
Scripts can also put per-boot configuration into <literal>/run/NetworkManager/conf.d</literal>.
This directory is parsed second, also before <literal>NetworkManager.conf</literal>.
The loading of a file <literal>/run/NetworkManager/conf.d/<replaceable>name</replaceable>.conf</literal>
can be prevented by adding a file <literal>/etc/NetworkManager/conf.d/<replaceable>name</replaceable>.conf</literal>.
Likewise, a file <literal>/usr/lib/NetworkManager/conf.d/<replaceable>name</replaceable>.conf</literal>
can be shadowed by putting a file of the same name to either <literal>/etc/NetworkManager/conf.d</literal>
or <literal>/run/NetworkManager/conf.d</literal>.
</para>
<para>
NetworkManager can overwrite certain user configuration options via D-Bus or other internal
operations. In this case it writes those changes to <literal>/var/lib/NetworkManager/NetworkManager-intern.conf</literal>.
This file is not intended to be modified by the user, but it is read last and can shadow
user configuration from <literal>NetworkManager.conf</literal>.
</para>
<para>
Certain settings from the configuration can be reloaded at runtime either by sending SIGHUP signal or via
D-Bus' Reload call.
</para>
<para>
NetworkManager does not require any configuration in <literal>NetworkManager.conf</literal>. Depending
on your use case, you may remove all files to restore the default configuration (factory reset). But
note that your distribution or other packages may drop configuration snippets for NetworkManager, such
that they are part of the factory default.
</para>
</refsect1>
<refsect1>
<title>File Format</title>
<para>
The configuration file format is so-called key file (sort of
ini-style format). It consists of sections (groups) of
key-value pairs. Lines beginning with a '#' and blank lines are
considered comments. Sections are started by a header line
containing the section enclosed in '[' and ']', and ended
implicitly by the start of the next section or the end of the
file. Each key-value pair must be contained in a section.
</para>
<para>
For keys that take a list of devices as their value, you can
specify devices by their MAC addresses or interface names, or
"*" to specify all devices. See <xref linkend="device-spec"/>
below.
</para>
<para>
A simple configuration file looks like this:
<programlisting>
[main]
plugins=keyfile
</programlisting>
</para>
<para>
As an extension to the normal keyfile format, you can also
append a value to a previously-set list-valued key by doing:
<programlisting>
plugins+=another-plugin
plugins-=remove-me
</programlisting>
</para>
</refsect1>
<refsect1>
<title><literal>main</literal> section</title>
<variablelist>
<varlistentry>
<term><varname>plugins</varname></term>
<listitem>
<para>
Lists system settings plugin names separated by ','. These
plugins are used to read and write system-wide
connection profiles. When multiple plugins are specified, the
connections are read from all listed plugins. When writing
connections, the plugins will be asked to save the
connection in the order listed here; if the first plugin
cannot write out that connection type (or can't write out
any connections) the next plugin is tried, etc. If none of
the plugins can save the connection, an error is returned
to the user.
</para>
<para>
The default value and the number of available plugins is
distro-specific. See <xref linkend="settings-plugins"/>
below for the available plugins.
Note that NetworkManager's native <literal>keyfile</literal>
plugin is always appended to the end of this list (if it doesn't
already appear earlier in the list).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>monitor-connection-files</varname></term>
<listitem><para>This setting is deprecated and has no effect. Profiles
from disk are never automatically reloaded. Use for example <literal>nmcli connection (re)load</literal>
for that.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>auth-polkit</varname></term>
<listitem><para>Whether the system uses PolicyKit for authorization.
If <literal>true</literal>, non-root requests are authorized using PolicyKit.
Requests from root (user ID zero) are always granted without asking PolicyKit.
If <literal>false</literal>, all requests will be allowed and PolicyKit is
not used. If set to <literal>root-only</literal> PolicyKit is not used and
all requests except root are denied.
The default value is <literal>&NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT_TEXT;</literal>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>dhcp</varname></term>
<listitem><para>This key sets up what DHCP client
NetworkManager will use. Allowed values are
<literal>dhclient</literal>, <literal>dhcpcd</literal>, and
<literal>internal</literal>. The <literal>dhclient</literal>
and <literal>dhcpcd</literal> options require the indicated
clients to be installed. The <literal>internal</literal>
option uses a built-in DHCP client which is not currently as
featureful as the external clients.</para>
<para>If this key is missing, it defaults to <literal>&NM_CONFIG_DEFAULT_MAIN_DHCP;</literal>.
If the chosen plugin is not available, clients are looked for
in this order: <literal>dhclient</literal>, <literal>dhcpcd</literal>,
<literal>internal</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>no-auto-default</varname></term>
<listitem><para>Specify devices for which
NetworkManager shouldn't create default wired connection
(Auto eth0). By default, NetworkManager creates a temporary
wired connection for any Ethernet device that is managed and
doesn't have a connection configured. List a device in this
option to inhibit creating the default connection for the
device. May have the special value <literal>*</literal> to
apply to all devices.</para>
<para>When the default wired connection is deleted or saved
to a new persistent connection by a plugin, the device is
added to a list in the file
<filename>&nmstatedir;/no-auto-default.state</filename>
to prevent creating the default connection for that device
again.</para>
<para>See <xref linkend="device-spec"/> for the syntax how to
specify a device.
</para>
<para>
Example:
<programlisting>
no-auto-default=00:22:68:5c:5d:c4,00:1e:65:ff:aa:ee
no-auto-default=eth0,eth1
no-auto-default=*
</programlisting>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>ignore-carrier</varname></term>
<listitem>
<para>
This setting is deprecated for the per-device setting
<literal>ignore-carrier</literal> which overwrites this setting
if specified (See <xref linkend="ignore-carrier"/>).
Otherwise, it is a list of matches to specify for which device
carrier should be ignored. See <xref linkend="device-spec"/> for the
syntax how to specify a device. Note that master types like
bond, bridge, and team ignore carrier by default. You can however
revert that default using the "except:" specifier (or better,
use the per-device setting instead of the deprecated setting).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>assume-ipv6ll-only</varname></term>
<listitem>
<para>
Specify devices for which NetworkManager will try to
generate a connection based on initial configuration when
the device only has an IPv6 link-local address.
</para>
<para>See <xref linkend="device-spec"/> for the syntax how to
specify a device.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>configure-and-quit</varname></term>
<listitem>
<para>
This option is no longer useful to configure in NetworkManager.conf file.
It can however also be configured on the command line with the same
values, where it has some use.
</para>
<para>
When set to '<literal>initrd</literal>', NetworkManager does not connect
to D-Bus and quits after configuring the network. This is an implementation
detail how the NetworkManager module of dracut can run NetworkManager.
An alternative to this is having NetworkManager as a systemd service
with D-Bus in initrd.
</para>
<para>
The value '<literal>true</literal>' is unsupported since version 1.36.
Previously this was a mode where NetworkManager would quit after configuring
the network and run helper processes for DHCP and SLAAC.
</para>
<para>
Otherwise, NetworkManager runs a system service with D-Bus and does not
quit during normal operation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>hostname-mode</varname></term>
<listitem>
<para>
Set the management mode of the hostname. This parameter will
affect only the transient hostname. If a valid static hostname is set,
NetworkManager will skip the update of the hostname despite the value of
this option. An hostname empty or equal to 'localhost', 'localhost6',
'localhost.localdomain' or 'localhost6.localdomain' is considered invalid.
