nm-settings-ifcfg-rh (5) - Linux Manuals

nm-settings-ifcfg-rh: Description of ifcfg-rh settings plugin

Command to display nm-settings-ifcfg-rh manual in Linux: $ man 5 nm-settings-ifcfg-rh

NAME

nm-settings-ifcfg-rh - Description of ifcfg-rh settings plugin

DESCRIPTION

NetworkManager is based on the concept of connection profiles that contain network configuration (see nm-settings (5) for details). The profiles can be stored in various formats. NetworkManager uses plugins for reading and writing the data. The plugins can be configured in NetworkManager.conf (5).

The ifcfg-rh plugin is used on the Fedora and Red Hat Enterprise Linux distributions to read/write configuration from/to the traditional /etc/sysconfig/network-scripts/ifcfg-* files. Each NetworkManager connection maps to one ifcfg-* file, with possible usage of keys-* for passwords, route-* for static IPv4 routes and route6-* for static IPv6 routes. The plugin currently supports reading and writing Ethernet, Wi-Fi, InfiniBand, VLAN, Bond, Bridge, and Team connections. Unsupported connection types (such as WWAN, PPPoE, VPN, or ADSL) are handled by keyfile plugin ( nm-settings-keyfile (5)). The main reason for using ifcfg-rh plugin is the compatibility with legacy configurations for ifup and ifdown (initscripts).

FILE FORMAT

The ifcfg-rh config format is a simple text file containing VARIABLE="value" lines. The format is described in sysconfig.txt of initscripts package. Note that the configuration files may be sourced by initscripts , so they must be valid shell scripts. That means, for instance, that # character can be used for comments, strings with spaces must be quoted, special characters must be escaped, etc.

Users can create or modify the ifcfg-rh connection files manually, even if that is not the recommended way of managing the profiles. However, if they choose to do that, they must inform NetworkManager about their changes (see monitor-connection-file in nm-settings (5), and nmcli con (re)load ).

Some ifcfg-rh configuration examples: .

Simple DHCP ethernet configuration: NAME=ethernet UUID=1c4ddf70-01bf-46d6-b04f-47e842bd98da TYPE=Ethernet BOOTPROTO=dhcp DEFROUTE=yes PEERDNS=yes PEERROUTES=yes IPV4_FAILURE_FATAL=no ONBOOT=yes

Simple ethernet configuration with static IP: TYPE=Ethernet BOOTPROTO=none IPADDR=10.1.0.25 PREFIX=24 GATEWAY=10.1.0.1 DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_PEERDNS=yes IPV6_PEERROUTES=yes IPV6_FAILURE_FATAL=no NAME=ethernet-em2 UUID=51bb3904-c0fc-4dfe-83b2-0a71e7928c13 DEVICE=em2 ONBOOT=yes

WPA2 Enterprise WLAN (TTLS with inner MSCHAPV2 authentication): ESSID="CompanyWLAN" MODE=Managed KEY_MGMT=WPA-EAP TYPE=Wireless IEEE_8021X_EAP_METHODS=TTLS IEEE_8021X_IDENTITY=joe IEEE_8021X_PASSWORD_FLAGS=ask IEEE_8021X_INNER_AUTH_METHODS=MSCHAPV2 IEEE_8021X_CA_CERT=/home/joe/.cert/company.crt BOOTPROTO=dhcp DEFROUTE=yes PEERDNS=yes PEERROUTES=yes IPV4_FAILURE_FATAL=no IPV6INIT=no NAME=MyCompany UUID=f79848ff-11a6-4810-9e1a-99039dea84c4 ONBOOT=yes

Bridge and bridge port configuration: ifcfg-bridge: ifcfg-bridge-port: NAME=bridge NAME=bridge007-port-eth0 UUID=4be99ce0-c5b2-4764-8b77-ec226e440125 UUID=3ad56c4a-47e1-419b-b0d4-8ad86eb967a3 DEVICE=bridge007 DEVICE=eth0 STP=yes ONBOOT=yes TYPE=Bridge TYPE=Ethernet BRIDGING_OPTS=priority=32768 BRIDGE=bridge007 ONBOOT=yes BOOTPROTO=dhcp

