nm-settings-ifcfg-rh

nm-settings-ifcfg-rh — Description of ifcfg-rh settings plugin

Description

NetworkManager is based on the concept of connection profiles that contain network configuration (see nm-settings-nmcli(5) for details). The profiles can be stored in various formats. NetworkManager uses plugins for reading and writing the data. The plugins can be configured in NetworkManager.conf(5).

The ifcfg-rh plugin is used on the Fedora and Red Hat Enterprise Linux distributions to read/write configuration from/to the traditional /etc/sysconfig/network-scripts/ifcfg-* files. Each NetworkManager connection maps to one ifcfg-* file, with possible usage of keys-* for passwords, route-* for static IPv4 routes and route6-* for static IPv6 routes. The plugin currently supports reading and writing Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team connections. Unsupported connection types (such as WWAN, PPPoE, VPN, or ADSL) are handled by keyfile plugin (nm-settings-keyfile(5)). The main reason for using ifcfg-rh plugin is the compatibility with legacy configurations for ifup and ifdown (initscripts).

File Format

The ifcfg-rh config format is a simple text file containing VARIABLE="value" lines. The format is described in sysconfig.txt of initscripts package. Note that the configuration files may be sourced by initscripts, so they must be valid shell scripts. That means, for instance, that # character can be used for comments, strings with spaces must be quoted, special characters must be escaped, etc.

Users can create or modify the ifcfg-rh connection files manually, even if that is not the recommended way of managing the profiles. However, if they choose to do that, they must inform NetworkManager about their changes (for example via nmcli con (re)load).

Some ifcfg-rh configuration examples: 

Simple DHCP ethernet configuration:
NAME=ethernet
UUID=1c4ddf70-01bf-46d6-b04f-47e842bd98da
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
ONBOOT=yes
            
Simple ethernet configuration with static IP:
TYPE=Ethernet
BOOTPROTO=none
IPADDR=10.1.0.25
PREFIX=24
GATEWAY=10.1.0.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=ethernet-em2
UUID=51bb3904-c0fc-4dfe-83b2-0a71e7928c13
DEVICE=em2
ONBOOT=yes
            
WPA2 Enterprise WLAN (TTLS with inner MSCHAPV2 authentication):
ESSID="CompanyWLAN"
MODE=Managed
KEY_MGMT=WPA-EAP
TYPE=Wireless
IEEE_8021X_EAP_METHODS=TTLS
IEEE_8021X_IDENTITY=joe
IEEE_8021X_PASSWORD_FLAGS=ask
IEEE_8021X_INNER_AUTH_METHODS=MSCHAPV2
IEEE_8021X_CA_CERT=/home/joe/.cert/company.crt
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=MyCompany
UUID=f79848ff-11a6-4810-9e1a-99039dea84c4
ONBOOT=yes
            
Bridge and bridge port configuration:
ifcfg-bridge:                                ifcfg-bridge-port:
NAME=bridge                                  NAME=bridge007-port-eth0
UUID=4be99ce0-c5b2-4764-8b77-ec226e440125    UUID=3ad56c4a-47e1-419b-b0d4-8ad86eb967a3
DEVICE=bridge007                             DEVICE=eth0
STP=yes                                      ONBOOT=yes
TYPE=Bridge                                  TYPE=Ethernet
BRIDGING_OPTS=priority=32768                 BRIDGE=bridge007
ONBOOT=yes
BOOTPROTO=dhcp

            
Bonding configuration:
ifcfg-BOND:                                  ifcfg-BOND-slave:
NAME=BOND                                    NAME=BOND-slave
UUID=b41888aa-924c-450c-b0f8-85a4f0a51b4a    UUID=9bb048e4-286a-4cc3-b104-007dbd20decb
DEVICE=bond100                               DEVICE=eth0
BONDING_OPTS="mode=balance-rr miimon=100"    ONBOOT=yes
TYPE=Bond                                    TYPE=Ethernet
BONDING_MASTER=yes                           MASTER=bond100
ONBOOT=yes                                   SLAVE=yes
BOOTPROTO=dhcp

            
Team and team port configuration:
ifcfg-my_team0:
DEVICE=team0
TEAM_CONFIG="{ \"device\": \"team0\", \"runner\": {\"name\": \"roundrobin\"}, \"ports\": {\"eth1\": {}, \"eth2\": {}} }"
DEVICETYPE=Team
BOOTPROTO=dhcp
NAME=team0-profile
UUID=1d3460a0-7b37-457f-a300-fe8d92da4807
ONBOOT=yes

ifcfg-my_team0_slave1:
NAME=team0-slave1
UUID=d5aed298-c567-4cc1-b808-6d38ecef9e64
DEVICE=eth1
ONBOOT=yes
TEAM_MASTER=team0
DEVICETYPE=TeamPort

ifcfg-my_team0_slave2:
NAME=team0-slave2
UUID=94e75f4e-e5ad-401c-8962-31e0ae5d2215
DEVICE=eth2
ONBOOT=yes
TEAM_MASTER=team0
DEVICETYPE=TeamPort
            

The UUID values in the config files must be unique. You can use uuidgen command line tool to generate such values. Alternatively, you can leave out UUID entirely. In that case NetworkManager will generate a UUID based on the file name.

Differences against initscripts

The main differences of NetworkManager ifcfg-rh plugin and traditional initscripts are:

NM_CONTROLLED=yes|no

NM_CONTROLLED is NetworkManager-specific variable used by NetworkManager for determining whether the device of the ifcfg file should be managed. NM_CONTROLLED=yes is supposed if the variable is not present in the file. Note that if you have more ifcfg files for a single device, NM_CONTROLLED=no in one of the files will cause the device not to be managed. The profile may not even be the active one.

New variables

NetworkManager has introduced some new variable, not present in initscripts, to be able to store data for its new features. The variables are marked as extensions in the tables below.

Semantic change of variables and differences

NetworkManager changes the semantics for a few variables and there are other behavioral differences.

  • PEERDNS - initscripts interpret PEERDNS=no to mean "never touch resolv.conf". NetworkManager interprets it to say "never add automatic (DHCP, PPP, VPN, etc.) nameservers to resolv.conf".

  • ONBOOT - initscripts use ONBOOT=yes to mark the devices that are to be activated during boot. NetworkManager extends this to also mean that this profile can be used for auto-connecting at any time.

  • BOOTPROTO - NetworkManager supports traditional values none (static), dhcp. But it also allows additional values to enable new addressing methods. They are autoip for IPv4 link-local addressing using Avahi daemon and shared for connection sharing. When shared is used, NetworkManager assigns the interface 10.42.0.1, or it uses the first static address, if configured.

  • HWADDR - initscripts compare the currently set hardware address of a device, while NetworkManager considers the permanent one.

  • NOZEROCONF - initscripts add an on-link route to 169.254.0.0/16 for ethernet profiles that don't explicitly opt-out by setting NOZEROCONF variable. NetworkManager does not do that. Instead a static, manual route with scope=253 (link) should be added to get that behavior.