</para>
<para><literal>default</literal>: NetworkManager will update the
hostname with the one provided via DHCP or reverse DNS lookup of the
IP address on the connection with the default route or on any
connection with the property hostname.only-from-default set to
'<literal>false</literal>'. Connections are considered in order of
increasing value of the <literal>hostname.priority</literal>
property. In case multiple connections have the same priority,
connections activated earlier are considered first. If no hostname can
be determined in such way, the hostname will be updated to the last
one set outside NetworkManager or to 'localhost.localdomain'.
</para>
<para><literal>dhcp</literal>: this is similar to
'<literal>default</literal>', with the difference that after trying to
get the DHCP hostname, reverse DNS lookup is not done. Note that
selecting this option is equivalent to setting the property
'<literal>hostname.from-dns-lookup</literal>' to
'<literal>false</literal>' globally for all connections in
NetworkManager.conf.
</para>
<para><literal>none</literal>: NetworkManager will not manage the transient
hostname and will never set it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>dns</varname></term>
<listitem><para>Set the DNS processing mode.</para>
<para>If the key is unspecified, <literal>default</literal> is used,
unless <filename>/etc/resolv.conf</filename> is a symlink to
<filename>/run/systemd/resolve/stub-resolv.conf</filename>,
<filename>/run/systemd/resolve/resolv.conf</filename>,
<filename>/lib/systemd/resolv.conf</filename> or
<filename>/usr/lib/systemd/resolv.conf</filename>.
In that case, <literal>systemd-resolved</literal> is chosen automatically.
</para>
<para><literal>default</literal>: NetworkManager will update
<filename>/etc/resolv.conf</filename> to reflect the nameservers
provided by currently active connections. The <literal>rc-manager</literal>
setting (below) controls how this is done.</para>
<para><literal>dnsmasq</literal>: NetworkManager will run
dnsmasq as a local caching nameserver, using "Conditional Forwarding"
if you are connected to a VPN, and then update
<filename>resolv.conf</filename> to point to the local
nameserver. It is possible to pass custom options to the
dnsmasq instance by adding them to files in the
"<filename>&sysconfdir;/NetworkManager/dnsmasq.d/</filename>"
directory. Note that when multiple upstream servers are
available, dnsmasq will initially contact them in parallel and
then use the fastest to respond, probing again other servers
after some time. This behavior can be modified passing the
'all-servers' or 'strict-order' options to dnsmasq (see the
manual page for more details).</para>
<para><literal>systemd-resolved</literal>: NetworkManager will
push the DNS configuration to systemd-resolved</para>
<para><literal>none</literal>: NetworkManager will not
modify resolv.conf. This implies
<literal>rc-manager</literal> <literal>unmanaged</literal></para>
<para>Note that the plugins <literal>dnsmasq</literal> and <literal>systemd-resolved</literal>
are caching local nameservers.
Hence, when NetworkManager writes <filename>&nmrundir;/resolv.conf</filename>
and <filename>/etc/resolv.conf</filename> (according to <literal>rc-manager</literal>
setting below), the name server there will be localhost only.
NetworkManager also writes a file <filename>&nmrundir;/no-stub-resolv.conf</filename>
that contains the original name servers pushed to the DNS plugin.</para>
<para>When using <literal>dnsmasq</literal> and <literal>systemd-resolved</literal>,
per-connection added dns servers will always be queried using
the device the connection has been activated on.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>rc-manager</varname></term>
<listitem>
<para>Set the <filename>resolv.conf</filename>
management mode. This option is about how NetworkManager writes to
<filename>/etc/resolv.conf</filename>, if at all.
The default value depends on NetworkManager build
options, and this version of NetworkManager was build with a default of
"<literal>&NM_CONFIG_DEFAULT_MAIN_RC_MANAGER;</literal>".
Regardless of this setting, NetworkManager will
always write its version of resolv.conf to its runtime state directory
as <filename>&nmrundir;/resolv.conf</filename>.
</para>
<para>If you configure <literal>dns=none</literal> or make <filename>/etc/resolv.conf</filename>
immutable with <literal>chattr +i</literal>, NetworkManager will ignore this setting and
always choose <literal>unmanaged</literal> (below).
</para>
<para><literal>auto</literal>: if systemd-resolved plugin is configured via
the <literal>dns</literal> setting or if it gets detected as main DNS plugin,
NetworkManager will update systemd-resolved without touching <filename>/etc/resolv.conf</filename>.
Alternatively, if <literal>resolvconf</literal> or <literal>netconfig</literal> are enabled
at compile time and the respective binary is found, NetworkManager will automatically use it.
Note that if you install or uninstall these binaries, you need to reload the
<literal>rc-manager</literal> setting with SIGHUP or
<literal>systemctl reload NetworkManager</literal>. As last fallback
it uses the <literal>symlink</literal> option (see next).
</para>
<para><literal>symlink</literal>: If <filename>/etc/resolv.conf</filename> is
a regular file or does not exist, NetworkManager will write the file directly.
If <filename>/etc/resolv.conf</filename> is instead a symlink, NetworkManager
will leave it alone. Unless the symlink points to the internal file
<filename>&nmrundir;/resolv.conf</filename>,
in which case the symlink will be updated to emit an inotify notification.
This allows the user to conveniently instruct NetworkManager not
to manage <filename>/etc/resolv.conf</filename> by replacing it with
a symlink.
</para>
<para><literal>file</literal>: NetworkManager will write
<filename>/etc/resolv.conf</filename> as regular file. If it finds
a symlink to an existing target, it will follow the symlink and
update the target instead. In no case will an existing symlink
be replaced by a file. Note that older versions of NetworkManager
behaved differently and would replace dangling symlinks with a
plain file.
</para>
<para><literal>resolvconf</literal>: NetworkManager will run
resolvconf to update the DNS configuration.</para>
<para><literal>netconfig</literal>: NetworkManager will run
netconfig to update the DNS configuration.</para>
<para><literal>unmanaged</literal>: don't touch
<filename>/etc/resolv.conf</filename>.</para>
<para><literal>none</literal>: deprecated alias for
<literal>symlink</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>systemd-resolved</varname></term>
<listitem><para>Additionally, send the connection DNS configuration to
<literal>systemd-resolved</literal>. Defaults to "<literal>true</literal>".
</para>
<para>Note that this setting has no effect if the main <varname>dns</varname>
plugin is already <literal>systemd-resolved</literal>. It is complementary to the
<varname>dns</varname> setting to configure systemd-resolved alongside the
main plugin.</para>
<para>If systemd-resolved is enabled, either via this setting or the main
DNS plugin, the connectivity check resolves the
hostname per-device.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>debug</varname></term>
<listitem><para>Comma separated list of options to aid
debugging. This value will be combined with the environment
variable <literal>NM_DEBUG</literal>. Currently, the following
values are supported:</para>
<para>
<literal>RLIMIT_CORE</literal>: set ulimit -c unlimited
to write out core dumps. Beware, that a core dump can contain
sensitive information such as passwords or configuration settings.
</para>
<para>
<literal>fatal-warnings</literal>: set g_log_set_always_fatal()
to core dump on warning messages from glib. This is equivalent
to the --g-fatal-warnings command line option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>autoconnect-retries-default</varname></term>
<listitem>
<para>
The number of times a connection activation should be
automatically tried before switching to another one. This
value applies only to connections that can auto-connect
and have a
<literal>connection.autoconnect-retries</literal> property
set to -1. If not specified, connections will be tried 4
times. Setting this value to 1 means to try activation once,
without retry.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>firewall-backend</varname></term>
<listitem>
<para>
The firewall backend for configuring masquerading
with shared mode.
Set to either <literal>iptables</literal>, <literal>nftables</literal>
or <literal>none</literal>.
<literal>iptables</literal> and <literal>nftables</literal>
require <literal>iptables</literal> and <literal>nft</literal>
application, respectively.
<literal>none</literal> means to skip firewall configuration if
the users wish to manage firewall themselves.