Bonding configuration: ifcfg-BOND: ifcfg-BOND-slave: NAME=BOND NAME=BOND-slave UUID=b41888aa-924c-450c-b0f8-85a4f0a51b4a UUID=9bb048e4-286a-4cc3-b104-007dbd20decb DEVICE=bond100 DEVICE=eth0 BONDING_OPTS="mode=balance-rr miimon=100" ONBOOT=yes TYPE=Bond TYPE=Ethernet BONDING_MASTER=yes MASTER=bond100 ONBOOT=yes SLAVE=yes BOOTPROTO=dhcp

Team and team port configuration: ifcfg-my_team0: DEVICE=team0 TEAM_CONFIG="< \"device\": \"team0\", \"runner\": , \"ports\": , \"eth2\": <>> >" DEVICETYPE=Team BOOTPROTO=dhcp NAME=team0-profile UUID=1d3460a0-7b37-457f-a300-fe8d92da4807 ONBOOT=yes ifcfg-my_team0_slave1: NAME=team0-slave1 UUID=d5aed298-c567-4cc1-b808-6d38ecef9e64 DEVICE=eth1 ONBOOT=yes TEAM_MASTER=team0 DEVICETYPE=TeamPort ifcfg-my_team0_slave2: NAME=team0-slave2 UUID=94e75f4e-e5ad-401c-8962-31e0ae5d2215 DEVICE=eth2 ONBOOT=yes TEAM_MASTER=team0 DEVICETYPE=TeamPort

The UUID values in the config files must be unique. You can use uuidgen command line tool to generate such values. Alternatively, you can leave out UUID entirely. In that case NetworkManager will generate a UUID based on the file name.

DIFFERENCES AGAINST INITSCRIPTS

The main differences of NetworkManager ifcfg-rh plugin and traditional initscripts are:

NM_CONTROLLED=yes|no NM_CONTROLLED is NetworkManager-specific variable used by NetworkManager for determining whether the device of the ifcfg file should be managed. NM_CONTROLLED=yes is supposed if the variable is not present in the file. Note that if you have more ifcfg files for a single device, NM_CONTROLLED=no in one of the files will cause the device not to be managed. The profile may not even be the active one.

New variables NetworkManager has introduced some new variable, not present in initscripts, to be able to store data for its new features. The variables are marked as extensions in the tables below.

Semantic change of variables NetworkManager had to slightly change the semantic for a few variables.

• PEERDNS - initscripts interpret PEERDNS=no to mean "never touch resolv.conf". NetworkManager interprets it to say "never add automatic (DHCP, PPP, VPN, etc.) nameservers to resolv.conf".

• ONBOOT - initscripts use ONBOOT=yes to mark the devices that are to be activated during boot. NetworkManager extents this to also mean that this profile can be used for auto-connecting at any time.

• BOOTPROTO - NetworkManager supports traditional values none (static), dhcp . But it also allows additional values to enable new addressing methods. They are autoip for IPv4 link-local addressing using Avahi daemon and shared for connection sharing. When shared is used, NetworkManager assigns the interface 10.42.0.1, or it uses the first static address, if configured.

• HWADDR - initscripts compare the currently set hardware address of a device, while NetworkManager considers the permanent one.

See the next section for detailed mapping of NetworkManager properties and ifcfg-rh variables. Variable names, format and usage differences in NetworkManager and initscripts are documented in the tables below.

DETAILS

ifcfg-rh plugin variables marked with (+) are NetworkManager specific extensions not understood by traditional initscripts.

Table 1. 802-1x setting

Allowed values: "LEAP", "PWD", "TLS", "PEAP", "TTLS", "FAST"
identity IEEE_8021X_IDENTITY (+) Identity for EAP authentication methods.

Example: IEEE_8021X_IDENTITY=itsme
anonymous-identity IEEE_8021X_ANON_IDENTITY (+) Anonymous identity for EAP authentication methods.
pac-file IEEE_8021X_PAC_FILE (+) File with PAC (Protected Access Credential) for EAP-FAST.

Example: IEEE_8021X_PAC_FILE=/home/joe/my-fast.pac
ca-cert IEEE_8021X_CA_CERT (+) CA certificate for EAP.

