Provided by: network-manager_1.4.4-1ubuntu3_amd64 bug


       NetworkManager.conf - NetworkManager configuration file




       NetworkManager.conf is the configuration file for NetworkManager. It is
       used to set up various aspects of NetworkManager's behavior. The
       location of the main file and configuration directories may be changed
       through use of the --config, --config-dir, --system-config-dir, and
       --intern-config argument for NetworkManager, respectively.

       If a default NetworkManager.conf is provided by your distribution's
       packages, you should not modify it, since your changes may get
       overwritten by package updates. Instead, you can add additional .conf
       files to the /etc/NetworkManager/conf.d directory. These will be read
       in order, with later files overriding earlier ones. Packages might
       install further configuration snippets to
       /usr/lib/NetworkManager/conf.d. This directory is parsed first, even
       before NetworkManager.conf. The loading of a file
       /usr/lib/NetworkManager/conf.d/name.conf can be prevented by adding a
       file /etc/NetworkManager/conf.d/name.conf. In this case, the file from
       the etc configuration shadows the file from the system configuration

       NetworkManager can overwrite certain user configuration options via
       D-Bus or other internal operations. In this case it writes those
       changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This
       file is not intended to be modified by the user, but it is read last
       and can shadow user configuration from NetworkManager.conf.

       Certain settings from the configuration can be reloaded at runtime
       either by sending SIGHUP signal or via D-Bus' Reload call.


       The configuration file format is so-called key file (sort of ini-style
       format). It consists of sections (groups) of key-value pairs. Lines
       beginning with a '#' and blank lines are considered comments. Sections
       are started by a header line containing the section enclosed in '[' and
       ']', and ended implicitly by the start of the next section or the end
       of the file. Each key-value pair must be contained in a section.

       For keys that take a list of devices as their value, you can specify
       devices by their MAC addresses or interface names, or "*" to specify
       all devices. See the section called “Device List Format” below.

       Minimal system settings configuration file looks like this:


       As an extension to the normal keyfile format, you can also append a
       value to a previously-set list-valued key by doing:



           Lists system settings plugin names separated by ','. These plugins
           are used to read and write system-wide connections. When multiple
           plugins are specified, the connections are read from all listed
           plugins. When writing connections, the plugins will be asked to
           save the connection in the order listed here; if the first plugin
           cannot write out that connection type (or can't write out any
           connections) the next plugin is tried, etc. If none of the plugins
           can save the connection, an error is returned to the user.

           If NetworkManager defines a distro-specific network-configuration
           plugin for your system, then that will normally be listed here.
           (See below for the available plugins.) Note that the keyfile plugin
           is always appended to the end of this list (if it doesn't already
           appear earlier in the list), so if there is no distro-specific
           plugin for your system then you can leave this key unset and
           NetworkManager will fall back to using keyfile.

           Whether the configured settings plugin(s) should set up file
           monitors and immediately pick up changes made to connection files
           while NetworkManager is running. This is disabled by default;
           NetworkManager will only read the connection files at startup, and
           when explicitly requested via the ReloadConnections D-Bus call. If
           this key is set to 'true', then NetworkManager will reload
           connection files any time they changed. Automatic reloading is not
           advised because there are race conditions involved and it depends
           on the way how the editor updates the file. In some situations,
           NetworkManager might first delete and add the connection anew,
           instead of updating the existing one. Also, NetworkManager might
           pick up incomplete settings while the user is still editing the

           Whether the system uses PolicyKit for authorization. If false, all
           requests will be allowed. If true, non-root requests are authorized
           using PolicyKit. The default value is true.

           This key sets up what DHCP client NetworkManager will use. Allowed
           values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd
           options require the indicated clients to be installed. The internal
           option uses a built-in DHCP client which is not currently as
           featureful as the external clients.

           If this key is missing, available DHCP clients are looked for in
           this order: dhclient, dhcpcd, internal.

           Specify devices for which NetworkManager shouldn't create default
           wired connection (Auto eth0). By default, NetworkManager creates a
           temporary wired connection for any Ethernet device that is managed
           and doesn't have a connection configured. List a device in this
           option to inhibit creating the default connection for the device.
           May have the special value * to apply to all devices.

           When the default wired connection is deleted or saved to a new
           persistent connection by a plugin, the device is added to a list in
           the file /var/run/NetworkManager/no-auto-default.state to prevent
           creating the default connection for that device again.