If unspecified, it will be auto detected.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>iwd-config-path</varname></term>
<listitem>
<para>
If the value is "auto" (the default), IWD is queried for its
current state directory when it appears on D-Bus -- the
directory where IWD keeps its network configuration files --
usually /var/lib/iwd. NetworkManager will then attempt to
write copies of new or modified Wi-Fi connection profiles,
converted into the IWD format, into this directory thus making
IWD connection properties editable. NM will overwrite existing
files without preserving their contents.
</para>
<para>
The path can also be overriden by pointing to a specific
existing and writable directory. On the other hand setting
this to an empty string or any other value disables the
profile conversion mechanism.
</para>
<para>
This mechanism allows editing connection profile settings such
as the 802.1x configuration using NetworkManager clients.
Without it such changes have no effect in IWD.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>migrate-ifcfg-rh</varname></term>
<listitem><para>Whether NetworkManager tries to automatically convert
any connection profile stored in ifcfg-rh format to the keyfile format.
Support for ifcfg-rh is deprecated and will be eventually removed. If
enabled, the migration is performed at every startup of the daemon.
The default value is <literal>&NM_CONFIG_DEFAULT_MAIN_MIGRATE_IFCFG_RH_TEXT;</literal>.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title><literal>keyfile</literal> section</title>
<para>This section contains keyfile-plugin-specific options, and
is normally only used when you are not using any other
distro-specific plugin.</para>
<para>
<variablelist>
<varlistentry>
<term><varname>hostname</varname></term>
<listitem><para>This key is deprecated and has no effect
since the hostname is now stored in <filename>/etc/hostname</filename>
or other system configuration files according to build options.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>path</varname></term>
<listitem>
<para>The location where keyfiles are read and stored.
This defaults to "<filename>&sysconfdir;/NetworkManager/system-connections</filename>".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>rename</varname></term>
<listitem>
<para>
NetworkManager automatically chooses a filename when storing
a new profile to disk. That name depends on the profile's name
(connection.id). When updating a profile's name, the file is
not renamed to not break scripts that rely on the filename
for the profile.
By setting this option to "true", NetworkManager renames
the keyfile on update of the profile, to follow the profile's
name. This defaults to "false".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>unmanaged-devices</varname></term>
<listitem>
<para>Set devices that should be ignored by NetworkManager.
</para>
<para>
A device unmanaged due to this option is strictly
unmanaged and cannot be overruled by using the API like
<command>nmcli device set $IFNAME managed yes</command>.
Also, a device that is unmanaged for other reasons, like
an udev rule, cannot be made managed with this option (e.g. by
using an <literal>except:</literal> specifier).
These two points make it different from the <literal>device*.managed</literal>
option which for that reason may be a better choice.
</para>
<para>See <xref linkend="device-spec"/> for the syntax on how to
specify a device.
</para>
<para>
Example:
<programlisting>
unmanaged-devices=interface-name:em4
unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
</programlisting>
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title><literal>ifupdown</literal> section</title>
<para>This section contains ifupdown-specific options and thus only
has effect when using the <literal>ifupdown</literal> plugin.</para>
<para>
<variablelist>
<varlistentry>
<term><varname>managed</varname></term>
<listitem><para>If set to <literal>true</literal>, then
interfaces listed in
<filename>/etc/network/interfaces</filename> are managed by
NetworkManager. If set to <literal>false</literal>, then
any interface listed in
<filename>/etc/network/interfaces</filename> will be ignored
by NetworkManager. Remember that NetworkManager controls the
default route, so because the interface is ignored,
NetworkManager may assign the default route to some other
interface.</para>
<para>
The default value is <literal>false</literal>.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title><literal>logging</literal> section</title>
<para>
This section controls NetworkManager's logging.
Logging is very important to understand what NetworkManager is doing.
When you report a bug, do not unnecessarily filter or limit the log file.
Just enable <literal>level=TRACE</literal> and <literal>domains=ALL</literal>
to collect everything.
</para>
<para>
The recommended way for enabling logging is with a file <filename>/etc/NetworkManager/conf.d/95-logging.conf</filename>
that contains
<programlisting>
[logging]
level=TRACE
domains=ALL
</programlisting>
and restart the daemon with <command>systemctl restart NetworkManager</command>. Then
reproduce the problem. You can find the logs in syslog (for example
<command>journalctl</command>, or <command>journalctl -u NetworkManager</command>
to show only logs from NetworkManager).
</para>
<para>
Any settings here are overridden by the <option>--log-level</option>
and <option>--log-domains</option> command-line options.
Logging can also be reconfigured at runtime with
<command>nmcli general logging level "$LEVEL" domains "$DOMAINS"</command>.
However, often it is interesting to get a complete log from the
start. Especially, when debugging an issue, enable debug logging
in NetworkManager.conf and restart the service to enable verbose logging
early on.
</para>
<para>
By setting <option>nm.debug</option> on the kernel command line (either from
<filename>&nmrundir;/proc-cmdline</filename> or <filename>/proc/cmdline</filename>),
debug logging is enabled. This overrides both the command-line options and the settings
from NetworkManager.conf.
</para>
<para>
NetworkManager's logging aims not to contain private sensitive data
and you should be fine sharing the debug logs. Still, there will
be IP addresses and your network setup, if you consider that private
then review the log before sharing. However, try not to mangle the logfile
in a way that distorts the meaning too much.
</para>
<para>
NetworkManager uses syslog or systemd-journald, depending on configuration.
In any case, debug logs are verbose and might be rate limited
or filtered by the logging daemon. For systemd-journald, see
<literal>RateLimitIntervalSec</literal> and <literal>RateLimitBurst</literal>
in <literal>journald.conf</literal> manual for how to disable that.
</para>
<para>
<variablelist>
<varlistentry>
<term><varname>level</varname></term>
<listitem><para>The default logging verbosity level.
One of <literal>OFF</literal>, <literal>ERR</literal>,
<literal>WARN</literal>, <literal>INFO</literal>,
<literal>DEBUG</literal>, <literal>TRACE</literal>,
in order of verbosity.
</para>
<para>
<literal>OFF</literal> disables all logging. <literal>INFO</literal>
is the default verbosity for regular operation. <literal>TRACE</literal>
is for debugging.
</para>
<para>
The other levels are in most cases not useful. For example, <literal>DEBUG</literal>
is between <literal>TRACE</literal> and <literal>INFO</literal>, but it's too
verbose for regular operation and lacks possibly interesting messages for debugging.
Almost always, when debugging an issue or reporting a bug, collect full
level <literal>TRACE</literal> logs to get the full picture.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>domains</varname></term>
<listitem>
<para>Filter the messages by their topic. When debugging
an issue, it's better to collect all logs (<literal>ALL</literal> domain)
upfront. The unnecessary parts can always be ignored
later.
</para>
<para>In the uncommon case to tune out certain topics, the following log
domains are available:
PLATFORM, RFKILL, ETHER, WIFI, BT, MB, DHCP4, DHCP6, PPP,
WIFI_SCAN, IP4, IP6, AUTOIP4, DNS, VPN, SHARING, SUPPLICANT,
AGENTS, SETTINGS, SUSPEND, CORE, DEVICE, OLPC, WIMAX,
INFINIBAND, FIREWALL, ADSL, BOND, VLAN, BRIDGE, DBUS_PROPS,
TEAM, CONCHECK, DCB, DISPATCH, AUDIT, SYSTEMD, VPN_PLUGIN,
PROXY.</para>
<para>In addition, these special domains can be used: NONE,
ALL, DEFAULT, DHCP, IP.</para>
<para>You can specify per-domain log level overrides by
adding a colon and a log level to any domain. E.g.,
"<literal>WIFI:DEBUG,WIFI_SCAN:OFF</literal>".
