NetworkManager.conf - NetworkManager configuration file




   NetworkManager.conf is the configuration file for NetworkManager. It is
   used to set up various aspects of NetworkManager's behavior. The
   location of the main file and configuration directories may be changed
   through use of the --config, --config-dir, --system-config-dir, and
   --intern-config arguments for NetworkManager, respectively.

   If a default NetworkManager.conf is provided by your distribution's
   packages, you should not modify it, since your changes may get
   overwritten by package updates. Instead, you can add additional .conf
   files to the /etc/NetworkManager/conf.d directory. These will be read
   in order, with later files overriding earlier ones. Packages might
   install further configuration snippets to
   /usr/lib/NetworkManager/conf.d. This directory is parsed first, even
   before NetworkManager.conf. The loading of a file
   /usr/lib/NetworkManager/conf.d/name.conf can be prevented by adding a
   file /etc/NetworkManager/conf.d/name.conf. In this case, the file from
   the etc configuration shadows the file from the system configuration

   NetworkManager can overwrite certain user configuration options via
   D-Bus or other internal operations. In this case it writes those
   changes to /var/lib/NetworkManager/NetworkManager-intern.conf. This
   file is not intended to be modified by the user, but it is read last
   and can shadow user configuration from NetworkManager.conf.
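   The layering described above, worked through as an added example (not
   part of the original manual page or of NetworkManager's code). It
   assumes that files inside one conf.d directory are read sorted by name,
   handles the "+=" append form described further down, and uses the real
   keys plugins and uri, whose names this copy of the page does not show;
   the file contents are constructed samples.

```python
import configparser

# Default locations named on this page.
SYSTEM_CONF_D = "/usr/lib/NetworkManager/conf.d"
MAIN_CONF = "/etc/NetworkManager/NetworkManager.conf"
USER_CONF_D = "/etc/NetworkManager/conf.d"
INTERN_CONF = "/var/lib/NetworkManager/NetworkManager-intern.conf"


def load_order(system_names, user_names):
    """Return (files in read order, shadowed system files).

    Assumption: files inside one conf.d directory are read sorted by name.
    """
    system = sorted(n for n in system_names if n.endswith(".conf"))
    user = sorted(n for n in user_names if n.endswith(".conf"))
    shadowed = [f"{SYSTEM_CONF_D}/{n}" for n in system if n in user]
    order = [f"{SYSTEM_CONF_D}/{n}" for n in system if n not in user]
    order.append(MAIN_CONF)
    order += [f"{USER_CONF_D}/{n}" for n in user]
    order.append(INTERN_CONF)  # read last, so it can shadow all of the above
    return order, shadowed


def effective_settings(order, read_text):
    """Merge the files in read order.

    read_text(path) returns the file content, or None if the file is absent.
    The result maps (section, key) to (value, file that set it last).
    """
    merged = {}
    for path in order:
        text = read_text(path)
        if text is None:
            continue
        parser = configparser.ConfigParser(
            delimiters=("=",), comment_prefixes=("#",),
            interpolation=None, strict=False)
        parser.optionxform = str  # keep key names case sensitive
        parser.read_string(text, source=path)
        for section in parser.sections():
            for key, value in parser[section].items():
                if key.endswith("+"):  # "key+=value" appends to a list
                    key = key[:-1]
                    previous = merged.get((section, key))
                    if previous and previous[0]:
                        value = previous[0] + "," + value
                merged[(section, key)] = (value, path)
    return merged


def read_from_disk(path):
    """read_text callback for use on a real system."""
    try:
        with open(path, encoding="utf-8") as handle:
            return handle.read()
    except OSError:
        return None


# Constructed sample files (not taken from any real system).
SAMPLE_FILES = {
    f"{SYSTEM_CONF_D}/10-vendor.conf": "[main]\ndhcp=dhclient\n",
    f"{SYSTEM_CONF_D}/20-check.conf":
        "[connectivity]\nuri=http://vendor.example/check\n",
    MAIN_CONF: "[main]\nplugins=ifcfg-rh\n",
    # Same name as the vendor snippet: shadows it and sets nothing itself.
    f"{USER_CONF_D}/20-check.conf": "# intentionally empty\n",
    f"{USER_CONF_D}/90-local.conf":
        "[main]\ndhcp=internal\nplugins+=keyfile\n",
}

if __name__ == "__main__":
    order, shadowed = load_order(["10-vendor.conf", "20-check.conf"],
                                 ["20-check.conf", "90-local.conf"])
    for path in shadowed:
        print("shadowed:", path)
    merged = effective_settings(order, SAMPLE_FILES.get)
    for (section, key), (value, source) in sorted(merged.items()):
        print(f"[{section}] {key}={value}   <- {source}")
```

   On a real system, pass the os.listdir() results of the two conf.d
   directories to load_order() and use read_from_disk as the callback.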

   Certain settings from the configuration can be reloaded at runtime
   either by sending the SIGHUP signal or via the D-Bus Reload call.


   The configuration file uses the so-called key file format (a sort of
   ini-style format). It consists of sections (groups) of key-value pairs. Lines
   beginning with a '#' and blank lines are considered comments. Sections
   are started by a header line containing the section enclosed in '[' and
   ']', and ended implicitly by the start of the next section or the end
   of the file. Each key-value pair must be contained in a section.

   For keys that take a list of devices as their value, you can specify
   devices by their MAC addresses or interface names, or "*" to specify
   all devices. See the section called "Device List Format" below.

   A minimal system settings configuration file looks like this:


   As an extension to the normal keyfile format, you can also append a
   value to a previously-set list-valued key by doing:



       Lists system settings plugin names separated by ','. These plugins
       are used to read and write system-wide connections. When multiple
       plugins are specified, the connections are read from all listed
       plugins. When writing connections, the plugins will be asked to
       save the connection in the order listed here; if the first plugin
       cannot write out that connection type (or can't write out any
       connections) the next plugin is tried, etc. If none of the plugins
       can save the connection, an error is returned to the user.

       If NetworkManager defines a distro-specific network-configuration
       plugin for your system, then that will normally be listed here.
       (See below for the available plugins.) Note that the keyfile plugin
       is always appended to the end of this list (if it doesn't already
       appear earlier in the list), so if there is no distro-specific
       plugin for your system then you can leave this key unset and
       NetworkManager will fall back to using keyfile.

       Whether the configured settings plugin(s) should set up file
       monitors and immediately pick up changes made to connection files
       while NetworkManager is running. This is disabled by default;
       NetworkManager will only read the connection files at startup, and
       when explicitly requested via the ReloadConnections D-Bus call. If
       this key is set to 'true', then NetworkManager will reload
       connection files any time they change. Automatic reloading is not
       advised because there are race conditions involved and it depends
       on how the editor updates the file. In some situations,
       NetworkManager might first delete and add the connection anew,
       instead of updating the existing one. Also, NetworkManager might
       pick up incomplete settings while the user is still editing the

       Whether the system uses PolicyKit for authorization. If false, all
       requests will be allowed. If true, non-root requests are authorized
       using PolicyKit. The default value is true.

       This key sets up what DHCP client NetworkManager will use. Allowed
       values are dhclient, dhcpcd, and internal. The dhclient and dhcpcd
       options require the indicated clients to be installed. The internal
       option uses a built-in DHCP client which is not currently as
       featureful as the external clients.

       If this key is missing, available DHCP clients are looked for in
       this order: dhclient, dhcpcd, internal.

       Specify devices for which NetworkManager shouldn't create a default
       wired connection (Auto eth0). By default, NetworkManager creates a
       temporary wired connection for any Ethernet device that is managed
       and doesn't have a connection configured. List a device in this
       option to inhibit creating the default connection for the device.
       May have the special value * to apply to all devices.

       When the default wired connection is deleted or saved to a new
       persistent connection by a plugin, the device is added to a list in
       the file /var/run/NetworkManager/no-auto-default.state to prevent
       creating the default connection for that device again.

       See the section called "Device List Format" for the syntax used to
       specify a device.



       This setting is deprecated in favor of the per-device setting
       ignore-carrier, which overwrites this setting if specified (See
       ???). Otherwise, it is a list of matches to specify for which
       device carrier should be ignored. See the section called "Device
       List Format" for the syntax used to specify a device.

       Specify devices for which NetworkManager will try to generate a
       connection based on initial configuration when the device only has
       an IPv6 link-local address.

       See the section called "Device List Format" for the syntax used to
       specify a device.

       When set to 'true', NetworkManager quits after performing initial
       network configuration but spawns small helpers to preserve DHCP
       leases and IPv6 addresses. This is useful in environments where
       network setup is more or less static or it is desirable to save
       process time but still handle some dynamic configurations. When
       this option is true, network configuration for WiFi, WWAN,
       Bluetooth, ADSL, and PPPoE interfaces cannot be preserved due to
       their use of external services, and these devices will be
       deconfigured when NetworkManager quits even though other
       interfaces' configuration may be preserved. Also, to preserve DHCP
       addresses the 'dhcp' option must be set to 'internal'. The default
       value of the 'configure-and-quit' option is 'false', meaning that
       NetworkManager will continue running after initial network
       configuration and continue responding to system and hardware
       events, D-Bus requests, and user commands.

       Set the DNS (resolv.conf) processing mode.

       default: NetworkManager will update resolv.conf to reflect the
       nameservers provided by currently active connections. This is the
       default if the key is not specified, unless the system is
       configured to use systemd-resolved; in this case the default is

       dnsmasq: NetworkManager will run dnsmasq as a local caching
       nameserver, using a "split DNS" configuration if you are connected
       to a VPN, and then update resolv.conf to point to the local

       unbound: NetworkManager will talk to unbound and dnssec-triggerd,
       providing a "split DNS" configuration with DNSSEC support. The
       /etc/resolv.conf will be managed by dnssec-trigger daemon.

       systemd-resolved: NetworkManager will push the DNS configuration to

       none: NetworkManager will not modify resolv.conf. This implies
       rc-manager unmanaged

       Set the resolv.conf management mode. The default value depends on
       NetworkManager build options, and this version of NetworkManager
       was built with a default of "symlink". Regardless of this setting,
       NetworkManager will always write resolv.conf to its runtime state

       symlink: NetworkManager will symlink /etc/resolv.conf to its
       private resolv.conf file in the runtime state directory. If
       /etc/resolv.conf already is a symlink pointing to a different
       location, the file will not be modified. This allows the user to
       disable managing by pointing the link /etc/resolv.conf to somewhere

       file: NetworkManager will write /etc/resolv.conf as a file. If it
       finds a symlink, it will follow the symlink and update the target

       resolvconf: NetworkManager will run resolvconf to update the DNS

       netconfig: NetworkManager will run netconfig to update the DNS

       unmanaged: don't touch /etc/resolv.conf.

       none: deprecated alias for symlink.

       Comma separated list of options to aid debugging. This value will
       be combined with the environment variable NM_DEBUG. Currently the
       following values are supported:

       RLIMIT_CORE: set ulimit -c unlimited to write out core dumps.
       Beware that a core dump can contain sensitive information such as
       passwords or configuration settings.

       fatal-warnings: set g_log_set_always_fatal() to core dump on
       warning messages from glib. This is equivalent to the
       --g-fatal-warnings command line option.


   This section contains keyfile-plugin-specific options, and is normally
   only used when you are not using any other distro-specific plugin.

       This key is deprecated and has no effect since the hostname is now
       stored in /etc/hostname or other system configuration files
       according to build options.

       The location where keyfiles are read and stored. This defaults to

       Set devices that should be ignored by NetworkManager.

       See the section called "Device List Format" for the syntax used to
       specify a device.




   This section contains ifupdown-specific options and thus only has
   effect when using the ifupdown plugin.

       If set to true, then interfaces listed in /etc/network/interfaces
       are managed by NetworkManager. If set to false, then any interface
       listed in /etc/network/interfaces will be ignored by
       NetworkManager. Remember that NetworkManager controls the default
       route, so because the interface is ignored, NetworkManager may
       assign the default route to some other interface.

       The default value is false.


   This section controls NetworkManager's logging. Any settings here are
   overridden by the --log-level and --log-domains command-line options.

       The default logging verbosity level. One of OFF, ERR, WARN, INFO,
       DEBUG, TRACE. The ERR level logs only critical errors. WARN logs
       warnings that may reflect operation. INFO logs various
       informational messages that are useful for tracking state and
       operations. DEBUG enables verbose logging for debugging purposes.
       TRACE enables even more verbose logging than the DEBUG level.
       Subsequent levels also log all messages from earlier levels; thus
       setting the log level to INFO also logs error and warning messages.

       The following log domains are available: PLATFORM, RFKILL, ETHER,

       In addition, these special domains can be used: NONE, ALL, DEFAULT,
       DHCP, IP.

       You can specify per-domain log level overrides by adding a colon
       and a log level to any domain. E.g., "WIFI:DEBUG,WIFI_SCAN:OFF".

       Domain descriptions:
           PLATFORM    : OS (platform) operations
           RFKILL      : RFKill subsystem operations
           ETHER       : Ethernet device operations
           WIFI        : Wi-Fi device operations
           BT          : Bluetooth operations
           MB          : Mobile broadband operations
           DHCP4       : DHCP for IPv4
           DHCP6       : DHCP for IPv6
           PPP         : Point-to-point protocol operations
           WIFI_SCAN   : Wi-Fi scanning operations
           IP4         : IPv4-related operations
           IP6         : IPv6-related operations
           AUTOIP4     : AutoIP operations
           DNS         : Domain Name System related operations
           VPN         : Virtual Private Network connections and
           SHARING     : Connection sharing
           SUPPLICANT  : WPA supplicant related operations
           AGENTS      : Secret agents operations and communication
           SETTINGS    : Settings/config service operations
           SUSPEND     : Suspend/resume
           CORE        : Core daemon and policy operations
           DEVICE      : Activation and general interface operations
           OLPC        : OLPC Mesh device operations
           WIMAX       : WiMAX device operations
           INFINIBAND  : InfiniBand device operations
           FIREWALL    : FirewallD related operations
           ADSL        : ADSL device operations
           BOND        : Bonding operations
           VLAN        : VLAN operations
           BRIDGE      : Bridging operations
           DBUS_PROPS  : D-Bus property changes
           TEAM        : Teaming operations
           CONCHECK    : Connectivity check
           DCB         : Data Center Bridging (DCB) operations
           DISPATCH    : Dispatcher scripts
           AUDIT       : Audit records
           SYSTEMD     : Messages from internal libsystemd
           VPN_PLUGIN  : logging messages from VPN plugins

           NONE        : when given by itself logging is disabled
           ALL         : all log domains
           DEFAULT     : default log domains
           DHCP        : shortcut for "DHCP4,DHCP6"
           IP          : shortcut for "IP4,IP6"

           HW          : deprecated alias for "PLATFORM"

       In general, the logfile should not contain passwords or private
       data. However, you are always advised to check the file before
       posting it online or attaching it to a bug report. VPN_PLUGIN is
       special as it might reveal private information of the VPN plugins
       with verbose levels. Therefore this domain will be excluded when
       setting ALL or DEFAULT to more verbose levels than INFO.

       The logging backend. Supported values are "debug", "syslog",
       "journal". "debug" uses syslog and logs to standard error. If
       NetworkManager is started in debug mode (--debug) this option is
       ignored and "debug" is always used. Otherwise, the default is

       Whether the audit records are delivered to auditd, the audit
       daemon. If false, audit records will be sent only to the
       NetworkManager logging system. If set to true, they will be also
       sent to auditd. The default value is false.


   Specify default values for connections.



   Supported Properties
   Not all properties can be overwritten, only the following properties
   are supported to have their default values configured (see
   nm-settings(5) for details). A default value is only consulted if the
   corresponding per-connection value explicitly allows for that.



       If left unspecified, it defaults to "permanent".



       If left unspecified, the default value for the interface type is


       If ipv6.ip6-privacy is unset, use the content of
       "/proc/sys/net/ipv6/conf/default/use_tempaddr" as last fallback.


       If left unspecified, default value of 60 seconds is used.

       If left unspecified, it defaults to "permanent".


       If left unspecified, MAC address randomization is disabled. This
       setting is deprecated in favor of wifi.cloned-mac-address.

       If left unspecified, the default value "ignore" will be used.

   You can configure multiple connection sections by having different
   sections whose names all start with "connection". Example:




   The sections within one file are considered in order of appearance,
   with the exception that the [connection] section is always considered
   last. In the example above, this order is [connection-wifi-wlan0],
   [connection-wifi-other], and [connection]. When checking for a default
   configuration value, the sections are searched until the requested
   value is found. In the example above, "ipv4.route-metric" for the wlan0
   interface is set to 50, and for all other Wi-Fi typed interfaces to 55.
   Also, Wi-Fi devices would have IPv6 private addresses enabled by
   default, but other devices would have it disabled. Note that "wlan0"
   also gets "ipv6.ip6-privacy=1", because although the section
   "[connection-wifi-wlan0]" matches the device, it does not contain that
   property and the search continues.

   When there are different sections in multiple files, sections from files
   that are read later have higher priority. So within one file the
   priority of the sections is top-to-bottom. Across multiple files later
   definitions take precedence.

   The following properties further control how a connection section

       An optional device spec that restricts when the section applies.
       See the section called "Device List Format" for the possible

       An optional boolean value which defaults to no. If the section
       matches (based on match-device), further sections will not be
       considered even if the property in question is not present. In the
       example above, if [connection-wifi-wlan0] had stop-match set
       to yes, the device wlan0 would have the ipv6.ip6-privacy property
       unspecified. That is, the search for the property would not
       continue in the connection sections [connection-wifi-other] or


   Contains per-device persistent configuration.



   Supported Properties
   The following properties can be configured per-device.

       Specify devices for which NetworkManager will (partially) ignore
       the carrier state. Normally, for device types that support
       carrier-detect, such as Ethernet and InfiniBand, NetworkManager
       will only allow a connection to be activated on the device if
       carrier is present (i.e., a cable is plugged in), and it will
       deactivate the device if carrier drops for more than a few seconds.

       A device with carrier ignored will allow activating connections on
       that device even when it does not have carrier, provided that the
       connection uses only statically-configured IP addresses.
       Additionally, it will allow any active connection (whether static
       or dynamic) to remain active on the device when carrier is lost.

       Note that the "carrier" property of NMDevices and device D-Bus
       interfaces will still reflect the actual device state; it's just
       that NetworkManager will not make use of that information.

       This setting overwrites the deprecated main.ignore-carrier setting

       Configures MAC address randomization of a Wi-Fi device during
       scanning. This defaults to yes in which case a random,
       locally-administered MAC address will be used. The setting
       wifi.scan-generate-mac-address-mask allows influencing the
       generated MAC address to use certain vendor OUIs. If disabled, the
       MAC address during scanning is left unchanged to whatever is
       configured. For the configured MAC address while the device is
       associated, see instead the per-connection setting

       Like the per-connection settings ethernet.generate-mac-address-mask
       and wifi.generate-mac-address-mask, this allows configuring the
       generated MAC addresses during scanning. See nm-settings(5) for

   The [device] section works the same as the [connection] section. That
   is, multiple sections that all start with the prefix "device" can be
   specified. The settings "match-device" and "stop-match" are available
   to match a device section on a device. The order of multiple sections
   is also top-down within the file and later files overwrite previous
   settings. See the section called "Sections" for details.


   This section controls NetworkManager's optional connectivity checking
   functionality. This allows NetworkManager to detect whether or not the
   system can actually access the internet or whether it is behind a
   captive portal.

       The URI of a web page to periodically request when connectivity is
       being checked. This page should return the header
       "X-NetworkManager-Status" with a value of "online". Alternatively,
       its body content should be set to "NetworkManager is online". The
       body content check can be controlled by the response option. If
       this option is blank or missing, connectivity checking is disabled.

       Specified in seconds; controls how often connectivity is checked
       when a network connection exists. If set to 0 connectivity checking
       is disabled. If missing, the default is 300 seconds.

       If set, controls what body content NetworkManager checks for when
       requesting the URI for connectivity checking. If missing, defaults
       to "NetworkManager is online".


   This section specifies global DNS settings that override
   connection-specific configuration.

       A list of search domains to be used during hostname lookup.

       A list of options to be passed to the hostname resolver.


   Sections with a name starting with the "global-dns-domain-" prefix
   allow defining global DNS configuration for specific domains. The part
   of the section name after "global-dns-domain-" specifies the domain name
   a section applies to. More specific domains take precedence over less
   specific ones and the default domain is represented by the wildcard
   "*". A default domain section is mandatory.

       A list of addresses of DNS servers to be used for the given domain.

       A list of domain-specific DNS options. Not used at the moment.


   This is a special section that contains options which apply to the
   configuration file that contains the option.

       Defaults to "true". If "false", the configuration file will be
       skipped during loading. Note that the main configuration file
       NetworkManager.conf cannot be disabled.

           # always skip loading the config file

       You can also match against the version of NetworkManager. For
       example the following are valid configurations:

           # only load on version 1.0.6

           # load on all versions 1.0.x, but not 1.2.x

           # only load on versions >= 1.1.6. This does not match
           # with version 1.2.0 or 1.4.4. Only the last digit is considered.

           # only load on versions >= 1.2. Contrary to the previous
           # example, this also matches with 1.2.0, 1.2.10, 1.4.4, etc.

           # Match against the maximum allowed version. The example matches
           # versions 1.2.0, 1.2.2, 1.2.4. Again, only the last version digit
           # is allowed to be smaller. So this would not match on 1.1.10.

       You can also match against the value of the environment variable
       NM_CONFIG_ENABLE_TAG, like:

           # always skip loading the file when running NetworkManager with
           # environment variable "NM_CONFIG_ENABLE_TAG=TAG1"

       More than one match can be specified. The configuration will be
       enabled if one of the predicates matches ("or"). The special prefix
       "except:" can be used to negate the match. Note that if one
       except-predicate matches, the entire configuration will be
       disabled. In other words, an except predicate always wins over other

           # enable the configuration either when the environment variable
           # is present or the version is at least 1.2.0.

           # enable the configuration for version >= 1.2.0, but disable
           # it when the environment variable is set to "TAG3"

           # enable the configuration on >= 1.3, >= 1.2.6, and >= 1.0.16.
           # Useful if a certain feature is only present since those releases.
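       The matching rules described in the comments above, implemented as
       an added example (not NetworkManager's own code, and not part of
       the original page). The key name enable and the predicate names
       nm-version, nm-version-min, nm-version-max and env are the real
       ones, but this copy of the page lost them together with the
       example values; only "true" and "false" are handled as plain
       booleans.

```python
import re

# Predicate tag -> comparison applied to the last given version component.
VERSION_TAGS = {
    "nm-version": "eq",
    "nm-version-min": "min",
    "nm-version-max": "max",
}


def parse_version(text):
    """Parse '1', '1.2' or '1.2.4' into a tuple of integers."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version: {text!r}")
    return tuple(int(p) for p in parts)


def version_matches(kind, wanted, current):
    """Only the last component given in `wanted` is compared with <= or >=.

    All components before it must be equal, which is why a minimum of
    1.1.6 does not match 1.2.0 while a minimum of 1.2 does match 1.4.4.
    """
    current = (tuple(current) + (0, 0, 0))[:3]
    last = len(wanted) - 1
    if current[:last] != wanted[:last]:
        return False
    if kind == "min":
        return current[last] >= wanted[last]
    if kind == "max":
        return current[last] <= wanted[last]
    return current[last] == wanted[last]


def config_enabled(enable, nm_version, env_tag=None):
    """Evaluate an enable= value from a [.config] section.

    nm_version is the running version, e.g. "1.2.4"; env_tag is the value
    of NM_CONFIG_ENABLE_TAG, or None when the variable is not set.
    """
    value = enable.strip()
    if value == "true":
        return True
    if value == "false":
        return False
    current = parse_version(nm_version)
    any_positive = False
    for raw in re.split(r"[,;]", value):
        predicate = raw.strip()
        if not predicate:
            continue
        negated = predicate.startswith("except:")
        if negated:
            predicate = predicate[len("except:"):]
        tag, _, arg = predicate.partition(":")
        if tag == "env":
            hit = env_tag is not None and arg == env_tag
        elif tag in VERSION_TAGS:
            hit = version_matches(VERSION_TAGS[tag], parse_version(arg), current)
        else:
            raise ValueError(f"unknown predicate: {raw!r}")
        if hit and negated:
            return False          # an except predicate always wins
        if hit:
            any_positive = True   # positive predicates are OR-ed
    return any_positive


if __name__ == "__main__":
    for version in ("1.1.8", "1.2.0", "1.4.4"):
        print(version, config_enabled("nm-version-min:1.1.6", version),
              config_enabled("nm-version-min:1.2", version))
```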


       The keyfile plugin is the generic plugin that supports all the
       connection types and capabilities that NetworkManager has. It
       writes files out in an .ini-style format in

       The stored connection file may contain passwords and private keys,
       so it will be made readable only to root, and the plugin will
       ignore files that are readable or writable by any user or group
       other than root.

       This plugin is always active, and will automatically be used to
       store any connections that aren't supported by any other active

       This plugin is used on the Fedora and Red Hat Enterprise Linux
       distributions to read and write configuration from the standard
       /etc/sysconfig/network-scripts/ifcfg-* files. It currently supports
       reading Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team
       connections. Enabling ifcfg-rh implicitly enables the ibft plugin, if
       it is available. This can be disabled by adding no-ibft.

       This plugin is deprecated and its selection has no effect. The
       keyfile plugin should be used instead.

       This plugin is used on the Debian and Ubuntu distributions, and
       reads Ethernet and Wi-Fi connections from /etc/network/interfaces.

       This plugin is read-only; any connections (of any type) added from
       within NetworkManager when you are using this plugin will be saved
       using the keyfile plugin instead.

   ibft, no-ibft
       This plugin allows reading iBFT configuration (iSCSI Boot Firmware
       Table). The configuration is read using /sbin/iscsiadm. Users are
       expected to configure iBFT connections via the firmware interfaces.
       If ibft support is available, it is automatically enabled after
       ifcfg-rh. This can be disabled by no-ibft. You can also explicitly
       specify ibft to load the plugin without ifcfg-rh or to change the
       plugin order.

       Note that the ibft plugin uses /sbin/iscsiadm and thus requires
       CAP_SYS_ADMIN capability.


   Device List Format
   The configuration options main.ignore-carrier,
   keyfile.unmanaged-devices, connection*.match-device and
   device*.match-device select devices based on a list of matchings.
   Devices can be specified using the following format:

       Matches every device.

       Case sensitive match of interface name of the device. Globbing is
       not supported.

       Match the permanent MAC address of the device. Globbing is not

   interface-name:IFNAME, interface-name:~IFNAME
       Case sensitive match of interface name of the device. Simple
       globbing is supported with * and ?. Ranges and escaping is not

       Case sensitive match of interface name of the device. Globbing is
       disabled and IFNAME is taken literally.

       Match the permanent MAC address of the device. Globbing is not

       Match the device based on the subchannel address. Globbing is not

       Match the device type. Valid type names are as reported by "nmcli
       -f GENERAL.TYPE device show". Globbing is not supported.

       Negative match of a device. SPEC must be explicitly qualified with
       a prefix such as interface-name:. A negative match has higher
       priority than the positive matches above.

       Multiple specs can be concatenated with commas or semicolons. The
       order does not matter as matches are either inclusive or negative
       (except:), with negative matches having higher priority.

       Backslash is supported to escape the separators ';' and ',', and to
       express special characters such as newline ('\n'), tabulator
       ('\t'), whitespace ('\s') and backslash ('\\'). The globbing of
       interface names cannot be escaped. Whitespace is not a separator
       but will be trimmed between two specs (unless escaped as '\s').
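   The device list matching described in this section, combined with the
   connection section search (match-device, stop-match) described
   earlier, as an added example that is not part of the original page or
   of NetworkManager's code. The sample configuration is constructed from
   the values the text attributes to its example; the type: prefix is
   the real one but is not shown in this copy of the page, and MAC
   address, subchannel and backslash-escape handling are left out.

```python
import configparser
import re

# Constructed sample, mirroring the values the text describes.
SAMPLE_CONF = """
[connection]
ipv6.ip6-privacy=0

[connection-wifi-wlan0]
match-device=interface-name:wlan0
ipv4.route-metric=50

[connection-wifi-other]
match-device=type:wifi
ipv4.route-metric=55
ipv6.ip6-privacy=1
"""


def glob_match(pattern, name):
    """Simple globbing: only '*' and '?' are special, no ranges."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None


def spec_matches(spec, ifname, devtype):
    """Match one positive spec against a device."""
    if spec == "*":
        return True
    if spec.startswith("interface-name:"):
        pattern = spec[len("interface-name:"):]
        if pattern.startswith("="):   # literal form, globbing disabled
            return pattern[1:] == ifname
        if pattern.startswith("~"):   # explicit globbing form
            pattern = pattern[1:]
        return glob_match(pattern, ifname)
    if spec.startswith("type:"):
        return spec[len("type:"):] == devtype
    return spec == ifname             # bare IFNAME, no globbing


def device_matches(spec_list, ifname, devtype):
    """Order does not matter: a matching except: spec always wins."""
    matched = False
    for spec in (s.strip() for s in re.split(r"[,;]", spec_list)):
        if spec.startswith("except:"):
            if spec_matches(spec[len("except:"):], ifname, devtype):
                return False
        elif spec and spec_matches(spec, ifname, devtype):
            matched = True
    return matched


def connection_default(conf_text, prop, ifname, devtype):
    """Return (value, section) for a default, or (None, section or None)."""
    parser = configparser.ConfigParser(
        delimiters=("=",), comment_prefixes=("#",),
        interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(conf_text)
    names = [s for s in parser.sections()
             if s.startswith("connection") and s != "connection"]
    if parser.has_section("connection"):
        names.append("connection")    # always considered last
    for name in names:
        section = parser[name]
        spec = section.get("match-device")
        if spec is not None and not device_matches(spec, ifname, devtype):
            continue
        if prop in section:
            return section[prop], name
        if section.get("stop-match", "no").strip().lower() in ("yes", "true", "1"):
            return None, name         # matched section ends the search
    return None, None


if __name__ == "__main__":
    for dev, kind in (("wlan0", "wifi"), ("wlan1", "wifi"), ("eth0", "ethernet")):
        for prop in ("ipv4.route-metric", "ipv6.ip6-privacy"):
            print(dev, prop, connection_default(SAMPLE_CONF, prop, dev, kind))
```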




   NetworkManager(8), nmcli(1), nmcli-examples(7), nm-online(1),
   nm-settings(5), nm-applet(1), nm-connection-editor(1)