See the next section for detailed mapping of NetworkManager properties and ifcfg-rh variables. Variable names, format and usage differences in NetworkManager and initscripts are documented in the tables below.

Details

ifcfg-rh plugin variables marked with (+) are NetworkManager specific extensions not understood by traditional initscripts.

Table 11. 802-11-wireless setting

Property Ifcfg-rh Variable Default Description
ssid ESSID   SSID of Wi-Fi network. Example: ESSID="Quick Net"
mode MODE   Wi-Fi network mode. Allowed values: Ad-Hoc, Managed (Auto) [case insensitive]
band BAND(+)   BAND alone is honored, but CHANNEL overrides BAND since it implies a band. Example: BAND=bg Allowed values: a, bg
channel CHANNEL   Channel used for the Wi-Fi communication. Channels greater than 14 mean "a" band, otherwise the band is "bg". Example: CHANNEL=6
bssid BSSID(+)   Restricts association only to a single AP. Example: BSSID=00:1E:BD:64:83:21
rate (none)   This property is deprecated and not handled by ifcfg-rh plugin.
tx-power (none)   This property is deprecated and not handled by ifcfg-rh plugin.
mac-address HWADDR   Hardware address of the device in traditional hex-digits-and-colons notation (e.g. 00:22:68:14:5A:05). Note that for initscripts this is the current MAC address of the device as found during ifup. For NetworkManager this is the permanent MAC address. Or in case no permanent MAC address exists, the MAC address initially configured on the device.
cloned-mac-address MACADDR   Cloned (spoofed) MAC address in traditional hex-digits-and-colons notation (e.g. 00:22:68:14:5A:99).
generate-mac-address-mask GENERATE_MAC_ADDRESS_MASK(+)   the MAC address mask for generating randomized and stable cloned-mac-address.
mac-address-blacklist HWADDR_BLACKLIST(+)   It denies usage of the connection for any device whose address is listed.
seen-bssids (none)   This is not a regular property that would be configured by the user. It is not handled by ifcfg-rh plugin.
mtu MTU   MTU of the wireless interface.
hidden SSID_HIDDEN(+)   Whether the network hides the SSID.
powersave POWERSAVE(+)   Enables or disables Wi-Fi power saving. Example: POWERSAVE=enable Allowed values: default, ignore, enable, disable
mac-address-randomization MAC_ADDRESS_RANDOMIZATION(+)   Enables or disables Wi-Fi MAC address randomization. Example: MAC_ADDRESS_RANDOMIZATION=always Allowed values: default, never, always
ap-isolation AP_ISOLATION(+) missing variable means global default Whether AP isolation is enabled Allowed values: "yes", "no"

Table 12. 802-11-wireless-security setting

Property Ifcfg-rh Variable Default Description
key-mgmt KEY_MGMT(+)   Key management method. Allowed values: none, ieee8021x, owe, wpa-psk, sae, wpa-eap, wpa-eap-suite-b-192
wep-tx-keyidx DEFAULTKEY 1 Index of active WEP key. Note that in ifcfg format the index starts counting at 1, while NetworkManager API otherwise is zero based. Allowed values: 1, 2, 3, 4
auth-alg SECURITYMODE(+)   Authentication algorithm for WEP. Allowed values: restricted, open, leap
proto WPA_ALLOW_WPA(+), WPA_ALLOW_WPA2(+) no Allowed WPA protocols, WPA and WPA2 (RSN). Allowed values: yes, no
pairwise CIPHER_PAIRWISE(+)   Restrict pairwise encryption algorithms, specified as a space separated list. Allowed values: CCMP, TKIP
group CIPHER_GROUP(+)   Restrict group/broadcast encryption algorithms, specified as a space separated list. Allowed values: CCMP, TKIP, WEP40, WEP104
pmf PMF(+)   Enables or disables PMF (802.11w) Example: PMF=required Allowed values: default, disable, optional, required
leap-username IEEE_8021X_IDENTITY(+)   Login name for LEAP.
wep-key0 KEY1, KEY_PASSPHRASE1(+)   The first WEP key (used in most networks). See also DEFAULTKEY for key index.
wep-key1 KEY2, KEY_PASSPHRASE2(+)   WEP key with index 1. See also DEFAULTKEY for key index.
wep-key2 KEY3, KEY_PASSPHRASE3(+)   WEP key with index 2. See also DEFAULTKEY for key index.
wep-key3 KEY4, KEY_PASSPHRASE4(+)   WEP key with index 3. See also DEFAULTKEY for key index.
wep-key-flags WEP_KEY_FLAGS(+)   Password flags for KEY<i>, KEY_PASSPHRASE<i> password. (see the section called “Secret flag types:” for _FLAGS values)
psk WPA_PSK   Pre-Shared-Key for WPA networks.
psk-flags WPA_PSK_FLAGS(+)   Password flags for WPA_PSK_FLAGS. (see the section called “Secret flag types:” for _FLAGS values) Example: WPA_PSK_FLAGS=user
leap-password IEEE_8021X_PASSWORD(+)   Password for LEAP. It can also go to "key-" lookaside file, or it can be owned by a secret agent.
leap-password-flags IEEE_8021X_PASSWORD_FLAGS(+)   Password flags for IEEE_8021X_PASSWORD_FLAGS. (see the section called “Secret flag types:” for _FLAGS values)
wep-key-type KEY<i> or KEY_PASSPHRASE<i>(+); KEY_TYPE(+)   KEY is used for "key" type (10 or 26 hexadecimal characters, or 5 or 13 character string prefixed with "s:"). KEY_PASSPHRASE is used for WEP passphrases. KEY_TYPE specifies the key type and can be either 'key' or 'passphrase'. KEY_TYPE is redundant and can be omitted. Example: KEY1=s:ahoj, KEY1=0a1c45bc02, KEY_PASSPHRASE1=mysupersecretkey
wps-method WPS_METHOD   Used to control the WPS methods to be used Valid values are "default", "auto", "disabled", "pin" and "pbc". If omitted, whatver the AP announces is used. Example: WPS_METHOD=disabled, WPS_METHOD="pin pbc"
fils FILS(+)   Enables or disables FILS (802.11ai) Example: FILS=required Allowed values: default, disable, optional, required