Another example is <literal>ALL,VPN_PLUGIN:TRACE</literal>
to enable all the logging there is (see about <literal>VPN_PLUGIN</literal>
below).
</para>
</listitem>
</varlistentry>
<varlistentry>
<para>Domain descriptions:
<simplelist type="horiz" columns="1">
<member>PLATFORM : OS (platform) operations</member>
<member>RFKILL : RFKill subsystem operations</member>
<member>ETHER : Ethernet device operations</member>
<member>WIFI : Wi-Fi device operations</member>
<member>BT : Bluetooth operations</member>
<member>MB : Mobile broadband operations</member>
<member>DHCP4 : DHCP for IPv4</member>
<member>DHCP6 : DHCP for IPv6</member>
<member>PPP : Point-to-point protocol operations</member>
<member>WIFI_SCAN : Wi-Fi scanning operations</member>
<member>IP4 : IPv4-related operations</member>
<member>IP6 : IPv6-related operations</member>
<member>AUTOIP4 : AutoIP operations</member>
<member>DNS : Domain Name System related operations</member>
<member>VPN : Virtual Private Network connections and operations</member>
<member>SHARING : Connection sharing. With TRACE level log queries for dnsmasq instance</member>
<member>SUPPLICANT : WPA supplicant related operations</member>
<member>AGENTS : Secret agents operations and communication</member>
<member>SETTINGS : Settings/config service operations</member>
<member>SUSPEND : Suspend/resume</member>
<member>CORE : Core daemon and policy operations</member>
<member>DEVICE : Activation and general interface operations</member>
<member>OLPC : OLPC Mesh device operations</member>
<member>WIMAX : WiMAX device operations</member>
<member>INFINIBAND : InfiniBand device operations</member>
<member>FIREWALL : FirewallD related operations</member>
<member>ADSL : ADSL device operations</member>
<member>BOND : Bonding operations</member>
<member>VLAN : VLAN operations</member>
<member>BRIDGE : Bridging operations</member>
<member>DBUS_PROPS : D-Bus property changes</member>
<member>TEAM : Teaming operations</member>
<member>CONCHECK : Connectivity check</member>
<member>DCB : Data Center Bridging (DCB) operations</member>
<member>DISPATCH : Dispatcher scripts</member>
<member>AUDIT : Audit records</member>
<member>SYSTEMD : Messages from internal libsystemd</member>
<member>VPN_PLUGIN : logging messages from VPN plugins</member>
<member>PROXY : logging messages for proxy handling</member>
<member> </member>
<member>NONE : when given by itself logging is disabled</member>
<member>ALL : all log domains</member>
<member>DEFAULT : default log domains</member>
<member>DHCP : shortcut for "DHCP4,DHCP6"</member>
<member>IP : shortcut for "IP4,IP6"</member>
<member> </member>
<member>HW : deprecated alias for "PLATFORM"</member>
</simplelist>
</para>
<para>
In general, the logfile should not contain passwords or private data. However,
you are always advised to check the file before posting it online or attaching
to a bug report. <literal>VPN_PLUGIN</literal> is special as it might reveal
private information of the VPN plugins with verbose levels. Therefore this domain
will be excluded when setting <literal>ALL</literal> or <literal>DEFAULT</literal>
to more verbose levels then <literal>INFO</literal>.
</para>
</varlistentry>
<varlistentry>
<term><varname>backend</varname></term>
<listitem><para>The logging backend. Supported values
are "<literal>syslog</literal>" and "<literal>journal</literal>".
When NetworkManager is started with "<literal>--debug</literal>"
in addition all messages will be printed to stderr.
If unspecified, the default is "<literal>&NM_CONFIG_DEFAULT_LOGGING_BACKEND_TEXT;</literal>".
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>audit</varname></term>
<listitem><para>Whether the audit records are delivered to
auditd, the audit daemon. If <literal>false</literal>, audit
records will be sent only to the NetworkManager logging
system. If set to <literal>true</literal>, they will be also
sent to auditd. The default value is <literal>&NM_CONFIG_DEFAULT_LOGGING_AUDIT_TEXT;</literal>.
</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title><literal>connection</literal> section</title>
<para>Specify default values for connections.
</para>
<para>
Such default values are only consulted if the corresponding per-connection property
explicitly allows for that. That means, all these properties correspond to
a property of the connection profile (for example <literal>connection.mud-url</literal>).
Only if the per-profile property is set to a special value that indicates to use the
default, the default value from NetworkManager.conf is consulted. It depends on the
property, which is the special value that indicates fallback to the default, but it
usually is something like empty, unset values or special numeric values like 0 or -1.
That means the effectively used value can first always be configured for each profile,
and these default values only matter if the per-profile values explicitly indicates
to use the default from <literal>NetworkManager.conf</literal>.
</para>
<para>
Note that while nmcli supports various aliases and convenience features for configuring
properties, the settings in this section do not. For example, enum values usually only
can be configured via their numeric magic number.
</para>
<para>
Example:
<programlisting>
[connection]
ipv6.ip6-privacy=0
</programlisting>
</para>
<refsect2>
<title>Supported Properties</title>
<para>
Not all properties can be overwritten, only the following
properties are supported to have their default values configured
(see <link linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link> for details).
</para>
<para>
<!-- The following comment is used by check-config-options.sh, don't remove it. -->
<!-- start connection defaults -->
<variablelist>
<varlistentry>
<term><varname>802-1x.auth-timeout</varname></term>
</varlistentry>
<varlistentry>
<term><varname>cdma.mtu</varname></term>
</varlistentry>
<varlistentry>
<term><varname>connection.auth-retries</varname></term>
<listitem><para>If left unspecified, the default value is 3 tries before failing the connection.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>connection.autoconnect-slaves</varname></term>
</varlistentry>
<varlistentry>
<term><varname>connection.mud-url</varname></term>
<listitem><para>If unspecified, MUD URL defaults to <literal>"none"</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>connection.lldp</varname></term>
</varlistentry>
<varlistentry>
<term><varname>connection.llmnr</varname></term>
<listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is "yes" (2) and for all other plugins "no" (0).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>connection.mdns</varname></term>
<listitem><para>
Currently only the systemd-resolve DNS plugin supports this setting.
If the setting is unspecified both in the profile and in the global
default here, then the default is determined by systemd-resolved.