           See the section called “Device List Format” for the syntax how to
           specify a device.



           This setting is deprecated for the per-device setting
           ignore-carrier which overwrites this setting if specified (See
           ???). Otherwise, it is a list of matches to specify for which
           device carrier should be ignored. See the section called “Device
           List Format” for the syntax how to specify a device.

           Specify devices for which NetworkManager will try to generate a
           connection based on initial configuration when the device only has
           an IPv6 link-local address.

           See the section called “Device List Format” for the syntax how to
           specify a device.

           When set to 'true', NetworkManager quits after performing initial
           network configuration but spawns small helpers to preserve DHCP
           leases and IPv6 addresses. This is useful in environments where
           network setup is more or less static or it is desirable to save
           process time but still handle some dynamic configurations. When
           this option is true, network configuration for WiFi, WWAN,
           Bluetooth, ADSL, and PPPoE interfaces cannot be preserved due to
           their use of external services, and these devices will be
           deconfigured when NetworkManager quits even though other
           interface's configuration may be preserved. Also, to preserve DHCP
           addresses the 'dhcp' option must be set to 'internal'. The default
           value of the 'configure-and-quit' option is 'false', meaning that
           NetworkManager will continue running after initial network
           configuration and continue responding to system and hardware
           events, D-Bus requests, and user commands.

           Set the DNS (resolv.conf) processing mode.

           default: NetworkManager will update resolv.conf to reflect the
           nameservers provided by currently active connections. This is the
           default if the key is not specified, unless the system is
           configured to use systemd-resolved; in this case the default is

           dnsmasq: NetworkManager will run dnsmasq as a local caching
           nameserver, using a "split DNS" configuration if you are connected
           to a VPN, and then update resolv.conf to point to the local

           unbound: NetworkManager will talk to unbound and dnssec-triggerd,
           providing a "split DNS" configuration with DNSSEC support. The
           /etc/resolv.conf will be managed by dnssec-trigger daemon.

           systemd-resolved: NetworkManager will push the DNS configuration to

           none: NetworkManager will not modify resolv.conf. This implies
           rc-manager unmanaged

           Set the resolv.conf management mode. The default value depends on
           NetworkManager build options, and this version of NetworkManager
           was build with a default of "symlink". Regardless of this setting,
           NetworkManager will always write resolv.conf to its runtime state

           symlink: NetworkManager will symlink /etc/resolv.conf to its
           private resolv.conf file in the runtime state directory. If
           /etc/resolv.conf already is a symlink pointing to a different
           location, the file will not be modified. This allows the user to
           disable managing by pointing the link /etc/resolv.conf to somewhere

           file: NetworkManager will write /etc/resolv.conf as file. If it
           finds a symlink, it will follow the symlink and update the target

           resolvconf: NetworkManager will run resolvconf to update the DNS

           netconfig: NetworkManager will run netconfig to update the DNS

           unmanaged: don't touch /etc/resolv.conf.

           none: deprecated alias for symlink.

           Comma separated list of options to aid debugging. This value will
           be combined with the environment variable NM_DEBUG. Currently the
           following values are supported:

           RLIMIT_CORE: set ulimit -c unlimited to write out core dumps.
           Beware, that a core dump can contain sensitive information such as
           passwords or configuration settings.

           fatal-warnings: set g_log_set_always_fatal() to core dump on
           warning messages from glib. This is equivalent to the
           --g-fatal-warnings command line option.


       This section contains keyfile-plugin-specific options, and is normally
       only used when you are not using any other distro-specific plugin.

           This key is deprecated and has no effect since the hostname is now
           stored in /etc/hostname or other system configuration files
           according to build options.

           The location where keyfiles are read and stored. This defaults to

           Set devices that should be ignored by NetworkManager.

           See the section called “Device List Format” for the syntax how to
           specify a device.




       This section contains ifupdown-specific options and thus only has
       effect when using the ifupdown plugin.

           If set to true, then interfaces listed in /etc/network/interfaces
           are managed by NetworkManager. If set to false, then any interface
           listed in /etc/network/interfaces will be ignored by
           NetworkManager. Remember that NetworkManager controls the default
           route, so because the interface is ignored, NetworkManager may
           assign the default route to some other interface.

           The default value is false.


       This section controls NetworkManager's logging. Any settings here are
       overridden by the --log-level and --log-domains command-line options.