Table 13. 802-1x setting

Property Ifcfg-rh Variable Default Description
eap IEEE_8021X_EAP_METHODS(+)   EAP method for 802.1X authentication. Example: IEEE_8021X_EAP_METHODS=PEAP Allowed values: "LEAP", "PWD", "TLS", "PEAP", "TTLS", "FAST"
identity IEEE_8021X_IDENTITY(+)   Identity for EAP authentication methods. Example: IEEE_8021X_IDENTITY=itsme
anonymous-identity IEEE_8021X_ANON_IDENTITY(+)   Anonymous identity for EAP authentication methods.
pac-file IEEE_8021X_PAC_FILE(+)   File with PAC (Protected Access Credential) for EAP-FAST. Example: IEEE_8021X_PAC_FILE=/home/joe/my-fast.pac
ca-cert IEEE_8021X_CA_CERT(+)   CA certificate for EAP. Example: IEEE_8021X_CA_CERT=/home/joe/cacert.crt
ca-path IEEE_8021X_CA_PATH(+)   The search path for the certificate.
subject-match IEEE_8021X_SUBJECT_MATCH(+)   Substring to match subject of server certificate against. Example: IEEE_8021X_SUBJECT_MATCH="Red Hat"
altsubject-matches IEEE_8021X_ALTSUBJECT_MATCHES(+)   List of strings to be matched against the altSubjectName. Example: IEEE_8021X_ALTSUBJECT_MATCHES="s1.domain.cc"
domain-suffix-match IEEE_8021X_DOMAIN_SUFFIX_MATCH(+)   Suffix to match domain of server certificate against.
domain-match IEEE_8021X_DOMAIN_MATCH(+)   Value to match domain of server certificate against.
client-cert IEEE_8021X_CLIENT_CERT(+)   Client certificate for EAP. Example: IEEE_8021X_CLIENT_CERT=/home/joe/mycert.crt
phase1-peapver IEEE_8021X_PEAP_VERSION(+)   Use to force a specific PEAP version. Allowed values: 0, 1
phase1-peaplabel IEEE_8021X_PEAP_FORCE_NEW_LABEL(+) no Use to force the new PEAP label during key derivation. Allowed values: yes, no
phase1-fast-provisioning IEEE_8021X_FAST_PROVISIONING(+)   Enable in-line provisioning of EAP-FAST credentials. Example: IEEE_8021X_FAST_PROVISIONING="allow-auth allow-unauth" Allowed values: space-separated list of these values [allow-auth, allow-unauth]
phase1-auth-flags IEEE_8021X_PHASE1_AUTH_FLAGS(+)   Authentication flags for the supplicant Example: IEEE_8021X_PHASE1_AUTH_FLAGS="tls-1-0-disable tls-1-1-disable" Allowed values: space-separated list of authentication flags names
phase2-auth IEEE_8021X_INNER_AUTH_METHODS(+)   Inner non-EAP authentication methods for TTLS or the inner EAP authentication method for PEAP. IEEE_8021X_INNER_AUTH_METHODS can contain values both for 'phase2-auth' and 'phase2-autheap' properties. Example: IEEE_8021X_INNER_AUTH_METHODS=PAP Allowed values: "PAP", "CHAP", "MSCHAP", "MSCHAPV2", "GTC", "OTP", "MD5" and "TLS"
phase2-autheap IEEE_8021X_INNER_AUTH_METHODS(+)   Inner EAP-based authentication methods. Note that IEEE_8021X_INNER_AUTH_METHODS is also used for 'phase2-auth' values. Example: IEEE_8021X_INNER_AUTH_METHODS="MSCHAPV2 EAP-TLS" Allowed values: "EAP-MD5", "EAP-MSCHAPV2", "EAP-GTC", "EAP-OTP" and "EAP-TLS"
phase2-ca-path IEEE_8021X_PHASE2_CA_PATH(+)   The search path for the certificate.
phase2-subject-match IEEE_8021X_PHASE2_SUBJECT_MATCH(+)   Substring to match subject of server certificate against. Example: IEEE_8021X_PHASE2_SUBJECT_MATCH="Red Hat"
phase2-altsubject-matches IEEE_8021X_PHASE2_ALTSUBJECT_MATCHES(+)    
phase2-domain-suffix-match IEEE_8021X_PHASE2_DOMAIN_SUFFIX_MATCH(+)   Suffix to match domain of server certificate for phase 2 against.
phase2-domain-match IEEE_8021X_PHASE2_DOMAIN_MATCH(+)   Value to match domain of server certificate for phase 2 against.
phase2-client-cert IEEE_8021X_INNER_CLIENT_CERT(+)   Client certificate for inner EAP method. Example: IEEE_8021X_INNER_CLIENT_CERT=/home/joe/mycert.crt
password IEEE_8021X_PASSWORD(+)   UTF-8 encoded password used for EAP. It can also go to "key-" lookaside file, or it can be owned by a secret agent.
password-flags IEEE_8021X_PASSWORD_FLAGS(+)   Password flags for IEEE_8021X_PASSWORD password. (see the section called “Secret flag types:” for _FLAGS values)
password-raw IEEE_8021X_PASSWORD_RAW(+)   password used for EAP, encoded as a hexadecimal string. It can also go to "key-" lookaside file. Example: IEEE_8021X_PASSWORD_RAW=041c8320083aa4bf
password-raw-flags IEEE_8021X_PASSWORD_RAW_FLAGS(+)   The secret flags for password-raw.
private-key IEEE_8021X_PRIVATE_KEY(+)   Private key for EAP-TLS. Example: IEEE_8021X_PRIVATE_KEY=/home/joe/mykey.p12
private-key-password IEEE_8021X_PRIVATE_KEY_PASSWORD(+)   Password for IEEE_8021X_PRIVATE_KEY. It can also go to "key-" lookaside file, or it can be owned by a secret agent.
private-key-password-flags IEEE_8021X_PRIVATE_KEY_PASSWORD_FLAGS(+)   Password flags for IEEE_8021X_PRIVATE_KEY_PASSWORD password. (see the section called “Secret flag types:” for _FLAGS values)
phase2-private-key IEEE_8021X_INNER_PRIVATE_KEY(+)   Private key for inner authentication method for EAP-TLS.
phase2-private-key-password IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD(+)   Password for IEEE_8021X_INNER_PRIVATE_KEY. It can also go to "key-" lookaside file, or it can be owned by a secret agent.
phase2-private-key-password-flags IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD_FLAGS(+)   Password flags for IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD password. (see the section called “Secret flag types:” for _FLAGS values)
pin IEEE_8021X_PIN(+)   The pin secret used for EAP authentication methods.
pin-flags IEEE_8021X_PIN_FLAGS(+)   The secret flags for the pin property.
system-ca-certs IEEE_8021X_SYSTEM_CA_CERTS(+)   a boolean value.
auth-timeout IEEE_8021X_AUTH_TIMEOUT(+) 0 Timeout in seconds for the 802.1X authentication. Zero means the global default or 25.
optional IEEE_8021X_OPTIONAL(+) default=no   whether the 802.1X authentication is optional