See <literal>MulticastDNS=</literal> in
<citerefentry><refentrytitle>resolved.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>connection.mptcp-flags</varname></term>
<listitem><para>If unspecified, the fallback is 0x22 (<literal>"enabled,subflow"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>connection.dns-over-tls</varname></term>
<listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is global setting and for all other plugins "no" (0).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>connection.stable-id</varname></term>
</varlistentry>
<varlistentry>
<term><varname>ethernet.cloned-mac-address</varname></term>
<listitem><para>If left unspecified, it defaults to "preserve".</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ethernet.generate-mac-address-mask</varname></term>
</varlistentry>
<varlistentry>
<term><varname>ethernet.mtu</varname></term>
<listitem><para>If configured explicitly to 0, the MTU is not reconfigured during device activation unless it is required due to IPv6 constraints. If left unspecified, a DHCP/IPv6 SLAAC provided value is used or the MTU is not reconfigured during activation.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ethernet.wake-on-lan</varname></term>
</varlistentry>
<varlistentry>
<term><varname>gsm.mtu</varname></term>
</varlistentry>
<varlistentry>
<term><varname>hostname.from-dhcp</varname></term>
</varlistentry>
<varlistentry>
<term><varname>hostname.from-dns-lookup</varname></term>
</varlistentry>
<varlistentry>
<term><varname>hostname.only-from-default</varname></term>
</varlistentry>
<varlistentry>
<term><varname>hostname.priority</varname></term>
</varlistentry>
<varlistentry>
<term><varname>infiniband.mtu</varname></term>
<listitem><para>If configured explicitly to 0, the MTU is not reconfigured during device activation unless it is required due to IPv6 constraints. If left unspecified, a DHCP/IPv6 SLAAC provided value is used or the MTU is left unspecified on activation.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ip-tunnel.mtu</varname></term>
<listitem><para>If configured explicitly to 0, the MTU is not reconfigured during device activation unless it is required due to IPv6 constraints. If left unspecified, a DHCP/IPv6 SLAAC provided value is used or a default of 1500.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv4.dad-timeout</varname></term>
</varlistentry>
<varlistentry>
<term><varname>ipv4.dhcp-client-id</varname></term>
</varlistentry>
<varlistentry>
<term><varname>ipv4.dhcp-dscp</varname></term>
</varlistentry>
<varlistentry>
<term><varname>ipv4.dhcp-iaid</varname></term>
<listitem><para>If left unspecified, it defaults to "ifname".</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv4.dhcp-hostname-flags</varname></term>
<listitem><para>If left unspecified, the value 3 (fqdn-encoded,fqdn-serv-update) is used.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv4.dhcp-timeout</varname></term>
<listitem><para>If left unspecified, the default value for
the interface type is used.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv4.dhcp-vendor-class-identifier</varname></term>
<listitem><para>If left unspecified, the default is to not send the DHCP option to the server.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv4.dns-priority</varname></term>
<listitem><para>If unspecified or zero, use 50 for VPN profiles
and 100 for other profiles.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv4.required-timeout</varname></term>
</varlistentry>
<varlistentry>
<term><varname>ipv4.link-local</varname></term>
<listitem><para>If left unspecified, fallback to "auto" which makes it dependent on "ipv4.method" setting.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv4.route-metric</varname></term>
</varlistentry>
<varlistentry>
<term><varname>ipv4.route-table</varname></term>
<listitem><para>If left unspecified, routes are only added to the main table. Note that this
is different from explicitly selecting the main table 254, because of how NetworkManager
removes extraneous routes from the tables.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv6.addr-gen-mode</varname></term>
<listitem><para>If the per-profile setting is either "default" or "default-or-eui64", the
global default is used. If the default is unspecified, the fallback value is either "stable-privacy"
or "eui64", depending on whether the per-profile setting is "default" or "default-or-eui64, respectively.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv6.ra-timeout</varname></term>
<listitem><para>If left unspecified, the default value depends on the sysctl solicitation settings.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv6.dhcp-duid</varname></term>
<listitem><para>If left unspecified, it defaults to "lease".</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv6.dhcp-iaid</varname></term>
<listitem><para>If left unspecified, it defaults to "ifname".</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv6.dhcp-hostname-flags</varname></term>
<listitem><para>If left unspecified, the value 1 (fqdn-serv-update) is used.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv6.dhcp-timeout</varname></term>
<listitem><para>If left unspecified, the default value for
the interface type is used.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv6.dns-priority</varname></term>
<listitem><para>If unspecified or zero, use 50 for VPN profiles
and 100 for other profiles.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv6.ip6-privacy</varname></term>
<listitem><para>If <literal>ipv6.ip6-privacy</literal> is unset, use the content of
"/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>ipv6.required-timeout</varname></term>
</varlistentry>
<varlistentry>
<term><varname>ipv6.route-metric</varname></term>
</varlistentry>
<varlistentry>
<term><varname>ipv6.route-table</varname></term>
<listitem><para>If left unspecified, routes are only added to the main table. Note that this
is different from explicitly selecting the main table 254, because of how NetworkManager
removes extraneous routes from the tables.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>loopback.mtu</varname></term>
<listitem><para>If configured explicitly to 0, the MTU is not reconfigured during device activation unless it is required due to IPv6 constraints. If left unspecified, a DHCP/IPv6 SLAAC provided value is used or the MTU is left unspecified on activation.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>macsec.offload</varname></term>
</varlistentry>
<varlistentry>
<term><varname>sriov.autoprobe-drivers</varname></term>
<listitem><para>If left unspecified, drivers are autoprobed when the SR-IOV VF gets created.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>vpn.timeout</varname></term>
<listitem><para>If left unspecified, default value of 60 seconds is used.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi.ap-isolation</varname></term>
<listitem><para>If left unspecified, AP isolation is disabled.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi.cloned-mac-address</varname></term>
<listitem><para>If left unspecified, it defaults to "preserve".</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi.generate-mac-address-mask</varname></term>
</varlistentry>
<varlistentry>
<term><varname>wifi.mac-address-randomization</varname></term>
<listitem><para>If left unspecified, MAC address randomization is disabled.
This setting is deprecated for <literal>wifi.cloned-mac-address</literal>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi.mtu</varname></term>
<listitem><para>If configured explicitly to 0, the MTU is not reconfigured during device activation unless it is required due to IPv6 constraints. If left unspecified, a DHCP/IPv6 SLAAC provided value is used or a default of 1500.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi.powersave</varname></term>
<listitem><para>If left unspecified, the default value
"<literal>ignore</literal>" will be used.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi-sec.pmf</varname></term>
<listitem><para>If left unspecified, the default value
"<literal>optional</literal>" will be used.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi-sec.fils</varname></term>
<listitem><para>If left unspecified, the default value
"<literal>optional</literal>" will be used.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi.wake-on-wlan</varname></term>
</varlistentry>
<varlistentry>
<term><varname>wireguard.mtu</varname></term>
</varlistentry>
</variablelist>
<!-- The following comment is used by check-config-options.sh, don't remove it. -->
<!-- end connection defaults -->
</para>
</refsect2>
<refsect2 id="connection-sections" xreflabel="“Sections” under the section called “CONNECTION SECTION”">
<title>Sections</title>
<para>
You can configure multiple <literal>connection</literal>
sections, by having different sections with a name that all start
with "connection".
Example:
<programlisting>
[connection]
ipv6.ip6-privacy=0
connection.autoconnect-slaves=1
vpn.timeout=120
[connection-wifi-wlan0]
match-device=interface-name:wlan0
ipv4.route-metric=50
[connection-wifi-other]
match-device=type:wifi
ipv4.route-metric=55
ipv6.ip6-privacy=1
</programlisting>
</para>
<para>
The sections within one file are considered in order of appearance, with the
exception that the <literal>[connection]</literal> section is always
considered last. In the example above, this order is <literal>[connection-wifi-wlan0]</literal>,
<literal>[connection-wlan-other]</literal>, and <literal>[connection]</literal>.
When checking for a default configuration value, the sections are searched until
the requested value is found.
In the example above, "ipv4.route-metric" for wlan0 interface is set to 50,
and for all other Wi-Fi typed interfaces to 55. Also, Wi-Fi devices would have
IPv6 private addresses enabled by default, but other devices would have it disabled.
Note that also "wlan0" gets "ipv6.ip6-privacy=1", because although the section
"[connection-wifi-wlan0]" matches the device, it does not contain that property
and the search continues.
</para>
<para>
When having different sections in multiple files, sections from files that are read
later have higher priority. So within one file the priority of the sections is
top-to-bottom. Across multiple files later definitions take precedence.
</para>
<para>
The following properties further control how a connection section applies.