Example: IEEE_8021X_CA_CERT=/home/joe/cacert.crt
ca-path (none) The property is not handled by ifcfg-rh plugin.
subject-match IEEE_8021X_SUBJECT_MATCH (+) Substring to match subject of server certificate against.

Example: IEEE_8021X_SUBJECT_MATCH="Red Hat"
altsubject-matches IEEE_8021X_ALTSUBJECT_MATCHES (+) List of strings to be matched against the altSubjectName.

Example: IEEE_8021X_ALTSUBJECT_MATCHES="s1.domain.cc"
domain-suffix-match IEEE_8021X_DOMAIN_SUFFIX_MATCH (+) Suffix to match domain of server certificate against.
client-cert IEEE_8021X_CLIENT_CERT (+) Client certificate for EAP.

Example: IEEE_8021X_CLIENT_CERT=/home/joe/mycert.crt
phase1-peapver IEEE_8021X_PEAP_VERSION (+) Use to force a specific PEAP version.

Allowed values: 0, 1
phase1-peaplabel IEEE_8021X_PEAP_FORCE_NEW_LABEL (+) no Use to force the new PEAP label during key derivation.

Allowed values: yes, no
phase1-fast-provisioning IEEE_8021X_FAST_PROVISIONING (+) Enable in-line provisioning of EAP-FAST credentials.

Example: IEEE_8021X_FAST_PROVISIONING="allow-auth allow-unauth"

Allowed values: space-separated list of these values [allow-auth, allow-unauth]
phase1-auth-flags IEEE_8021X_PHASE1_AUTH_FLAGS (+) Authentication flags for the supplicant

Example: IEEE_8021X_PHASE1_AUTH_FLAGS="tls-1-0-disable tls-1-1-disable"

Allowed values: space-separated list of authentication flags names
phase2-auth IEEE_8021X_INNER_AUTH_METHODS (+) Inner non-EAP authentication methods. IEEE_8021X_INNER_AUTH_METHODS can contain values both for 'phase2-auth' and 'phase2-autheap' properties.

Allowed values: "PAP", "CHAP", "MSCHAP", "MSCHAPV2", "GTC", "OTP", "MD5" and "TLS"
phase2-autheap IEEE_8021X_INNER_AUTH_METHODS (+) Inner EAP-based authentication methods. Note that IEEE_8021X_INNER_AUTH_METHODS is also used for 'phase2-auth' values.

Example: IEEE_8021X_INNER_AUTH_METHODS="MSCHAPV2 EAP-TLS"

Allowed values: "EAP-MD5", "EAP-MSCHAPV2", "EAP-GTC", "EAP-OTP" and "EAP-TLS"
phase2-subject-match IEEE_8021X_PHASE2_SUBJECT_MATCH (+) Substring to match subject of server certificate against.

Example: IEEE_8021X_PHASE2_SUBJECT_MATCH="Red Hat"
phase2-altsubject-matches IEEE_8021X_PHASE2_ALTSUBJECT_MATCHES (+)
phase2-domain-suffix-match IEEE_8021X_PHASE2_DOMAIN_SUFFIX_MATCH (+) Suffix to match domain of server certificate for phase 2 against.
phase2-client-cert IEEE_8021X_INNER_CLIENT_CERT (+) Client certificate for inner EAP method.

Example: IEEE_8021X_INNER_CLIENT_CERT=/home/joe/mycert.crt
password IEEE_8021X_PASSWORD (+) UTF-8 encoded password used for EAP. It can also go to "key-" lookaside file, or it can be owned by a secret agent.
password-flags IEEE_8021X_PASSWORD_FLAGS (+) Password flags for IEEE_8021X_PASSWORD password. (see the section called "Secret flags" for _FLAGS values)
password-raw (none) The property is not handled by ifcfg-rh plugin.
password-raw-flags (none) The property is not handled by ifcfg-rh plugin.
private-key IEEE_8021X_PRIVATE_KEY (+) Private key for EAP-TLS.