Table 14. 802-3-ethernet setting

Property Ifcfg-rh Variable Default Description
port (none)   The property is not saved by the plugin.
speed ETHTOOL_OPTS   Fixed speed for the ethernet link. It is added as "speed" parameter in the ETHTOOL_OPTS variable.
duplex ETHTOOL_OPTS   Fixed duplex mode for the ethernet link. It is added as "duplex" parameter in the ETHOOL_OPTS variable.
auto-negotiate ETHTOOL_OPTS   Whether link speed and duplex autonegotiation is enabled. It is not saved only if disabled and no values are provided for the "speed" and "duplex" parameters (skips link configuration).
mac-address HWADDR   Hardware address of the device in traditional hex-digits-and-colons notation (e.g. 00:22:68:14:5A:05). Note that for initscripts this is the current MAC address of the device as found during ifup. For NetworkManager this is the permanent MAC address. Or in case no permanent MAC address exists, the MAC address initially configured on the device.
cloned-mac-address MACADDR   Cloned (spoofed) MAC address in traditional hex-digits-and-colons notation (e.g. 00:22:68:14:5A:99).
generate-mac-address-mask GENERATE_MAC_ADDRESS_MASK(+)   the MAC address mask for generating randomized and stable cloned-mac-address.
mac-address-blacklist HWADDR_BLACKLIST(+)   It denies usage of the connection for any device whose address is listed. Example: HWADDR_BLACKLIST="00:22:68:11:69:08 00:11:22:11:44:55"
mtu MTU   MTU of the interface.
s390-subchannels SUBCHANNELS   Subchannels for IBM S390 hosts. Example: SUBCHANNELS=0.0.b00a,0.0.b00b,0.0.b00c
s390-nettype NETTYPE   Network type of the S390 host. Example: NETTYPE=qeth Allowed values: "qeth", "lcs" or "ctc"
s390-options OPTIONS and PORTNAME, CTCPROTO,   S390 device options. All options go to OPTIONS, except for "portname" and "ctcprot" that have their own variables.
wake-on-lan ETHTOOL_OPTS, ETHTOOL_WAKE_ON_LAN   Wake on Lan mode for ethernet. The setting "ignore" is expressed with "ETHTOOL_WAKE_ON_LAN=ignore". Otherwise, the "ETHTOOL_OPTS" variable is set with the value "wol" and several of the characters "p|u|m|b|a|g|s|f|d" as explained in the ethtool manual page.
wake-on-lan-password ETHTOOL_OPTS   Password for secure-on based Wake-on-Lan. It is added as "sopass" parameter in the ETHTOOL_OPTS variable. Example: ETHTOOL_OPTS="wol gs sopass 00:11:22:33:44:55"
accept-all-mac-addresses ACCEPT_ALL_MAC_ADDRESSES   Enforce the interface to accept all the packets.

Table 15. bond setting

Property Ifcfg-rh Variable Default Description
options BONDING_OPTS   Bonding options. Example: BONDING_OPTS="miimon=100 mode=broadcast"

Table 16. bond-port setting

Property Ifcfg-rh Variable Default Description
queue-id BOND_PORT_QUEUE_ID(+) 0 Queue ID. Allowed values: 0 - 65535
prio BOND_PORT_PRIO(+) 0 Port priority. Allowed values: -2147483648 - 2147483647

Table 17. bridge setting

Property Ifcfg-rh Variable Default Description
mac-address BRIDGE_MACADDR(+)   MAC address of the bridge. Note that this requires a recent kernel support, originally introduced in 3.15 upstream kernel) BRIDGE_MACADDR for bridges is an NM extension.
stp STP no Span tree protocol participation.
priority BRIDGING_OPTS: priority= 32768 STP priority. Allowed values: 0 - 32768
forward-delay DELAY 15 STP forwarding delay. Allowed values: 2 - 30
hello-time BRIDGING_OPTS: hello_time= 2 STP hello time. Allowed values: 1 - 10
max-age BRIDGING_OPTS: max_age= 20 STP maximum message age. Allowed values: 6 - 40
ageing-time BRIDGING_OPTS: ageing_time= 300 Ethernet MAC ageing time. Allowed values: 0 - 1000000
multicast-snooping BRIDGING_OPTS: multicast_snooping= 1 IGMP snooping support. Allowed values: 0 or 1
vlan-filtering BRIDGING_OPTS: vlan_filtering= 0 VLAN filtering support. Allowed values: 0 or 1
vlan-default-pvid BRIDGING_OPTS: default_pvid= 1 default VLAN PVID. Allowed values: 0 - 4094
vlans BRIDGE_VLANS   List of VLANs on the bridge Example: BRIDGE_VLANS="1 pvid untagged,20,300-400 untagged"
group-address BRIDGING_OPTS: group_address=   STP group address. Example: BRIDGING_OPTS="group_address=01:80:C2:00:00:0A"
vlan-protocol BRIDGING_OPTS: vlan_protocol=   VLAN filtering protocol. Example: BRIDGING_OPTS="vlan_protocol=802.1Q"
vlan-stats-enabled BRIDGING_OPTS: vlan_stats_enabled= 0 Example: BRIDGING_OPTS="vlan_stats_enabled=1"
multicast-router BRIDGING_OPTS: multicast_router= auto Example: BRIDGING_OPTS="multicast_router=enabled" Allowed values: auto, enabled, disabled
multicast-query-use-ifaddr BRIDGING_OPTS: multicast_query_use_ifaddr= 0 Example: BRIDGING_OPTS="multicast_query-use_ifaddr=1"
multicast-querier BRIDGING_OPTS: multicast_querier= 0 Example: BRIDGING_OPTS="multicast_querier=1"
multicast-hash-max BRIDGING_OPTS: multicast_hash_max= 4096 Example: BRIDGING_OPTS="multicast_hash_max=8192"
multicast-last-member-count BRIDGING_OPTS: multicast_last_member_count= 2 Example: BRIDGING_OPTS="multicast_last_member_count=4"
multicast-last-member-interval BRIDGING_OPTS: multicast_last_member_interval= 100 Example: BRIDGING_OPTS="multicast_last_member_interval=200"
multicast-membership-interval BRIDGING_OPTS: multicast_membership_interval= 26000 Example: BRIDGING_OPTS="multicast_membership_interval=16000"
multicast-querier-interval BRIDGING_OPTS: multicast_querier_interval= 25500 Example: BRIDGING_OPTS="multicast_querier_interval=20000"
multicast-query-interval BRIDGING_OPTS: multicast_query_interval= 12500 Example: BRIDGING_OPTS="multicast_query_interval=22500"
multicast-query-response-interval BRIDGING_OPTS: multicast_query_response_interval= 1000 Example: BRIDGING_OPTS="multicast_query_response_interval=2000"
multicast-startup-query-count BRIDGING_OPTS: multicast_startup_query_count= 2 Example: BRIDGING_OPTS="multicast_startup_query_count=4"
multicast-startup-query-interval BRIDGING_OPTS: multicast_startup_query_interval= 3125 Example: BRIDGING_OPTS="multicast_startup_query_interval=4000"