<variablelist>
<varlistentry>
<term><varname>match-device</varname></term>
<listitem><para>An optional device spec that restricts
when the section applies. See <xref linkend="device-spec"/>
for the possible values.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>stop-match</varname></term>
<listitem><para>An optional boolean value which defaults to
<literal>no</literal>. If the section matches (based on
<literal>match-device</literal>), further sections will not be
considered even if the property in question is not present. In
the example above, if <literal>[connection-wifi-wlan0]</literal> would
have <literal>stop-match</literal> set to <literal>yes</literal>,
the device <literal>wlan0</literal> would have <literal>ipv6.ip6-privacy</literal>
property unspecified. That is, the search for the property would not continue
in the connection sections <literal>[connection-wifi-other]</literal>
or <literal>[connection]</literal>.
</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect2>
</refsect1>
<refsect1>
<title><literal>device</literal> section</title>
<para>Contains per-device persistent configuration.
</para>
<para>
Example:
<programlisting>
[device]
match-device=interface-name:eth3
managed=1
</programlisting>
</para>
<refsect2>
<title>Supported Properties</title>
<para>
The following properties can be configured per-device.
<variablelist>
<varlistentry id="managed">
<term><varname>managed</varname></term>
<listitem>
<para>
Whether the device is managed or not. A device can be
marked as managed via udev rules (ENV{NM_UNMANAGED}),
or via setting plugins (keyfile.unmanaged-devices).
This is yet another way. Note that this configuration
can be overruled at runtime via D-Bus. Also, it has
higher priority then udev rules.
</para>
</listitem>
</varlistentry>
<varlistentry id="carrier-wait-timeout">
<term><varname>carrier-wait-timeout</varname></term>
<listitem>
<para>
Specify the timeout for waiting for carrier in milliseconds.
The default is 6000 milliseconds.
This setting exists because certain drivers/hardware can take
a long time to detect whether the cable is plugged in.
</para>
<para>
When the device loses carrier, NetworkManager does not react
immediately. Instead, it waits for this timeout before considering
the link lost.
</para>
<para>
Also, on startup, NetworkManager considers the
device as busy for this time, as long as the device has no carrier.
This delays startup-complete signal and NetworkManager-wait-online.
Configuring this too high means to block NetworkManager-wait-online
longer than necessary when booting with cable unplugged. Configuring
it too low, means that NetworkManager will declare startup-complete too
soon, although carrier is about to come and auto-activation to kick in.
Note that if a profile only has static IP configuration or Layer 3 configuration
disabled, then it can already autoconnect without carrier on the device.
Once such a profile reaches full activated state, startup-complete
is considered as reached even if the device has no carrier yet.
</para>
</listitem>
</varlistentry>
<varlistentry id="ignore-carrier">
<term><varname>ignore-carrier</varname></term>
<listitem>
<para>
Specify devices for which NetworkManager will (partially)
ignore the carrier state. Normally, for
device types that support carrier-detect, such as Ethernet
and InfiniBand, NetworkManager will only allow a
connection to be activated on the device if carrier is
present (ie, a cable is plugged in), and it will
deactivate the device if carrier drops for more than a few
seconds.
</para>
<para>
A device with carrier ignored will allow activating connections on
that device even when it does not have carrier, provided
that the connection uses only statically-configured IP
addresses. Additionally, it will allow any active
connection (whether static or dynamic) to remain active on
the device when carrier is lost.
</para>
<para>
Note that the "carrier" property of NMDevices and device D-Bus
interfaces will still reflect the actual device state; it's just
that NetworkManager will not make use of that information.
</para>
<para>
Master types like bond, bridge and team ignore carrier by default,
while other device types react on carrier changes by default.
</para>
<para>
This setting overwrites the deprecated <literal>main.ignore-carrier</literal>
setting above.
</para>
</listitem>
</varlistentry>
<varlistentry id="keep-configuration">
<term><varname>keep-configuration</varname></term>
<listitem>
<para>
On startup, NetworkManager tries to not interfere with
interfaces that are already configured. It does so by
generating a in-memory connection based on the interface
current configuration.
</para>
<para>
If this generated connection matches one of the existing
persistent connections, the persistent connection gets
activated. If there is no match, the generated
connection gets activated as "external", which means
that the connection is considered as active, but
NetworkManager doesn't actually touch the interface.
</para>
<para>
It is possible to disable this behavior by setting
<literal>keep-configuration</literal> to
<literal>no</literal>. In this way, on startup
NetworkManager always tries to activate the most
suitable persistent connection (the one with highest
autoconnect-priority or, in case of a tie, the one
activated most recently).
</para>
<para>
Note that when NetworkManager gets restarted, it stores
the previous state in
<filename>/run/NetworkManager</filename>; in particular
it saves the UUID of the connection that was previously
active so that it can be activated again after the
restart. Therefore,
<literal>keep-configuration</literal> does not have
any effect on service restart.
</para>
</listitem>
</varlistentry>
<varlistentry id="allowed-connections">
<term><varname>allowed-connections</varname></term>
<listitem>
<para>
A list of connections that can be activated on the
device. See <xref linkend="connection-spec"/> for the
syntax to specify a connection. If this option is not
specified, all connections can be potentially activated
on the device, provided that the connection type and
other settings match.
</para>
<para>
A notable use case for this is to filter which
connections can be activated based on how they were
created; see the <literal>origin</literal> keyword in
<xref linkend="connection-spec"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi.scan-rand-mac-address</varname></term>
<listitem>
<para>
Configures MAC address randomization of a Wi-Fi device during
scanning. This defaults to <literal>yes</literal> in which case
a random, locally-administered MAC address will be used.
The setting <literal>wifi.scan-generate-mac-address-mask</literal>
allows to influence the generated MAC address to use certain vendor
OUIs.
If disabled, the MAC address during scanning is left unchanged to
whatever is configured.
For the configured MAC address while the device is associated, see instead
the per-connection setting <literal>wifi.cloned-mac-address</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry id="wifi.backend">
<term><varname>wifi.backend</varname></term>
<listitem>
<para>
Specify the Wi-Fi backend used for the device. Currently, supported
are <literal>wpa_supplicant</literal> and <literal>iwd</literal> (experimental).
If unspecified, the default is "<literal>&NM_CONFIG_DEFAULT_WIFI_BACKEND_TEXT;</literal>".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi.scan-generate-mac-address-mask</varname></term>
<listitem>
<para>
Like the per-connection settings <literal>ethernet.generate-mac-address-mask</literal>
and <literal>wifi.generate-mac-address-mask</literal>, this allows to configure the
generated MAC addresses during scanning. See <citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>wifi.iwd.autoconnect</varname></term>
<listitem>
<para>
If <literal>wifi.backend</literal> is <literal>iwd</literal>, setting this to
<literal>false</literal> forces IWD's autoconnect mechanism to be disabled for
this device and connections will only be initiated by NetworkManager whether
commanded by a client or automatically. Leaving it <literal>true</literal> (default)
stops NetworkManager from automatically initiating connections and allows
IWD to use its network ranking and scanning logic to decide the best networks
to autoconnect to next. Connections' <literal>autoconnect-priority</literal>,
<literal>autoconnect-retries</literal> settings will be ignored. Other settings
like <literal>permissions</literal> or <literal>multi-connect</literal> may interfere
with IWD connection attempts.
</para>
</listitem>
</varlistentry>
<varlistentry id="sriov-num-vfs">
<term><varname>sriov-num-vfs</varname></term>
<listitem>
<para>
Specify the number of virtual functions (VF) to enable
for a PCI physical device that supports single-root I/O
virtualization (SR-IOV).
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect2>
<refsect2>
<title>Sections</title>
<para>
The <literal>[device]</literal> section works the same as the <literal>[connection]</literal> section.
That is, multiple sections that all start with the prefix "device" can be specified.