Example: IEEE_8021X_PRIVATE_KEY=/home/joe/mykey.p12
private-key-password IEEE_8021X_PRIVATE_KEY_PASSWORD (+) Password for IEEE_8021X_PRIVATE_KEY. It can also go to "key-" lookaside file, or it can be owned by a secret agent.
private-key-password-flags IEEE_8021X_PRIVATE_KEY_PASSWORD_FLAGS (+) Password flags for IEEE_8021X_PRIVATE_KEY_PASSWORD password. (see the section called "Secret flags" for _FLAGS values)
phase2-private-key IEEE_8021X_INNER_PRIVATE_KEY (+) Private key for inner authentication method for EAP-TLS.
phase2-private-key-password IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD (+) Password for IEEE_8021X_INNER_PRIVATE_KEY. It can also go to "key-" lookaside file, or it can be owned by a secret agent.
phase2-private-key-password-flags IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD_FLAGS (+) Password flags for IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD password. (see the section called "Secret flags" for _FLAGS values)
pin (none) The property is not handled by ifcfg-rh plugin.
pin-flags (none) The property is not handled by ifcfg-rh plugin.
system-ca-certs (none) The property is not handled by ifcfg-rh plugin.
auth-timeout IEEE_8021X_AUTH_TIMEOUT (+) 0 Timeout in seconds for the 802.1X authentication. Zero means the global default or 25.

Table 2. bond setting

Example: BONDING_OPTS="miimon=100 mode=broadcast"

Table 3. bridge-port setting

Allowed values: 0 - 63
path-cost BRIDGING_OPTS: path_cost= 100 STP cost.

Allowed values: 1 - 65535
hairpin-mode BRIDGING_OPTS: hairpin_mode= yes Hairpin mode of the bridge port.

Table 4. bridge setting

Allowed values: 0 - 32768
forward-delay DELAY 15 STP forwarding delay.

Allowed values: 2 - 30
hello-time BRIDGING_OPTS: hello_time= 2 STP hello time.

Allowed values: 1 - 10
max-age BRIDGING_OPTS: max_age= 20 STP maximum message age.

Allowed values: 6 - 40
ageing-time BRIDGING_OPTS: ageing_time= 300 Ethernet MAC ageing time.

Allowed values: 0 - 1000000
multicast-snooping BRIDGING_OPTS: multicast_snooping= 1 IGMP snooping support.

Allowed values: 0 or 1

Table 5. connection setting

Example: TYPE=Ethernet; TYPE=Bond; TYPE=Bridge; DEVICETYPE=TeamPort

Allowed values: Ethernet, Wireless, InfiniBand, Bridge, Bond, Vlan, Team, TeamPort
permissions USERS (+) USERS restrict the access for this conenction to certain users only.

Example: USERS="joe bob"
autoconnect ONBOOT yes Whether the connection should be autoconnected (not only while booting).
autoconnect-priority AUTOCONNECT_PRIORITY (+) 0 Connection priority for automatic activation. Connections with higher numbers are preferred when selecting profiles for automatic activation.

Allowed values: -999 to 999
autoconnect-retries AUTOCONNECT_RETRIES (+) The number of times a connection should be autoactivated before giving up and switching to the next one.

Allowed values: -1 (use global default), 0 (forever) or a positive value
zone ZONE (+) Trust level of this connection. The string is usually used for a firewall.

Example: ZONE=Work
master MASTER, MASTER_UUID, TEAM_MASTER, TEAM_MASTER_UUID, BRIDGE, BRIDGE_UUID Reference to master connection. The variable used depends on the connection type and the value. In general, if the *_UUID variant is present, the variant without *_UUID is ignored. NetworkManager attempts to write both for compatibility with legacy tooling.
slave-type MASTER, MASTER_UUID, TEAM_MASTER, TEAM_MASTER_UUID, DEVICETYPE, BRIDGE, BRIDGE_UUID Slave type doesn't map directly to a variable, but it is recognized using different variables. MASTER and MASTER_UUID for bonding, TEAM_MASTER, TEAM_MASTER_UUID and DEVICETYPE for teaming, BRIDGE and BRIDGE_UUID for bridging.
autoconnect-slaves AUTOCONNECT-SLAVES (+) missing variable means global default Whether slaves of this connection should be auto-connected when this connection is activated.
secondaries SECONDARY_UUIDS (+) UUID of VPN connections that should be activated together with this connection.
gateway-ping-timeout GATEWAY_PING_TIMEOUT (+) 0 If greater than zero, the IP connectivity will be checked by pinging the gateway and waiting for the specified timeout (in seconds).