           The default logging verbosity level. One of OFF, ERR, WARN, INFO,
           DEBUG, TRACE. The ERR level logs only critical errors. WARN logs
           warnings that may reflect operation. INFO logs various
           informational messages that are useful for tracking state and
           operations. DEBUG enables verbose logging for debugging purposes.
           TRACE enables even more verbose logging then DEBUG level.
           Subsequent levels also log all messages from earlier levels; thus
           setting the log level to INFO also logs error and warning messages.

           The following log domains are available: PLATFORM, RFKILL, ETHER,

           In addition, these special domains can be used: NONE, ALL, DEFAULT,
           DHCP, IP.

           You can specify per-domain log level overrides by adding a colon
           and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".

           Domain descriptions:
               PLATFORM    : OS (platform) operations
               RFKILL      : RFKill subsystem operations
               ETHER       : Ethernet device operations
               WIFI        : Wi-Fi device operations
               BT          : Bluetooth operations
               MB          : Mobile broadband operations
               DHCP4       : DHCP for IPv4
               DHCP6       : DHCP for IPv6
               PPP         : Point-to-point protocol operations
               WIFI_SCAN   : Wi-Fi scanning operations
               IP4         : IPv4-related operations
               IP6         : IPv6-related operations
               AUTOIP4     : AutoIP operations
               DNS         : Domain Name System related operations
               VPN         : Virtual Private Network connections and
               SHARING     : Connection sharing
               SUPPLICANT  : WPA supplicant related operations
               AGENTS      : Secret agents operations and communication
               SETTINGS    : Settings/config service operations
               SUSPEND     : Suspend/resume
               CORE        : Core daemon and policy operations
               DEVICE      : Activation and general interface operations
               OLPC        : OLPC Mesh device operations
               WIMAX       : WiMAX device operations
               INFINIBAND  : InfiniBand device operations
               FIREWALL    : FirewallD related operations
               ADSL        : ADSL device operations
               BOND        : Bonding operations
               VLAN        : VLAN operations
               BRIDGE      : Bridging operations
               DBUS_PROPS  : D-Bus property changes
               TEAM        : Teaming operations
               CONCHECK    : Connectivity check
               DCB         : Data Center Bridging (DCB) operations
               DISPATCH    : Dispatcher scripts
               AUDIT       : Audit records
               SYSTEMD     : Messages from internal libsystemd
               VPN_PLUGIN  : logging messages from VPN plugins

               NONE        : when given by itself logging is disabled
               ALL         : all log domains
               DEFAULT     : default log domains
               DHCP        : shortcut for "DHCP4,DHCP6"
               IP          : shortcut for "IP4,IP6"

               HW          : deprecated alias for "PLATFORM"

           In general, the logfile should not contain passwords or private
           data. However, you are always advised to check the file before
           posting it online or attaching to a bug report.  VPN_PLUGIN is
           special as it might reveal private information of the VPN plugins
           with verbose levels. Therefore this domain will be excluded when
           setting ALL or DEFAULT to more verbose levels then INFO.

           The logging backend. Supported values are "debug", "syslog",
           "journal". "debug" uses syslog and logs to standard error. If
           NetworkManager is started in debug mode (--debug) this option is
           ignored and "debug" is always used. Otherwise, the default is

           Whether the audit records are delivered to auditd, the audit
           daemon. If false, audit records will be sent only to the
           NetworkManager logging system. If set to true, they will be also
           sent to auditd. The default value is false.


       Specify default values for connections.



   Supported Properties
       Not all properties can be overwritten, only the following properties
       are supported to have their default values configured (see nm-
       settings(5) for details). A default value is only consulted if the
       corresponding per-connection value explicitly allows for that.



           If left unspecified, it defaults to "permanent".



           If left unspecified, the default value for the interface type is


           If ipv6.ip6-privacy is unset, use the content of
           "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.


           If left unspecified, default value of 60 seconds is used.

           If left unspecified, it defaults to "permanent".


           If left unspecified, MAC address randomization is disabled. This
           setting is deprecated for wifi.cloned-mac-address.

           If left unspecified, the default value "ignore" will be used.