The settings "match-device" and "stop-match" are available to match a device section
on a device. The order of multiple sections is also top-down within the file and
later files overwrite previous settings. See <xref linkend="connection-sections"/>
for details.
</para>
</refsect2>
</refsect1>
<refsect1>
<title><literal>connectivity</literal> section</title>
<para>This section controls NetworkManager's optional connectivity
checking functionality. This allows NetworkManager to detect
whether or not the system can actually access the internet or
whether it is behind a captive portal.</para>
<para>Connectivity checking serves two purposes. For one, it exposes
a connectivity state on D-Bus, which other applications may use. For example,
Gnome's portal helper uses this as signal to show a captive portal login
page.
The other use is that default-route of devices without global connectivity
get a penalty of +20000 to the route-metric. This has the purpose to give a
better default-route to devices that have global connectivity. For example,
when being connected to WWAN and to a Wi-Fi network which is behind a captive
portal, WWAN still gets preferred until login.</para>
<para>Note that your distribution might set <literal>/proc/sys/net/ipv4/conf/*/rp_filter</literal> to
strict filtering. That works badly with per-device connectivity checking,
which uses SO_BINDDEVICE to send requests on all devices. A strict rp_filter
setting will reject any response and the connectivity check on all but the
best route will fail.</para>
<para>
<variablelist>
<varlistentry>
<term><varname>enabled</varname></term>
<listitem><para>Whether connectivity check is enabled.
Note that to enable connectivity check, a valid uri must
also be configured. The value defaults to true, but since
the uri is unset by default, connectivity check may be disabled.
The main purpose of this option is to have a single flag
to disable connectivity check. Note that this setting can
also be set via D-Bus API at runtime. In that case, the value gets
stored in <filename>/var/lib/NetworkManager/NetworkManager-intern.conf</filename>
file.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>uri</varname></term>
<listitem><para>The URI of a web page to periodically
request when connectivity is being checked. This page
should return the header "X-NetworkManager-Status" with a
value of "online". Alternatively, its body content should
be set to "NetworkManager is online". The body content
check can be controlled by the <literal>response</literal>
option. If this option is blank or missing, connectivity
checking is disabled.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>interval</varname></term>
<listitem><para>Specified in seconds; controls how often
connectivity is checked when a network connection exists. If
set to 0 connectivity checking is disabled. If missing, the
default is 300 seconds.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>response</varname></term>
<listitem><para>If set, controls what body content
NetworkManager checks for when requesting the URI for
connectivity checking. Note that this only compares
that the HTTP response starts with the specifid text,
it does not compare the exact string. This behavior
might change in the future, so avoid relying on it.
If missing, the response defaults to "NetworkManager is online".
If set to empty, the HTTP server is expected to answer with
status code 204 or send no data.</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title><literal>global-dns</literal> section</title>
<para>This section specifies DNS settings that are applied
globally, in addition to connection-specific ones.</para>
<para>
<variablelist>
<varlistentry>
<term><varname>searches</varname></term>
<listitem>
<para>
A list of search domains to be used during hostname lookup.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>options</varname></term>
<listitem>
<para>
A list of options to be passed to the hostname resolver.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title><literal>global-dns-domain</literal> sections</title>
<para>Sections with a name starting with the "global-dns-domain-"
prefix allow to define global DNS configuration for specific
domains. The part of section name after "global-dns-domain-"
specifies the domain name a section applies to (for example, a
section could be named "global-dns-domain-foobar.com"). More
specific domains have the precedence over less specific ones and
the default domain is represented by the wildcard "*".
To be valid, global DNS domains must include a section for the
default domain "*". When the global DNS domains are valid, the
name servers and domains defined globally override the ones from
active connections.
</para>
<para>
<variablelist>
<varlistentry>
<term><varname>servers</varname></term>
<listitem>
<para>
A list of addresses of DNS servers to be used for the given domain.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>options</varname></term>
<listitem>
<para>
A list of domain-specific DNS options. Not used at the moment.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title><literal>.config</literal> sections</title>
<para>This is a special section that contains options which apply
to the configuration file that contains the option.
</para>
<para>
<variablelist>
<varlistentry>
<term><varname>enable</varname></term>
<listitem>
<para>
Defaults to "<literal>true</literal>". If "<literal>false</literal>",
the configuration file will be skipped during loading.
Note that the main configuration file <literal>NetworkManager.conf</literal>
cannot be disabled.
<programlisting>
# always skip loading the config file
[.config]
enable=false
</programlisting>
</para>
<para>
You can also match against the version of NetworkManager. For example
the following are valid configurations:
<programlisting>
# only load on version 1.0.6
[.config]
enable=nm-version:1.0.6
# load on all versions 1.0.x, but not 1.2.x
[.config]
enable=nm-version:1.0
# only load on versions >= 1.1.6. This does not match
# with version 1.2.0 or 1.4.4. Only the last digit is considered.
[.config]
enable=nm-version-min:1.1.6
# only load on versions >= 1.2. Contrary to the previous
# example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.
[.config]
enable=nm-version-min:1.2
# Match against the maximum allowed version. The example matches
# versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
# is allowed to be smaller. So this would not match on 1.1.10.
[.config]
enable=nm-version-max:1.2.6
</programlisting>
</para>
<para>
You can also match against the value of the environment variable
<literal>NM_CONFIG_ENABLE_TAG</literal>, like:
<programlisting>
# only load the file when running NetworkManager with
# environment variable "NM_CONFIG_ENABLE_TAG=TAG1"
[.config]
enable=env:TAG1
</programlisting>
</para>
<para>
More then one match can be specified. The configuration will be
enabled if one of the predicates matches ("or"). The special prefix "except:" can
be used to negate the match. Note that if one except-predicate
matches, the entire configuration will be disabled.
In other words, a except predicate always wins over other predicates.
If the setting only consists of "except:" matches and none of the
negative conditions are satisfied, the configuration is still enabled.
<programlisting>
# enable the configuration either when the environment variable
# is present or the version is at least 1.2.0.
[.config]
enable=env:TAG2,nm-version-min:1.2
# enable the configuration for version >= 1.2.0, but disable
# it when the environment variable is set to "TAG3"
[.config]
enable=except:env:TAG3,nm-version-min:1.2
# enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
# Useful if a certain feature is only present since those releases.
[.config]
enable=nm-version-min:1.3,nm-version-min:1.2.6,nm-version-min:1.0.16
</programlisting>
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 id="settings-plugins">
<title>Plugins</title>
<para>
Settings plugins for reading and writing connection profiles. The number of
available plugins is distribution specific.
</para>
<variablelist>
<varlistentry>
<term><varname>keyfile</varname></term>
<listitem>
<para>
The <literal>keyfile</literal> plugin is the generic
plugin that supports all the connection types and
capabilities that NetworkManager has. It writes files out
in an .ini-style format in
<filename>/etc/NetworkManager/system-connections</filename>.
See <link linkend='nm-settings-keyfile'><citerefentry><refentrytitle>nm-settings-keyfile</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
for details about the file format.
</para>
<para>
The stored connection file may contain passwords, secrets and
private keys in plain text, so it will be made readable only to
root, and the plugin will ignore files that are readable or
writable by any user or group other than root. See "Secret flag types"
in <link linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
for how to avoid storing passwords in plain text.
</para>
<para>
This plugin is always active, and will automatically be
used to store any connections that aren't supported by any
other active plugin.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>ifcfg-rh</varname></term>
<listitem>
<para>
This plugin is now deprecated; it can be used on the
Fedora and Red Hat Enterprise Linux distributions to read
and write configuration from the standard
<filename>/etc/sysconfig/network-scripts/ifcfg-*</filename>
files. It currently supports reading Ethernet, Wi-Fi,
InfiniBand, VLAN, Bond, Bridge, and Team connections.