Example: GATEWAY_PING_TIMEOUT=5
metered CONNECTION_METERED (+) Whether the device is metered

Allowed values: yes,no,unknown
lldp LLDP (+) missing variable means global default whether LLDP is enabled for the connection

Allowed values: boolean value or 'rx'

Table 6. dcb setting

Example: DCB_APP_FCOE_ENABLE=yes DCB_APP_FCOE_ADVERTISE=yes
app-fcoe-priority DCB_APP_FCOE_PRIORITY Priority of FCoE frames.

Allowed values: 0 - 7
app-fcoe-mode DCB_APP_FCOE_MODE fabric FCoE controller mode.

Allowed values: fabric, vn2vn
app-iscsi-flags DCB_APP_ISCSI_ENABLE, DCB_APP_ISCSI_ADVERTISE, DCB_APP_ISCSI_WILLING no iSCSI flags.
app-iscsi-priority DCB_APP_ISCSI_PRIORITY Priority of iSCSI frames.

Allowed values: 0 - 7
app-fip-flags DCB_APP_FIP_ENABLE, DCB_APP_FIP_ADVERTISE, DCB_APP_FIP_WILLING no FIP flags.
app-fip-priority DCB_APP_FIP_PRIORITY Priority of FIP frames.

Allowed values: 0 - 7
priority-flow-control-flags DCB_PFC_ENABLE, DCB_PFC_ADVERTISE, DCB_PFC_WILLING no Priority flow control flags.
priority-flow-control DCB_PFC_UP Priority flow control values. String of 8 "0" and "1", where "0". means "do not transmit priority pause", "1" means "transmit pause".

Example: DCB_PFC_UP=01101110
priority-group-flags DCB_PG_ENABLE, DCB_PG_ADVERTISE, DCB_PG_WILLING no Priority groups flags.
priority-group-id DCB_PG_ID Priority groups values. String of eight priorities (0 - 7) or "f" (unrestricted).

Example: DCB_PG_ID=1205f173
priority-group-bandwidth DCB_PG_PCT Priority groups values. Eight bandwidths (in percent), separated with commas.

Example: DCB_PG_PCT=10,5,10,15,10,10,10,30
priority-bandwidth DCB_PG_UPPCT Priority values. Eight bandwidths (in percent), separated with commas. The sum of the numbers must be 100.

Example: DCB_PG_UPPCT=7,13,10,10,15,15,10,20
priority-strict-bandwidth DCB_PG_STRICT Priority values. String of eight "0" or "1", where "0" means "may not utilize all bandwidth", "1" means "may utilize all bandwidth".

Example: DCB_PG_STRICT=01101110
priority-traffic-class DCB_PG_UP2TC Priority values. String of eight trafic class values (0 - 7).

Example: DCB_PG_UP2TC=01623701

All DCB related configuration is a NetworkManager extension. DCB=yes must be used explicitly to enable DCB so that the rest of the DCB_* variables can apply.

Table 7. dummy setting

Table 8. infiniband setting

Example: HWADDR=01:02:03:04:05:06:07:08:09:0A:01:02:03:04:05:06:07:08:09:11
mtu MTU MTU of the interface.
transport-mode CONNECTED_MODE CONNECTED_MODE=no CONNECTED_MODE=yes for "connected" mode, CONNECTED_MODE=no for "datagram" mode
p-key PKEY_ID (and PKEY=yes) PKEY=no InfiniBand P_Key. The value can be a hex number prefixed with "0x" or a decimal number. When PKEY_ID is specified, PHYSDEV and DEVICE also must be specified.

Example: PKEY=yes PKEY_ID=2 PHYSDEV=mlx4_ib0 DEVICE=mlx4_ib0.8002
parent PHYSDEV (PKEY=yes) PKEY=no InfiniBand parent device.