       You can configure multiple connection sections, by having different
       sections with a name that all start with "connection". Example:




       The sections within one file are considered in order of appearance,
       with the exception that the [connection] section is always considered
       last. In the example above, this order is [connection-wifi-wlan0],
       [connection-wlan-other], and [connection]. When checking for a default
       configuration value, the sections are searched until the requested
       value is found. In the example above, "ipv4.route-metric" for wlan0
       interface is set to 50, and for all other Wi-Fi typed interfaces to 55.
       Also, Wi-Fi devices would have IPv6 private addresses enabled by
       default, but other devices would have it disabled. Note that also
       "wlan0" gets "ipv6.ip6-privacy=1", because although the section
       "[connection-wifi-wlan0]" matches the device, it does not contain that
       property and the search continues.

       When having different sections in multiple files, sections from files
       that are read later have higher priority. So within one file the
       priority of the sections is top-to-bottom. Across multiple files later
       definitions take precedence.

       The following properties further control how a connection section

           An optional device spec that restricts when the section applies.
           See the section called “Device List Format” for the possible

           An optional boolean value which defaults to no. If the section
           matches (based on match-device), further sections will not be
           considered even if the property in question is not present. In the
           example above, if [connection-wifi-wlan0] would have stop-match set
           to yes, the device wlan0 would have ipv6.ip6-privacy property
           unspecified. That is, the search for the property would not
           continue in the connection sections [connection-wifi-other] or


       Contains per-device persistent configuration.



   Supported Properties
       The following properties can be configured per-device.

           Specify devices for which NetworkManager will (partially) ignore
           the carrier state. Normally, for device types that support
           carrier-detect, such as Ethernet and InfiniBand, NetworkManager
           will only allow a connection to be activated on the device if
           carrier is present (ie, a cable is plugged in), and it will
           deactivate the device if carrier drops for more than a few seconds.

           A device with carrier ignored will allow activating connections on
           that device even when it does not have carrier, provided that the
           connection uses only statically-configured IP addresses.
           Additionally, it will allow any active connection (whether static
           or dynamic) to remain active on the device when carrier is lost.

           Note that the "carrier" property of NMDevices and device D-Bus
           interfaces will still reflect the actual device state; it's just
           that NetworkManager will not make use of that information.

           This setting overwrites the deprecated main.ignore-carrier setting

           Configures MAC address randomization of a Wi-Fi device during
           scanning. This defaults to yes in which case a random,
           locally-administered MAC address will be used. The setting
           wifi.scan-generate-mac-address-mask allows to influence the
           generated MAC address to use certain vendor OUIs. If disabled, the
           MAC address during scanning is left unchanged to whatever is
           configured. For the configured MAC address while the device is
           associated, see instead the per-connection setting

           Like the per-connection settings ethernet.generate-mac-address-mask
           and wifi.generate-mac-address-mask, this allows to configure the
           generated MAC addresses during scanning. See nm-settings(5) for

       The [device] section works the same as the [connection] section. That
       is, multiple sections that all start with the prefix "device" can be
       specified. The settings "match-device" and "stop-match" are available
       to match a device section on a device. The order of multiple sections
       is also top-down within the file and later files overwrite previous
       settings. See the section called “Sections” for details.


       This section controls NetworkManager's optional connectivity checking
       functionality. This allows NetworkManager to detect whether or not the
       system can actually access the internet or whether it is behind a
       captive portal.

           The URI of a web page to periodically request when connectivity is
           being checked. This page should return the header
           "X-NetworkManager-Status" with a value of "online". Alternatively,
           it's body content should be set to "NetworkManager is online". The
           body content check can be controlled by the response option. If
           this option is blank or missing, connectivity checking is disabled.

           Specified in seconds; controls how often connectivity is checked
           when a network connection exists. If set to 0 connectivity checking
           is disabled. If missing, the default is 300 seconds.

           If set controls what body content NetworkManager checks for when
           requesting the URI for connectivity checking. If missing, defaults
           to "NetworkManager is online"


       This section specifies global DNS settings that override
       connection-specific configuration.

           A list of search domains to be used during hostname lookup.

           A list of of options to be passed to the hostname resolver.


       Sections with a name starting with the "global-dns-domain-" prefix
       allow to define global DNS configuration for specific domains. The part
       of section name after "global-dns-domain-" specifies the domain name a
       section applies to. More specific domains have the precedence over less
       specific ones and the default domain is represented by the wildcard
       "*". A default domain section is mandatory.

           A list of addresses of DNS servers to be used for the given domain.

           A list of domain-specific DNS options. Not used at the moment.


       This is a special section that contains options which apply to the
       configuration file that contains the option.

           Defaults to "true". If "false", the configuration file will be
           skipped during loading. Note that the main configuration file
           NetworkManager.conf cannot be disabled.