Table 18. bridge-port setting

Property Ifcfg-rh Variable Default Description
priority BRIDGING_OPTS: priority= 32 STP priority. Allowed values: 0 - 63
path-cost BRIDGING_OPTS: path_cost= 100 STP cost. Allowed values: 1 - 65535
hairpin-mode BRIDGING_OPTS: hairpin_mode= yes Hairpin mode of the bridge port.
vlans BRIDGE_PORT_VLANS   List of VLANs on the bridge port Example: BRIDGE_PORT_VLANS="1 pvid untagged,20,300-400 untagged"

Table 19. connection setting

Property Ifcfg-rh Variable Default Description
id NAME(+)   User friendly name for the connection profile.
uuid UUID(+)   UUID for the connection profile. When missing, NetworkManager creates the UUID itself (by hashing the filename).
stable-id STABLE_ID(+)   Token to generate stable IDs.
interface-name DEVICE   Interface name of the device this profile is bound to. The variable can be left out when the profile should apply for more devices. Note that DEVICE can be required for some connection types.
type TYPE (DEVICETYPE, DEVICE)   Base type of the connection. DEVICETYPE is used for teaming connections. Example: TYPE=Ethernet; TYPE=Bond; TYPE=Bridge; DEVICETYPE=TeamPort Allowed values: Ethernet, Wireless, InfiniBand, Bridge, Bond, Vlan, Team, TeamPort
permissions USERS(+)   Restrict to certain users the access to this connection, and allow the connection to be active only when at least one of the specified users is logged into an active session. Example: USERS="joe bob"
autoconnect ONBOOT yes Whether the connection should be autoconnected (not only while booting).
autoconnect-priority AUTOCONNECT_PRIORITY(+) 0 Connection priority for automatic activation. Connections with higher numbers are preferred when selecting profiles for automatic activation. Example: AUTOCONNECT_PRIORITY=20 Allowed values: -999 to 999
autoconnect-retries AUTOCONNECT_RETRIES(+)   The number of times a connection should be autoactivated before giving up and switching to the next one. Example: AUTOCONNECT_RETRIES=1 Allowed values: -1 (use global default), 0 (forever) or a positive value
multi-connect MULTI_CONNECT(+)   whether the profile can be active on multiple devices at a given moment. The values are numbers corresponding to #NMConnectionMultiConnect enum. Example: MULTI_CONNECT=3
zone ZONE(+)   Trust level of this connection. The string is usually used for a firewall. Example: ZONE=Work
master MASTER, MASTER_UUID, TEAM_MASTER, TEAM_MASTER_UUID, BRIDGE, BRIDGE_UUID   Reference to master connection. The variable used depends on the connection type and the value. In general, if the *_UUID variant is present, the variant without *_UUID is ignored. NetworkManager attempts to write both for compatibility with legacy tooling.
slave-type MASTER, MASTER_UUID, TEAM_MASTER, TEAM_MASTER_UUID, DEVICETYPE, BRIDGE, BRIDGE_UUID   Slave type doesn't map directly to a variable, but it is recognized using different variables. MASTER and MASTER_UUID for bonding, TEAM_MASTER, TEAM_MASTER_UUID and DEVICETYPE for teaming, BRIDGE and BRIDGE_UUID for bridging.
autoconnect-slaves AUTOCONNECT_SLAVES(+) missing variable means global default Whether slaves of this connection should be auto-connected when this connection is activated.
secondaries SECONDARY_UUIDS(+)   UUID of VPN connections that should be activated together with this connection.
gateway-ping-timeout GATEWAY_PING_TIMEOUT(+) 0 If greater than zero, the IP connectivity will be checked by pinging the gateway and waiting for the specified timeout (in seconds). Example: GATEWAY_PING_TIMEOUT=5
metered CONNECTION_METERED(+)   Whether the device is metered Example: CONNECTION_METERED=yes Allowed values: yes,no,unknown
lldp LLDP(+) missing variable means global default whether LLDP is enabled for the connection Example: LLDP=no Allowed values: boolean value or 'rx'
auth-retries AUTH_RETRIES(+) 0 Number of retries for authentication.
mdns MDNS(+) missing variable means global default Whether or not mDNS is enabled for the connection Example: MDNS=yes Allowed values: yes,no,resolve
llmnr LLMNR(+) missing variable means global default Whether or not LLMNR is enabled for the connection Example: LLMNR=yes Allowed values: yes,no,resolve
dns-over-tls DNS_OVER_TLS(+) missing variable means global default Whether or not DNSOverTls is enabled for the connection Allowed values: yes,no,opportunistic
mptcp-flags MPTCP_FLAGS(+) missing variable means global default The MPTCP flags that indicate whether MPTCP is enabled and which flags to use for the address endpoints. Example: MPTCP_FLAGS="signal,subflow"
wait-device-timeout DEVTIMEOUT(+)   for initscripts compatibility, this variable must be a whole integer. If necessary, NetworkManager stores also a fractional component for the milliseconds. Example: DEVTIMEOUT=5 Allowed values: timeout in seconds.
mud-url MUD_URL   MUD_URL to be sent by device (See RFC 8520). Example: https://yourdevice.example.com/model.json Allowed values: a valid URL that points to recommended policy for this device
wait-activation-delay WAIT_ACTIVATION_DELAY(+)   Time in milliseconds to wait for connection to be considered activated. The wait will start after the pre-up dispatcher event. Example: WAIT_ACTIVATION_DELAY=5000 Allowed values: delay in milliseconds.

Table 20. dcb setting

Property Ifcfg-rh Variable Default Description
app-fcoe-flags DCB_APP_FCOE_ENABLE, DCB_APP_FCOE_ADVERTISE, DCB_APP_FCOE_WILLING no FCOE flags. Example: DCB_APP_FCOE_ENABLE=yes DCB_APP_FCOE_ADVERTISE=yes
app-fcoe-priority DCB_APP_FCOE_PRIORITY   Priority of FCoE frames. Allowed values: 0 - 7
app-fcoe-mode DCB_APP_FCOE_MODE fabric FCoE controller mode. Allowed values: fabric, vn2vn
app-iscsi-flags DCB_APP_ISCSI_ENABLE, DCB_APP_ISCSI_ADVERTISE, DCB_APP_ISCSI_WILLING no iSCSI flags.
app-iscsi-priority DCB_APP_ISCSI_PRIORITY   Priority of iSCSI frames. Allowed values: 0 - 7
app-fip-flags DCB_APP_FIP_ENABLE, DCB_APP_FIP_ADVERTISE, DCB_APP_FIP_WILLING no FIP flags.
app-fip-priority DCB_APP_FIP_PRIORITY   Priority of FIP frames. Allowed values: 0 - 7
priority-flow-control-flags DCB_PFC_ENABLE, DCB_PFC_ADVERTISE, DCB_PFC_WILLING no Priority flow control flags.
priority-flow-control DCB_PFC_UP   Priority flow control values. String of 8 "0" and "1", where "0". means "do not transmit priority pause", "1" means "transmit pause". Example: DCB_PFC_UP=01101110
priority-group-flags DCB_PG_ENABLE, DCB_PG_ADVERTISE, DCB_PG_WILLING no Priority groups flags.
priority-group-id DCB_PG_ID   Priority groups values. String of eight priorities (0 - 7) or "f" (unrestricted). Example: DCB_PG_ID=1205f173
priority-group-bandwidth DCB_PG_PCT   Priority groups values. Eight bandwidths (in percent), separated with commas. Example: DCB_PG_PCT=10,5,10,15,10,10,10,30
priority-bandwidth DCB_PG_UPPCT   Priority values. Eight bandwidths (in percent), separated with commas. The sum of the numbers must be 100. Example: DCB_PG_UPPCT=7,13,10,10,15,15,10,20
priority-strict-bandwidth DCB_PG_STRICT   Priority values. String of eight "0" or "1", where "0" means "may not utilize all bandwidth", "1" means "may utilize all bandwidth". Example: DCB_PG_STRICT=01101110
priority-traffic-class DCB_PG_UP2TC   Priority values. String of eight traffic class values (0 - 7). Example: DCB_PG_UP2TC=01623701