Example: PHYSDEV=ib0

Table 9. ipv4 setting

Allowed values: none, dhcp (bootp), static, ibft, autoip, shared
dns DNS1, DNS2, . List of DNS servers. Even if NetworkManager supports many DNS servers, initscripts and resolver only care about the first three, usually.

Example: DNS1=1.2.3.4 DNS2=10.0.0.254 DNS3=8.8.8.8
dns-search DOMAIN List of DNS search domains.
addresses IPADDR, PREFIX, IPADDR1, PREFIX1, . List of static IP addresses.

Example: IPADDR=10.5.5.23 PREFIX=24 IPADDR1=1.1.1.2 PREFIX1=16
gateway GATEWAY Gateway IP address.

Example: GATEWAY=10.5.5.1
routes ADDRESS1, NETMASK1, GATEWAY1, METRIC1, OPTIONS1, . List of static routes. They are not stored in ifcfg-* file, but in route-* file instead.
ignore-auto-routes PEERROUTES (+) yes PEERROUTES has the opposite meaning as 'ignore-auto-routes' property.
ignore-auto-dns PEERDNS yes PEERDNS has the opposite meaning as 'ignore-auto-dns' property.
dhcp-send-hostname DHCP_SEND_HOSTNAME (+) yes Whether DHCP_HOSTNAME should be sent to the DHCP server.
dhcp-hostname DHCP_HOSTNAME Hostname to send to the DHCP server. When both DHCP_HOSTNAME and DHCP_FQDN are specified only the latter is used.
never-default DEFROUTE (GATEWAYDEV in /etc/sysconfig/network) yes DEFROUTE=no tells NetworkManager that this connection should not be assigned the default route. DEFROUTE has the opposite meaning as 'never-default' property.
may-fail IPV4_FAILURE_FATAL (+) no IPV4_FAILURE_FATAL has the opposite meaning as 'may-fail' property.
route-metric IPV4_ROUTE_METRIC (+) -1 IPV4_ROUTE_METRIC is the default IPv4 metric for routes on this connection. If set to -1, a default metric based on the device type is used.
dns-priority IPV4_DNS_PRIORITY (+) 0 The priority for DNS servers of this connection. Lower values have higher priority. If zero, the default value will be used (50 for VPNs, 100 for other connections). A negative value prevents DNS from other connections with greater values to be used.

Example: IPV4_DNS_PRIORITY=20
dhcp-client-id DHCP_CLIENT_ID (+) A string sent to the DHCP server to identify the local machine.

Example: DHCP_CLIENT_ID=ax-srv-1
dad-timeout ARPING_WAIT missing variable means global default (config override or 3) Timeout (in seconds) for performing DAD before configuring IPv4 addresses. 0 turns off the DAD completely, -1 means default value.

Example: ARPING_WAIT=2
dhcp-timeout IPV4_DHCP_TIMEOUT (+) A timeout after which the DHCP transaction fails in case of no response.

Example: IPV4_DHCP_TIMEOUT=10
dhcp-fqdn DHCP_FQDN FQDN to send to the DHCP server. When both DHCP_HOSTNAME and DHCP_FQDN are specified only the latter is used.

Example: DHCP_FQDN=foo.bar.com

Table 10. ipv6 setting

Example: IPV6ADDR=ab12:9876::1 IPV6ADDR_SECONDARIES="ab12:9876::2 ab12:9876::3"
gateway IPV6_DEFAULTGW Gateway IP address.

Example: IPV6_DEFAULTGW=abbe::1
routes (none) List of static routes. They are not stored in ifcfg-* file, but in route6-* file instead in the form of command line for 'ip route add'.
ignore-auto-routes IPV6_PEERROUTES (+) yes IPV6_PEERROUTES has the opposite meaning as 'ignore-auto-routes' property.
ignore-auto-dns IPV6_PEERDNS (+) yes IPV6_PEERDNS has the opposite meaning as 'ignore-auto-dns' property.
dhcp-hostname DHCP_HOSTNAME Hostname to send the DHCP server.
never-default IPV6_DEFROUTE (+) , (and IPV6_DEFAULTGW, IPV6_DEFAULTDEV in /etc/sysconfig/network) IPV6_DEFROUTE=yes (when no variable specified) IPV6_DEFROUTE=no tells NetworkManager that this connection should not be assigned the default IPv6 route. IPV6_DEFROUTE has the opposite meaning as 'never-default' property.
may-fail IPV6_FAILURE_FATAL (+) no IPV6_FAILURE_FATAL has the opposite meaning as 'may-fail' property.
route-metric IPV6_ROUTE_METRIC (+) -1 IPV6_ROUTE_METRIC is the default IPv6 metric for routes on this connection. If set to -1, a default metric based on the device type is used.
dns-priority IPV6_DNS_PRIORITY (+) 0 The priority for DNS servers of this connection. Lower values have higher priority. If zero, the default value will be used (50 for VPNs, 100 for other connections). A negative value prevents DNS from other connections with greater values to be used.