               # always skip loading the config file

           You can also match against the version of NetworkManager. For
           example the following are valid configurations:

               # only load on version 1.0.6

               # load on all versions 1.0.x, but not 1.2.x

               # only load on versions >= 1.1.6. This does not match
               # with version 1.2.0 or 1.4.4. Only the last digit is considered.

               # only load on versions >= 1.2. Contrary to the previous
               # example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.

               # Match against the maximum allowed version. The example matches
               # versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
               # is allowed to be smaller. So this would not match match on 1.1.10.

           You can also match against the value of the environment variable
           NM_CONFIG_ENABLE_TAG, like:

               # always skip loading the file when running NetworkManager with
               # environment variable "NM_CONFIG_ENABLE_TAG=TAG1"

           More then one match can be specified. The configuration will be
           enabled if one of the predicates matches ("or"). The special prefix
           "except:" can be used to negate the match. Note that if one
           except-predicate matches, the entire configuration will be
           disabled. In other words, a except predicate always wins over other

               # enable the configuration either when the environment variable
               # is present or the version is at least 1.2.0.

               # enable the configuration for version >= 1.2.0, but disable
               # it when the environment variable is set to "TAG3"

               # enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
               # Useful if a certain feature is only present since those releases.


           The keyfile plugin is the generic plugin that supports all the
           connection types and capabilities that NetworkManager has. It
           writes files out in an .ini-style format in

           The stored connection file may contain passwords and private keys,
           so it will be made readable only to root, and the plugin will
           ignore files that are readable or writable by any user or group
           other than root.

           This plugin is always active, and will automatically be used to
           store any connections that aren't supported by any other active

           This plugin is used on the Fedora and Red Hat Enterprise Linux
           distributions to read and write configuration from the standard
           /etc/sysconfig/network-scripts/ifcfg-* files. It currently supports
           reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team
           connections. Enabling ifcfg-rh implicitly enables ibft plugin, if
           it is available. This can be disabled by adding no-ibft.

           This plugin is deprecated and its selection has no effect. The
           keyfile plugin should be used instead.

           This plugin is used on the Debian and Ubuntu distributions, and
           reads Ethernet and Wi-Fi connections from /etc/network/interfaces.

           This plugin is read-only; any connections (of any type) added from
           within NetworkManager when you are using this plugin will be saved
           using the keyfile plugin instead.

       ibft, no-ibft
           This plugin allows to read iBFT configuration (iSCSI Boot Firmware
           Table). The configuration is read using /sbin/iscsiadm. Users are
           expected to configure iBFT connections via the firmware interfaces.
           If ibft support is available, it is automatically enabled after
           ifcfg-rh. This can be disabled by no-ibft. You can also explicitly
           specify ibft to load the plugin without ifcfg-rh or to change the
           plugin order.

           Note that ibft plugin uses /sbin/iscsiadm and thus requires
           CAP_SYS_ADMIN capability.


   Device List Format
       The configuration options, main.ignore-carrier,
       keyfile.unmanaged-devices, connection*.match-device and
       device*.match-device select devices based on a list of matchings.
       Devices can be specified using the following format:

           Matches every device.

           Case sensitive match of interface name of the device. Globbing is
           not supported.

           Match the permanent MAC address of the device. Globbing is not

       interface-name:IFNAME, interface-name:~IFNAME
           Case sensitive match of interface name of the device. Simple
           globbing is supported with * and ?. Ranges and escaping is not

           Case sensitive match of interface name of the device. Globbing is
           disabled and IFNAME is taken literally.

           Match the permanent MAC address of the device. Globbing is not

           Match the device based on the subchannel address. Globbing is not

           Match the device type. Valid type names are as reported by "nmcli
           -f GENERAL.TYPE device show". Globbing is not supported.

           Negative match of a device.  SPEC must be explicitly qualified with
           a prefix such as interface-name:. A negative match has higher
           priority then the positive matches above.

           Multiple specs can be concatenated with commas or semicolons. The
           order does not matter as matches are either inclusive or negative
           (except:), with negative matches having higher priority.

           Backslash is supported to escape the separators ';' and ',', and to
           express special characters such as newline ('\n'), tabulator
           ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
           interface names cannot be escaped. Whitespace is not a separator
           but will be trimmed between two specs (unless escaped as '\s').




       NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1), nm-
       settings(5), nm-applet(1), nm-connection-editor(1)