All DCB related configuration is a NetworkManager extension. DCB=yes must be used explicitly to enable DCB so that the rest of the DCB_* variables can apply.

Table 21. ethtool setting

Property Ifcfg-rh Variable Default Description

Table 22. hostname setting

Property Ifcfg-rh Variable Default Description
priority HOSTNAME_PRIORITY(+) missing variable means global value or 100 hostname priority Example: HOSTNAME_PRIORITY=50
from-dhcp HOSTNAME_FROM_DHCP(+) missing variable means global default or 1 whether the system hostname can be determined from DHCP Example: HOSTNAME_FROM_DHCP=0,1
from-dns-lookup HOSTNAME_FROM_DNS_LOOKUP(+) missing variable means global default or 1 whether the system hostname can be determined from reverse DNS lookup Example: HOSTNAME_FROM_DNS_LOOKUP=0,1
only-best-device HOSTNAME_ONLY_FROM_DEFAULT(+) missing variable means global default or 1 whether the hostname can be determined only from devices with the default route Example: HOSTNAME_ONLY_FROM_DEFAULT=0,1

Table 23. hsr setting

Property Ifcfg-rh Variable Default Description

Table 24. infiniband setting

Property Ifcfg-rh Variable Default Description
mac-address HWADDR   IBoIP 20-byte hardware address of the device (in traditional hex-digits-and-colons notation). Note that for initscripts this is the current MAC address of the device as found during ifup. For NetworkManager this is the permanent MAC address. Or in case no permanent MAC address exists, the MAC address initially configured on the device. Example: HWADDR=01:02:03:04:05:06:07:08:09:0A:01:02:03:04:05:06:07:08:09:11
mtu MTU   MTU of the interface.
transport-mode CONNECTED_MODE CONNECTED_MODE=no CONNECTED_MODE=yes for "connected" mode, CONNECTED_MODE=no for "datagram" mode
p-key PKEY_ID or PKEY_ID_NM(*) (requires PKEY=yes) PKEY=no InfiniBand P_Key. The value can be a hex number prefixed with "0x" or a decimal number. When PKEY_ID is specified, PHYSDEV must be specified. Note that ifcfg-rh format will always automatically set the full membership flag 0x8000 for the PKEY_ID variable. To express IDs without the full membership flag, use PKEY_ID_NM. Note that kernel internally treats the interface as having the full membership flag set, this mainly affects the interface name. For the ifcfg file to be supported by initscripts' ifup-ib, the DEVICE= must always be set. NetworkManager does not require that. Example: PKEY=yes PKEY_ID=2 PHYSDEV=mlx4_ib0 DEVICE=mlx4_ib0.8002
parent PHYSDEV (PKEY=yes) PKEY=no InfiniBand parent device. Example: PHYSDEV=ib0

Table 25. ipv4 setting

Property Ifcfg-rh Variable Default Description
method BOOTPROTO none Method used for IPv4 protocol configuration. Allowed values: none, dhcp (bootp), static, ibft, autoip, shared
dns DNS1, DNS2, ...   List of DNS servers. Even if NetworkManager supports many DNS servers, initscripts and resolver only care about the first three, usually. Example: DNS1=1.2.3.4 DNS2=10.0.0.254 DNS3=8.8.8.8
dns-search DOMAIN   List of DNS search domains.
addresses IPADDR, PREFIX (NETMASK), IPADDR1, PREFIX1 (NETMASK1), ...   List of static IP addresses. Example: IPADDR=10.5.5.23 PREFIX=24 IPADDR1=1.1.1.2 PREFIX1=16
gateway GATEWAY   Gateway IP address. Example: GATEWAY=10.5.5.1
routes ADDRESS1, NETMASK1, GATEWAY1, METRIC1, OPTIONS1, ...   List of static routes. They are not stored in ifcfg-* file, but in route-* file instead.
ignore-auto-routes PEERROUTES(+) yes PEERROUTES has the opposite meaning as 'ignore-auto-routes' property.
ignore-auto-dns PEERDNS yes PEERDNS has the opposite meaning as 'ignore-auto-dns' property.
dhcp-send-hostname DHCP_SEND_HOSTNAME(+) yes Whether DHCP_HOSTNAME should be sent to the DHCP server.
dhcp-hostname DHCP_HOSTNAME   Hostname to send to the DHCP server. When both DHCP_HOSTNAME and DHCP_FQDN are specified only the latter is used.
never-default DEFROUTE (GATEWAYDEV in /etc/sysconfig/network) yes DEFROUTE=no tells NetworkManager that this connection should not be assigned the default route. DEFROUTE has the opposite meaning as 'never-default' property.
may-fail IPV4_FAILURE_FATAL(+) no IPV4_FAILURE_FATAL has the opposite meaning as 'may-fail' property.
route-metric IPV4_ROUTE_METRIC(+) -1 IPV4_ROUTE_METRIC is the default IPv4 metric for routes on this connection. If set to -1, a default metric based on the device type is used.
route-table IPV4_ROUTE_TABLE(+) 0 IPV4_ROUTE_TABLE enables policy-routing and sets the default routing table.
dns-options RES_OPTIONS(+)   List of DNS options to be added to /etc/resolv.conf Example: RES_OPTIONS=ndots:2 timeout:3
dns-priority IPV4_DNS_PRIORITY(+) 0 The priority for DNS servers of this connection. Lower values have higher priority. If zero, the default value will be used (50 for VPNs, 100 for other connections). A negative value prevents DNS from other connections with greater values to be used. Example: IPV4_DNS_PRIORITY=20
auto-route-ext-gw IPV4_AUTO_ROUTE_EXT_GW(+) yes VPN connections will default to add the route automatically unless this setting is set to FALSE. For other connection types, adding such an automatic route is currently not supported and setting this to TRUE has no effect.
replace-local-rule IPV4_REPLACE_LOCAL_RULE(+) no Connections will default to keep the autogenerated priority 0 local rule unless this setting is set to TRUE.
dhcp-client-id DHCP_CLIENT_ID(+)   A string sent to the DHCP server to identify the local machine. A binary value can be specified using hex notation ('aa:bb:cc'). Example: DHCP_CLIENT_ID=ax-srv-1; DHCP_CLIENT_ID=01:44:44:44:44:44:44
dad-timeout ACD_TIMEOUT(+), ARPING_WAIT missing variable means global default (config override or zero) Timeout (in milliseconds for ACD_TIMEOUT or in seconds for ARPING_WAIT) for address conflict detection before configuring IPv4 addresses. 0 turns off the ACD completely, -1 means default value. Example: ACD_TIMEOUT=2000 or ARPING_WAIT=2
dhcp-timeout IPV4_DHCP_TIMEOUT(+)   A timeout after which the DHCP transaction fails in case of no response. Example: IPV4_DHCP_TIMEOUT=10
dhcp-hostname-flags DHCP_HOSTNAME_FLAGS   flags for the DHCP hostname and FQDN properties Example: DHCP_HOSTNAME_FLAGS=5
dhcp-fqdn DHCP_FQDN   FQDN to send to the DHCP server. When both DHCP_HOSTNAME and DHCP_FQDN are specified only the latter is used. Example: DHCP_FQDN=foo.bar.com
dhcp-vendor-class-identifier DHCP_VENDOR_CLASS_IDENTIFIER(+)   The Vendor Class Identifier DHCP option (60). Example: DHCP_VENDOR_CLASS_IDENTIFIER=foo
link-local IPV4_LINK_LOCAL(+)   Configure link-local IP address in interaction with method Example: IPV4_LINK_LOCAL=auto