Example: IPV6_DNS_PRIORITY=20
ip6-privacy IPV6_PRIVACY, IPV6_PRIVACY_PREFER_PUBLIC_IP (+) no Configure IPv6 Privacy Extensions for SLAAC (RFC4941).

Example: IPV6_PRIVACY=rfc3041 IPV6_PRIVACY_PREFER_PUBLIC_IP=yes

Allowed values: IPV6_PRIVACY: no, yes (rfc3041 or rfc4941); IPV6_PRIVACY_PREFER_PUBLIC_IP: yes, no
addr-gen-mode IPV6_ADDR_GEN_MODE eui64 Configure IPv6 Stable Privacy addressing for SLAAC (RFC7217).

Allowed values: IPV6_ADDR_GEN_MODE: eui64, stable-privacy
token IPV6_TOKEN The IPv6 tokenized interface identifier token

Example: IPV6_TOKEN=::53

Table 11. macsec setting

Table 12. proxy setting

Allowed values: none, auto
browser-only BROWSER_ONLY (+) no Whether the proxy configuration is for browser only.
pac-url PAC_URL (+) URL for PAC file.

Example: PAC_URL=http://wpad.mycompany.com/wpad.dat
pac-script PAC_SCRIPT (+) Path of the PAC script.

Example: PAC_SCRIPT=/home/joe/proxy.pac

Table 13. team-port setting

Table 14. team setting

Table 15. user setting

Table 16. 802-3-ethernet setting

Example: HWADDR_BLACKLIST="00:22:68:11:69:08 00:11:22:11:44:55"
mtu MTU MTU of the interface.
s390-subchannels SUBCHANNELS Subchannels for IBM S390 hosts.

Example: SUBCHANNELS=0.0.b00a,0.0.b00b,0.0.b00c
s390-nettype NETTYPE Network type of the S390 host.

Allowed values: "qeth", "lcs" or "ctc"
s390-options OPTIONS and PORTNAME, CTCPROTO, S390 device options. All options go to OPTIONS, except for "portname" and "ctcprot" that have their own variables.

Table 17. 802-11-wireless-security setting

Allowed values: IEEE8021X, WPA-PSK, WPA-EAP
wep-tx-keyidx DEFAULTKEY 1 Index of active WEP key.

Allowed values: 1, 2, 3, 4
auth-alg SECURITYMODE (+) Authentication algorithm for WEP.

Allowed values: restricted, open, leap
proto WPA_ALLOW_WPA (+) , WPA_ALLOW_WPA2 (+) no Allowed WPA protocols, WPA and WPA2 (RSN).

Allowed values: yes, no
pairwise CIPHER_PAIRWISE (+) Restrict pairwise encryption algorithms, specified as a space separated list.

Allowed values: CCMP, TKIP
group CIPHER_GROUP (+) Restrict group/broadcast encryption algorithms, specified as a space separated list.