Enabling <literal>ifcfg-rh</literal> implicitly enables
<literal>ibft</literal> plugin, if it is available.
This can be disabled by adding <literal>no-ibft</literal>.
See <filename>/usr/share/doc/initscripts/sysconfig.txt</filename>
and <link linkend='nm-settings-ifcfg-rh'><citerefentry><refentrytitle>nm-settings-ifcfg-rh</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
for more information about the ifcfg file format.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>ifupdown</varname></term>
<listitem>
<para>
This plugin is used on the Debian and Ubuntu
distributions, and reads Ethernet and Wi-Fi connections
from <filename>/etc/network/interfaces</filename>.
</para>
<para>
This plugin is read-only; any connections (of any type)
added from within NetworkManager when you are using this
plugin will be saved using the <literal>keyfile</literal>
plugin instead.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>ibft</varname>, <varname>no-ibft</varname></term>
<listitem>
<para>
These plugins are deprecated and their selection has no effect.
This is now handled by nm-initrd-generator.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>ifcfg-suse</varname>, <varname>ifnet</varname></term>
<listitem>
<para>
These plugins are deprecated and their selection has no effect.
The <literal>keyfile</literal> plugin should be used
instead.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Appendix</title>
<refsect2 id="device-spec">
<title>Device List Format</title>
<para>
The configuration options <literal>main.no-auto-default</literal>, <literal>main.ignore-carrier</literal>,
<literal>keyfile.unmanaged-devices</literal>, <literal>connection*.match-device</literal> and
<literal>device*.match-device</literal> select devices based on a list of matchings.
Devices can be specified using the following format:
</para>
<para>
<variablelist>
<varlistentry>
<term>*</term>
<listitem><para>Matches every device.</para></listitem>
</varlistentry>
<varlistentry>
<term>IFNAME</term>
<listitem><para>Case sensitive match of interface name of the device. Globbing is not supported.</para></listitem>
</varlistentry>
<varlistentry>
<term>HWADDR</term>
<listitem><para>Match the permanent MAC address of the device. Globbing is not supported</para></listitem>
</varlistentry>
<varlistentry>
<term>interface-name:IFNAME</term>
<term>interface-name:~IFNAME</term>
<listitem><para>Case sensitive match of interface name of the device. Simple globbing is supported with
<literal>*</literal> and <literal>?</literal>. Ranges and escaping is not supported.</para></listitem>
</varlistentry>
<varlistentry>
<term>interface-name:=IFNAME</term>
<listitem><para>Case sensitive match of interface name of the device. Globbing is disabled and <literal>IFNAME</literal>
is taken literally.</para></listitem>
</varlistentry>
<varlistentry>
<term>mac:HWADDR</term>
<listitem><para>Match the permanent MAC address of the device. Globbing is not supported</para></listitem>
</varlistentry>
<varlistentry>
<term>s390-subchannels:HWADDR</term>
<listitem><para>Match the device based on the subchannel address. Globbing is not supported</para></listitem>
</varlistentry>
<varlistentry>
<term>type:TYPE</term>
<listitem><para>Match the device type. Valid type names are as reported by "<literal>nmcli -f GENERAL.TYPE device show</literal>".
Globbing is not supported.</para></listitem>
</varlistentry>
<varlistentry>
<term>driver:DRIVER</term>
<listitem><para>Match the device driver as reported by "<literal>nmcli -f GENERAL.DRIVER,GENERAL.DRIVER-VERSION device show</literal>".
"<literal>DRIVER</literal>" must match the driver name exactly and does not support globbing.
Optionally, a driver version may be specified separated by '/'. Globbing is supported for the version.
</para></listitem>
</varlistentry>
<varlistentry>
<term>dhcp-plugin:DHCP</term>
<listitem><para>Match the configured DHCP plugin "<literal>main.dhcp</literal>".
</para></listitem>
</varlistentry>
<varlistentry>
<term>except:SPEC</term>
<listitem><para>Negative match of a device. <literal>SPEC</literal> must be explicitly qualified with
a prefix such as <literal>interface-name:</literal>. A negative match has higher priority then the positive
matches above.</para>
<para>If there is a list consisting only of negative matches, the behavior is the same as if there
is also match-all. That means, if none of all the negative matches is satisfied, the overall result is
still a positive match. That means, <literal>"except:interface-name:eth0"</literal> is the same as
<literal>"*,except:interface-name:eth0"</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term>SPEC[,;]SPEC</term>
<listitem><para>Multiple specs can be concatenated with commas or semicolons. The order does not matter as
matches are either inclusive or negative (<literal>except:</literal>), with negative matches having higher
priority.
</para>
<para>Backslash is supported to escape the separators ';' and ',', and to express special
characters such as newline ('\n'), tabulator ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
interface names cannot be escaped. Whitespace is not a separator but will be trimmed between
two specs (unless escaped as '\s').
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
Example:
<programlisting>
interface-name:em4
mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth2
interface-name:vboxnet*,except:interface-name:vboxnet2
*,except:mac:00:22:68:1c:59:b1
</programlisting>
</para>
</refsect2>
<refsect2 id="connection-spec">
<title>Connection List Format</title>
<para>
Connections can be specified using the following format:
</para>
<para>
<variablelist>
<varlistentry>
<term>*</term>
<listitem><para>Matches every connection.</para></listitem>
</varlistentry>
<varlistentry>
<term>uuid:UUID</term>
<listitem><para>Match the connection by UUID, for example
<literal>"uuid:83037490-1d17-4986-a397-01f1db3a7fc2"</literal></para></listitem>
</varlistentry>
<varlistentry>
<term>id=ID</term>
<listitem><para>Match the connection by name.</para></listitem>
</varlistentry>
<varlistentry>
<term>origin:ORIGIN</term>
<listitem><para>Match the connection by origin, stored in the
<literal>org.freedesktop.NetworkManager.origin</literal> tag of the user setting. For example, use
<literal>"except:origin:nm-initrd-generator"</literal> to forbid activation of connections created by the
initrd generator.</para></listitem>
</varlistentry>
<varlistentry>
<term>except:SPEC</term>
<listitem><para>Negative match of a connection. A negative match has higher priority then the positive
matches above.</para>
<para>If there is a list consisting only of negative matches, the behavior is the same as if there is also
match-all. That means, if none of all the negative matches is satisfied, the overall result is still a
positive match.</para></listitem>
</varlistentry>
<varlistentry>
<term>SPEC[,;]SPEC</term>
<listitem><para>Multiple specs can be concatenated with commas or semicolons. The order does not matter as
matches are either inclusive or negative (<literal>except:</literal>), with negative matches having higher
priority.</para>
<para>Backslash is supported to escape the separators ';' and ',', and to express special characters such as
newline ('\n'), tabulator ('\t'), whitespace ('\s') and backslash ('\\'). Whitespace is not a separator but
will be trimmed between two specs (unless escaped as '\s').</para></listitem>
</varlistentry>
</variablelist>
</para>
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>8</manvolnum></citerefentry></link>,
<link linkend='nmcli'><citerefentry><refentrytitle>nmcli</refentrytitle><manvolnum>1</manvolnum></citerefentry></link>,
<link linkend='nmcli-examples'><citerefentry><refentrytitle>nmcli-examples</refentrytitle><manvolnum>7</manvolnum></citerefentry></link>,
<link linkend='nm-online'><citerefentry><refentrytitle>nm-online</refentrytitle><manvolnum>1</manvolnum></citerefentry></link>,
<link linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>,
<citerefentry><refentrytitle>nm-applet</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>nm-connection-editor</refentrytitle><manvolnum>1</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>
|