Table 26. ipv6 setting

Property Ifcfg-rh Variable Default Description
method IPV6INIT, IPV6FORWARDING, IPV6_AUTOCONF, DHCPV6C, IPV6_DISABLED IPV6INIT=yes; IPV6FORWARDING=no; IPV6_AUTOCONF=!IPV6FORWARDING, DHCPV6=no Method used for IPv6 protocol configuration. ignore ~ IPV6INIT=no; auto ~ IPV6_AUTOCONF=yes; dhcp ~ IPV6_AUTOCONF=no and DHCPV6C=yes; disabled ~ IPV6_DISABLED=yes
dns DNS1, DNS2, ...   List of DNS servers. NetworkManager uses the variables both for IPv4 and IPv6.
dns-search IPV6_DOMAIN(+)   List of DNS search domains.
addresses IPV6ADDR, IPV6ADDR_SECONDARIES   List of static IP addresses. Example: IPV6ADDR=ab12:9876::1 IPV6ADDR_SECONDARIES="ab12:9876::2 ab12:9876::3"
gateway IPV6_DEFAULTGW   Gateway IP address. Example: IPV6_DEFAULTGW=abbe::1
routes (none)   List of static routes. They are not stored in ifcfg-* file, but in route6-* file instead in the form of command line for 'ip route add'.
ignore-auto-routes IPV6_PEERROUTES(+) yes IPV6_PEERROUTES has the opposite meaning as 'ignore-auto-routes' property.
ignore-auto-dns IPV6_PEERDNS(+) yes IPV6_PEERDNS has the opposite meaning as 'ignore-auto-dns' property.
dhcp-hostname DHCPV6_HOSTNAME   Hostname to send the DHCP server.
dhcp-timeout IPV6_DHCP_TIMEOUT(+)   A timeout after which the DHCP transaction fails in case of no response. Example: IPV6_DHCP_TIMEOUT=10
dhcp-hostname-flags DHCPV6_HOSTNAME_FLAGS   flags for the DHCP hostname property Example: DHCPV6_HOSTNAME_FLAGS=5
never-default IPV6_DEFROUTE(+), (and IPV6_DEFAULTGW, IPV6_DEFAULTDEV in /etc/sysconfig/network) IPV6_DEFROUTE=yes (when no variable specified) IPV6_DEFROUTE=no tells NetworkManager that this connection should not be assigned the default IPv6 route. IPV6_DEFROUTE has the opposite meaning as 'never-default' property.
may-fail IPV6_FAILURE_FATAL(+) no IPV6_FAILURE_FATAL has the opposite meaning as 'may-fail' property.
route-metric IPV6_ROUTE_METRIC(+) -1 IPV6_ROUTE_METRIC is the default IPv6 metric for routes on this connection. If set to -1, a default metric based on the device type is used.
route-table IPV6_ROUTE_TABLE(+) 0 IPV6_ROUTE_TABLE enables policy-routing and sets the default routing table.
dns-priority IPV6_DNS_PRIORITY(+) 0 The priority for DNS servers of this connection. Lower values have higher priority. If zero, the default value will be used (50 for VPNs, 100 for other connections). A negative value prevents DNS from other connections with greater values to be used. Example: IPV6_DNS_PRIORITY=20
dns-options IPV6_RES_OPTIONS(+)   List of DNS options to be added to /etc/resolv.conf Example: IPV6_RES_OPTIONS=ndots:2 timeout:3
auto-route-ext-gw IPV6_AUTO_ROUTE_EXT_GW(+) yes VPN connections will default to add the route automatically unless this setting is set to FALSE. For other connection types, adding such an automatic route is currently not supported and setting this to TRUE has no effect.
replace-local-rule IPV6_REPLACE_LOCAL_RULE(+) no Connections will default to keep the autogenerated priority 0 local rule unless this setting is set to TRUE.
ip6-privacy IPV6_PRIVACY, IPV6_PRIVACY_PREFER_PUBLIC_IP(+) no Configure IPv6 Privacy Extensions for SLAAC (RFC4941). Example: IPV6_PRIVACY=rfc3041 IPV6_PRIVACY_PREFER_PUBLIC_IP=yes Allowed values: IPV6_PRIVACY: no, yes (rfc3041 or rfc4941); IPV6_PRIVACY_PREFER_PUBLIC_IP: yes, no
addr-gen-mode IPV6_ADDR_GEN_MODE "default-or-eui64" Configure IPv6 Stable Privacy addressing for SLAAC (RFC7217). Example: IPV6_ADDR_GEN_MODE=stable-privacy Allowed values: IPV6_ADDR_GEN_MODE: default, default-or-eui64, eui64, stable-privacy
token IPV6_TOKEN   The IPv6 tokenized interface identifier token Example: IPV6_TOKEN=::53
ra-timeout IPV6_RA_TIMEOUT(+)   A timeout for waiting Router Advertisements in seconds. Example: IPV6_RA_TIMEOUT=10
dhcp-duid DHCPV6_DUID(+)   A string sent to the DHCPv6 server to identify the local machine. Apart from the special values "lease", "stable-llt", "stable-ll", "stable-uuid", "llt" and "ll" a binary value in hex format is expected. An hex string where each octet is separated by a colon is also accepted. Example: DHCPV6_DUID=LL; DHCPV6_DUID=0301deadbeef0001; DHCPV6_DUID=03:01:de:ad:be:ef:00:01
dhcp-pd-hint DHCPV6_PD_HINT(+)   Hint for DHCPv6 prefix delegation Example: DHCPV6_PD_HINT=2001:db8:1111:2220::/60 DHCPV6_PD_HINT=::/60