Allowed values: CCMP, TKIP, WEP40, WEP104
leap-username IEEE_8021X_IDENTITY (+) Login name for LEAP.
wep-key0 KEY1, KEY_PASSPHRASE1 (+) The first WEP key (used in most networks). See also DEFAULTKEY for key index.
wep-key1 KEY2, KEY_PASSPHRASE2 (+) WEP key with index 1. See also DEFAULTKEY for key index.
wep-key2 KEY3, KEY_PASSPHRASE3 (+) WEP key with index 2. See also DEFAULTKEY for key index.
wep-key3 KEY4, KEY_PASSPHRASE4 (+) WEP key with index 3. See also DEFAULTKEY for key index.
wep-key-flags WEP_KEY_FLAGS (+) Password flags for KEY, KEY_PASSPHRASE password. (see the section called "Secret flags" for _FLAGS values)
psk WPA_PSK Pre-Shared-Key for WPA networks.
psk-flags WPA_PSK_FLAGS (+) Password flags for WPA_PSK_FLAGS. (see the section called "Secret flags" for _FLAGS values)

Example: WPA_PSK_FLAGS=user
leap-password IEEE_8021X_PASSWORD (+) Password for LEAP. It can also go to "key-" lookaside file, or it can be owned by a secret agent.
leap-password-flags IEEE_8021X_PASSWORD_FLAGS (+) Password flags for IEEE_8021X_PASSWORD_FLAGS. (see the section called "Secret flags" for _FLAGS values)
wep-key-type KEY or KEY_PASSPHRASE (+) KEY is used for "key" type (10 or 26 hexadecimal characters, or 5 or 13 character string prefixed with "s:"). KEY_PASSPHRASE is used for WEP passphrases.

Example: KEY1=s:ahoj, KEY1=0a1c45bc02, KEY_PASSPHRASE1=mysupersecretkey

Table 18. 802-11-wireless setting

Example: ESSID="Quick Net"
mode MODE Wi-Fi network mode.

Allowed values: Ad-Hoc, Managed (Auto) [case insensitive]
band BAND (+) BAND alone is honored, but CHANNEL overrides BAND since it implies a band.

Allowed values: a, bg
channel CHANNEL Channel used for the Wi-Fi communication. Channels greater than 14 mean "a" band, otherwise the band is "bg".

Example: CHANNEL=6
bssid BSSID (+) Restricts association only to a single AP.

Example: BSSID=00:1E:BD:64:83:21
rate (none) This property is not handled by ifcfg-rh plugin.
tx-power (none) This property is not handled by ifcfg-rh plugin.
mac-address HWADDR Hardware address of the device in traditional hex-digits-and-colons notation (e.g. 00:22:68:14:5A:05). Note that for initscripts this is the current MAC address of the device as found during ifup. For NetworkManager this is the permanent MAC address. Or in case no permanent MAC address exists, the MAC address initially configured on the device.
cloned-mac-address MACADDR Cloned (spoofed) MAC address in traditional hex-digits-and-colons notation (e.g. 00:22:68:14:5A:99).
generate-mac-address-mask GENERATE_MAC_ADDRESS_MASK (+) the MAC address mask for generating randomized and stable cloned-mac-address.
mac-address-blacklist HWADDR_BLACKLIST (+) It denies usage of the connection for any device whose address is listed.
seen-bssids (none) This property is not handled by ifcfg-rh plugin.
mtu MTU MTU of the wireless interface.
hidden SSID_HIDDEN (+) Whether the network hides the SSID.
powersave POWERSAVE (+) Enables or disables Wi-Fi power saving.

Allowed values: default, ignore, enable, disable
mac-address-randomization MAC_ADDRESS_RANDOMIZATION (+) Enables or disables Wi-Fi MAC address randomization.

Allowed values: default, never, always
security (none) This property is deprecated and not handled by ifcfg-rh-plugin.

The following settings are not supported by ifcfg-rh plugin:

adsl, bluetooth, ppp, pppoe, serial, generic, gsm, cdma, 802-11-olpc-mesh, wimax, vpn, macvlan, vxlan, tun, ip-tunnel

Secret flags

Each secret property in a NetworkManager setting has an associated flags property that describes how to handle that secret. In the fcfg-rh plugin variables for secret flags have a _FLAGS suffix. The variables contain one or more of the following values (space separated). Missing (or empty) *_FLAGS variable means that the password is owned by NetworkManager.

• user - a user-session secret agent is responsible for providing and storing this secret; when it is required, agents will be asked to provide it.

• ask - the associated password is not saved but it will be requested from the user each time it is required.

• unused - in some situations it cannot be automatically determined that a secret is required or not. This flag hints that the secret is not required and should not be requested from the user.