Table 27. match setting

Property Ifcfg-rh Variable Default Description
path MATCH_PATH   space-separated list of paths to match against the udev property ID_PATHS of devices Example: MATCH_PATH="pci-0000:01:00.0 pci-0000:0c:00.0"

Table 28. ovs-external-ids setting

Property Ifcfg-rh Variable Default Description

Table 29. ovs-other-config setting

Property Ifcfg-rh Variable Default Description

Table 30. proxy setting

Property Ifcfg-rh Variable Default Description
method PROXY_METHOD(+) none Method for proxy configuration. For "auto", WPAD is used for proxy configuration, or set the PAC file via PAC_URL or PAC_SCRIPT. Allowed values: none, auto
browser-only BROWSER_ONLY(+) no Whether the proxy configuration is for browser only.
pac-url PAC_URL(+)   URL for PAC file. Example: PAC_URL=http://wpad.mycompany.com/wpad.dat
pac-script PAC_SCRIPT(+)   The PAC script. This is an UTF-8 encoded javascript code that defines a FindProxyForURL() function. Example: PAC_SCRIPT="function FindProxyForURL (url, host) { return 'PROXY proxy.example.com:8080; DIRECT'; }"

Table 31. sriov setting

Property Ifcfg-rh Variable Default Description
total-vfs SRIOV_TOTAL_VFS(+)   The total number of virtual functions to create Example: SRIOV_TOTAL_VFS=16
vfs SRIOV_VF1(+), SRIOV_VF2(+), ...   SR-IOV virtual function descriptors Example: SRIOV_VF10="mac=00:11:22:33:44:55", ...
autoprobe-drivers SRIOV_AUTOPROBE_DRIVERS(+) missing variable means global default Whether to autoprobe virtual functions by a compatible driver Example: SRIOV_AUTOPROBE_DRIVERS=0,1

Table 32. tc setting

Property Ifcfg-rh Variable Default Description
qdiscs QDISC1(+), QDISC2(+), ..., TC_COMMIT(+)   Queueing disciplines to set on the interface. When no QDISC1, QDISC2, ..., FILTER1, FILTER2, ... keys are present, NetworkManager doesn't touch qdiscs and filters present on the interface, unless TC_COMMIT is set to 'yes'. Example: QDISC1=ingress, QDISC2="root handle 1234: fq_codel"
tfilters FILTER1(+), FILTER2(+), ..., TC_COMMIT(+)   Traffic filters to set on the interface. When no QDISC1, QDISC2, ..., FILTER1, FILTER2, ... keys are present, NetworkManager doesn't touch qdiscs and filters present on the interface, unless TC_COMMIT is set to 'yes'. Example: FILTER1="parent ffff: matchall action simple sdata Input", ...

Table 33. team setting

Property Ifcfg-rh Variable Default Description
config TEAM_CONFIG   Team configuration in JSON. See man teamd.conf for details.

Table 34. team-port setting

Property Ifcfg-rh Variable Default Description
config TEAM_PORT_CONFIG   Team port configuration in JSON. See man teamd.conf for details.

Table 35. user setting

Property Ifcfg-rh Variable Default Description
data NM_USER_*   each key/value pair is stored as a separate variable with name composed by concatenating NM_USER_ with the encoded key. The key is encoded by substituting lowercase letters with uppercase and prepending uppercase letters with an underscore. A dot is encoded as a double underscore. Remaining characters are encoded as underscore followed by a 3 digit octal representation of the character. Example: NM_USER_FOO__BAR=something

Table 36. vlan setting

Property Ifcfg-rh Variable Default Description
parent DEVICE or PHYSDEV   Parent interface of the VLAN.
id VLAN_ID, DEVICE.   VLAN identifier. If VLAN_ID is not set, it is attempted to be detected from the suffix of DEVICE=. Note that older versions of NetworkManager had a bug where they would prefer the detected ID from the DEVICE over VLAN_ID.
flags GVRP, MVRP, VLAN_FLAGS   VLAN flags. Allowed values: "yes or "no" for GVRP and MVRP; "LOOSE_BINDING" and "NO_REORDER_HDR" for VLAN_FLAGS
protocol VLAN_PROTOCOL   VLAN protocol. Example: VLAN_PROTOCOL="802.1ad"
ingress-priority-map VLAN_INGRESS_PRIORITY_MAP   Ingress priority mapping. Example: VLAN_INGRESS_PRIORITY_MAP=4:2,3:5
egress-priority-map VLAN_EGRESS_PRIORITY_MAP   Egress priority mapping. Example: VLAN_EGRESS_PRIORITY_MAP=5:4,4:1,3:7
interface-name PHYSDEV and VLAN_ID, or DEVICE   VLAN interface name. If all variables are set, parent device from PHYSDEV takes precedence over DEVICE, but VLAN id from DEVICE takes precedence over VLAN_ID. Example: PHYSDEV=eth0, VLAN_ID=12; or DEVICE=eth0.12

The following settings are not supported by ifcfg-rh plugin:

6lowpan, 802-11-olpc-mesh, adsl, bluetooth, cdma, dummy, generic, gsm, ip-tunnel, link, loopback, macsec, macvlan, ovs-bridge, ovs-dpdk, ovs-interface, ovs-patch, ovs-port, ppp, pppoe, serial, tun, veth, vpn, vrf, vxlan, wifi-p2p, wimax, wireguard, wpan

Secret flags

Each secret property in a NetworkManager setting has an associated flags property that describes how to handle that secret. In the ifcfg-rh plugin variables for secret flags have a _FLAGS suffix. The variables contain one or more of the following values (space separated). Missing (or empty) *_FLAGS variable means that the password is owned by NetworkManager.

  • user - a user-session secret agent is responsible for providing and storing this secret; when it is required, agents will be asked to provide it.

  • ask - the associated password is not saved but it will be requested from the user each time it is required.

  • unused - in some situations it cannot be automatically determined that a secret is required or not. This flag hints that the secret is not required and should not be requested from the user.

Files

/etc/sysconfig/network-scripts/ifcfg-*

/etc/sysconfig/network-scripts/keys-*

/etc/sysconfig/network-scripts/route-*

/etc/sysconfig/network-scripts/route6-*

/usr/share/doc/initscripts/sysconfig.txt

See Also

nm-settings-nmcli(5), nm-settings-keyfile(5), NetworkManager(8), NetworkManager.conf(5), nmcli(1), nmcli-examples(7)