1NM-SETTINGS-NMCLI(5) Configuration NM-SETTINGS-NMCLI(5)
2
3
4
6 nm-settings-nmcli - Description of settings and properties of
7 NetworkManager connection profiles for nmcli
8
10 NetworkManager is based on a concept of connection profiles, sometimes
11 referred to as connections only. These connection profiles contain a
12 network configuration. When NetworkManager activates a connection
13 profile on a network device the configuration will be applied and an
14 active network connection will be established. Users are free to create
15 as many connection profiles as they see fit. Thus they are flexible in
16 having various network configurations for different networking needs.
17
18 NetworkManager provides an API for configuring connection profiles, for
19 activating them to configure the network, and inspecting the current
20 network configuration. The command line tool nmcli is a client
21 application to NetworkManager that uses this API. See nmcli(1) for
22 details.
23
24 With commands like nmcli connection add, nmcli connection modify and
25 nmcli connection show, connection profiles can be created, modified and
26 inspected. A profile consists of properties. On D-Bus this follows the
27 format described by nm-settings-dbus(5), while this manual page
28 describes the settings in the format expected by nmcli.
29
30 The settings and properties shown in tables below list all available
31 connection configuration options. However, note that not all settings
32 are applicable to all connection types. The nmcli connection editor
33 also has a built-in describe command that displays the description of
34 particular settings and properties from this page.
35
36 Setting and property names can be abbreviated provided they are unique.
37 The list below also shows aliases that can be used unqualified instead
38 of the full name. For example connection.interface-name and ifname
39 refer to the same property.
40
41 connection setting
42 General Connection Profile Settings.
43
44 Properties:
45
46 auth-retries
47 The number of retries for the authentication. Zero means to try
48 indefinitely; -1 means to use a global default. If the global
49 default is not set, authentication is retried 3 times before
50 failing the connection.
51
52 Currently, this only applies to 802-1x authentication.
53
54 Format: int32
55
56 autoconnect
57 Alias: autoconnect
58
59 Whether or not the connection should be automatically connected by
60 NetworkManager when the resources for the connection are available.
61 TRUE to automatically activate the connection, FALSE to require
62 manual intervention to activate the connection.
63
64 Autoconnect happens when the circumstances are suitable. That means
65 for example that the device is currently managed and not active.
66 Autoconnect thus never replaces or competes with an already active
67 profile.
68
69 Note that autoconnect is not implemented for VPN profiles. See
70 "secondaries" as an alternative to automatically connect VPN
71 profiles.
72
73 If multiple profiles are ready to autoconnect on the same device,
74 the one with the better "connection.autoconnect-priority" is
75 chosen. If the priorities are equal, then the most recently
76 connected profile is activated. If the profiles were not connected
77 earlier or their "connection.timestamp" is identical, the choice is
78 undefined.
79
80 Depending on "connection.multi-connect", a profile can
81 (auto)connect only once at a time or multiple times.
82
83 Format: boolean
84
85 autoconnect-priority
86 The autoconnect priority in range -999 to 999. If the connection is
87 set to autoconnect, connections with higher priority will be
88 preferred. The higher number means higher priority. Defaults to 0.
89 Note that this property only matters if there is more than one
90 candidate profile to select for autoconnect. In case of equal
91 priority, the profile used most recently is chosen.
92
93 Format: int32
94
95 autoconnect-retries
96 The number of times a connection should be tried when
97 autoactivating before giving up. Zero means forever, -1 means the
98 global default (4 times if not overridden). Setting this to 1 means
99 to try activation only once before blocking autoconnect. Note that
100 after a timeout, NetworkManager will try to autoconnect again.
101
102 Format: int32
103
104 autoconnect-slaves
105 Whether or not slaves of this connection should be automatically
106 brought up when NetworkManager activates this connection. This only
107 has a real effect for master connections. The properties
108 "autoconnect", "autoconnect-priority" and "autoconnect-retries" are
109 unrelated to this setting. The permitted values are: 0: leave slave
110 connections untouched, 1: activate all the slave connections with
111 this connection, -1: default. If -1 (default) is set, global
112 connection.autoconnect-slaves is read to determine the real value.
113 If it is default as well, this falls back to 0.
114
115 Format: NMSettingConnectionAutoconnectSlaves (int32)
116
117 dns-over-tls
118 Whether DNSOverTls (dns-over-tls) is enabled for the connection.
119 DNSOverTls is a technology which uses TLS to encrypt DNS traffic.
120
121 The permitted values are: "yes" (2) use DNSOverTls and disable
122 fallback, "opportunistic" (1) use DNSOverTls but allow fallback to
123 unencrypted resolution, "no" (0) don't ever use DNSOverTls. If
124 unspecified, "default" depends on the plugin used. Systemd-resolved
125 uses its global setting.
126
127 This feature requires a plugin which supports DNSOverTls.
128 Otherwise, the setting has no effect. One such plugin is
129 dns-systemd-resolved.
130
131 Format: int32
132
133 gateway-ping-timeout
134 If greater than zero, delay success of IP addressing until either
135 the timeout is reached, or an IP gateway replies to a ping.
136
137 Format: uint32
138
139 id
140 Alias: con-name
141
142 A human readable unique identifier for the connection, like "Work
143 Wi-Fi" or "T-Mobile 3G".
144
145 Format: string
146
147 interface-name
148 Alias: ifname
149
150 The name of the network interface this connection is bound to. If
151 not set, then the connection can be attached to any interface of
152 the appropriate type (subject to restrictions imposed by other
153 settings).
154
155 For software devices this specifies the name of the created device.
156
157 For connection types where interface names cannot easily be made
158 persistent (e.g. mobile broadband or USB Ethernet), this property
159 should not be used. Setting this property restricts the interfaces
160 a connection can be used with, and if interface names change or are
161 reordered the connection may be applied to the wrong interface.
162
163 Format: string
164
165 lldp
166 Whether LLDP is enabled for the connection.
167
168 Format: int32
169
170 llmnr
171 Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
172 the connection. LLMNR is a protocol based on the Domain Name System
173 (DNS) packet format that allows both IPv4 and IPv6 hosts to perform
174 name resolution for hosts on the same local link.
175
176 The permitted values are: "yes" (2) register hostname and resolving
177 for the connection, "no" (0) disable LLMNR for the interface,
178 "resolve" (1) do not register hostname but allow resolving of LLMNR
179 host names. If unspecified, "default" ultimately depends on the DNS
180 plugin (which for systemd-resolved currently means "yes").
181
182 This feature requires a plugin which supports LLMNR. Otherwise, the
183 setting has no effect. One such plugin is dns-systemd-resolved.
184
185 Format: int32
186
187 master
188 Alias: master
189
190 Interface name of the master device or UUID of the master
191 connection.
192
193 Format: string
194
195 mdns
196 Whether mDNS is enabled for the connection.
197
198 The permitted values are: "yes" (2) register hostname and resolving
199 for the connection, "no" (0) disable mDNS for the interface,
200 "resolve" (1) do not register hostname but allow resolving of mDNS
201 host names and "default" (-1) to allow lookup of a global default
202 in NetworkManager.conf. If unspecified, "default" ultimately
203 depends on the DNS plugin (which for systemd-resolved currently
204 means "no").
205
206 This feature requires a plugin which supports mDNS. Otherwise, the
207 setting has no effect. One such plugin is dns-systemd-resolved.
208
209 Format: int32
210
211 metered
212 Whether the connection is metered.
213
214 When updating this property on a currently activated connection,
215 the change takes effect immediately.
216
217 Format: NMMetered (int32)
218
219 mptcp-flags
220 Whether to configure MPTCP endpoints and the address flags. If
221 MPTCP is enabled in NetworkManager, it will configure the addresses
222 of the interface as MPTCP endpoints. Note that IPv4 loopback
223 addresses (127.0.0.0/8), IPv4 link local addresses
224 (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local
225 addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7)
226 and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy)
227 will be excluded from being configured as endpoints.
228
229 If "disabled" (0x1), MPTCP handling for the interface is disabled
230 and no endpoints are registered.
231
232 The "enabled" (0x2) flag means that MPTCP handling is enabled. This
233 flag can also be implied from the presence of other flags.
234
235 Even when enabled, MPTCP handling will by default still be disabled
236 unless "/proc/sys/net/mptcp/enabled" sysctl is on. NetworkManager
237 does not change the sysctl and this is up to the administrator or
238 distribution. To configure endpoints even if the sysctl is
239 disabled, "also-without-sysctl" (0x4) flag can be used. In that
240 case, NetworkManager doesn't look at the sysctl and configures
241 endpoints regardless.
242
243 Even when enabled, NetworkManager will only configure MPTCP
244 endpoints for a certain address family, if there is a unicast
245 default route (0.0.0.0/0 or ::/0) in the main routing table. The
246 flag "also-without-default-route" (0x8) can override that.
247
248 When MPTCP handling is enabled then endpoints are configured with
249 the specified address flags "signal" (0x10), "subflow" (0x20),
250 "backup" (0x40), "fullmesh" (0x80). See ip-mptcp(8) manual for
251 additional information about the flags.
252
253 If the flags are zero (0x0), the global connection default from
254 NetworkManager.conf is honored. If still unspecified, the fallback
255 is "enabled,subflow". Note that this means that MPTCP is by default
256 done depending on the "/proc/sys/net/mptcp/enabled" sysctl.
257
258 NetworkManager does not change the MPTCP limits nor enable MPTCP
259 via "/proc/sys/net/mptcp/enabled". That is a host configuration
260 which the admin can change via sysctl and ip-mptcp.
261
262 Strict reverse path filtering (rp_filter) breaks many MPTCP use
263 cases, so when MPTCP handling for IPv4 addresses on the interface
264 is enabled, NetworkManager would loosen the strict reverse path
265 filtering (1) to the loose setting (2).
266
267 Format: uint32
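
The decision rules described for mptcp-flags, worked through as an added example (not NetworkManager code). The function name mptcp_plan, its parameters and the sample addresses are hypothetical; treating "at least one IPv4 endpoint" as the trigger for the rp_filter change is an assumption, and IPv6 privacy addresses are not modelled because they cannot be recognised from the address alone.

```python
import ipaddress

# Flag values as listed for connection.mptcp-flags above.
DISABLED = 0x1
ENABLED = 0x2
ALSO_WITHOUT_SYSCTL = 0x4
ALSO_WITHOUT_DEFAULT_ROUTE = 0x8
ADDR_FLAGS = {"signal": 0x10, "subflow": 0x20, "backup": 0x40, "fullmesh": 0x80}
FALLBACK = ENABLED | ADDR_FLAGS["subflow"]  # "enabled,subflow"
ULA = ipaddress.ip_network("fc00::/7")

# Constructed sample addresses for one interface.
ADDRS = ["192.0.2.10", "127.0.0.1", "169.254.3.4",
         "fe80::1", "fd00::5", "2001:db8::7"]


def effective_flags(profile_flags, global_default=0):
    """Zero means 'unspecified': use the global default, then the fallback."""
    return profile_flags or global_default or FALLBACK


def is_excluded(ip):
    """Loopback, link-local and IPv6 ULA addresses never become endpoints."""
    return ip.is_loopback or ip.is_link_local or (ip.version == 6 and ip in ULA)


def mptcp_plan(profile_flags, addresses, sysctl_on, default_route_families,
               global_default=0):
    """Return which addresses would be registered as MPTCP endpoints.

    sysctl_on: state of /proc/sys/net/mptcp/enabled.
    default_route_families: set of IP versions (4, 6) that have a unicast
    default route in the main routing table.
    """
    flags = effective_flags(profile_flags, global_default)
    plan = {"endpoints": [], "addr_flags": [],
            "rp_filter_loosened": False, "reason": "enabled"}
    if flags & DISABLED:
        plan["reason"] = "disabled flag set"
        return plan
    # Any other non-zero flag implies "enabled", so no explicit check for 0x2.
    if not sysctl_on and not flags & ALSO_WITHOUT_SYSCTL:
        plan["reason"] = "sysctl off"
        return plan
    ignore_route = bool(flags & ALSO_WITHOUT_DEFAULT_ROUTE)
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if is_excluded(ip):
            continue
        if ip.version in default_route_families or ignore_route:
            plan["endpoints"].append(text)
    plan["addr_flags"] = [name for name, bit in ADDR_FLAGS.items() if flags & bit]
    # Assumption: strict rp_filter (1) is loosened to (2) once an IPv4
    # address is handled as an endpoint.
    plan["rp_filter_loosened"] = any(
        ipaddress.ip_address(a).version == 4 for a in plan["endpoints"])
    return plan


if __name__ == "__main__":
    print(mptcp_plan(0, ADDRS, sysctl_on=True, default_route_families={4}))
```

A host that depends on strict reverse path filtering should review any profile for which rp_filter_loosened comes out true.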
268
269 mud-url
270 If configured, set to a Manufacturer Usage Description (MUD) URL
271 that points to manufacturer-recommended network policies for IoT
272 devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
273 must be a valid URL starting with "https://".
274
275 The special value "none" is allowed to indicate that no MUD URL is
276 used.
277
278 If the per-profile value is unspecified (the default), a global
279 connection default gets consulted. If still unspecified, the
280 ultimate default is "none".
281
282 Format: string
283
284 multi-connect
285 Specifies whether the profile can be active multiple times at a
286 particular moment. The value is of type NMConnectionMultiConnect.
287
288 Format: int32
289
290 permissions
291 An array of strings defining what access a given user has to this
292 connection. If this is NULL or empty, all users are allowed to
293 access this connection; otherwise users are allowed if and only if
294 they are in this list. When this is not empty, the connection can
295 be active only when one of the specified users is logged into an
296 active session. Each entry is of the form "[type]:[id]:[reserved]";
297 for example, "user:dcbw:blah".
298
299 At this time only the "user" [type] is allowed. Any other values
300 are ignored and reserved for future use. [id] is the username that
301 this permission refers to, which may not contain the ":" character.
302 Any [reserved] information present must be ignored and is reserved
303 for future use. All of [type], [id], and [reserved] must be valid
304 UTF-8.
305
306 Format: array of string
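
The "[type]:[id]:[reserved]" format and the access rule described for permissions, as an added example (not NetworkManager code). The function names are hypothetical, and denying everyone when a non-empty list contains no valid "user" entry is an assumption drawn from the "if and only if they are in this list" wording.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    ptype: str
    ident: str
    reserved: str


def parse_permissions(entries):
    """Split permission strings into accepted entries and ignored ones.

    Returns (accepted, ignored); ignored holds (raw_entry, reason) pairs.
    """
    accepted, ignored = [], []
    for raw in entries:
        if isinstance(raw, bytes):
            # All three fields must be valid UTF-8.
            try:
                raw = raw.decode("utf-8")
            except UnicodeDecodeError:
                ignored.append((raw, "not valid UTF-8"))
                continue
        # Splitting on the first two ':' guarantees [id] contains no ':';
        # everything after the second ':' is the reserved part.
        ptype, _, rest = raw.partition(":")
        ident, _, reserved = rest.partition(":")
        if ptype != "user":
            ignored.append((raw, "type is not 'user'"))
        elif not ident:
            ignored.append((raw, "empty user name"))
        else:
            # The reserved field is kept for display only and never evaluated.
            accepted.append(Permission(ptype, ident, reserved))
    return accepted, ignored


def user_allowed(entries, username):
    """Apply the access rule: an empty list admits every user."""
    if not entries:
        return True
    accepted, _ = parse_permissions(entries)
    # Assumption: a non-empty list with no valid entry admits nobody.
    return any(p.ident == username for p in accepted)


def review(entries):
    """Summarise a permissions value for a configuration review."""
    accepted, ignored = parse_permissions(entries)
    if not entries:
        return "open to all users"
    if not accepted:
        return "restricted, but no valid user entry: nobody matches"
    return "restricted to: " + ", ".join(sorted({p.ident for p in accepted}))


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ([], ["user:dcbw:blah"], ["group:wheel:"]):
        print(sample, "->", review(sample))
```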
307
308 read-only
309 FALSE if the connection can be modified using the provided settings
310 service's D-Bus interface with the right privileges, or TRUE if the
311 connection is read-only and cannot be modified.
312
313 Format: boolean
314
315 secondaries
316 List of connection UUIDs that should be activated when the base
317 connection itself is activated. Currently, only VPN connections are
318 supported.
319
320 Format: array of string
321
322 slave-type
323 Alias: slave-type
324
325 Setting name of the device type of this slave's master connection
326 (eg, "bond"), or NULL if this connection is not a slave.
327
328 Format: string
329
330 stable-id
331 This represents the identity of the connection used for various
332 purposes. It allows multiple profiles to be configured to share the
333 identity. Also, the stable-id can contain placeholders that are
334 substituted dynamically and deterministically depending on the
335 context.
336
337 The stable-id is used for generating IPv6 stable private addresses
338 with ipv6.addr-gen-mode=stable-privacy. It is also used to seed the
339 generated cloned MAC address for ethernet.cloned-mac-address=stable
340 and wifi.cloned-mac-address=stable. It is also used as DHCP client
341 identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
342 DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid].
343
344 Note that depending on the context where it is used, other
345 parameters are also seeded into the generation algorithm. For
346 example, a per-host key is commonly also included, so that
347 different systems end up generating different IDs. Or with
348 ipv6.addr-gen-mode=stable-privacy, also the device's name is
349 included, so that different interfaces yield different addresses.
350 The per-host key is the identity of your machine and stored in
351 /var/lib/NetworkManager/secret_key. See NetworkManager(8) manual
352 about the secret-key and the host identity.
353
354 The '$' character is treated specially to perform dynamic
355 substitutions at runtime. Currently supported are "${CONNECTION}",
356 "${DEVICE}", "${MAC}", "${BOOT}", "${RANDOM}". These effectively
357 create unique IDs per-connection, per-device, per-boot, or every
358 time. Note that "${DEVICE}" corresponds to the interface name of
359 the device and "${MAC}" is the permanent MAC address of the device.
360 Any unrecognized patterns following '$' are treated verbatim,
361 but are reserved for future use. You are thus advised to avoid
362 '$' or escape it as "$$". For example, set it to
363 "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
364 connection that changes with every reboot and differs depending on
365 the interface where the profile activates.
366
367 If the value is unset, a global connection default is consulted. If
368 the value is still unset, the default is similar to "${CONNECTION}"
369 and uses a unique, fixed ID for the connection.
370
371 Format: string
372
373 timestamp
374 The time, in seconds since the Unix Epoch, that the connection was
375 last _successfully_ fully activated.
376
377 NetworkManager updates the connection timestamp periodically when
378 the connection is active to ensure that an active connection has
379 the latest timestamp. The property is only meant for reading
380 (changes to this property will not be preserved).
381
382 Format: uint64
383
384 type
385 Alias: type
386
387 Base type of the connection. For hardware-dependent connections,
388 should contain the setting name of the hardware-type specific
389 setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth",
390 etc), and for non-hardware dependent connections like VPN or
391 otherwise, should contain the setting name of that setting type
392 (ie, "vpn" or "bridge", etc).
393
394 Format: string
395
396 uuid
397 A universally unique identifier for the connection, for example
398 generated with libuuid. It should be assigned when the connection
399 is created, and never changed as long as the connection still
400 applies to the same network. For example, it should not be changed
401 when the "id" property or NMSettingIP4Config changes, but might
402 need to be re-created when the Wi-Fi SSID, mobile broadband network
403 provider, or "type" property changes.
404
405 The UUID must be in the format
406 "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only
407 hexadecimal characters and "-").
408
409 Format: a valid RFC4122 universally unique identifier (UUID).
410
411 wait-activation-delay
412 Time in milliseconds to wait for connection to be considered
413 activated. The wait will start after the pre-up dispatcher event.
414
415 The value 0 means no wait time. The default value is -1, which
416 currently has the same meaning as no wait time.
417
418 Format: int32
419
420 wait-device-timeout
421 Timeout in milliseconds to wait for device at startup. During boot,
422 devices may take a while to be detected by the driver. This
423 property delays NetworkManager-wait-online.service and
424 nm-online to give the device a chance to appear. This works by
425 waiting for the given timeout until a compatible device for the
426 profile is available and managed.
427
428 The value 0 means no wait time. The default value is -1, which
429 currently has the same meaning as no wait time.
430
431 Format: int32
432
433 zone
434 The trust level of the connection. Free form case-insensitive
435 string (for example "Home", "Work", "Public"). NULL or unspecified
436 zone means the connection will be placed in the default zone as
437 defined by the firewall.
438
439 When updating this property on a currently activated connection,
440 the change takes effect immediately.
441
442 Format: string
443
444 6lowpan setting
445 6LoWPAN Settings.
446
447 Properties:
448
449 parent
450 Alias: dev
451
452 If given, specifies the parent interface name or parent connection
453 UUID from which this 6LowPAN interface should be created.
454
455 Format: string
456
457 802-1x setting
458 IEEE 802.1x Authentication Settings.
459
460 Properties:
461
462 altsubject-matches
463 List of strings to be matched against the altSubjectName of the
464 certificate presented by the authentication server. If the list is
465 empty, no verification of the server certificate's altSubjectName
466 is performed.
467
468 Format: array of string
469
470 anonymous-identity
471 Anonymous identity string for EAP authentication methods. Used as
472 the unencrypted identity with EAP types that support a different
473 tunneled identity, like EAP-TTLS.
474
475 Format: string
476
477 auth-timeout
478 A timeout for the authentication. Zero means the global default; if
479 the global default is not set, the authentication timeout is 25
480 seconds.
481
482 Format: int32
483
484 ca-cert
485 Contains the CA certificate if used by the EAP method specified in
486 the "eap" property.
487
488 Certificate data is specified using a "scheme"; three are currently
489 supported: blob, path and pkcs#11 URL. When using the blob scheme
490 this property should be set to the certificate's DER encoded data.
491 When using the path scheme, this property should be set to the full
492 UTF-8 encoded path of the certificate, prefixed with the string
493 "file://" and ending with a terminating NUL byte. This property can
494 be unset even if the EAP method supports CA certificates, but this
495 allows man-in-the-middle attacks and is NOT recommended.
496
497 Note that enabling NMSetting8021x:system-ca-certs will override
498 this setting to use the built-in path, if the built-in path is not
499 a directory.
500
501 Format: byte array
502
503 ca-cert-password
504 The password used to access the CA certificate stored in "ca-cert"
505 property. Only makes sense if the certificate is stored on a
506 PKCS#11 token that requires a login.
507
508 Format: string
509
510 ca-cert-password-flags
511 Flags indicating how to handle the "ca-cert-password" property.
512
513 Format: NMSettingSecretFlags (uint32)
514
515 ca-path
516 UTF-8 encoded path to a directory containing PEM or DER formatted
517 certificates to be added to the verification chain in addition to
518 the certificate specified in the "ca-cert" property.
519
520 If NMSetting8021x:system-ca-certs is enabled and the built-in CA
521 path is an existing directory, then this setting is ignored.
522
523 Format: string
524
525 client-cert
526 Contains the client certificate if used by the EAP method specified
527 in the "eap" property.
528
529 Certificate data is specified using a "scheme"; two are currently
530 supported: blob and path. When using the blob scheme (which is
531 backwards compatible with NM 0.7.x) this property should be set to
532 the certificate's DER encoded data. When using the path scheme,
533 this property should be set to the full UTF-8 encoded path of the
534 certificate, prefixed with the string "file://" and ending with a
535 terminating NUL byte.
536
537 Format: byte array
538
539 client-cert-password
540 The password used to access the client certificate stored in
541 "client-cert" property. Only makes sense if the certificate is
542 stored on a PKCS#11 token that requires a login.
543
544 Format: string
545
546 client-cert-password-flags
547 Flags indicating how to handle the "client-cert-password" property.
548
549 Format: NMSettingSecretFlags (uint32)
550
551 domain-match
552 Constraint for server domain name. If set, this list of FQDNs is
553 used as a match requirement for dNSName element(s) of the
554 certificate presented by the authentication server. If a matching
555 dNSName is found, this constraint is met. If no dNSName values are
556 present, this constraint is matched against SubjectName CN using
557 the same comparison. Multiple valid FQDNs can be passed as a ";"
558 delimited list.
559
560 Format: string
561
562 domain-suffix-match
563 Constraint for server domain name. If set, this FQDN is used as a
564 suffix match requirement for dNSName element(s) of the certificate
565 presented by the authentication server. If a matching dNSName is
566 found, this constraint is met. If no dNSName values are present,
567 this constraint is matched against SubjectName CN using the same suffix
568 match comparison. Since version 1.24, multiple valid FQDNs can be
569 passed as a ";" delimited list.
570
571 Format: string
572
573 eap
574 The allowed EAP method to be used when authenticating to the
575 network with 802.1x. Valid methods are: "leap", "md5", "tls",
576 "peap", "ttls", "pwd", and "fast". Each method requires different
577 configuration using the properties of this setting; refer to
578 wpa_supplicant documentation for the allowed combinations.
579
580 Format: array of string
581
582 identity
583 Identity string for EAP authentication methods. Often the user's
584 user or login name.
585
586 Format: string
587
588 optional
589 Whether the 802.1X authentication is optional. If TRUE, the
590 activation will continue even after a timeout or an authentication
591 failure. Setting the property to TRUE is currently allowed only for
592 Ethernet connections. If set to FALSE, the activation can continue
593 only after a successful authentication.
594
595 Format: boolean
596
597 pac-file
598 UTF-8 encoded file path containing PAC for EAP-FAST.
599
600 Format: string
601
602 password
603 UTF-8 encoded password used for EAP authentication methods. If both
604 the "password" property and the "password-raw" property are
605 specified, "password" is preferred.
606
607 Format: string
608
609 password-flags
610 Flags indicating how to handle the "password" property.
611
612 Format: NMSettingSecretFlags (uint32)
613
614 password-raw
615 Password used for EAP authentication methods, given as a byte array
616 to allow passwords in other encodings than UTF-8 to be used. If
617 both the "password" property and the "password-raw" property are
618 specified, "password" is preferred.
619
620 Format: byte array
621
622 password-raw-flags
623 Flags indicating how to handle the "password-raw" property.
624
625 Format: NMSettingSecretFlags (uint32)
626
627 phase1-auth-flags
628 Specifies authentication flags to use in "phase 1" outer
629 authentication using NMSetting8021xAuthFlags options. The
630 individual TLS versions can be explicitly disabled. TLS time checks
631 can be also disabled. If a certain TLS disable flag is not set, it
632 is up to the supplicant to allow or forbid it. The TLS options map
633 to tls_disable_tlsv1_x and tls_disable_time_checks settings. See
634 the wpa_supplicant documentation for more details.
635
636 Format: uint32
637
638 phase1-fast-provisioning
639 Enables or disables in-line provisioning of EAP-FAST credentials
640 when FAST is specified as the EAP method in the "eap" property.
641 Recognized values are "0" (disabled), "1" (allow unauthenticated
642 provisioning), "2" (allow authenticated provisioning), and "3"
643 (allow both authenticated and unauthenticated provisioning). See
644 the wpa_supplicant documentation for more details.
645
646 Format: string
647
648 phase1-peaplabel
649 Forces use of the new PEAP label during key derivation. Some RADIUS
650 servers may require forcing the new PEAP label to interoperate with
651 PEAPv1. Set to "1" to force use of the new PEAP label. See the
652 wpa_supplicant documentation for more details.
653
654 Format: string
655
656 phase1-peapver
657 Forces which PEAP version is used when PEAP is set as the EAP
658 method in the "eap" property. When unset, the version reported by
659 the server will be used. Sometimes when using older RADIUS servers,
660 it is necessary to force the client to use a particular PEAP
661 version. To do so, this property may be set to "0" or "1" to force
662 that specific PEAP version.
663
664 Format: string
665
666 phase2-altsubject-matches
667 List of strings to be matched against the altSubjectName of the
668 certificate presented by the authentication server during the inner
669 "phase 2" authentication. If the list is empty, no verification of
670 the server certificate's altSubjectName is performed.
671
672 Format: array of string
673
674 phase2-auth
675 Specifies the allowed "phase 2" inner authentication method when an
676 EAP method that uses an inner TLS tunnel is specified in the "eap"
677 property. For TTLS this property selects one of the supported
678 non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while
679 "phase2-autheap" selects an EAP inner method. For PEAP this selects
680 an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each
681 "phase 2" inner method requires specific parameters for successful
682 authentication; see the wpa_supplicant documentation for more
683 details. Both "phase2-auth" and "phase2-autheap" cannot be
684 specified.
685
686 Format: string
687
688 phase2-autheap
689 Specifies the allowed "phase 2" inner EAP-based authentication
690 method when TTLS is specified in the "eap" property. Recognized
691 EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc",
692 and "tls". Each "phase 2" inner method requires specific parameters
693 for successful authentication; see the wpa_supplicant documentation
694 for more details.
695
696 Format: string
697
698 phase2-ca-cert
699 Contains the "phase 2" CA certificate if used by the EAP method
700 specified in the "phase2-auth" or "phase2-autheap" properties.
701
702 Certificate data is specified using a "scheme"; three are currently
703 supported: blob, path and pkcs#11 URL. When using the blob scheme
704 this property should be set to the certificate's DER encoded data.
705 When using the path scheme, this property should be set to the full
706 UTF-8 encoded path of the certificate, prefixed with the string
707 "file://" and ending with a terminating NUL byte. This property can
708 be unset even if the EAP method supports CA certificates, but this
709 allows man-in-the-middle attacks and is NOT recommended.
710
711 Note that enabling NMSetting8021x:system-ca-certs will override
712 this setting to use the built-in path, if the built-in path is not
713 a directory.
714
715 Format: byte array
716
717 phase2-ca-cert-password
718 The password used to access the "phase2" CA certificate stored in
719 "phase2-ca-cert" property. Only makes sense if the certificate is
720 stored on a PKCS#11 token that requires a login.
721
722 Format: string
723
724 phase2-ca-cert-password-flags
725 Flags indicating how to handle the "phase2-ca-cert-password"
726 property.
727
728 Format: NMSettingSecretFlags (uint32)
729
730 phase2-ca-path
731 UTF-8 encoded path to a directory containing PEM or DER formatted
732 certificates to be added to the verification chain in addition to
733 the certificate specified in the "phase2-ca-cert" property.
734
735 If NMSetting8021x:system-ca-certs is enabled and the built-in CA
736 path is an existing directory, then this setting is ignored.
737
738 Format: string
739
740 phase2-client-cert
741 Contains the "phase 2" client certificate if used by the EAP method
742 specified in the "phase2-auth" or "phase2-autheap" properties.
743
744 Certificate data is specified using a "scheme"; two are currently
745 supported: blob and path. When using the blob scheme (which is
746 backwards compatible with NM 0.7.x) this property should be set to
747 the certificate's DER encoded data. When using the path scheme,
748 this property should be set to the full UTF-8 encoded path of the
749 certificate, prefixed with the string "file://" and ending with a
750 terminating NUL byte. This property can be unset even if the EAP
751 method supports CA certificates, but this allows man-in-the-middle
752 attacks and is NOT recommended.
753
754 Format: byte array
755
756 phase2-client-cert-password
757 The password used to access the "phase2" client certificate stored
758 in "phase2-client-cert" property. Only makes sense if the
759 certificate is stored on a PKCS#11 token that requires a login.
760
761 Format: string
762
763 phase2-client-cert-password-flags
764 Flags indicating how to handle the "phase2-client-cert-password"
765 property.
766
767 Format: NMSettingSecretFlags (uint32)
768
769 phase2-domain-match
770 Constraint for server domain name. If set, this list of FQDNs is
771 used as a match requirement for dNSName element(s) of the
772 certificate presented by the authentication server during the inner
773 "phase 2" authentication. If a matching dNSName is found, this
774 constraint is met. If no dNSName values are present, this
775 constraint is matched against SubjectName CN using the same
776 comparison. Multiple valid FQDNs can be passed as a ";" delimited
777 list.
778
779 Format: string
780
781 phase2-domain-suffix-match
782 Constraint for server domain name. If set, this FQDN is used as a
783 suffix match requirement for dNSName element(s) of the certificate
784 presented by the authentication server during the inner "phase 2"
785 authentication. If a matching dNSName is found, this constraint is
786 met. If no dNSName values are present, this constraint is matched
787 against SubjectName CN using the same suffix match comparison. Since
788 version 1.24, multiple valid FQDNs can be passed as a ";" delimited
789 list.
790
791 Format: string
792
793 phase2-private-key
794 Contains the "phase 2" inner private key when the "phase2-auth" or
795 "phase2-autheap" property is set to "tls".
796
797 Key data is specified using a "scheme"; two are currently
798 supported: blob and path. When using the blob scheme and private
799 keys, this property should be set to the key's encrypted PEM
800 encoded data. When using private keys with the path scheme, this
801 property should be set to the full UTF-8 encoded path of the key,
802 prefixed with the string "file://" and ending with a terminating
803 NUL byte. When using PKCS#12 format private keys and the blob
804 scheme, this property should be set to the PKCS#12 data and the
805 "phase2-private-key-password" property must be set to the password used
806 to decrypt the PKCS#12 certificate and key. When using PKCS#12
807 files and the path scheme, this property should be set to the full
808 UTF-8 encoded path of the key, prefixed with the string "file://"
809 and ending with a terminating NUL byte, and as with the blob scheme
810 the "phase2-private-key-password" property must be set to the
811 password used to decode the PKCS#12 private key and certificate.
812
813 Format: byte array
814
815 phase2-private-key-password
816 The password used to decrypt the "phase 2" private key specified in
817 the "phase2-private-key" property when the private key either uses
818 the path scheme, or is a PKCS#12 format key.
819
820 Format: string
821
822 phase2-private-key-password-flags
823 Flags indicating how to handle the "phase2-private-key-password"
824 property.
825
826 Format: NMSettingSecretFlags (uint32)
827
828 phase2-subject-match
829 Substring to be matched against the subject of the certificate
830 presented by the authentication server during the inner "phase 2"
831 authentication. When unset, no verification of the authentication
832 server certificate's subject is performed. This property provides
833 little security, if any, and should not be used.
834
835 This property is deprecated since version 1.2. Use
836 "phase2-domain-suffix-match" instead.
837
838 Format: string
839
840 pin
841 PIN used for EAP authentication methods.
842
843 Format: string
844
845 pin-flags
846 Flags indicating how to handle the "pin" property.
847
848 Format: NMSettingSecretFlags (uint32)
849
850 private-key
851 Contains the private key when the "eap" property is set to "tls".
852
853 Key data is specified using a "scheme"; two are currently
854 supported: blob and path. When using the blob scheme and private
855 keys, this property should be set to the key's encrypted PEM
856 encoded data. When using private keys with the path scheme, this
857 property should be set to the full UTF-8 encoded path of the key,
858 prefixed with the string "file://" and ending with a terminating
859 NUL byte. When using PKCS#12 format private keys and the blob
860 scheme, this property should be set to the PKCS#12 data and the
861 "private-key-password" property must be set to the password used to
862 decrypt the PKCS#12 certificate and key. When using PKCS#12 files
863 and the path scheme, this property should be set to the full UTF-8
864 encoded path of the key, prefixed with the string "file://" and
865 ending with a terminating NUL byte, and as with the blob scheme the
866 "private-key-password" property must be set to the password used to
867 decode the PKCS#12 private key and certificate.
868
869 WARNING: "private-key" is not a "secret" property, and thus
870 unencrypted private key data using the BLOB scheme may be readable
871 by unprivileged users. Private keys should always be encrypted with
872 a private key password to prevent unauthorized access to
873 unencrypted private key data.
874
875 Format: byte array
876
877 private-key-password
878 The password used to decrypt the private key specified in the
879 "private-key" property when the private key either uses the path
880 scheme, or if the private key is a PKCS#12 format key.
881
882 Format: string
883
884 private-key-password-flags
885 Flags indicating how to handle the "private-key-password" property.
886
887 Format: NMSettingSecretFlags (uint32)
888
889 subject-match
890 Substring to be matched against the subject of the certificate
891 presented by the authentication server. When unset, no verification
892 of the authentication server certificate's subject is performed.
893 This property provides little security, if any, and should not be
894 used.
895
896 This property is deprecated since version 1.2. Use
897 "phase2-domain-suffix-match" instead.
898
899 Format: string
900
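The name checks described for "phase2-domain-match", "phase2-domain-suffix-match", "phase2-subject-match" and "subject-match", modelled side by side to show why the substring check is the weak one. This is an added example, not NetworkManager or wpa_supplicant code; the function names and certificate names are constructed, and the case-insensitive, label-by-label comparison is an assumption taken from how wpa_supplicant documents its domain_suffix_match option.

```python
"""Model of the 802-1x server-name constraints (added example, hypothetical names)."""


def _labels(name):
    # Assumption: names compare case-insensitively, one DNS label at a time.
    return name.strip().rstrip(".").lower().split(".")


def _fqdn_list(value):
    # Multiple valid FQDNs are passed as a ";" delimited list.
    return [_labels(v) for v in value.split(";") if v.strip()]


def _names_to_check(dns_names, subject_cn):
    # dNSName entries are used when present; the SubjectName CN is consulted
    # only when the certificate carries no dNSName values at all.
    if dns_names:
        return [_labels(n) for n in dns_names]
    return [_labels(subject_cn)] if subject_cn else []


def domain_match(constraint, dns_names, subject_cn=None):
    """Full-name match: one presented name must equal one listed FQDN."""
    wanted = _fqdn_list(constraint)
    return any(n in wanted for n in _names_to_check(dns_names, subject_cn))


def domain_suffix_match(constraint, dns_names, subject_cn=None):
    """Suffix match: the listed FQDN must be the trailing labels of a name."""
    for have in _names_to_check(dns_names, subject_cn):
        for want in _fqdn_list(constraint):
            if len(have) >= len(want) and have[-len(want):] == want:
                return True
    return False


def subject_match(substring, subject):
    """Deprecated check: plain substring search in the subject string."""
    return substring in subject


# Constructed certificate names (reserved .example/.test domains).
GOOD = {"dns_names": ["radius.corp.example"],
        "subject": "CN=radius.corp.example,O=Corp"}
LOOKALIKE = {"dns_names": ["radius.corp.example.lookalike.test"],
             "subject": "CN=radius.corp.example.lookalike.test"}


def compare(cert, constraint="corp.example"):
    """Return what each style of check decides for one certificate."""
    return {
        "subject-match": subject_match(constraint, cert["subject"]),
        "domain-suffix-match": domain_suffix_match(constraint, cert["dns_names"]),
    }


if __name__ == "__main__":
    for label, cert in (("good", GOOD), ("lookalike", LOOKALIKE)):
        print(label, compare(cert))
```

The lookalike certificate passes the substring check but fails the suffix check, which is the practical reason to configure a domain match together with a CA certificate rather than a subject substring.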
901 system-ca-certs
902 When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
903 using the system CA directory specified at configure time with the
904 --system-ca-path switch. The certificates in this directory are
905 added to the verification chain in addition to any certificates
906 specified by the "ca-cert" and "phase2-ca-cert" properties. If the
907 path provided with --system-ca-path is rather a file name (bundle
908 of trusted CA certificates), it overrides "ca-cert" and
909 "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
910 for wpa_supplicant).
911
912 Format: boolean
913
914 adsl setting
915 ADSL Settings.
916
917 Properties:
918
919 encapsulation
920 Alias: encapsulation
921
922 Encapsulation of ADSL connection. Can be "vcmux" or "llc".
923
924 Format: string
925
926 password
927 Alias: password
928
929 Password used to authenticate with the ADSL service.
930
931 Format: string
932
933 password-flags
934 Flags indicating how to handle the "password" property.
935
936 Format: NMSettingSecretFlags (uint32)
937
938 protocol
939 Alias: protocol
940
941 ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
942
943 Format: string
944
945 username
946 Alias: username
947
948 Username used to authenticate with the ADSL service.
949
950 Format: string
951
952 vci
953 VCI of ADSL connection
954
955 Format: uint32
956
957 vpi
958 VPI of ADSL connection
959
960 Format: uint32
961
962 bluetooth setting
963 Bluetooth Settings.
964
965 Properties:
966
967 bdaddr
968 Alias: addr
969
970 The Bluetooth address of the device.
971
972 Format: byte array
973
974 type
975 Alias: bt-type
976
977 Either "dun" for Dial-Up Networking connections or "panu" for
978 Personal Area Networking connections to devices supporting the NAP
979 profile.
980
981 Format: string
982
983 bond setting
984 Bonding Settings.
985
986 Properties:
987
988 options
989 Dictionary of key/value pairs of bonding options. Both keys and
990 values must be strings. Option names must contain only alphanumeric
991 characters (i.e., [a-zA-Z0-9]).
992
993 Format: dict of string to string
994
995 bridge setting
996 Bridging Settings.
997
998 Properties:
999
1000 ageing-time
1001 Alias: ageing-time
1002
1003 The Ethernet MAC address aging time, in seconds.
1004
1005 Format: uint32
1006
1007 forward-delay
1008 Alias: forward-delay
1009
1010 The Spanning Tree Protocol (STP) forwarding delay, in seconds.
1011
1012 Format: uint32
1013
1014 group-address
1015 If specified, the MAC address of the multicast group this bridge
1016 uses for STP.
1017
1018 The address must be a link-local address in standard Ethernet MAC
1019 address format, i.e. an address of the form 01:80:C2:00:00:0X, with X
1020 in [0, 4..F]. If not specified the default value is
1021 01:80:C2:00:00:00.
1022
1023 Format: byte array
1024
1025 group-forward-mask
1026 Alias: group-forward-mask
1027
1028 A mask of group addresses to forward. Usually, group addresses in
1029 the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
1030 forwarded according to standards. This property is a mask of 16
1031 bits, each corresponding to a group address in that range that must
1032 be forwarded. The mask can't have bits 0, 1 or 2 set because they
1033 are used for STP, MAC pause frames and LACP.
1034
1035 Format: uint32
1036
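A helper for building and auditing "group-forward-mask" values and checking "group-address", following the bit rules stated above. This is an added example, not NetworkManager code; the function names are hypothetical, and the mapping of bit n to address 01:80:C2:00:00:0n is the reading of "each corresponding to a group address in that range" that this example assumes.

```python
"""Encode, decode and validate bridge group-forward-mask (added example)."""

PREFIX = "01:80:C2:00:00:0"   # group addresses 01:80:C2:00:00:00 .. 0F
RESERVED = 0b0111              # bits 0, 1, 2: STP, MAC pause frames, LACP


def _last_nibble(addr):
    """Return X for an address of the form 01:80:C2:00:00:0X."""
    a = addr.strip().upper()
    if len(a) != 17 or not a.startswith(PREFIX) or a[-1] not in "0123456789ABCDEF":
        raise ValueError(f"{addr!r} is not in 01:80:C2:00:00:00..0F")
    return int(a[-1], 16)


def valid_group_address(addr):
    """group-address must be 01:80:C2:00:00:0X with X in [0, 4..F]."""
    try:
        x = _last_nibble(addr)
    except ValueError:
        return False
    return x == 0 or 4 <= x <= 0xF


def check_mask(mask):
    """Reject masks wider than 16 bits or with a reserved bit set."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("group-forward-mask is a mask of 16 bits")
    if mask & RESERVED:
        raise ValueError("bits 0, 1 and 2 cannot be set")
    return mask


def mask_for(addresses):
    """Build the mask that forwards exactly the given group addresses."""
    mask = 0
    for addr in addresses:
        mask |= 1 << _last_nibble(addr)
    return check_mask(mask)


def forwarded_by(mask):
    """List the group addresses a configured mask lets through the bridge."""
    check_mask(mask)
    return [f"{PREFIX}{bit:X}" for bit in range(16) if mask >> bit & 1]


if __name__ == "__main__":
    # 01:80:C2:00:00:03 is the 802.1X PAE group address (EAPOL) and
    # 01:80:C2:00:00:0E is the LLDP nearest-bridge address.
    m = mask_for(["01:80:C2:00:00:03", "01:80:C2:00:00:0E"])
    print(hex(m), forwarded_by(m))
```

Decoding an existing mask with forwarded_by() shows which link-local protocols a bridge relays between its ports, which is worth reviewing when the bridge joins segments with different trust levels.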
1037 hello-time
1038 Alias: hello-time
1039
1040 The Spanning Tree Protocol (STP) hello time, in seconds.
1041
1042 Format: uint32
1043
1044 mac-address
1045 Alias: mac
1046
1047 If specified, the MAC address of the bridge. When creating a new
1048 bridge, this MAC address will be set.
1049
1050 If this field is left unspecified,
1051 "ethernet.cloned-mac-address" is used instead to generate the
1052 initial MAC address. Note that setting
1053 "ethernet.cloned-mac-address" overwrites the MAC address of the
1054 bridge later anyway, while activating the bridge.
1055
1056 This property is deprecated since version 1.12. Use the
1057 "cloned-mac-address" property instead.
1058
1059 Format: byte array
1060
1061 max-age
1062 Alias: max-age
1063
1064 The Spanning Tree Protocol (STP) maximum message age, in seconds.
1065
1066 Format: uint32
1067
1068 multicast-hash-max
1069 Set maximum size of multicast hash table (value must be a power of
1070 2).
1071
1072 Format: uint32
1073
1074 multicast-last-member-count
1075 Set the number of queries the bridge will send before stopping
1076 forwarding a multicast group after a "leave" message has been
1077 received.
1078
1079 Format: uint32
1080
1081 multicast-last-member-interval
1082 Set interval (in deciseconds) between queries to find remaining
1083 members of a group, after a "leave" message is received.
1084
1085 Format: uint64
1086
1087 multicast-membership-interval
1088 Set delay (in deciseconds) after which the bridge will leave a
1089 group, if no membership reports for this group are received.
1090
1091 Format: uint64
1092
1093 multicast-querier
1094 Enable or disable sending of multicast queries by the bridge. If
1095 not specified the option is disabled.
1096
1097 Format: boolean
1098
1099 multicast-querier-interval
1100 If no queries are seen after this delay (in deciseconds) has
1101 passed, the bridge will start to send its own queries.
1102
1103 Format: uint64
1104
1105 multicast-query-interval
1106 Interval (in deciseconds) between queries sent by the bridge after
1107 the end of the startup phase.
1108
1109 Format: uint64
1110
1111 multicast-query-response-interval
1112 Set the Max Response Time/Max Response Delay (in deciseconds) for
1113 IGMP/MLD queries sent by the bridge.
1114
1115 Format: uint64
1116
1117 multicast-query-use-ifaddr
1118 If enabled, the bridge's own IP address is used as the source
1119 address for IGMP queries; otherwise the default of 0.0.0.0 is used.
1120
1121 Format: boolean
1122
1123 multicast-router
1124 Sets bridge's multicast router. Multicast-snooping must be enabled
1125 for this option to work.
1126
1127 Supported values are: 'auto', 'disabled', 'enabled' to which the kernel
1128 assigns the numbers 1, 0, and 2, respectively. If not specified the
1129 default value is 'auto' (1).
1130
1131 Format: string
1132
1133 multicast-snooping
1134 Alias: multicast-snooping
1135
1136 Controls whether IGMP snooping is enabled for this bridge. Note
1137 that if snooping was automatically disabled due to hash collisions,
1138 the system may refuse to enable the feature until the collisions
1139 are resolved.
1140
1141 Format: boolean
1142
1143 multicast-startup-query-count
1144 Set the number of IGMP queries to send during startup phase.
1145
1146 Format: uint32
1147
1148 multicast-startup-query-interval
1149 Sets the time (in deciseconds) between queries sent out at startup
1150 to determine membership information.
1151
1152 Format: uint64
1153
1154 priority
1155 Alias: priority
1156
1157 Sets the Spanning Tree Protocol (STP) priority for this bridge.
1158 Lower values are "better"; the lowest priority bridge will be
1159 elected the root bridge.
1160
1161 Format: uint32
1162
1163 stp
1164 Alias: stp
1165
1166 Controls whether Spanning Tree Protocol (STP) is enabled for this
1167 bridge.
1168
1169 Format: boolean
1170
1171 vlan-default-pvid
1172 The default PVID for the ports of the bridge, that is the VLAN id
1173 assigned to incoming untagged frames.
1174
1175 Format: uint32
1176
1177 vlan-filtering
1178 Control whether VLAN filtering is enabled on the bridge.
1179
1180 Format: boolean
1181
1182 vlan-protocol
1183 If specified, the protocol used for VLAN filtering.
1184
1185 Supported values are: '802.1Q', '802.1ad'. If not specified the
1186 default value is '802.1Q'.
1187
1188 Format: string
1189
1190 vlan-stats-enabled
1191 Controls whether per-VLAN stats accounting is enabled.
1192
1193 Format: boolean
1194
1195 vlans
1196 Array of bridge VLAN objects. In addition to the VLANs specified
1197 here, the bridge will also have the default-pvid VLAN configured by
1198 the bridge.vlan-default-pvid property.
1199
1200 In nmcli the VLAN list can be specified with the following syntax:
1201
1202 $vid [pvid] [untagged] [, $vid [pvid] [untagged]]...
1203
1204 where $vid is either a single id between 1 and 4094 or a range,
1205 represented as a couple of ids separated by a dash.
1206
1207 Format: array of vardict
1208
1209 bridge-port setting
1210 Bridge Port Settings.
1211
1212 Properties:
1213
1214 hairpin-mode
1215 Alias: hairpin
1216
1217 Enables or disables "hairpin mode" for the port, which allows
1218 frames to be sent back out through the port the frame was received
1219 on.
1220
1221 Format: boolean
1222
1223 path-cost
1224 Alias: path-cost
1225
1226 The Spanning Tree Protocol (STP) port cost for destinations via
1227 this port.
1228
1229 Format: uint32
1230
1231 priority
1232 Alias: priority
1233
1234 The Spanning Tree Protocol (STP) priority of this bridge port.
1235
1236 Format: uint32
1237
1238 vlans
1239 Array of bridge VLAN objects. In addition to the VLANs specified
1240 here, the port will also have the default-pvid VLAN configured on
1241 the bridge by the bridge.vlan-default-pvid property.
1242
1243 In nmcli the VLAN list can be specified with the following syntax:
1244
1245 $vid [pvid] [untagged] [, $vid [pvid] [untagged]]...
1246
1247 where $vid is either a single id between 1 and 4094 or a range,
1248 represented as a couple of ids separated by a dash.
1249
1250 Format: array of vardict
1251
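A parser for the VLAN list syntax given for both "bridge.vlans" and "bridge-port.vlans", useful for checking a list before handing it to nmcli. This is an added example, not NetworkManager's own parser; the function names are hypothetical, and three checks are this example's assumptions rather than rules stated above: flags are accepted in either order, a range cannot carry pvid, and a list may hold only one pvid and no overlapping ids.

```python
"""Parse "$vid [pvid] [untagged] [, ...]" VLAN lists (added example)."""

VID_MIN, VID_MAX = 1, 4094
FLAGS = {"pvid", "untagged"}


def _parse_vid(token):
    """Return (start, end) for a single id or a dash-separated range."""
    first, dash, last = token.partition("-")
    ok = first.isascii() and first.isdigit()
    if dash:
        ok = ok and last.isascii() and last.isdigit()
    if not ok:
        raise ValueError(f"bad VLAN id {token!r}")
    start = int(first)
    end = int(last) if dash else start
    if not (VID_MIN <= start <= end <= VID_MAX):
        raise ValueError(f"VLAN id {token!r} outside {VID_MIN}-{VID_MAX} or reversed")
    return start, end


def parse_vlans(text):
    """Parse a VLAN list into dicts with start, end, pvid and untagged."""
    if not text.strip():
        return []
    vlans, seen, have_pvid = [], set(), False
    for item in text.split(","):
        words = item.split()
        if not words:
            raise ValueError("empty VLAN entry")
        start, end = _parse_vid(words[0])
        flags = words[1:]
        if any(f not in FLAGS for f in flags) or len(set(flags)) != len(flags):
            raise ValueError(f"bad flags in {item.strip()!r}")
        pvid = "pvid" in flags
        # Example-specific checks (assumptions, see lead-in).
        if pvid and start != end:
            raise ValueError("a range cannot be the pvid")
        if pvid and have_pvid:
            raise ValueError("more than one pvid")
        ids = set(range(start, end + 1))
        if ids & seen:
            raise ValueError(f"VLAN ids in {words[0]!r} already listed")
        seen |= ids
        have_pvid = have_pvid or pvid
        vlans.append({"start": start, "end": end,
                      "pvid": pvid, "untagged": "untagged" in flags})
    return vlans


def member_ids(vlans):
    """Expand parsed entries into the sorted list of VLAN ids they cover."""
    return sorted(v for e in vlans for v in range(e["start"], e["end"] + 1))


if __name__ == "__main__":
    parsed = parse_vlans("10 pvid untagged, 20-22, 30 untagged")  # constructed input
    print(parsed)
    print(member_ids(parsed))
```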
1252 cdma setting
1253 CDMA-based Mobile Broadband Settings.
1254
1255 Properties:
1256
1257 mtu
1258 If non-zero, only transmit packets of the specified size or
1259 smaller, breaking larger packets up into multiple frames.
1260
1261 Format: uint32
1262
1263 number
1264 The number to dial to establish the connection to the CDMA-based
1265 mobile broadband network, if any. If not specified, the default
1266 number (#777) is used when required.
1267
1268 Format: string
1269
1270 password
1271 Alias: password
1272
1273 The password used to authenticate with the network, if required.
1274 Many providers do not require a password, or accept any password.
1275 But if a password is required, it is specified here.
1276
1277 Format: string
1278
1279 password-flags
1280 Flags indicating how to handle the "password" property.
1281
1282 Format: NMSettingSecretFlags (uint32)
1283
1284 username
1285 Alias: user
1286
1287 The username used to authenticate with the network, if required.
1288 Many providers do not require a username, or accept any username.
1289 But if a username is required, it is specified here.
1290
1291 Format: string
1292
1293 dcb setting
1294 Data Center Bridging Settings.
1295
1296 Properties:
1297
1298 app-fcoe-flags
1299 Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1300 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1301 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1302 NM_SETTING_DCB_FLAG_WILLING (0x4).
1303
1304 Format: NMSettingDcbFlags (uint32)
1305
1306 app-fcoe-mode
1307 The FCoE controller mode; either "fabric" or "vn2vn".
1308
1309 Since 1.34, NULL is the default and means "fabric". Before 1.34,
1310 NULL was rejected as invalid and the default was "fabric".
1311
1312 Format: string
1313
1314 app-fcoe-priority
1315 The highest User Priority (0 - 7) which FCoE frames should use, or
1316 -1 for default priority. Only used when the "app-fcoe-flags"
1317 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1318
1319 Format: int32
1320
1321 app-fip-flags
1322 Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1323 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1324 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1325 NM_SETTING_DCB_FLAG_WILLING (0x4).
1326
1327 Format: NMSettingDcbFlags (uint32)
1328
1329 app-fip-priority
1330 The highest User Priority (0 - 7) which FIP frames should use, or
1331 -1 for default priority. Only used when the "app-fip-flags"
1332 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1333
1334 Format: int32
1335
1336 app-iscsi-flags
1337 Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1338 Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1339 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1340 NM_SETTING_DCB_FLAG_WILLING (0x4).
1341
1342 Format: NMSettingDcbFlags (uint32)
1343
1344 app-iscsi-priority
1345 The highest User Priority (0 - 7) which iSCSI frames should use, or
1346 -1 for default priority. Only used when the "app-iscsi-flags"
1347 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1348
1349 Format: int32
1350
1351 priority-bandwidth
1352 An array of 8 uint values, where the array index corresponds to the
1353 User Priority (0 - 7) and the value indicates the percentage of
1354 bandwidth of the priority's assigned group that the priority may
1355 use. The sum of all percentages for priorities which belong to the
1356 same group must total 100 percent.
1357
1358 Format: array of uint32
1359
1360 priority-flow-control
1361 An array of 8 boolean values, where the array index corresponds to
1362 the User Priority (0 - 7) and the value indicates whether or not
1363 the corresponding priority should transmit priority pause.
1364
1365 Format: array of uint32
1366
1367 priority-flow-control-flags
1368 Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1369 (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1370 (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1371 NM_SETTING_DCB_FLAG_WILLING (0x4).
1372
1373 Format: NMSettingDcbFlags (uint32)
1374
1375 priority-group-bandwidth
1376 An array of 8 uint values, where the array index corresponds to the
1377 Priority Group ID (0 - 7) and the value indicates the percentage of
1378 link bandwidth allocated to that group. Allowed values are 0 - 100,
1379 and the sum of all values must total 100 percent.
1380
1381 Format: array of uint32
1382
1383 priority-group-flags
1384 Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1385 be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1386 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1387 NM_SETTING_DCB_FLAG_WILLING (0x4).
1388
1389 Format: NMSettingDcbFlags (uint32)
1390
1391 priority-group-id
1392 An array of 8 uint values, where the array index corresponds to the
1393 User Priority (0 - 7) and the value indicates the Priority Group
1394 ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1395 unrestricted group.
1396
1397 Format: array of uint32
1398
1399 priority-strict-bandwidth
1400 An array of 8 boolean values, where the array index corresponds to
1401 the User Priority (0 - 7) and the value indicates whether or not
1402 the priority may use all of the bandwidth allocated to its assigned
1403 group.
1404
1405 Format: array of uint32
1406
1407 priority-traffic-class
1408 An array of 8 uint values, where the array index corresponds to the
1409 User Priority (0 - 7) and the value indicates the traffic class (0
1410 - 7) to which the priority is mapped.
1411
1412 Format: array of uint32
1413
1414 ethtool setting
1415 Ethtool Ethernet Settings.
1416
1417 Properties:
1418
1419 coalesce-adaptive-rx
1420
1421 coalesce-adaptive-tx
1422
1423 coalesce-pkt-rate-high
1424
1425 coalesce-pkt-rate-low
1426
1427 coalesce-rx-frames
1428
1429 coalesce-rx-frames-high
1430
1431 coalesce-rx-frames-irq
1432
1433 coalesce-rx-frames-low
1434
1435 coalesce-rx-usecs
1436
1437 coalesce-rx-usecs-high
1438
1439 coalesce-rx-usecs-irq
1440
1441 coalesce-rx-usecs-low
1442
1443 coalesce-sample-interval
1444
1445 coalesce-stats-block-usecs
1446
1447 coalesce-tx-frames
1448
1449 coalesce-tx-frames-high
1450
1451 coalesce-tx-frames-irq
1452
1453 coalesce-tx-frames-low
1454
1455 coalesce-tx-usecs
1456
1457 coalesce-tx-usecs-high
1458
1459 coalesce-tx-usecs-irq
1460
1461 coalesce-tx-usecs-low
1462
1463 feature-esp-hw-offload
1464
1465 feature-esp-tx-csum-hw-offload
1466
1467 feature-fcoe-mtu
1468
1469 feature-gro
1470
1471 feature-gso
1472
1473 feature-highdma
1474
1475 feature-hw-tc-offload
1476
1477 feature-l2-fwd-offload
1478
1479 feature-loopback
1480
1481 feature-lro
1482
1483 feature-macsec-hw-offload
1484
1485 feature-ntuple
1486
1487 feature-rx
1488
1489 feature-rx-all
1490
1491 feature-rx-fcs
1492
1493 feature-rx-gro-hw
1494
1495 feature-rx-gro-list
1496
1497 feature-rx-udp-gro-forwarding
1498
1499 feature-rx-udp_tunnel-port-offload
1500
1501 feature-rx-vlan-filter
1502
1503 feature-rx-vlan-stag-filter
1504
1505 feature-rx-vlan-stag-hw-parse
1506
1507 feature-rxhash
1508
1509 feature-rxvlan
1510
1511 feature-sg
1512
1513 feature-tls-hw-record
1514
1515 feature-tls-hw-rx-offload
1516
1517 feature-tls-hw-tx-offload
1518
1519 feature-tso
1520
1521 feature-tx
1522
1523 feature-tx-checksum-fcoe-crc
1524
1525 feature-tx-checksum-ip-generic
1526
1527 feature-tx-checksum-ipv4
1528
1529 feature-tx-checksum-ipv6
1530
1531 feature-tx-checksum-sctp
1532
1533 feature-tx-esp-segmentation
1534
1535 feature-tx-fcoe-segmentation
1536
1537 feature-tx-gre-csum-segmentation
1538
1539 feature-tx-gre-segmentation
1540
1541 feature-tx-gso-list
1542
1543 feature-tx-gso-partial
1544
1545 feature-tx-gso-robust
1546
1547 feature-tx-ipxip4-segmentation
1548
1549 feature-tx-ipxip6-segmentation
1550
1551 feature-tx-nocache-copy
1552
1553 feature-tx-scatter-gather
1554
1555 feature-tx-scatter-gather-fraglist
1556
1557 feature-tx-sctp-segmentation
1558
1559 feature-tx-tcp-ecn-segmentation
1560
1561 feature-tx-tcp-mangleid-segmentation
1562
1563 feature-tx-tcp-segmentation
1564
1565 feature-tx-tcp6-segmentation
1566
1567 feature-tx-tunnel-remcsum-segmentation
1568
1569 feature-tx-udp-segmentation
1570
1571 feature-tx-udp_tnl-csum-segmentation
1572
1573 feature-tx-udp_tnl-segmentation
1574
1575 feature-tx-vlan-stag-hw-insert
1576
1577 feature-txvlan
1578
1579 pause-autoneg
1580
1581 pause-rx
1582
1583 pause-tx
1584
1585 ring-rx
1586
1587 ring-rx-jumbo
1588
1589 ring-rx-mini
1590
1591 ring-tx
1592
1593 gsm setting
1594 GSM-based Mobile Broadband Settings.
1595
1596 Properties:
1597
1598 apn
1599 Alias: apn
1600
1601 The GPRS Access Point Name specifying the APN used when
1602 establishing a data session with the GSM-based network. The APN
1603 often determines how the user will be billed for their network
1604 usage and whether the user has access to the Internet or just a
1605 provider-specific walled-garden, so it is important to use the
1606 correct APN for the user's mobile broadband plan. The APN may only
1607 be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1608 Section 14.9.
1609
1610 Format: string
1611
1612 auto-config
1613 When TRUE, the settings such as APN, username, or password will
1614 default to values that match the network the modem will register to
1615 in the Mobile Broadband Provider database.
1616
1617 Format: boolean
1618
1619 device-id
1620 The device unique identifier (as given by the WWAN management
1621 service) which this connection applies to. If given, the connection
1622 will only apply to the specified device.
1623
1624 Format: string
1625
1626 home-only
1627 When TRUE, only connections to the home network will be allowed.
1628 Connections to roaming networks will not be made.
1629
1630 Format: boolean
1631
1632 mtu
1633 If non-zero, only transmit packets of the specified size or
1634 smaller, breaking larger packets up into multiple frames.
1635
1636 Format: uint32
1637
1638 network-id
1639 The Network ID (GSM LAI format, i.e. MCC-MNC) to force specific
1640 network registration. If the Network ID is specified,
1641 NetworkManager will attempt to force the device to register only on
1642 the specified network. This can be used to ensure that the device
1643 does not roam when direct roaming control of the device is not
1644 otherwise possible.
1645
1646 Format: string
1647
1648 number
1649 Legacy setting that used to help establish PPP data sessions for
1650 GSM-based modems.
1651
1652 This property is deprecated since version 1.16. User-provided
1653 values for this setting are no longer used.
1654
1655 Format: string
1656
1657 password
1658 Alias: password
1659
1660 The password used to authenticate with the network, if required.
1661 Many providers do not require a password, or accept any password.
1662 But if a password is required, it is specified here.
1663
1664 Format: string
1665
1666 password-flags
1667 Flags indicating how to handle the "password" property.
1668
1669 Format: NMSettingSecretFlags (uint32)
1670
1671 pin
1672 If the SIM is locked with a PIN it must be unlocked before any
1673 other operations are requested. Specify the PIN here to allow
1674 operation of the device.
1675
1676 Format: string
1677
1678 pin-flags
1679 Flags indicating how to handle the "pin" property.
1680
1681 Format: NMSettingSecretFlags (uint32)
1682
1683 sim-id
1684 The SIM card unique identifier (as given by the WWAN management
1685 service) which this connection applies to. If given, the connection
1686 will apply to any device also allowed by "device-id" which contains
1687 a SIM card matching the given identifier.
1688
1689 Format: string
1690
1691 sim-operator-id
1692 A MCC/MNC string like "310260" or "21601" identifying the specific
1693 mobile network operator which this connection applies to. If given,
1694 the connection will apply to any device also allowed by "device-id"
1695 and "sim-id" which contains a SIM card provisioned by the given
1696 operator.
1697
1698 Format: string
1699
1700 username
1701 Alias: user
1702
1703 The username used to authenticate with the network, if required.
1704 Many providers do not require a username, or accept any username.
1705 But if a username is required, it is specified here.
1706
1707 Format: string
1708
1709 infiniband setting
1710 Infiniband Settings.
1711
1712 Properties:
1713
1714 mac-address
1715 Alias: mac
1716
1717 If specified, this connection will only apply to the IPoIB device
1718 whose permanent MAC address matches. This property does not change
1719 the MAC address of the device (i.e. MAC spoofing).
1720
1721 Format: byte array
1722
1723 mtu
1724 Alias: mtu
1725
1726 If non-zero, only transmit packets of the specified size or
1727 smaller, breaking larger packets up into multiple frames.
1728
1729 Format: uint32
1730
1731 p-key
1732 Alias: p-key
1733
1734 The InfiniBand p-key to use for this device. A value of -1 means to
1735 use the default p-key (aka "the p-key at index 0"). Otherwise, it
1736 is a 16-bit unsigned integer, whose high bit 0x8000 is set if it is
1737 a "full membership" p-key. The values 0 and 0x8000 are not allowed.
1738
1739 With the p-key set, the interface name is always "$parent.$p_key".
1740 Setting "connection.interface-name" to another name is not
1741 supported.
1742
1743 Note that the kernel will internally always set the full membership
1744 bit, although the interface name does not reflect that. Usually the
1745 user would want to configure a full membership p-key with 0x8000
1746 flag set.
1747
1748 Format: int32
1749
1750 parent
1751 Alias: parent
1752
1753 The interface name of the parent device of this device. Normally
1754 NULL, but if the "p_key" property is set, then you must specify the
1755 base device by setting either this property or "mac-address".
1756
1757 Format: string
1758
1759 transport-mode
1760 Alias: transport-mode
1761
1762 The IP-over-InfiniBand transport mode. Either "datagram" or
1763 "connected".
1764
1765 Format: string
1766
1767 ipv4 setting
1768 IPv4 Settings.
1769
1770 Properties:
1771
1772 addresses
1773 Alias: ip4
1774
1775 Array of IP addresses.
1776
1777 Format: a comma separated list of addresses
1778
1779 auto-route-ext-gw
1780 VPN connections will add the route automatically by default unless
1781 this setting is set to FALSE.
1782
1783 For other connection types, adding such an automatic route is
1784 currently not supported and setting this to TRUE has no effect.
1785
1786 Format: NMTernary (int32)
1787
1788 dad-timeout
1789 Timeout in milliseconds used to check for the presence of duplicate
1790 IP addresses on the network. If an address conflict is detected,
1791 the activation will fail. A zero value means that no duplicate
1792 address detection is performed, -1 means the default value (either
1793 configuration ipvx.dad-timeout override or zero). A value greater
1794 than zero is a timeout in milliseconds.
1795
1796 The property is currently implemented only for IPv4.
1797
1798 Format: int32
1799
1800 dhcp-client-id
1801 A string sent to the DHCP server to identify the local machine
1802 which the DHCP server may use to customize the DHCP lease and
1803 options. When the property is a hex string ('aa:bb:cc') it is
1804 interpreted as a binary client ID, in which case the first byte is
1805 assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1806 remaining bytes may be a hardware address (e.g.
1807 '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1808 rest is a MAC address). If the property is not a hex string it is
1809 considered as a non-hardware-address client ID and the 'type' field
1810 is set to 0.
1811
1812 The special values "mac" and "perm-mac" are supported, which use
1813 the current or permanent MAC address of the device to generate a
1814 client identifier with type ethernet (01). Currently, these options
1815 only work for ethernet type of links.
1816
1817 The special value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid"
1818 property as an RFC4361-compliant client identifier. As IAID it uses
1819 "ipv4.dhcp-iaid" and falls back to "ipv6.dhcp-iaid" if unset.
1820
1821 The special value "duid" generates a RFC4361-compliant client
1822 identifier based on "ipv4.dhcp-iaid" and uses a DUID generated by
1823 hashing /etc/machine-id.
1824
1825 The special value "stable" is supported to generate a type 0 client
1826 identifier based on the stable-id (see connection.stable-id) and a
1827 per-host key. If you set the stable-id, you may want to include the
1828 "${DEVICE}" or "${MAC}" specifier to get a per-device key.
1829
1830 If unset, a globally configured default is used. If still unset,
1831 the default depends on the DHCP plugin.
1832
1833 Format: string
1834
1835 dhcp-fqdn
1836 If the "dhcp-send-hostname" property is TRUE, then the specified
1837 FQDN will be sent to the DHCP server when acquiring a lease. This
1838 property and "dhcp-hostname" are mutually exclusive and cannot be
1839 set at the same time.
1840
1841 Format: string
1842
1843 dhcp-hostname
1844 If the "dhcp-send-hostname" property is TRUE, then the specified
1845 name will be sent to the DHCP server when acquiring a lease. This
1846 property and "dhcp-fqdn" are mutually exclusive and cannot be set
1847 at the same time.
1848
1849 Format: string
1850
1851 dhcp-hostname-flags
1852 Flags for the DHCP hostname and FQDN.
1853
1854 Currently, this property only includes flags to control the FQDN
1855 flags set in the DHCP FQDN option. Supported FQDN flags are
1856 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1857 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1858 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1859 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1860 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1861 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1862 the standard FQDN flags are set in the request:
1863 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1864 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1865 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6.
1866
1867 When this property is set to the default value
1868 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), a global default is looked up in
1869 NetworkManager configuration. If that value is unset or also
1870 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1871 described above are sent in the DHCP requests.
1872
1873 Format: uint32
1874
1875 dhcp-iaid
1876 A string containing the "Identity Association Identifier" (IAID)
1877 used by the DHCP client. The string can be a 32-bit number (either
1878 decimal, hexadecimal or as colon separated hexadecimal numbers).
1879 Alternatively it can be set to the special values "mac",
1880 "perm-mac", "ifname" or "stable". When set to "mac" (or
1881 "perm-mac"), the last 4 bytes of the current (or permanent) MAC
1882 address are used as IAID. When set to "ifname", the IAID is
1883 computed by hashing the interface name. The special value "stable"
1884 can be used to generate an IAID based on the stable-id (see
1885 connection.stable-id), a per-host key and the interface name. When
1886 the property is unset, the value from global configuration is used;
1887 if no global default is set then the IAID is assumed to be
1888 "ifname".
1889
1890 For DHCPv4, the IAID is only used with "ipv4.dhcp-client-id" values
1891 "duid" and "ipv6-duid" to generate the client-id.
1892
1893 For DHCPv6, note that at the moment this property is only supported
1894 by the "internal" DHCPv6 plugin. The "dhclient" DHCPv6 plugin
1895 always derives the IAID from the MAC address.
1896
1897 The actually used DHCPv6 IAID for a currently activated interface
1898 is exposed in the lease information of the device.
1899
1900 Format: string
1901
1902 dhcp-reject-servers
1903 Array of servers from which DHCP offers must be rejected. This
1904 property is useful to avoid getting a lease from misconfigured or
1905 rogue servers.
1906
1907 For DHCPv4, each element must be an IPv4 address, optionally
1908 followed by a slash and a prefix length (e.g. "192.168.122.0/24").
1909
1910 This property is currently not implemented for DHCPv6.
1911
1912 Format: array of string
1913
1914 dhcp-send-hostname
1915 If TRUE, a hostname is sent to the DHCP server when acquiring a
1916 lease. Some DHCP servers use this hostname to update DNS databases,
1917 essentially providing a static hostname for the computer. If the
1918 "dhcp-hostname" property is NULL and this property is TRUE, the
1919 current persistent hostname of the computer is sent.
1920
1921 Format: boolean
1922
1923 dhcp-timeout
1924 A timeout for a DHCP transaction in seconds. If zero (the default),
1925 a globally configured default is used. If still unspecified, a
1926 device specific timeout is used (usually 45 seconds).
1927
1928 Set to 2147483647 (MAXINT32) for infinity.
1929
1930 Format: int32
1931
1932 dhcp-vendor-class-identifier
1933 The Vendor Class Identifier DHCP option (60). Special characters in
1934 the data string may be escaped using C-style escapes, nevertheless
1935 this property cannot contain nul bytes. If the per-profile value is
1936 unspecified (the default), a global connection default gets
1937 consulted. If still unspecified, the DHCP option is not sent to the
1938 server.
1939
1940 Format: string
1941
1942 dns
1943 Array of IP addresses of DNS servers.
1944
1945 For DoT (DNS over TLS), the SNI server name can be specified by
1946 appending "#example.com" to the IP address of the DNS server. This
1947 currently only has effect when using systemd-resolved.
1948
1949 Format: array of uint32
1950
1951 dns-options
1952 Array of DNS options as described in man 5 resolv.conf.
1953
1954 NULL means that the options are unset and left at the default. In
1955 this case NetworkManager will use default options. This is distinct
1956 from an empty list of properties.
1957
1958 The currently supported options are "attempts", "debug", "edns0",
1959 "inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-aaaa",
1960 "no-check-names", "no-ip6-dotint", "no-reload", "no-tld-query",
1961 "rotate", "single-request", "single-request-reopen", "timeout",
1962 "trust-ad", "use-vc".
1963
1964 The "trust-ad" setting is only honored if the profile contributes
1965 name servers to resolv.conf, and if all contributing profiles have
1966 "trust-ad" enabled.
1967
1968 When using a caching DNS plugin (dnsmasq or systemd-resolved in
1969 NetworkManager.conf) then "edns0" and "trust-ad" are automatically
1970 added.
1971
1972 Format: array of string
1973
1974 dns-priority
1975 DNS servers priority.
1976
1977 The relative priority for DNS servers specified by this setting. A
1978 lower numerical value is better (higher priority).
1979
1980 Negative values have the special effect of excluding other
1981 configurations with a greater numerical priority value; so in
1982 presence of at least one negative priority, only DNS servers from
1983 connections with the lowest priority value will be used. To avoid
1984 all DNS leaks, set the priority of the profile that should be used
1985 to the most negative value of all active connection profiles.
1986
1987 Zero selects a globally configured default value. If the latter is
1988 missing or zero too, it defaults to 50 for VPNs (including
1989 WireGuard) and 100 for other connections.
1990
1991 Note that the priority is to order DNS settings for multiple active
1992 connections. It does not disambiguate multiple DNS servers within
1993 the same connection profile.
1994
1995 When multiple devices have configurations with the same priority,
1996 VPNs will be considered first, then devices with the best (lowest
1997 metric) default route and then all other devices.
1998
1999 When using dns=default, servers with higher priority will be on top
2000 of resolv.conf. To prioritize a given server over another one
2001 within the same connection, just specify them in the desired order.
2002 Note that commonly the resolver tries name servers in
2003 /etc/resolv.conf in the order listed, proceeding with the next
2004 server in the list on failure. See for example the "rotate" option
2005 of the dns-options setting. If there are any negative DNS
2006 priorities, then only name servers from the devices with that
2007 lowest priority will be considered.
2008
2009 When using a DNS resolver that supports Conditional Forwarding or
2010 Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each
2011 connection is used to query domains in its search list. The search
2012 domains determine which name servers to ask, and the DNS priority
2013 is used to prioritize name servers based on the domain. Queries for
2014 domains not present in any search list are routed through
2015 connections having the '~.' special wildcard domain, which is added
2016 automatically to connections with the default route (or can be
2017 added manually). When multiple connections specify the same domain,
2018 the one with the best priority (lowest numerical value) wins. If a
2019 sub domain is configured on another interface it will be accepted
2020 regardless of the priority, unless the parent domain on the other
2021 interface has a negative priority, which causes the sub domain to
2022 be shadowed. With Split DNS one can avoid undesired DNS leaks by
2023 properly configuring DNS priorities and the search domains, so that
2024 only name servers of the desired interface are configured.
2025
2026 Format: int32
2027
2028 dns-search
2029 List of DNS search domains. Domains starting with a tilde ('~') are
2030 considered 'routing' domains and are used only to decide the
2031 interface over which a query must be forwarded; they are not used
2032 to complete unqualified host names.
2033
2034 When using a DNS plugin that supports Conditional Forwarding or
2035 Split DNS, then the search domains specify which name servers to
2036 query. This makes the behavior different from running with plain
2037 /etc/resolv.conf. For more information see also the dns-priority
2038 setting.
2039
2040 When set on a profile that also enables DHCP, the DNS search list
2041 received automatically (option 119 for DHCPv4 and option 24 for
2042 DHCPv6) gets merged with the manual list. This can be prevented by
2043 setting "ignore-auto-dns". Note that if no DNS searches are
2044 configured, the fallback will be derived from the domain from DHCP
2045 (option 15).
2046
2047 Format: array of string
2048
2049 gateway
2050 Alias: gw4
2051
2052 The gateway associated with this configuration. This is only
2053 meaningful if "addresses" is also set.
2054
2055 Setting the gateway causes NetworkManager to configure a standard
2056 default route with the gateway as next hop. This is ignored if
2057 "never-default" is set. An alternative is to configure the default
2058 route explicitly with a manual route and /0 as prefix length.
2059
2060 Note that the gateway usually conflicts with routing that
2061 NetworkManager configures for WireGuard interfaces, so usually it
2062 should not be set in that case. See "ip4-auto-default-route".
2063
2064 Format: string
2065
2066 ignore-auto-dns
2067 When "method" is set to "auto" and this property to TRUE,
2068 automatically configured name servers and search domains are
2069 ignored and only name servers and search domains specified in the
2070 "dns" and "dns-search" properties, if any, are used.
2071
2072 Format: boolean
2073
2074 ignore-auto-routes
2075 When "method" is set to "auto" and this property to TRUE,
2076 automatically configured routes are ignored and only routes
2077 specified in the "routes" property, if any, are used.
2078
2079 Format: boolean
2080
2081 link-local
2082 Enable and disable the IPv4 link-local configuration independently
2083 of the ipv4.method configuration. This allows a link-local address
2084 (169.254.x.y/16) to be obtained in addition to other addresses,
2085 such as those manually configured or obtained from a DHCP server.
2086
2087 When set to "auto", the value is dependent on "ipv4.method". When
2088 set to "default", it honors the global connection default, before
2089 falling back to "auto". Note that if "ipv4.method" is "disabled",
2090 then link local addressing is always disabled too. The default is
2091 "default".
2092
2093 Format: int32
2094
2095 may-fail
2096 If TRUE, allow overall network configuration to proceed even if the
2097 configuration specified by this property times out. Note that at
2098 least one IP configuration must succeed or overall network
2099 configuration will still fail. For example, in IPv6-only networks,
2100 setting this property to TRUE on the NMSettingIP4Config allows the
2101 overall network configuration to succeed if IPv4 configuration
2102 fails but IPv6 configuration completes successfully.
2103
2104 Format: boolean
2105
2106 method
2107 IP configuration method.
2108
2109 NMSettingIP4Config and NMSettingIP6Config both support "disabled",
2110 "auto", "manual", and "link-local". See the subclass-specific
2111 documentation for other values.
2112
2113 In general, for the "auto" method, properties such as "dns" and
2114 "routes" specify information that is added on to the information
2115 returned from automatic configuration. The "ignore-auto-routes" and
2116 "ignore-auto-dns" properties modify this behavior.
2117
2118 For methods that imply no upstream network, such as "shared" or
2119 "link-local", these properties must be empty.
2120
2121 For IPv4 method "shared", the IP subnet can be configured by adding
2122 one manual IPv4 address or otherwise 10.42.x.0/24 is chosen. Note
2123 that the shared method must be configured on the interface which
2124 shares the internet to a subnet, not on the uplink which is shared.
2125
2126 Format: string
2127
2128 never-default
2129 If TRUE, this connection will never be the default connection for
2130 this IP type, meaning it will never be assigned the default route
2131 by NetworkManager.
2132
2133 Format: boolean
2134
2135 replace-local-rule
2136 Connections will default to keep the autogenerated priority 0 local
2137 rule unless this setting is set to TRUE.
2138
2139 Format: NMTernary (int32)
2140
2141 required-timeout
2142 The minimum time interval in milliseconds for which dynamic IP
2143 configuration should be tried before the connection succeeds.
2144
2145 This property is useful for example if both IPv4 and IPv6 are
2146 enabled and are allowed to fail. Normally the connection succeeds
2147 as soon as one of the two address families completes; by setting a
2148 required timeout for e.g. IPv4, one can ensure that even if IPv6
2149 succeeds earlier than IPv4, NetworkManager waits some time for IPv4
2150 before the connection becomes active.
2151
2152 Note that if "may-fail" is FALSE for the same address family, this
2153 property has no effect as NetworkManager needs to wait for the full
2154 DHCP timeout.
2155
2156 A zero value means that no required timeout is present, -1 means
2157 the default value (either configuration ipvx.required-timeout
2158 override or zero).
2159
2160 Format: int32
2161
2162 route-metric
2163 The default metric for routes that don't explicitly specify a
2164 metric. The default value -1 means that the metric is chosen
2165 automatically based on the device type. The metric applies to
2166 dynamic routes, manual (static) routes that don't have an explicit
2167 metric setting, address prefix routes, and the default route. Note
2168 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2169 (user default). Hence, setting this property to zero effectively
2170 means setting it to 1024. For IPv4, zero is a regular value for the
2171 metric.
2172
2173 Format: int64
2174
2175 route-table
2176 Enable policy routing (source routing) and set the routing table
2177 used when adding routes.
2178
2179 This affects all routes, including device-routes, IPv4LL, DHCP,
2180 SLAAC, default-routes and static routes. But note that static
2181 routes can individually overwrite the setting by explicitly
2182 specifying a non-zero routing table.
2183
2184 If the table setting is left at zero, it is eligible to be
2185 overwritten via global configuration. If the property is zero even
2186 after applying the global configuration value, policy routing is
2187 disabled for the address family of this connection.
2188
2189 Policy routing disabled means that NetworkManager will add all
2190 routes to the main table (except static routes that explicitly
2191 configure a different table). Additionally, NetworkManager will not
2192 delete any extraneous routes from tables except the main table.
2193 This is to preserve backward compatibility for users who manage
2194 routing tables outside of NetworkManager.
2195
2196 Format: uint32
2197
2198 routes
2199 A list of IPv4 destination addresses, prefix length, optional IPv4
2200 next hop addresses, optional route metric, optional attribute. The
2201 valid syntax is: "ip[/prefix] [next-hop] [metric]
2202 [attribute=val]...[,ip[/prefix]...]". For example "192.0.2.0/24
2203 10.1.1.1 77, 198.51.100.0/24".
2204
2205 Various attributes are supported:
2206
2207 • "advmss" - an unsigned 32 bit integer.
2208
2209 • "cwnd" - an unsigned 32 bit integer.
2210
2211 • "initcwnd" - an unsigned 32 bit integer.
2212
2213 • "initrwnd" - an unsigned 32 bit integer.
2214
2215 • "lock-advmss" - a boolean value.
2216
2217 • "lock-cwnd" - a boolean value.
2218
2219 • "lock-initcwnd" - a boolean value.
2220
2221 • "lock-initrwnd" - a boolean value.
2222
2223 • "lock-mtu" - a boolean value.
2224
2225 • "lock-window" - a boolean value.
2226
2227 • "mtu" - an unsigned 32 bit integer.
2228
2229 • "onlink" - a boolean value. The onlink flag is ignored for IPv4
2230 routes without a gateway. That also means, with a positive
2231 "weight" the route cannot merge with ECMP routes which are
2232 onlink and have a gateway.
2233
2234 • "quickack" - a boolean value.
2235
2236 • "rto_min" - an unsigned 32 bit integer. The value is in
2237 milliseconds.
2238
2239 • "scope" - an unsigned 8 bit integer. IPv4 only.
2240
2241 • "src" - an IPv4 address.
2242
2243 • "table" - an unsigned 32 bit integer. The default depends on
2244 ipv4.route-table.
2245
2246 • "tos" - an unsigned 8 bit integer. IPv4 only.
2247
2248 • "type" - one of unicast, local, blackhole, unreachable,
2249 prohibit, throw. The default is unicast.
2250
2251 • "weight" - an unsigned 32 bit integer ranging from 0 to 256. A
2252 non-zero weight indicates that the IPv4 route is an ECMP IPv4
2253 route. NetworkManager will automatically merge compatible ECMP
2254 routes into multi-hop routes. Setting to zero or omitting the
2255 attribute configures single hop routes that won't get merged.
2256 If the route finds no merge partner, it is configured as single
2257 hop route.
2258
2259 Note that in NetworkManager, currently all nexthops of an ECMP
2260 route must share the same "onlink" flag in order to be
2261 mergeable.
2262
2263 • "window" - an unsigned 32 bit integer.
2264
2265 For details see also `man ip-route`.
2266
2267 Format: a comma separated list of routes
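
A validator for the route syntax and attribute types listed above, as an added example that is not part of the original manual or NetworkManager's own parser. It assumes booleans are written true/false and that the metric is an unsigned 32-bit value, neither of which the page states.

```python
import ipaddress

# Attribute names and value types as listed for the "routes" property above.
U32_ATTRS = {"advmss", "cwnd", "initcwnd", "initrwnd", "mtu", "rto_min",
             "table", "window"}
U8_ATTRS = {"scope", "tos"}
BOOL_ATTRS = {"lock-advmss", "lock-cwnd", "lock-initcwnd", "lock-initrwnd",
              "lock-mtu", "lock-window", "onlink", "quickack"}
ROUTE_TYPES = {"unicast", "local", "blackhole", "unreachable", "prohibit",
               "throw"}


def parse_uint(text, bits, what):
    """Parse an unsigned decimal integer that fits in `bits` bits."""
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"{what}: {text!r} is not an unsigned integer")
    number = int(text)
    if number >= 1 << bits:
        raise ValueError(f"{what}: {number} does not fit in {bits} bits")
    return number


def parse_attribute(name, value):
    """Check one attribute=val pair against the type the manual gives it."""
    if name in U32_ATTRS:
        return parse_uint(value, 32, name)
    if name in U8_ATTRS:
        return parse_uint(value, 8, name)
    if name in BOOL_ATTRS:
        # Assumption: booleans are spelled "true" / "false".
        if value not in ("true", "false"):
            raise ValueError(f"{name}: expected true or false, got {value!r}")
        return value == "true"
    if name == "weight":
        weight = parse_uint(value, 32, name)
        if weight > 256:
            raise ValueError(f"weight: {weight} is outside 0..256")
        return weight
    if name == "src":
        return ipaddress.IPv4Address(value)
    if name == "type":
        if value not in ROUTE_TYPES:
            raise ValueError(f"type: unknown route type {value!r}")
        return value
    raise ValueError(f"unknown route attribute {name!r}")


def parse_route(text):
    """Parse one 'ip[/prefix] [next-hop] [metric] [attribute=val]...' entry."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty route entry")
    route = {
        # A bare address becomes a /32 here; host bits are masked, not rejected.
        "dest": ipaddress.IPv4Network(tokens[0], strict=False),
        "next_hop": None, "metric": None, "attrs": {}, "notes": [],
    }
    rest = tokens[1:]
    if rest and "=" not in rest[0] and "." in rest[0]:
        route["next_hop"] = ipaddress.IPv4Address(rest.pop(0))
    if rest and "=" not in rest[0]:
        # Assumption: the metric is an unsigned 32-bit value.
        route["metric"] = parse_uint(rest.pop(0), 32, "metric")
    for token in rest:
        name, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"expected attribute=val, got {token!r}")
        route["attrs"][name] = parse_attribute(name, value)
    # Behaviour the manual calls out for specific attributes.
    if route["attrs"].get("onlink") and route["next_hop"] is None:
        route["notes"].append(
            "onlink is ignored for IPv4 routes without a gateway")
    if route["attrs"].get("weight", 0) > 0:
        route["notes"].append("ECMP route: may be merged into a multi-hop route")
    return route


def parse_routes(value):
    """Parse the whole comma separated property value."""
    if not value.strip():
        return []
    return [parse_route(entry) for entry in value.split(",")]


def routes_error(value):
    """Return None when the value parses, otherwise the first error message."""
    try:
        parse_routes(value)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The example value from the manual, plus a constructed blackhole route.
    for sample in ("192.0.2.0/24 10.1.1.1 77, 198.51.100.0/24",
                   "203.0.113.0/24 type=blackhole table=45"):
        print(parse_routes(sample))
```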
2268
2269 routing-rules
2270 A comma separated list of routing rules for policy routing. The
2271 format is based on ip rule add syntax and mostly compatible. One
2272 difference is that routing rules in NetworkManager always need a
2273 fixed priority.
2274
2275 Example: priority 5 from 192.167.4.0/24 table 45
2276
2277 Format: a comma separated list of routing rules
2278
2279 ipv6 setting
2280 IPv6 Settings.
2281
2282 Properties:
2283
2284 addr-gen-mode
2285 Configure method for creating the address for use with RFC4862 IPv6
2286 Stateless Address Autoconfiguration. The permitted values are:
2287 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0),
2288 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1),
2289 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_DEFAULT_OR_EUI64 (2) or
2290 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_DEFAULT (3).
2291
2292 If the property is set to EUI64, the addresses will be generated
2293 using interface tokens derived from the hardware address. This
2294 keeps the host part of the address constant, making it possible
2295 to track the host's presence when it changes networks. The
2296 address changes when the interface hardware is replaced.
2297
2298 The value of stable-privacy enables use of a cryptographically
2299 secure hash of a secret host-specific key along with the
2300 connection's stable-id and the network address as specified by
2301 RFC7217. This makes it impossible to use the address to track the
2302 host's presence, and keeps the address stable when the network
2303 interface hardware is replaced.
2304
2305 The special values "default" and "default-or-eui64" will fall back
2306 to the global connection default as documented in the
2307 NetworkManager.conf(5) manual. If the global default is not
2308 specified, the fallback value is "stable-privacy" or "eui64",
2309 respectively.
2310
2311 For libnm, the property defaults to "default" since 1.40.
2312 Previously it defaulted to "stable-privacy". On D-Bus, the absence
2313 of an addr-gen-mode setting equals "default". For keyfile plugin,
2314 the absence of the setting on disk means "default-or-eui64" so that
2315 the property doesn't change on upgrade from older versions.
2316
2317 Note that this setting is distinct from the Privacy Extensions as
2318 configured by "ip6-privacy" property and it does not affect the
2319 temporary addresses configured with this option.
2320
2321 Format: int32
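
The tracking difference between the two address generation modes, as an added example that is not NetworkManager's code. The EUI-64 derivation is the standard one; stable_privacy_iid is a simplified RFC 7217 style model whose SHA-256 field layout is an assumption, and the prefixes, MAC addresses, secret, interface name and stable-id are constructed sample values.

```python
import hashlib
import ipaddress


def eui64_iid(mac):
    """Modified EUI-64 interface identifier derived from a 48-bit MAC."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 52:54:00:12:34:56")
    octets[0] ^= 0x02                      # flip the universal/local bit
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def stable_privacy_iid(prefix, ifname, stable_id, secret_key, dad_counter=0):
    """RFC 7217 style identifier: hash of prefix, interface, id and secret.

    Assumption: SHA-256 over length-prefixed fields. NetworkManager's exact
    byte layout differs; only the set of inputs matters for this comparison.
    """
    digest = hashlib.sha256()
    for part in (prefix.network_address.packed[:8], ifname.encode(),
                 stable_id.encode(), dad_counter.to_bytes(4, "big"),
                 secret_key):
        digest.update(len(part).to_bytes(2, "big"))
        digest.update(part)
    return digest.digest()[-8:]            # RFC 7217 takes the low-order bits


def slaac_address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC expects a /64 prefix")
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)


def addresses_per_network(prefixes, mac, ifname, stable_id, secret_key):
    """Addresses the same host would form on each network, per mode."""
    rows = []
    for text in prefixes:
        prefix = ipaddress.IPv6Network(text)
        stable = stable_privacy_iid(prefix, ifname, stable_id, secret_key)
        rows.append({
            "prefix": text,
            "eui64": slaac_address(prefix, eui64_iid(mac)),
            "stable-privacy": slaac_address(prefix, stable),
        })
    return rows


def host_part(address):
    """Low 64 bits of an address: the part an observer can correlate."""
    return address.packed[8:]


# Constructed sample values (documentation prefixes, made-up secret).
PREFIXES = ["2001:db8:a::/64", "2001:db8:b::/64"]
SECRET = b"constructed-per-host-secret"

if __name__ == "__main__":
    # Second MAC simulates replacing the network interface hardware.
    for mac in ("52:54:00:12:34:56", "52:54:00:ab:cd:ef"):
        for row in addresses_per_network(PREFIXES, mac, "eth0",
                                         "profile-uuid", SECRET):
            print(mac, row["prefix"], row["eui64"], row["stable-privacy"])
```

With EUI-64 the host part is identical on both networks and changes with the MAC; with the stable-privacy model it differs per network and survives the MAC change.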
2322
2323 addresses
2324 Alias: ip6
2325
2326 Array of IP addresses.
2327
2328 Format: a comma separated list of addresses
2329
2330 auto-route-ext-gw
2331 VPN connections will default to add the route automatically unless
2332 this setting is set to FALSE.
2333
2334 For other connection types, adding such an automatic route is
2335 currently not supported and setting this to TRUE has no effect.
2336
2337 Format: NMTernary (int32)
2338
2339 dhcp-duid
2340 A string containing the DHCPv6 Unique Identifier (DUID) used by the
2341 dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
2342 DUID is carried in the Client Identifier option. If the property is
2343 a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
2344 filled as an opaque value in the Client Identifier option.
2345
2346 The special value "lease" will retrieve the DUID previously used
2347 from the lease file belonging to the connection. If no DUID is
2348 found and "dhclient" is the configured dhcp client, the DUID is
2349 searched in the system-wide dhclient lease file. If still no DUID
2350 is found, or another dhcp client is used, a global and permanent
2351 DUID-UUID (RFC 6355) will be generated based on the machine-id.
2352
2353 The special values "llt" and "ll" will generate a DUID of type LLT
2354 or LL (see RFC 3315) based on the current MAC address of the
2355 device. In order to try providing a stable DUID-LLT, the time field
2356 will contain a constant timestamp that is used globally (for all
2357 profiles) and persisted to disk.
2358
2359 The special values "stable-llt", "stable-ll" and "stable-uuid" will
2360 generate a DUID of the corresponding type, derived from the
2361 connection's stable-id and a per-host unique key. You may want to
2362 include the "${DEVICE}" or "${MAC}" specifier in the stable-id, in
2363 case this profile gets activated on multiple devices. So, the
2364 link-layer address of "stable-ll" and "stable-llt" will be a
2365 generated address derived from the stable id. The DUID-LLT time
2366 value in the "stable-llt" option will be picked among a static
2367 timespan of three years (the upper bound of the interval is the
2368 same constant timestamp used in "llt").
2369
2370 When the property is unset, the global value provided for
2371 "ipv6.dhcp-duid" is used. If no global value is provided, the
2372 default "lease" value is assumed.
2373
2374 Format: string
2375
2376 dhcp-hostname
2377 If the "dhcp-send-hostname" property is TRUE, then the specified
2378 name will be sent to the DHCP server when acquiring a lease. This
2379 property and "dhcp-fqdn" are mutually exclusive and cannot be set
2380 at the same time.
2381
2382 Format: string
2383
2384 dhcp-hostname-flags
2385 Flags for the DHCP hostname and FQDN.
2386
2387 Currently, this property only includes flags to control the FQDN
2388 flags set in the DHCP FQDN option. Supported FQDN flags are
2389 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2390 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
2391 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
2392 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
2393 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
2394 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
2395 the standard FQDN flags are set in the request:
2396 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2397 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
2398 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6.
2399
2400 When this property is set to the default value
2401 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), a global default is looked up in
2402 NetworkManager configuration. If that value is unset or also
2403 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
2404 described above are sent in the DHCP requests.
2405
2406 Format: uint32
2407
2408 dhcp-iaid
2409 A string containing the "Identity Association Identifier" (IAID)
2410 used by the DHCP client. The string can be a 32-bit number (either
2411 decimal, hexadecimal or as colon separated hexadecimal numbers).
2412 Alternatively it can be set to the special values "mac",
2413 "perm-mac", "ifname" or "stable". When set to "mac" (or
2414 "perm-mac"), the last 4 bytes of the current (or permanent) MAC
2415 address are used as IAID. When set to "ifname", the IAID is
2416 computed by hashing the interface name. The special value "stable"
2417 can be used to generate an IAID based on the stable-id (see
2418 connection.stable-id), a per-host key and the interface name. When
2419 the property is unset, the value from global configuration is used;
2420 if no global default is set then the IAID is assumed to be
2421 "ifname".
2422
2423 For DHCPv4, the IAID is only used with "ipv4.dhcp-client-id" values
2424 "duid" and "ipv6-duid" to generate the client-id.
2425
2426 For DHCPv6, note that at the moment this property is only supported
2427 by the "internal" DHCPv6 plugin. The "dhclient" DHCPv6 plugin
2428 always derives the IAID from the MAC address.
2429
2430 The actually used DHCPv6 IAID for a currently activated interface
2431 is exposed in the lease information of the device.
2432
2433 Format: string
2434
2435 dhcp-send-hostname
2436 If TRUE, a hostname is sent to the DHCP server when acquiring a
2437 lease. Some DHCP servers use this hostname to update DNS databases,
2438 essentially providing a static hostname for the computer. If the
2439 "dhcp-hostname" property is NULL and this property is TRUE, the
2440 current persistent hostname of the computer is sent.
2441
2442 Format: boolean
2443
2444 dhcp-timeout
2445 A timeout for a DHCP transaction in seconds. If zero (the default),
2446 a globally configured default is used. If still unspecified, a
2447 device specific timeout is used (usually 45 seconds).
2448
2449 Set to 2147483647 (MAXINT32) for infinity.
2450
2451 Format: int32
2452
2453 dns
2454 Array of IP addresses of DNS servers.
2455
2456 For DoT (DNS over TLS), the SNI server name can be specified by
2457 appending "#example.com" to the IP address of the DNS server. This
2458 currently only has effect when using systemd-resolved.
2459
2460 Format: array of byte array
2461
2462 dns-options
2463 Array of DNS options as described in man 5 resolv.conf.
2464
2465 NULL means that the options are unset and left at the default. In
2466 this case NetworkManager will use default options. This is distinct
2467 from an empty list of properties.
2468
2469 The currently supported options are "attempts", "debug", "edns0",
2470 "inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-aaaa",
2471 "no-check-names", "no-ip6-dotint", "no-reload", "no-tld-query",
2472 "rotate", "single-request", "single-request-reopen", "timeout",
2473 "trust-ad", "use-vc".
2474
2475 The "trust-ad" setting is only honored if the profile contributes
2476 name servers to resolv.conf, and if all contributing profiles have
2477 "trust-ad" enabled.
2478
2479 When using a caching DNS plugin (dnsmasq or systemd-resolved in
2480 NetworkManager.conf) then "edns0" and "trust-ad" are automatically
2481 added.
2482
2483 Format: array of string
2484
2485 dns-priority
2486 DNS servers priority.
2487
2488 The relative priority for DNS servers specified by this setting. A
2489 lower numerical value is better (higher priority).
2490
2491 Negative values have the special effect of excluding other
2492 configurations with a greater numerical priority value; so in
2493 presence of at least one negative priority, only DNS servers from
2494 connections with the lowest priority value will be used. To avoid
2495 all DNS leaks, set the priority of the profile that should be used
2496 to the most negative value of all active connection profiles.
2497
2498 Zero selects a globally configured default value. If the latter is
2499 missing or zero too, it defaults to 50 for VPNs (including
2500 WireGuard) and 100 for other connections.
2501
2502 Note that the priority is to order DNS settings for multiple active
2503 connections. It does not disambiguate multiple DNS servers within
2504 the same connection profile.
2505
2506 When multiple devices have configurations with the same priority,
2507 VPNs will be considered first, then devices with the best (lowest
2508 metric) default route and then all other devices.
2509
2510 When using dns=default, servers with higher priority will be on top
2511 of resolv.conf. To prioritize a given server over another one
2512 within the same connection, just specify them in the desired order.
2513 Note that commonly the resolver tries name servers in
2514 /etc/resolv.conf in the order listed, proceeding with the next
2515 server in the list on failure. See for example the "rotate" option
2516 of the dns-options setting. If there are any negative DNS
2517 priorities, then only name servers from the devices with that
2518 lowest priority will be considered.
2519
2520 When using a DNS resolver that supports Conditional Forwarding or
2521 Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each
2522 connection is used to query domains in its search list. The search
2523 domains determine which name servers to ask, and the DNS priority
2524 is used to prioritize name servers based on the domain. Queries for
2525 domains not present in any search list are routed through
2526 connections having the '~.' special wildcard domain, which is added
2527 automatically to connections with the default route (or can be
2528 added manually). When multiple connections specify the same domain,
2529 the one with the best priority (lowest numerical value) wins. If a
2530 sub domain is configured on another interface it will be accepted
2531 regardless of the priority, unless the parent domain on the other
2532 interface has a negative priority, which causes the sub domain to
2533 be shadowed. With Split DNS one can avoid undesired DNS leaks by
2534 properly configuring DNS priorities and the search domains, so that
2535 only name servers of the desired interface are configured.
2536
2537 Format: int32
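
A model of the selection rules above for the dns=default (resolv.conf) case, covering the dns-priority property of both the ipv4 and ipv6 settings. It is an added example, not NetworkManager's implementation; the ActiveProfile type, its fields and the sample servers are assumptions made for illustration, and Split DNS is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

# Built-in defaults named in the manual for a zero priority.
VPN_DEFAULT, OTHER_DEFAULT = 50, 100


@dataclass
class ActiveProfile:
    """Hypothetical view of one active connection's DNS configuration."""
    name: str
    servers: List[str]
    dns_priority: int = 0                       # 0 = use the default
    is_vpn: bool = False
    default_route_metric: Optional[int] = None  # None = no default route


def effective_priority(profile, global_default=0):
    """Resolve a zero priority through the global default, then 50/100."""
    if profile.dns_priority != 0:
        return profile.dns_priority
    if global_default != 0:
        return global_default
    return VPN_DEFAULT if profile.is_vpn else OTHER_DEFAULT


def _rank(profile, global_default):
    # Same priority: VPNs first, then the best (lowest metric) default
    # route, then all other devices.
    if profile.is_vpn:
        tie = (0, 0)
    elif profile.default_route_metric is not None:
        tie = (1, profile.default_route_metric)
    else:
        tie = (2, 0)
    return (effective_priority(profile, global_default), tie)


def contributing_profiles(profiles, global_default=0):
    """Profiles whose name servers are used, best priority first."""
    ranked = sorted(profiles, key=lambda p: _rank(p, global_default))
    if not ranked:
        return []
    lowest = effective_priority(ranked[0], global_default)
    if lowest < 0:
        # A negative priority excludes every configuration with a greater
        # numerical value: only the lowest priority survives.
        ranked = [p for p in ranked
                  if effective_priority(p, global_default) == lowest]
    return ranked


def resolv_conf_servers(profiles, global_default=0):
    """Name servers in the order they would be listed."""
    servers = []
    for profile in contributing_profiles(profiles, global_default):
        for server in profile.servers:
            if server not in servers:
                servers.append(server)
    return servers


def leaking_profiles(profiles, intended, global_default=0):
    """Names of profiles other than `intended` whose servers are still used."""
    return [p.name for p in contributing_profiles(profiles, global_default)
            if p.name != intended]


if __name__ == "__main__":
    # Constructed sample: a Wi-Fi uplink and a VPN, both at priority 0.
    wifi = ActiveProfile("wifi", ["192.168.1.1"], default_route_metric=600)
    vpn = ActiveProfile("vpn", ["10.8.0.1"], is_vpn=True)
    print(resolv_conf_servers([wifi, vpn]), leaking_profiles([wifi, vpn], "vpn"))
    vpn.dns_priority = -10      # negative: excludes the Wi-Fi servers
    print(resolv_conf_servers([wifi, vpn]), leaking_profiles([wifi, vpn], "vpn"))
    wifi.dns_priority = -20     # a more negative profile now shadows the VPN
    print(resolv_conf_servers([wifi, vpn]), leaking_profiles([wifi, vpn], "vpn"))
```

The last case shows why the manual asks for the most negative value among all active profiles: any profile with a lower value takes over name resolution entirely.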
2538
2539 dns-search
2540 List of DNS search domains. Domains starting with a tilde ('~') are
2541 considered 'routing' domains and are used only to decide the
2542 interface over which a query must be forwarded; they are not used
2543 to complete unqualified host names.
2544
2545 When using a DNS plugin that supports Conditional Forwarding or
2546 Split DNS, then the search domains specify which name servers to
2547 query. This makes the behavior different from running with plain
2548 /etc/resolv.conf. For more information see also the dns-priority
2549 setting.
2550
2551 When set on a profile that also enables DHCP, the DNS search list
2552 received automatically (option 119 for DHCPv4 and option 24 for
2553 DHCPv6) gets merged with the manual list. This can be prevented by
2554 setting "ignore-auto-dns". Note that if no DNS searches are
2555 configured, the fallback will be derived from the domain from DHCP
2556 (option 15).
2557
2558 Format: array of string
2559
2560 gateway
2561 Alias: gw6
2562
2563 The gateway associated with this configuration. This is only
2564 meaningful if "addresses" is also set.
2565
2566 Setting the gateway causes NetworkManager to configure a standard
2567 default route with the gateway as next hop. This is ignored if
2568 "never-default" is set. An alternative is to configure the default
2569 route explicitly with a manual route and /0 as prefix length.
2570
2571 Note that the gateway usually conflicts with routing that
2572 NetworkManager configures for WireGuard interfaces, so usually it
2573 should not be set in that case. See "ip4-auto-default-route".
2574
2575 Format: string
2576
2577 ignore-auto-dns
2578 When "method" is set to "auto" and this property to TRUE,
2579 automatically configured name servers and search domains are
2580 ignored and only name servers and search domains specified in the
2581 "dns" and "dns-search" properties, if any, are used.
2582
2583 Format: boolean
2584
2585 ignore-auto-routes
2586 When "method" is set to "auto" and this property to TRUE,
2587 automatically configured routes are ignored and only routes
2588 specified in the "routes" property, if any, are used.
2589
2590 Format: boolean
2591
2592 ip6-privacy
2593 Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
2594 If enabled, it makes the kernel generate a temporary IPv6 address
2595 in addition to the public one generated from MAC address via
2596 modified EUI-64. This enhances privacy, but could cause problems in
2597 some applications. The permitted values are: -1:
2598 unknown, 0: disabled, 1: enabled (prefer public address), 2:
2599 enabled (prefer temporary addresses).
2600
2601 Having a per-connection setting set to "-1" (unknown) means
2602 fallback to global configuration "ipv6.ip6-privacy".
2603
2604 If the global configuration is also unspecified or set to "-1",
2605 fall back to reading "/proc/sys/net/ipv6/conf/default/use_tempaddr".
2606
2607 Note that this setting is distinct from the Stable Privacy
2608 addresses that can be enabled with the "addr-gen-mode" property's
2609 "stable-privacy" setting as another way of avoiding host tracking
2610 with IPv6 addresses.
2611
2612 Format: NMSettingIP6ConfigPrivacy (int32)
2613
2614 may-fail
2615 If TRUE, allow overall network configuration to proceed even if the
2616 configuration specified by this property times out. Note that at
2617 least one IP configuration must succeed or overall network
2618 configuration will still fail. For example, in IPv6-only networks,
2619 setting this property to TRUE on the NMSettingIP4Config allows the
2620 overall network configuration to succeed if IPv4 configuration
2621 fails but IPv6 configuration completes successfully.
2622
2623 Format: boolean
2624
2625 method
2626 IP configuration method.
2627
2628 NMSettingIP4Config and NMSettingIP6Config both support "disabled",
2629 "auto", "manual", and "link-local". See the subclass-specific
2630 documentation for other values.
2631
2632 In general, for the "auto" method, properties such as "dns" and
2633 "routes" specify information that is added on to the information
2634 returned from automatic configuration. The "ignore-auto-routes" and
2635 "ignore-auto-dns" properties modify this behavior.
2636
2637 For methods that imply no upstream network, such as "shared" or
2638 "link-local", these properties must be empty.
2639
2640 For IPv4 method "shared", the IP subnet can be configured by adding
2641 one manual IPv4 address or otherwise 10.42.x.0/24 is chosen. Note
2642 that the shared method must be configured on the interface which
2643 shares the internet to a subnet, not on the uplink which is shared.
2644
2645 Format: string
2646
2647 mtu
2648 Maximum transmission unit size, in bytes. If zero (the default),
2649 the MTU is set automatically from router advertisements or is left
2650 equal to the link-layer MTU. If greater than the link-layer MTU, or
2651 greater than zero but less than the minimum IPv6 MTU of 1280, this
2652 value has no effect.
2653
2654 Format: uint32
2655
2656 never-default
2657 If TRUE, this connection will never be the default connection for
2658 this IP type, meaning it will never be assigned the default route
2659 by NetworkManager.
2660
2661 Format: boolean
2662
2663 ra-timeout
2664 A timeout for waiting for Router Advertisements, in seconds. If zero
2665 (the default), a globally configured default is used. If still
2666 unspecified, the timeout depends on the sysctl settings of the
2667 device.
2668
2669 Set to 2147483647 (MAXINT32) for infinity.
2670
2671 Format: int32
2672
2673 replace-local-rule
2674 Connections will default to keep the autogenerated priority 0 local
2675 rule unless this setting is set to TRUE.
2676
2677 Format: NMTernary (int32)
2678
2679 required-timeout
2680 The minimum time interval in milliseconds for which dynamic IP
2681 configuration should be tried before the connection succeeds.
2682
2683 This property is useful for example if both IPv4 and IPv6 are
2684 enabled and are allowed to fail. Normally the connection succeeds
2685 as soon as one of the two address families completes; by setting a
2686 required timeout for e.g. IPv4, one can ensure that even if IP6
2687 succeeds earlier than IPv4, NetworkManager waits some time for IPv4
2688 before the connection becomes active.
2689
2690 Note that if "may-fail" is FALSE for the same address family, this
2691 property has no effect as NetworkManager needs to wait for the full
2692 DHCP timeout.
2693
2694 A zero value means that no required timeout is present, -1 means
2695 the default value (either configuration ipvx.required-timeout
2696 override or zero).
2697
2698 Format: int32
2699
2700 route-metric
2701 The default metric for routes that don't explicitly specify a
2702 metric. The default value -1 means that the metric is chosen
2703 automatically based on the device type. The metric applies to
2704 dynamic routes, manual (static) routes that don't have an explicit
2705 metric setting, address prefix routes, and the default route. Note
2706 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2707 (user default). Hence, setting this property to zero effectively
2708 means setting it to 1024. For IPv4, zero is a regular value for the
2709 metric.
2710
2711 Format: int64
2712
2713 route-table
2714 Enable policy routing (source routing) and set the routing table
2715 used when adding routes.
2716
2717 This affects all routes, including device-routes, IPv4LL, DHCP,
2718 SLAAC, default-routes and static routes. But note that static
2719 routes can individually overwrite the setting by explicitly
2720 specifying a non-zero routing table.
2721
2722 If the table setting is left at zero, it is eligible to be
2723 overwritten via global configuration. If the property is zero even
2724 after applying the global configuration value, policy routing is
2725 disabled for the address family of this connection.
2726
2727 Policy routing disabled means that NetworkManager will add all
2728 routes to the main table (except static routes that explicitly
2729 configure a different table). Additionally, NetworkManager will not
2730 delete any extraneous routes from tables except the main table.
2731 This is to preserve backward compatibility for users who manage
2732 routing tables outside of NetworkManager.
2733
2734 Format: uint32
2735
2736 routes
2737 A list of IPv6 destination addresses, prefix length, optional IPv6
2738 next hop addresses, optional route metric, optional attribute. The
2739 valid syntax is: "ip[/prefix] [next-hop] [metric]
2740 [attribute=val]...[,ip[/prefix]...]".
2741
2742 Various attributes are supported:
2743
2744 • "advmss" - an unsigned 32 bit integer.
2745
2746 • "cwnd" - an unsigned 32 bit integer.
2747
2748 • "from" - an IPv6 address with optional prefix. IPv6 only.
2749
2750 • "initcwnd" - an unsigned 32 bit integer.
2751
2752 • "initrwnd" - an unsigned 32 bit integer.
2753
2754 • "lock-advmss" - a boolean value.
2755
2756 • "lock-cwnd" - a boolean value.
2757
2758 • "lock-initcwnd" - a boolean value.
2759
2760 • "lock-initrwnd" - a boolean value.
2761
2762 • "lock-mtu" - a boolean value.
2763
2764 • "lock-window" - a boolean value.
2765
2766 • "mtu" - an unsigned 32 bit integer.
2767
2768 • "onlink" - a boolean value.
2769
2770 • "quickack" - a boolean value.
2771
2772 • "rto_min" - an unsigned 32 bit integer. The value is in
2773 milliseconds.
2774
2775 • "src" - an IPv6 address.
2776
2777 • "table" - an unsigned 32 bit integer. The default depends on
2778 ipv6.route-table.
2779
2780 • "type" - one of unicast, local, blackhole, unreachable,
2781 prohibit, throw. The default is unicast.
2782
2783 • "window" - an unsigned 32 bit integer.
2784
2785 For details see also `man ip-route`.
2786
2787 Format: a comma separated list of routes
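
A parser for the route syntax above, as an added example (not NetworkManager's own code). It follows the positional grammar and the attribute types listed on this page; the boolean spelling "true"/"false", the helper names and the sample routes are assumptions made for the example.

```python
import ipaddress

# Attribute types as listed in the attribute table above.
U32_ATTRS = {"advmss", "cwnd", "initcwnd", "initrwnd", "mtu", "rto_min",
             "table", "window"}
BOOL_ATTRS = {"lock-advmss", "lock-cwnd", "lock-initcwnd", "lock-initrwnd",
              "lock-mtu", "lock-window", "onlink", "quickack"}
ROUTE_TYPES = {"unicast", "local", "blackhole", "unreachable", "prohibit",
               "throw"}


def _uint(text, maximum):
    """Parse a non-negative decimal integer no larger than `maximum`."""
    if not text.isdigit() or int(text) > maximum:
        raise ValueError(f"expected an integer in 0..{maximum}: {text!r}")
    return int(text)


def parse_attribute(name, value):
    """Validate one attribute=val pair and return the typed value."""
    if name in U32_ATTRS:
        return _uint(value, 0xFFFFFFFF)
    if name in BOOL_ATTRS:
        if value not in ("true", "false"):  # assumed spelling of booleans
            raise ValueError(f"{name} expects true or false, got {value!r}")
        return value == "true"
    if name == "from":                      # IPv6 address, optional prefix
        return ipaddress.IPv6Interface(value)
    if name == "src":                       # plain IPv6 address
        return ipaddress.IPv6Address(value)
    if name == "type":
        if value not in ROUTE_TYPES:
            raise ValueError(f"unsupported route type {value!r}")
        return value
    raise ValueError(f"unsupported attribute {name!r}")


def parse_route(text):
    """Parse one 'ip[/prefix] [next-hop] [metric] [attribute=val]...' route."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty route")
    addr, slash, plen = tokens[0].partition("/")
    route = {"dest": ipaddress.IPv6Address(addr), "prefix": None,
             "next_hop": None, "metric": None, "attrs": {}}
    if slash:
        route["prefix"] = _uint(plen, 128)
    rest = tokens[1:]
    # The optional next hop is an address, so it contains ':' but no '='.
    if rest and "=" not in rest[0] and ":" in rest[0]:
        route["next_hop"] = ipaddress.IPv6Address(rest.pop(0))
    # The optional metric is a bare number that precedes all attributes.
    if rest and "=" not in rest[0]:
        route["metric"] = _uint(rest.pop(0), 0xFFFFFFFF)
    for token in rest:
        name, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"expected attribute=val, got {token!r}")
        route["attrs"][name] = parse_attribute(name, value)
    return route


def parse_routes(text):
    """Parse a comma separated list of routes."""
    return [parse_route(part) for part in text.split(",") if part.strip()]


def is_default_route(route):
    """A manual route with /0 as prefix length is a default route."""
    return route["prefix"] == 0


# Constructed sample value for ipv6.routes (documentation addresses).
SAMPLE_ROUTES = ("2001:db8:1::/48 fe80::1 100 mtu=1400 onlink=true, "
                 "::/0 2001:db8::1, "
                 "2001:db8:2::/64 type=blackhole, "
                 "2001:db8:3::/64 50 table=45 from=2001:db8:3::/64")

if __name__ == "__main__":
    for r in parse_routes(SAMPLE_ROUTES):
        print(r["dest"], r["prefix"], r["next_hop"], r["metric"], r["attrs"],
              "default" if is_default_route(r) else "")
```

Running the check over a profile's ipv6.routes value before applying it shows which entries install a default route even though no "gateway" is set.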
2788
2789 routing-rules
2790 A comma separated list of routing rules for policy routing. The
2791 format is based on ip rule add syntax and mostly compatible. One
2792 difference is that routing rules in NetworkManager always need a
2793 fixed priority.
2794
2795 Example: priority 5 from 1:2:3::5/128 table 45
2796
2797 Format: a comma separated list of routing rules
2798
2799 token
2800 Configure the token for
2801 draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2802 interface identifiers. Useful with eui64 addr-gen-mode.
2803
2804 Format: string
2805
2806 ip-tunnel setting
2807 IP Tunneling Settings.
2808
2809 Properties:
2810
2811 encapsulation-limit
2812 How many additional levels of encapsulation are permitted to be
2813 prepended to packets. This property applies only to IPv6 tunnels.
2814 To disable this option, add NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT
2815 (0x1) to ip-tunnel flags.
2816
2817 Format: uint32
2818
2819 flags
2820 Tunnel flags. Currently, the following values are supported:
2821 NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2822 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2823 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2824 NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2825 NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2826 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2827 for IPv6 tunnels.
2828
2829 Format: uint32
2830
2831 flow-label
2832 The flow label to assign to tunnel packets. This property applies
2833 only to IPv6 tunnels.
2834
2835 Format: uint32
2836
2837 fwmark
2838 The fwmark value to assign to tunnel packets. This property can be
2839 set to a non zero value only on VTI and VTI6 tunnels.
2840
2841 Format: uint32
2842
2843 input-key
2844 The key used for tunnel input packets; the property is valid only
2845 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2846
2847 Format: string
2848
2849 local
2850 Alias: local
2851
2852 The local endpoint of the tunnel; the value can be empty, otherwise
2853 it must contain an IPv4 or IPv6 address.
2854
2855 Format: string
2856
2857 mode
2858 Alias: mode
2859
2860 The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2861 NM_IP_TUNNEL_MODE_GRE (2).
2862
2863 Format: uint32
2864
2865 mtu
2866 If non-zero, only transmit packets of the specified size or
2867 smaller, breaking larger packets up into multiple fragments.
2868
2869 Format: uint32
2870
2871 output-key
2872 The key used for tunnel output packets; the property is valid only
2873 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2874
2875 Format: string
2876
2877 parent
2878 Alias: dev
2879
2880 If given, specifies the parent interface name or parent connection
2881 UUID the new device will be bound to so that tunneled packets will
2882 only be routed via that interface.
2883
2884 Format: string
2885
2886 path-mtu-discovery
2887 Whether to enable Path MTU Discovery on this tunnel.
2888
2889 Format: boolean
2890
2891 remote
2892 Alias: remote
2893
2894 The remote endpoint of the tunnel; the value must contain an IPv4
2895 or IPv6 address.
2896
2897 Format: string
2898
2899 tos
2900 The type of service (IPv4) or traffic class (IPv6) field to be set
2901 on tunneled packets.
2902
2903 Format: uint32
2904
2905 ttl
2906 The TTL to assign to tunneled packets. 0 is a special value meaning
2907 that packets inherit the TTL value.
2908
2909 Format: uint32
2910
2911 macsec setting
2912 MACSec Settings.
2913
2914 Properties:
2915
2916 encrypt
2917 Alias: encrypt
2918
2919 Whether the transmitted traffic must be encrypted.
2920
2921 Format: boolean
2922
2923 mka-cak
2924 Alias: cak
2925
2926 The pre-shared CAK (Connectivity Association Key) for MACsec Key
2927 Agreement. Must be a string of 32 hexadecimal characters.
2928
2929 Format: string
2930
2931 mka-cak-flags
2932 Flags indicating how to handle the "mka-cak" property.
2933
2934 Format: NMSettingSecretFlags (uint32)
2935
2936 mka-ckn
2937 Alias: ckn
2938
2939 The pre-shared CKN (Connectivity-association Key Name) for MACsec
2940 Key Agreement. Must be a string of hexadecimal characters with an
2941 even length between 2 and 64.
2942
2943 Format: string
2944
2945 mode
2946 Alias: mode
2947
2948 Specifies how the CAK (Connectivity Association Key) for MKA
2949 (MACsec Key Agreement) is obtained.
2950
2951 Format: int32
2952
2953 parent
2954 Alias: dev
2955
2956 If given, specifies the parent interface name or parent connection
2957 UUID from which this MACSEC interface should be created. If this
2958 property is not specified, the connection must contain an
2959 "802-3-ethernet" setting with a "mac-address" property.
2960
2961 Format: string
2962
2963 port
2964 Alias: port
2965
2966 The port component of the SCI (Secure Channel Identifier), between
2967 1 and 65534.
2968
2969 Format: int32
2970
2971 send-sci
2972 Specifies whether the SCI (Secure Channel Identifier) is included
2973 in every packet.
2974
2975 Format: boolean
2976
2977 validation
2978 Specifies the validation mode for incoming frames.
2979
2980 Format: int32
2981
2982 macvlan setting
2983 MAC VLAN Settings.
2984
2985 Properties:
2986
2987 mode
2988 Alias: mode
2989
2990 The macvlan mode, which specifies the communication mechanism
2991 between multiple macvlans on the same lower device.
2992
2993 Format: uint32
2994
2995 parent
2996 Alias: dev
2997
2998 If given, specifies the parent interface name or parent connection
2999 UUID from which this MAC-VLAN interface should be created. If this
3000 property is not specified, the connection must contain an
3001 "802-3-ethernet" setting with a "mac-address" property.
3002
3003 Format: string
3004
3005 promiscuous
3006 Whether the interface should be put in promiscuous mode.
3007
3008 Format: boolean
3009
3010 tap
3011 Alias: tap
3012
3013 Whether the interface should be a MACVTAP.
3014
3015 Format: boolean
3016
3017 match setting
3018 Match settings.
3019
3020 Properties:
3021
3022 driver
3023 A list of driver names to match. Each element is a shell wildcard
3024 pattern.
3025
3026 See NMSettingMatch:interface-name for how special characters '|',
3027 '&', '!' and '\\' are used for optional and mandatory matches and
3028 inverting the pattern.
3029
3030 Format: array of string
3031
3032 interface-name
3033 A list of interface names to match. Each element is a shell
3034 wildcard pattern.
3035
3036 An element can be prefixed with a pipe symbol (|) or an ampersand
3037 (&). The former means that the element is optional and the latter
3038 means that it is mandatory. If there are any optional elements,
3039 then the match evaluates to true if at least one of the optional
3040 elements matches (logical OR). If there are any mandatory elements,
3041 then they all must match (logical AND). By default, an element is
3042 optional. This means that an element "foo" behaves the same as
3043 "|foo". An element can also be inverted with exclamation mark (!)
3044 between the pipe symbol (or the ampersand) and before the pattern.
3045 Note that "!foo" is a shortcut for the mandatory match "&!foo".
3046 Finally, a backslash can be used at the beginning of the element
3047 (after the optional special characters) to escape the start of the
3048 pattern. For example, "&\\!a" is a mandatory match for literally
3049 "!a".
3050
3051 Format: array of string
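
The optional/mandatory/inverted rules above, written out as an added example (not NetworkManager's own code) so a match list can be checked against device names before the profile is saved. Python's fnmatch stands in for shell wildcard matching, the escape is taken to be a single backslash character, an empty list is assumed to match every device, and the function names and sample device names are made up for the example.

```python
from fnmatch import fnmatchcase


def parse_element(element):
    """Split one match element into (mandatory, inverted, pattern)."""
    mandatory = inverted = False
    rest = element
    if rest.startswith("|"):
        rest = rest[1:]                  # explicitly optional
    elif rest.startswith("&"):
        mandatory, rest = True, rest[1:]
    elif rest.startswith("!"):
        mandatory = True                 # "!foo" is a shortcut for "&!foo"
    if rest.startswith("!"):
        inverted, rest = True, rest[1:]
    if rest.startswith("\\"):
        rest = rest[1:]                  # escape: pattern starts literally
    return mandatory, inverted, rest


def interface_matches(name, elements):
    """Evaluate a match list against one interface name.

    Mandatory elements must all match (logical AND). If the list has any
    optional elements, at least one of them must match (logical OR).
    """
    saw_optional = optional_hit = False
    for element in elements:
        mandatory, inverted, pattern = parse_element(element)
        hit = fnmatchcase(name, pattern) != inverted
        if mandatory:
            if not hit:
                return False
        else:
            saw_optional = True
            optional_hit = optional_hit or hit
    # Assumption: a list without optional elements (including an empty
    # list) is satisfied once every mandatory element has matched.
    return optional_hit or not saw_optional


def matching_interfaces(names, elements):
    """Return the names from `names` that the match list selects."""
    return [name for name in names if interface_matches(name, elements)]


# Constructed device names for the demonstration.
SAMPLE_DEVICES = ["eth0", "eth1", "veth0", "wlan0", "!a"]

if __name__ == "__main__":
    for spec in (["eth*"], ["eth*", "!eth0"], ["!eth*"],
                 ["|eth*", "|veth*", "&!veth0"], ["&\\!a"]):
        print(spec, "->", matching_interfaces(SAMPLE_DEVICES, spec))
```

The third list shows the case most easily misjudged: a list made only of inverted elements selects every device that is not excluded, including ones added to the host later.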
3052
3053 kernel-command-line
3054 A list of kernel command line arguments to match. This may be used
3055 to check whether a specific kernel command line option is set (or
3056 unset, if prefixed with the exclamation mark). The argument must
3057 either be a single word, or an assignment (i.e. two words, joined
3058 by "="). In the former case the kernel command line is searched for
3059 the word appearing as is, or as left hand side of an assignment. In
3060 the latter case, the exact assignment is looked for with right and
3061 left hand side matching. Wildcard patterns are not supported.
3062
3063 See NMSettingMatch:interface-name for how special characters '|',
3064 '&', '!' and '\\' are used for optional and mandatory matches and
3065 inverting the match.
3066
3067 Format: array of string
3068
3069 path
3070 A list of paths to match against the ID_PATH udev property of
3071 devices. ID_PATH represents the topological persistent path of a
3072 device. It typically contains a subsystem string (pci, usb,
3073 platform, etc.) and a subsystem-specific identifier.
3074
3075 For PCI devices the path has the form
3076 "pci-$domain:$bus:$device.$function", where each variable is a
3077 hexadecimal value; for example "pci-0000:0a:00.0".
3078
3079 The path of a device can be obtained with "udevadm info
3080 /sys/class/net/$dev | grep ID_PATH=" or by looking at the "path"
3081 property exported by NetworkManager ("nmcli -f general.path device
3082 show $dev").
3083
3084 Each element of the list is a shell wildcard pattern.
3085
3086 See NMSettingMatch:interface-name for how special characters '|',
3087 '&', '!' and '\\' are used for optional and mandatory matches and
3088 inverting the pattern.
3089
3090 Format: array of string
3091
3092 802-11-olpc-mesh setting
3093 Alias: olpc-mesh
3094
3095 OLPC Wireless Mesh Settings.
3096
3097 Properties:
3098
3099 channel
3100 Alias: channel
3101
3102 Channel on which the mesh network to join is located.
3103
3104 Format: uint32
3105
3106 dhcp-anycast-address
3107 Alias: dhcp-anycast
3108
3109 Anycast DHCP MAC address used when requesting an IP address via
3110 DHCP. The specific anycast address used determines which DHCP
3111 server class answers the request.
3112
3113 This is currently only implemented by dhclient DHCP plugin.
3114
3115 Format: byte array
3116
3117 ssid
3118 Alias: ssid
3119
3120 SSID of the mesh network to join.
3121
3122 Format: byte array
3123
3124 ovs-bridge setting
3125 OvsBridge Link Settings.
3126
3127 Properties:
3128
3129 datapath-type
3130 The data path type. One of "system", "netdev" or empty.
3131
3132 Format: string
3133
3134 fail-mode
3135 The bridge failure mode. One of "secure", "standalone" or empty.
3136
3137 Format: string
3138
3139 mcast-snooping-enable
3140 Enable or disable multicast snooping.
3141
3142 Format: boolean
3143
3144 rstp-enable
3145 Enable or disable RSTP.
3146
3147 Format: boolean
3148
3149 stp-enable
3150 Enable or disable STP.
3151
3152 Format: boolean
3153
3154 ovs-dpdk setting
3155 OvsDpdk Link Settings.
3156
3157 Properties:
3158
3159 devargs
3160 Open vSwitch DPDK device arguments.
3161
3162 Format: string
3163
3164 n-rxq
3165 Open vSwitch DPDK number of rx queues. Defaults to zero which means
3166 to leave the parameter in OVS unspecified and effectively
3167 configures one queue.
3168
3169 Format: uint32
3170
3171 n-rxq-desc
3172 The rx queue size (number of rx descriptors) for DPDK ports. Must
3173 be zero or a power of 2 between 1 and 4096, and supported by the
3174 hardware. Defaults to zero which means to leave the parameter in
3175 OVS unspecified and effectively configures 2048 descriptors.
3176
3177 Format: uint32
3178
3179 n-txq-desc
3180 The tx queue size (number of tx descriptors) for DPDK ports. Must
3181 be zero or a power of 2 between 1 and 4096, and supported by the
3182 hardware. Defaults to zero which means to leave the parameter in
3183 OVS unspecified and effectively configures 2048 descriptors.
3184
3185 Format: uint32
3186
3187 ovs-interface setting
3188 Open vSwitch Interface Settings.
3189
3190 Properties:
3191
3192 ofport-request
3193 Open vSwitch openflow port number. Defaults to zero which means
3194 that port number will not be specified and it will be chosen
3195 randomly by ovs. OpenFlow ports are the network interfaces for
3196 passing packets between OpenFlow processing and the rest of the
3197 network. OpenFlow switches connect logically to each other via
3198 their OpenFlow ports.
3199
3200 Format: uint32
3201
3202 type
3203 The interface type. Either "internal", "system", "patch", "dpdk",
3204 or empty.
3205
3206 Format: string
3207
3208 ovs-patch setting
3209 OvsPatch Link Settings.
3210
3211 Properties:
3212
3213 peer
3214 Specifies the name of the interface for the other side of the
3215 patch. The patch on the other side must also set this interface as
3216 peer.
3217
3218 Format: string
3219
3220 ovs-port setting
3221 OvsPort Link Settings.
3222
3223 Properties:
3224
3225 bond-downdelay
3226 The time port must be inactive in order to be considered down.
3227
3228 Format: uint32
3229
3230 bond-mode
3231 Bonding mode. One of "active-backup", "balance-slb", or
3232 "balance-tcp".
3233
3234 Format: string
3235
3236 bond-updelay
3237 The time port must be active before it starts forwarding traffic.
3238
3239 Format: uint32
3240
3241 lacp
3242 LACP mode. One of "active", "off", or "passive".
3243
3244 Format: string
3245
3246 tag
3247 The VLAN tag in the range 0-4095.
3248
3249 Format: uint32
3250
3251 trunks
3252 A list of VLAN ranges that this port trunks.
3253
3254 The property is valid only for ports with mode "trunk",
3255 "native-tagged", or "native-untagged". If it is empty, the
3256 port trunks all VLANs.
3257
3258 Format: array of vardict
3259
3260 vlan-mode
3261 The VLAN mode. One of "access", "native-tagged", "native-untagged",
3262 "trunk", "dot1q-tunnel" or unset.
3263
3264 Format: string
3265
3266 ppp setting
3267 Point-to-Point Protocol Settings.
3268
3269 Properties:
3270
3271 baud
3272 If non-zero, instruct pppd to set the serial port to the specified
3273 baudrate. This value should normally be left as 0 to automatically
3274 choose the speed.
3275
3276 Format: uint32
3277
3278 crtscts
3279 If TRUE, specify that pppd should set the serial port to use
3280 hardware flow control with RTS and CTS signals. This value should
3281 normally be set to FALSE.
3282
3283 Format: boolean
3284
3285 lcp-echo-failure
3286 If non-zero, instruct pppd to presume the connection to the peer
3287 has failed if the specified number of LCP echo-requests go
3288 unanswered by the peer. The "lcp-echo-interval" property must also
3289 be set to a non-zero value if this property is used.
3290
3291 Format: uint32
3292
3293 lcp-echo-interval
3294 If non-zero, instruct pppd to send an LCP echo-request frame to the
3295 peer every n seconds (where n is the specified value). Note that
3296 some PPP peers will respond to echo requests and some will not, and
3297 it is not possible to autodetect this.
3298
3299 Format: uint32
3300
3301 mppe-stateful
3302 If TRUE, stateful MPPE is used. See pppd documentation for more
3303 information on stateful MPPE.
3304
3305 Format: boolean
3306
3307 mru
3308 If non-zero, instruct pppd to request that the peer send packets no
3309 larger than the specified size. If non-zero, the MRU should be
3310 between 128 and 16384.
3311
3312 Format: uint32
3313
3314 mtu
3315 If non-zero, instruct pppd to send packets no larger than the
3316 specified size.
3317
3318 Format: uint32
3319
3320 no-vj-comp
3321 If TRUE, Van Jacobson TCP header compression will not be requested.
3322
3323 Format: boolean
3324
3325 noauth
3326 If TRUE, do not require the other side (usually the PPP server) to
3327 authenticate itself to the client. If FALSE, require authentication
3328 from the remote side. In almost all cases, this should be TRUE.
3329
3330 Format: boolean
3331
3332 nobsdcomp
3333 If TRUE, BSD compression will not be requested.
3334
3335 Format: boolean
3336
3337 nodeflate
3338 If TRUE, "deflate" compression will not be requested.
3339
3340 Format: boolean
3341
3342 refuse-chap
3343 If TRUE, the CHAP authentication method will not be used.
3344
3345 Format: boolean
3346
3347 refuse-eap
3348 If TRUE, the EAP authentication method will not be used.
3349
3350 Format: boolean
3351
3352 refuse-mschap
3353 If TRUE, the MSCHAP authentication method will not be used.
3354
3355 Format: boolean
3356
3357 refuse-mschapv2
3358 If TRUE, the MSCHAPv2 authentication method will not be used.
3359
3360 Format: boolean
3361
3362 refuse-pap
3363 If TRUE, the PAP authentication method will not be used.
3364
3365 Format: boolean
3366
3367 require-mppe
3368 If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
3369 required for the PPP session. If either 64-bit or 128-bit MPPE is
3370 not available the session will fail. Note that MPPE is not used on
3371 mobile broadband connections.
3372
3373 Format: boolean
3374
3375 require-mppe-128
3376 If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
3377 required for the PPP session, and the "require-mppe" property must
3378 also be set to TRUE. If 128-bit MPPE is not available the session
3379 will fail.
3380
3381 Format: boolean
3382
3383 pppoe setting
3384 PPP-over-Ethernet Settings.
3385
3386 Properties:
3387
3388 parent
3389 Alias: parent
3390
3391 If given, specifies the parent interface name on which this PPPoE
3392 connection should be created. If this property is not specified,
3393 the connection is activated on the interface specified in
3394 "interface-name" of NMSettingConnection.
3395
3396 Format: string
3397
3398 password
3399 Alias: password
3400
3401 Password used to authenticate with the PPPoE service.
3402
3403 Format: string
3404
3405 password-flags
3406 Flags indicating how to handle the "password" property.
3407
3408 Format: NMSettingSecretFlags (uint32)
3409
3410 service
3411 Alias: service
3412
3413 If specified, instruct PPPoE to only initiate sessions with access
3414 concentrators that provide the specified service. For most
3415 providers, this should be left blank. It is only required if there
3416 are multiple access concentrators or a specific service is known to
3417 be required.
3418
3419 Format: string
3420
3421 username
3422 Alias: username
3423
3424 Username used to authenticate with the PPPoE service.
3425
3426 Format: string
3427
3428 proxy setting
3429 WWW Proxy Settings.
3430
3431 Properties:
3432
3433 browser-only
3434 Alias: browser-only
3435
3436 Whether the proxy configuration is for browser only.
3437
3438 Format: boolean
3439
3440 method
3441 Alias: method
3442
3443 Method for proxy configuration. Default is
3444 NM_SETTING_PROXY_METHOD_NONE (0).
3445
3446 Format: int32
3447
3448 pac-script
3449 Alias: pac-script
3450
3451 PAC script for the connection. This is UTF-8 encoded JavaScript
3452 code that defines a FindProxyForURL() function.
3453
3454 Format: string
3455
3456 pac-url
3457 Alias: pac-url
3458
3459 PAC URL for obtaining PAC file.
3460
3461 Format: string
3462
3463 serial setting
3464 Serial Link Settings.
3465
3466 Properties:
3467
3468 baud
3469 Speed to use for communication over the serial port. Note that this
3470 value usually has no effect for mobile broadband modems as they
3471 generally ignore speed settings and use the highest available
3472 speed.
3473
3474 Format: uint32
3475
3476 bits
3477 Byte-width of the serial communication. The 8 in "8n1" for example.
3478
3479 Format: uint32
3480
3481 parity
3482 Parity setting of the serial port.
3483
3484 Format: NMSettingSerialParity (byte)
3485
3486 send-delay
3487 Time to delay between each byte sent to the modem, in microseconds.
3488
3489 Format: uint64
3490
3491 stopbits
3492 Number of stop bits for communication on the serial port. Either 1
3493 or 2. The 1 in "8n1" for example.
3494
3495 Format: uint32
3496
3497 sriov setting
3498 SR-IOV settings.
3499
3500 Properties:
3501
3502 autoprobe-drivers
3503 Whether to autoprobe virtual functions by a compatible driver.
3504
3505 If set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
3506 compatible driver and if this succeeds a new network interface will
3507 be instantiated for each VF.
3508
3509 If set to NM_TERNARY_FALSE (0), VFs will not be claimed and no
3510 network interfaces will be created for them.
3511
3512 When set to NM_TERNARY_DEFAULT (-1), the global default is used; in
3513 case the global default is unspecified it is assumed to be
3514 NM_TERNARY_TRUE (1).
3515
3516 Format: NMTernary (int32)
3517
3518 total-vfs
3519 The total number of virtual functions to create.
3520
3521 Note that when the sriov setting is present NetworkManager enforces
3522 the number of virtual functions on the interface (also when it is
3523 zero) during activation and resets it upon deactivation. To prevent
3524 any changes to SR-IOV parameters don't add a sriov setting to the
3525 connection.
3526
3527 Format: uint32
3528
3529 vfs
3530 Array of virtual function descriptors.
3531
3532 Each VF descriptor is a dictionary mapping attribute names to
3533 GVariant values. The 'index' entry is mandatory for each VF.
3534
3535 When represented as string a VF is in the form:
3536
3537 "INDEX [ATTR=VALUE[ ATTR=VALUE]...]".
3538
3539 for example:
3540
3541 "2 mac=00:11:22:33:44:55 spoof-check=true".
3542
3543 Multiple VFs can be specified using a comma as separator.
3544 Currently, the following attributes are supported: mac,
3545 spoof-check, trust, min-tx-rate, max-tx-rate, vlans.
3546
3547 The "vlans" attribute is represented as a semicolon-separated list
3548 of VLAN descriptors, where each descriptor has the form
3549
3550 "ID[.PRIORITY[.PROTO]]".
3551
3552 PROTO can be either 'q' for 802.1Q (the default) or 'ad' for
3553 802.1ad.
3554
3555 Format: array of vardict
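
A parser for the VF string form described above, as an added example (not NetworkManager's own code). It accepts only the attributes this page lists; the boolean spelling "true"/"false", the helper names, the sample value and the review rule in vfs_without_spoof_check() are assumptions made for the example.

```python
# Attributes named on this page, grouped by the value type assumed here.
BOOL_ATTRS = {"spoof-check", "trust"}
INT_ATTRS = {"min-tx-rate", "max-tx-rate"}
KNOWN_ATTRS = BOOL_ATTRS | INT_ATTRS | {"mac", "vlans"}


def _number(text, what):
    """Parse a non-negative decimal integer."""
    if not text.isdigit():
        raise ValueError(f"{what} must be a non-negative integer: {text!r}")
    return int(text)


def parse_vlan(descriptor):
    """Parse one 'ID[.PRIORITY[.PROTO]]' VLAN descriptor."""
    parts = descriptor.split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad VLAN descriptor {descriptor!r}")
    vlan = {"id": _number(parts[0], "VLAN id"),
            "priority": None,            # left unset when not given
            "proto": "q"}                # 802.1Q is the documented default
    if len(parts) >= 2:
        vlan["priority"] = _number(parts[1], "VLAN priority")
    if len(parts) == 3:
        if parts[2] not in ("q", "ad"):
            raise ValueError(f"PROTO must be 'q' or 'ad': {parts[2]!r}")
        vlan["proto"] = parts[2]
    return vlan


def parse_vf(text):
    """Parse one 'INDEX [ATTR=VALUE[ ATTR=VALUE]...]' VF descriptor."""
    tokens = text.split()
    if not tokens or not tokens[0].isdigit():
        raise ValueError("the 'index' entry is mandatory for each VF")
    vf = {"index": int(tokens[0])}
    for token in tokens[1:]:
        name, sep, value = token.partition("=")
        if not sep or name not in KNOWN_ATTRS:
            raise ValueError(f"unsupported VF attribute {token!r}")
        if name in vf:
            raise ValueError(f"attribute {name!r} given twice")
        if name in BOOL_ATTRS:
            if value not in ("true", "false"):   # assumed spelling
                raise ValueError(f"{name} expects true or false")
            vf[name] = value == "true"
        elif name in INT_ATTRS:
            vf[name] = _number(value, name)
        elif name == "vlans":
            vf[name] = [parse_vlan(d) for d in value.split(";")]
        else:
            vf[name] = value                     # mac, kept as written
    return vf


def parse_vfs(text):
    """Parse a comma separated list of VF descriptors."""
    return [parse_vf(part) for part in text.split(",") if part.strip()]


def vfs_without_spoof_check(vfs):
    """Hypothetical review rule: VFs that do not set spoof-check=true."""
    return [vf["index"] for vf in vfs if vf.get("spoof-check") is not True]


# Constructed sample value for sriov.vfs; the last VF is the page's example.
SAMPLE_VFS = ("0 mac=00:11:22:33:44:66 spoof-check=true vlans=10.3.ad;20, "
              "1 trust=true max-tx-rate=100, "
              "2 mac=00:11:22:33:44:55 spoof-check=true")

if __name__ == "__main__":
    parsed = parse_vfs(SAMPLE_VFS)
    for vf in parsed:
        print(vf)
    print("review:", vfs_without_spoof_check(parsed))
```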
3556
3557 tc setting
3558 Linux Traffic Control Settings.
3559
3560 Properties:
3561
3562 qdiscs
3563 Array of TC queueing disciplines. A qdisc is a basic block in the
3564 Linux traffic control subsystem.
3565
3566 Each qdisc can be specified by the following attributes:
3567
3568 handle HANDLE
3569 specifies the qdisc handle. A qdisc, which potentially can have
3570 children, gets assigned a major number, called a 'handle',
3571 leaving the minor number namespace available for classes. The
3572 handle is expressed as '10:'. It is customary to explicitly
3573 assign a handle to qdiscs expected to have children.
3574
3575 parent HANDLE
3576 specifies the handle of the parent qdisc the current qdisc must
3577 be attached to.
3578
3579 root
3580 specifies that the qdisc is attached to the root of device.
3581
3582 KIND
3583 this is the qdisc kind. NetworkManager currently supports the
3584 following kinds: fq_codel, sfq, tbf. Each qdisc kind has a
3585 different set of parameters, described below. There are also
3586 some kinds like pfifo, pfifo_fast, prio supported by
3587 NetworkManager but their parameters are not supported by
3588 NetworkManager.
3589
3590 Parameters for 'fq_codel':
3591
3592 limit U32
3593 the hard limit on the real queue size. When this limit is
3594 reached, incoming packets are dropped. Default is 10240
3595 packets.
3596
3597 memory_limit U32
3598 sets a limit on the total number of bytes that can be queued in
3599 this FQ-CoDel instance. The lower of the packet limit of the
3600 limit parameter and the memory limit will be enforced. Default
3601 is 32 MB.
3602
3603 flows U32
3604 the number of flows into which the incoming packets are
3605 classified. Due to the stochastic nature of hashing, multiple
3606 flows may end up being hashed into the same slot. Newer flows
3607 have priority over older ones. This parameter can be set only
3608 at load time since memory has to be allocated for the hash
3609 table. Default value is 1024.
3610
3611 target U32
3612 the acceptable minimum standing/persistent queue delay. This
3613 minimum delay is identified by tracking the local minimum queue
3614 delay that packets experience. The unit of measurement is
3615 microsecond(us). Default value is 5ms.
3616
3617 interval U32
3618 used to ensure that the measured minimum delay does not become
3619 too stale. The minimum delay must be experienced in the last
3620 epoch of length interval. It should be set on the order of
3621 the worst-case RTT through the bottleneck to give endpoints
3622 sufficient time to react. Default value is 100ms.
3623
3624 quantum U32
3625 the number of bytes used as 'deficit' in the fair queuing
3626 algorithm. Default is set to 1514 bytes which corresponds to
3627 the Ethernet MTU plus the hardware header length of 14 bytes.
3628
3629 ecn BOOL
3630 can be used to mark packets instead of dropping them. ecn is
3631 turned on by default.
3632
3633 ce_threshold U32
3634 sets a threshold above which all packets are marked with ECN
3635 Congestion Experienced. This is useful for DCTCP-style
3636 congestion control algorithms that require marking at very
3637 shallow queueing thresholds.
3638
3639 Parameters for 'sfq':
3640
3641 divisor U32
3642 can be used to set a different hash table size, available from
3643 kernel 2.6.39 onwards. The specified divisor must be a power of
3644 two and cannot be larger than 65536. Default value: 1024.
3645
3646 limit U32
3647 Upper limit of the SFQ. Can be used to reduce the default
3648 length of 127 packets.
3649
3650 depth U32
3651 Limit of packets per flow. Defaults to 127 and can be lowered.
3652
3653 perturb_period U32
3654 Interval in seconds for queue algorithm perturbation. Defaults
3655 to 0, which means that no perturbation occurs. Do not set too
3656 low, for each perturbation may cause some packet reordering or
3657 losses. Advised value: 60. This value has no effect when
3658 external flow classification is used. It's better to increase
3659 divisor value to lower risk of hash collisions.
3660
3661 quantum U32
3662 Amount of bytes a flow is allowed to dequeue during a round of
3663 the round robin process. Defaults to the MTU of the interface
3664 which is also the advised value and the minimum value.
3665
3666 flows U32
3667 Default value is 127.
3668
3669 Parameters for 'tbf':
3670
3671 rate U64
3672 Bandwidth or rate. These parameters accept a floating point
3673 number, possibly followed by either a unit (both SI and IEC
3674 units supported), or a float followed by a percent character to
3675 specify the rate as a percentage of the device's speed.
3676
3677 burst U32
3678 Also known as buffer or maxburst. Size of the bucket, in bytes.
3679 This is the maximum amount of bytes that tokens can be
3680 available for instantaneously. In general, larger shaping rates
3681 require a larger buffer. For 10mbit/s on Intel, you need at
3682 least 10kbyte buffer if you want to reach your configured rate!
3683
3684 If your buffer is too small, packets may be dropped because
3685 more tokens arrive per timer tick than fit in your bucket. The
3686 minimum buffer size can be calculated by dividing the rate by
3687 HZ.
3688
3689 Token usage calculations are performed using a table which by
3690 default has a resolution of 8 packets. This resolution can be
3691 changed by specifying the cell size with the burst. For
3692 example, to specify a 6000 byte buffer with a 16 byte cell
3693 size, set a burst of 6000/16. You will probably never have to
3694 set this. Must be an integral power of 2.
3695
3696 limit U32
3697 Limit is the number of bytes that can be queued waiting for
3698 tokens to become available.
3699
3700 latency U32
3701 specifies the maximum amount of time a packet can sit in the
3702 TBF. The latency calculation takes into account the size of the
3703 bucket, the rate and possibly the peakrate (if set). The
3704 latency and limit are mutually exclusive.
3705
3706 Format: GPtrArray(NMTCQdisc)
3707
3708 tfilters
3709 Array of TC traffic filters. Traffic control can manage the packet
3710 content during classification by using filters.
3711
3712 Each tfilters can be specified by the following attributes:
3713
3714 handle HANDLE
3715 specifies the tfilters handle. A filter is used by a classful
3716 qdisc to determine in which class a packet will be enqueued. It
3717 is important to notice that filters reside within qdiscs.
3718 Therefore, see qdiscs handle for detailed information.
3719
3720 parent HANDLE
3721 specifies the handle of the parent qdisc the current qdisc must
3722 be attached to.
3723
3724 root
3725 specifies that the qdisc is attached to the root of device.
3726
3727 KIND
3728 this is the tfilters kind. NetworkManager currently supports
3729 following kinds: mirred, simple. Each filter kind has a
3730 different set of actions, described below. There are also some
3731 other kinds like matchall, basic, u32 supported by
3732 NetworkManager.
3733
3734 Actions for 'mirred':
3735
3736 egress bool
3737 Define whether the packet should exit from the interface.
3738
3739 ingress bool
3740 Define whether the packet should come into the interface.
3741
3742 mirror bool
3743 Define whether the packet should be copied to the destination
3744 space.
3745
3746 redirect bool
3747 Define whether the packet should be moved to the destination
3748 space.
3749
3750 Action for 'simple':
3751
3752 sdata char[32]
3753 The actual string to print.
3754
3755 Format: GPtrArray(NMTCTfilter)
3756
3757 team setting
3758 Teaming Settings.
3759
3760 Properties:
3761
3762 config
3763 Alias: config
3764
3765 The JSON configuration for the team network interface. The property
3766 should contain raw JSON configuration data suitable for teamd,
3767 because the value is passed directly to teamd. If not specified,
3768 the default configuration is used. See man teamd.conf for the
3769 format details.
3770
3771 Format: string
3772
3773 link-watchers
3774 Link watchers configuration for the connection: each link watcher
3775 is defined by a dictionary, whose keys depend upon the selected
3776 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3777 and 'arp_ping' and it is specified in the dictionary with the key
3778 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3779 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3780 'target-host'; arp_ping: all the ones in nsna_ping and
3781 'source-host', 'validate-active', 'validate-inactive',
3782 'send-always'. See teamd.conf man for more details.
3783
3784 Format: array of vardict
3785
3786 mcast-rejoin-count
3787 Corresponds to the teamd mcast_rejoin.count.
3788
3789 Format: int32
3790
3791 mcast-rejoin-interval
3792 Corresponds to the teamd mcast_rejoin.interval.
3793
3794 Format: int32
3795
3796 notify-peers-count
3797 Corresponds to the teamd notify_peers.count.
3798
3799 Format: int32
3800
3801 notify-peers-interval
3802 Corresponds to the teamd notify_peers.interval.
3803
3804 Format: int32
3805
3806 runner
3807 Corresponds to the teamd runner.name. Permitted values are:
3808 "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
3809 "random".
3810
3811 Format: string
3812
3813 runner-active
3814 Corresponds to the teamd runner.active.
3815
3816 Format: boolean
3817
3818 runner-agg-select-policy
3819 Corresponds to the teamd runner.agg_select_policy.
3820
3821 Format: string
3822
3823 runner-fast-rate
3824 Corresponds to the teamd runner.fast_rate.
3825
3826 Format: boolean
3827
3828 runner-hwaddr-policy
3829 Corresponds to the teamd runner.hwaddr_policy.
3830
3831 Format: string
3832
3833 runner-min-ports
3834 Corresponds to the teamd runner.min_ports.
3835
3836 Format: int32
3837
3838 runner-sys-prio
3839 Corresponds to the teamd runner.sys_prio.
3840
3841 Format: int32
3842
3843 runner-tx-balancer
3844 Corresponds to the teamd runner.tx_balancer.name.
3845
3846 Format: string
3847
3848 runner-tx-balancer-interval
3849 Corresponds to the teamd runner.tx_balancer.interval.
3850
3851 Format: int32
3852
3853 runner-tx-hash
3854 Corresponds to the teamd runner.tx_hash.
3855
3856 Format: array of string
3857
3858 team-port setting
3859 Team Port Settings.
3860
3861 Properties:
3862
3863 config
3864 Alias: config
3865
3866 The JSON configuration for the team port. The property should
3867 contain raw JSON configuration data suitable for teamd, because the
3868 value is passed directly to teamd. If not specified, the default
3869 configuration is used. See man teamd.conf for the format details.
3870
3871 Format: string
3872
3873 lacp-key
3874 Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3875
3876 Format: int32
3877
3878 lacp-prio
3879 Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3880
3881 Format: int32
3882
3883 link-watchers
3884 Link watchers configuration for the connection: each link watcher
3885 is defined by a dictionary, whose keys depend upon the selected
3886 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3887 and 'arp_ping' and it is specified in the dictionary with the key
3888 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3889 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3890 'target-host'; arp_ping: all the ones in nsna_ping and
3891 'source-host', 'validate-active', 'validate-inactive',
3892 'send-always'. See teamd.conf man for more details.
3893
3894 Format: array of vardict
3895
3896 prio
3897 Corresponds to the teamd ports.PORTIFNAME.prio.
3898
3899 Format: int32
3900
3901 queue-id
3902 Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1,
3903 the parameter is omitted from the JSON config.
3904
3905 Format: int32
3906
3907 sticky
3908 Corresponds to the teamd ports.PORTIFNAME.sticky.
3909
3910 Format: boolean
3911
3912 tun setting
3913 Tunnel Settings.
3914
3915 Properties:
3916
3917 group
3918 Alias: group
3919
3920 The group ID which will own the device. If set to NULL everyone
3921 will be able to use the device.
3922
3923 Format: string
3924
3925 mode
3926 Alias: mode
3927
3928 The operating mode of the virtual device. Allowed values are
3929 NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3930 NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3931
3932 Format: uint32
3933
3934 multi-queue
3935 Alias: multi-queue
3936
3937 If the property is set to TRUE, the interface will support multiple
3938 file descriptors (queues) to parallelize packet sending or
3939 receiving. Otherwise, the interface will only support a single
3940 queue.
3941
3942 Format: boolean
3943
3944 owner
3945 Alias: owner
3946
3947 The user ID which will own the device. If set to NULL everyone will
3948 be able to use the device.
3949
3950 Format: string
3951
3952 pi
3953 Alias: pi
3954
3955 If TRUE the interface will prepend a 4 byte header describing the
3956 physical interface to the packets.
3957
3958 Format: boolean
3959
3960 vnet-hdr
3961 Alias: vnet-hdr
3962
3963 If TRUE (IFF_VNET_HDR), the tunnel packets will include a virtio
3964 network header.
3965
3966 Format: boolean
3967
3968 vlan setting
3969 VLAN Settings.
3970
3971 Properties:
3972
3973 egress-priority-map
3974 Alias: egress
3975
3976 For outgoing packets, a list of mappings from Linux SKB priorities
3977 to 802.1p priorities. The mapping is given in the format "from:to"
3978 where both "from" and "to" are unsigned integers, e.g. "7:3".
3979
3980 Format: array of string
3981
3982 flags
3983 Alias: flags
3984
3985 One or more flags which control the behavior and features of the
3986 VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
3987 (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
3988 of the GVRP protocol), NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
3989 binding of the interface to its master device's operating state),
3990 and NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol).
3991
3992 The default value of this property is NM_VLAN_FLAG_REORDER_HEADERS,
3993 but it used to be 0. To preserve backward compatibility, the
3994 default-value in the D-Bus API continues to be 0 and a missing
3995 property on D-Bus is still considered as 0.
3996
3997 Format: NMVlanFlags (uint32)
3998
3999 id
4000 Alias: id
4001
4002 The VLAN identifier that the interface created by this connection
4003 should be assigned. The valid range is from 0 to 4094, without the
4004 reserved id 4095.
4005
4006 Format: uint32
4007
4008 ingress-priority-map
4009 Alias: ingress
4010
4011 For incoming packets, a list of mappings from 802.1p priorities to
4012 Linux SKB priorities. The mapping is given in the format "from:to"
4013 where both "from" and "to" are unsigned integers, e.g. "7:3".
4014
4015 Format: array of string
4016
4017 parent
4018 Alias: dev
4019
4020 If given, specifies the parent interface name or parent connection
4021 UUID from which this VLAN interface should be created. If this
4022 property is not specified, the connection must contain an
4023 "802-3-ethernet" setting with a "mac-address" property.
4024
4025 Format: string
4026
4027 protocol
4028 Specifies the VLAN protocol to use for encapsulation.
4029
4030 Supported values are: '802.1Q', '802.1ad'. If not specified the
4031 default value is '802.1Q'.
4032
4033 Format: string
4034
4035 vpn setting
4036 VPN Settings.
4037
4038 Properties:
4039
4040 data
4041 Dictionary of key/value pairs of VPN plugin specific data. Both
4042 keys and values must be strings.
4043
4044 Format: dict of string to string
4045
4046 persistent
4047 If the VPN service supports persistence, and this property is TRUE,
4048 the VPN will attempt to stay connected across link changes and
4049 outages, until explicitly disconnected.
4050
4051 Format: boolean
4052
4053 secrets
4054 Dictionary of key/value pairs of VPN plugin specific secrets like
4055 passwords or private keys. Both keys and values must be strings.
4056
4057 Format: dict of string to string
4058
4059 service-type
4060 Alias: vpn-type
4061
4062 D-Bus service name of the VPN plugin that this setting uses to
4063 connect to its network, e.g. org.freedesktop.NetworkManager.vpnc
4064 for the vpnc plugin.
4065
4066 Format: string
4067
4068 timeout
4069 Timeout for the VPN service to establish the connection. Some
4070 services may take quite a long time to connect. Value of 0 means a
4071 default timeout, which is 60 seconds (unless overridden by
4072 vpn.timeout in configuration file). Values greater than zero mean
4073 timeout in seconds.
4074
4075 Format: uint32
4076
4077 user-name
4078 Alias: user
4079
4080 If the VPN connection requires a user name for authentication, that
4081 name should be provided here. If the connection is available to
4082 more than one user, and the VPN requires each user to supply a
4083 different name, then leave this property empty. If this property is
4084 empty, NetworkManager will automatically supply the username of the
4085 user which requested the VPN connection.
4086
4087 Format: string
4088
4089 vrf setting
4090 VRF settings.
4091
4092 Properties:
4093
4094 table
4095 Alias: table
4096
4097 The routing table for this VRF.
4098
4099 Format: uint32
4100
4101 vxlan setting
4102 VXLAN Settings.
4103
4104 Properties:
4105
4106 ageing
4107 Specifies the lifetime in seconds of FDB entries learnt by the
4108 kernel.
4109
4110 Format: uint32
4111
4112 destination-port
4113 Alias: destination-port
4114
4115 Specifies the UDP destination port to communicate to the remote
4116 VXLAN tunnel endpoint.
4117
4118 Format: uint32
4119
4120 id
4121 Alias: id
4122
4123 Specifies the VXLAN Network Identifier (or VXLAN Segment
4124 Identifier) to use.
4125
4126 Format: uint32
4127
4128 l2-miss
4129 Specifies whether netlink LL ADDR miss notifications are generated.
4130
4131 Format: boolean
4132
4133 l3-miss
4134 Specifies whether netlink IP ADDR miss notifications are generated.
4135
4136 Format: boolean
4137
4138 learning
4139 Specifies whether unknown source link layer addresses and IP
4140 addresses are entered into the VXLAN device forwarding database.
4141
4142 Format: boolean
4143
4144 limit
4145 Specifies the maximum number of FDB entries. A value of zero means
4146 that the kernel will store unlimited entries.
4147
4148 Format: uint32
4149
4150 local
4151 Alias: local
4152
4153 If given, specifies the source IP address to use in outgoing
4154 packets.
4155
4156 Format: string
4157
4158 parent
4159 Alias: dev
4160
4161 If given, specifies the parent interface name or parent connection
4162 UUID.
4163
4164 Format: string
4165
4166 proxy
4167 Specifies whether ARP proxy is turned on.
4168
4169 Format: boolean
4170
4171 remote
4172 Alias: remote
4173
4174 Specifies the unicast destination IP address to use in outgoing
4175 packets when the destination link layer address is not known in the
4176 VXLAN device forwarding database, or the multicast IP address to
4177 join.
4178
4179 Format: string
4180
4181 rsc
4182 Specifies whether route short circuit is turned on.
4183
4184 Format: boolean
4185
4186 source-port-max
4187 Alias: source-port-max
4188
4189 Specifies the maximum UDP source port to communicate to the remote
4190 VXLAN tunnel endpoint.
4191
4192 Format: uint32
4193
4194 source-port-min
4195 Alias: source-port-min
4196
4197 Specifies the minimum UDP source port to communicate to the remote
4198 VXLAN tunnel endpoint.
4199
4200 Format: uint32
4201
4202 tos
4203 Specifies the TOS value to use in outgoing packets.
4204
4205 Format: uint32
4206
4207 ttl
4208 Specifies the time-to-live value to use in outgoing packets.
4209
4210 Format: uint32
4211
4212 wifi-p2p setting
4213 Wi-Fi P2P Settings.
4214
4215 Properties:
4216
4217 peer
4218 Alias: peer
4219
4220 The P2P device that should be connected to. Currently, this is the
4221 only way to create or join a group.
4222
4223 Format: string
4224
4225 wfd-ies
4226 The Wi-Fi Display (WFD) Information Elements (IEs) to set.
4227
4228 Wi-Fi Display requires a protocol specific information element to
4229 be set in certain Wi-Fi frames. These can be specified here for the
4230 purpose of establishing a connection. This setting is only useful
4231 when implementing a Wi-Fi Display client.
4232
4233 Format: byte array
4234
4235 wps-method
4236 Flags indicating which mode of WPS is to be used.
4237
4238 There's little point in changing the default setting as
4239 NetworkManager will automatically determine the best method to use.
4240
4241 Format: uint32
4242
4243 wimax setting
4244 WiMax Settings.
4245
4246 Properties:
4247
4248 mac-address
4249 Alias: mac
4250
4251 If specified, this connection will only apply to the WiMAX device
4252 whose MAC address matches. This property does not change the MAC
4253 address of the device (known as MAC spoofing).
4254
4255 This property is deprecated since version 1.2. WiMAX is no longer
4256 supported.
4257
4258 Format: byte array
4259
4260 network-name
4261 Alias: nsp
4262
4263 Network Service Provider (NSP) name of the WiMAX network this
4264 connection should use.
4265
4266 This property is deprecated since version 1.2. WiMAX is no longer
4267 supported.
4268
4269 Format: string
4270
4271 802-3-ethernet setting
4272 Alias: ethernet
4273
4274 Wired Ethernet Settings.
4275
4276 Properties:
4277
4278 accept-all-mac-addresses
4279 When TRUE, set up the interface to accept packets for all MAC
4280 addresses. This enables the kernel interface flag IFF_PROMISC.
4281 When FALSE, the interface will only accept packets addressed to
4282 the interface's own MAC address or to broadcast.
4283
4284 Format: NMTernary (int32)
4285
4286 auto-negotiate
4287 When TRUE, enforce auto-negotiation of speed and duplex mode. If
4288 "speed" and "duplex" properties are both specified, only that
4289 single mode will be advertised and accepted during the link
4290 auto-negotiation process: this works only for BASE-T 802.3
4291 specifications and is useful for enforcing gigabit modes, as in
4292 these cases link negotiation is mandatory. When FALSE, "speed" and
4293 "duplex" properties should be both set or link configuration will
4294 be skipped.
4295
4296 Format: boolean
4297
4298 cloned-mac-address
4299 Alias: cloned-mac
4300
4301 If specified, request that the device use this MAC address instead.
4302 This is known as MAC cloning or spoofing.
4303
4304 Beside explicitly specifying a MAC address, the special values
4305 "preserve", "permanent", "random" and "stable" are supported.
4306 "preserve" means not to touch the MAC address on activation.
4307 "permanent" means to use the permanent hardware address if the
4308 device has one (otherwise this is treated as "preserve"). "random"
4309 creates a random MAC address on each connect. "stable" creates a
4310 hashed MAC address based on connection.stable-id and a machine
4311 dependent key.
4312
4313 If unspecified, the value can be overwritten via global defaults,
4314 see manual of NetworkManager.conf. If still unspecified, it
4315 defaults to "preserve" (older versions of NetworkManager may use a
4316 different default value).
4317
4318 On D-Bus, this field is expressed as "assigned-mac-address" or the
4319 deprecated "cloned-mac-address".
4320
4321 Format: byte array
4322
4323 duplex
4324 When a value is set, either "half" or "full", configures the device
4325 to use the specified duplex mode. If "auto-negotiate" is "yes" the
4326 specified duplex mode will be the only one advertised during link
4327 negotiation: this works only for BASE-T 802.3 specifications and is
4328 useful for enforcing gigabit modes, as in these cases link
4329 negotiation is mandatory. If the value is unset (the default), the
4330 link configuration will be either skipped (if "auto-negotiate" is
4331 "no", the default) or will be auto-negotiated (if "auto-negotiate"
4332 is "yes") and the local device will advertise all the supported
4333 duplex modes. Must be set together with the "speed" property if
4334 specified. Before specifying a duplex mode be sure your device
4335 supports it.
4336
4337 Format: string
4338
4339 generate-mac-address-mask
4340 With "cloned-mac-address" setting "random" or "stable", by default
4341 all bits of the MAC address are scrambled and a
4342 locally-administered, unicast MAC address is created. This property
4343 allows specifying that certain bits are fixed. Note that the least
4344 significant bit of the first octet of the MAC address will always
4345 be unset to create a unicast MAC address.
4346
4347 If the property is NULL, it is eligible to be overwritten by a
4348 default connection setting. If the value is still NULL or an empty
4349 string, the default is to create a locally-administered, unicast
4350 MAC address.
4351
4352 If the value contains one MAC address, this address is used as
4353 mask. The set bits of the mask are to be filled with the current
4354 MAC address of the device, while the unset bits are subject to
4355 randomization. Setting "FE:FF:FF:00:00:00" means to preserve the
4356 OUI of the current MAC address and only randomize the lower 3 bytes
4357 using the "random" or "stable" algorithm.
4358
4359 If the value contains one additional MAC address after the mask,
4360 this address is used instead of the current MAC address to fill the
4361 bits that shall not be randomized. For example, a value of
4362 "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC
4363 address to 68:F7:28, while the lower bits are randomized. A value
4364 of "02:00:00:00:00:00 00:00:00:00:00:00" will create a fully
4365 scrambled globally-administered, burned-in MAC address.
4366
4367 If the value contains more than one additional MAC address, one
4368 of them is chosen randomly. For example, "02:00:00:00:00:00
4369 00:00:00:00:00:00 02:00:00:00:00:00" will create a fully scrambled
4370 MAC address, randomly locally or globally administered.
4371
4372 Format: string
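
The mask semantics described above for generate-mac-address-mask, worked through in Python. This is an added example that models the text of this page, not NetworkManager's own code; the function names, the injectable `rand` and `pick` parameters, and the sample addresses are all assumptions made for the illustration. `hardware_bits_kept` is a small audit helper showing how many bits of the real hardware address a given mask leaves visible on the wire.

```python
import secrets

MULTICAST_BIT = 0x01    # first octet, LSB: always cleared (unicast)
LOCAL_ADMIN_BIT = 0x02  # first octet, second LSB: locally administered


def parse_mac(text):
    """Parse 'AA:BB:CC:DD:EE:FF' into 6 raw bytes."""
    parts = text.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def generate_mac(mask_spec, current_mac, rand=None, pick=None):
    """Model of the generated address for "random"/"stable" cloning.

    mask_spec   -- property value: "" / None, "MASK", or "MASK ADDR [ADDR...]"
    current_mac -- the device's current MAC address
    rand        -- 6 bytes standing in for the random/stable bits
                   (injectable so results are reproducible; assumption)
    pick        -- callable(n) -> index, chooses among several ADDRs
    """
    out = bytearray(rand if rand is not None else secrets.token_bytes(6))
    if len(out) != 6:
        raise ValueError("rand must be exactly 6 bytes")

    # Default: locally-administered address, unless the mask overrides it.
    out[0] |= LOCAL_ADMIN_BIT

    tokens = (mask_spec or "").split()
    if tokens:
        mask = parse_mac(tokens[0])
        fills = [parse_mac(t) for t in tokens[1:]]
        if fills:
            idx = pick(len(fills)) if pick else secrets.randbelow(len(fills))
            fill = fills[idx]
        else:
            fill = parse_mac(current_mac)
        # Set mask bits are taken from `fill`; unset bits stay randomized.
        out = bytearray(
            (r & (0xFF ^ m)) | (f & m) for r, f, m in zip(out, fill, mask)
        )

    # The result is always a unicast address.
    out[0] &= 0xFF ^ MULTICAST_BIT
    return format_mac(out)


def is_locally_administered(mac):
    return bool(parse_mac(mac)[0] & LOCAL_ADMIN_BIT)


def hardware_bits_kept(mask_spec):
    """Number of bits copied from the device's real address.

    Non-zero only when a mask is given without replacement addresses;
    e.g. preserving the OUI keeps the vendor identifiable.
    """
    tokens = (mask_spec or "").split()
    if len(tokens) != 1:
        return 0
    mask = bytearray(parse_mac(tokens[0]))
    mask[0] &= 0xFF ^ MULTICAST_BIT  # this bit is forced to 0 regardless
    return sum(bin(b).count("1") for b in mask)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    current = "68:F7:28:11:22:33"
    for spec in (
        "",
        "FE:FF:FF:00:00:00",
        "FE:FF:FF:00:00:00 68:F7:28:00:00:00",
        "02:00:00:00:00:00 00:00:00:00:00:00",
    ):
        mac = generate_mac(spec, current)
        print(f"{spec!r:45} -> {mac} "
              f"local={is_locally_administered(mac)} "
              f"hw_bits={hardware_bits_kept(spec)}")
```
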
4373
4374 mac-address
4375 Alias: mac
4376
4377 If specified, this connection will only apply to the Ethernet
4378 device whose permanent MAC address matches. This property does not
4379 change the MAC address of the device (i.e. MAC spoofing).
4380
4381 Format: byte array
4382
4383 mac-address-blacklist
4384 If specified, this connection will never apply to the Ethernet
4385 device whose permanent MAC address matches an address in the list.
4386 Each MAC address is in the standard hex-digits-and-colons notation
4387 (00:11:22:33:44:55).
4388
4389 Format: array of string
4390
4391 mtu
4392 Alias: mtu
4393
4394 If non-zero, only transmit packets of the specified size or
4395 smaller, breaking larger packets up into multiple Ethernet frames.
4396
4397 Format: uint32
4398
4399 port
4400 Specific port type to use if the device supports multiple
4401 attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
4402 Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
4403 Interface). If the device supports only one port type, this setting
4404 is ignored.
4405
4406 Format: string
4407
4408 s390-nettype
4409 s390 network device type; one of "qeth", "lcs", or "ctc",
4410 representing the different types of virtual network devices
4411 available on s390 systems.
4412
4413 Format: string
4414
4415 s390-options
4416 Dictionary of key/value pairs of s390-specific device options. Both
4417 keys and values must be strings. Allowed keys include "portno",
4418 "layer2", "portname", "protocol", among others. Key names must
4419 contain only alphanumeric characters (ie, [a-zA-Z0-9]).
4420
4421 Currently, NetworkManager itself does nothing with this
4422 information. However, s390utils ships a udev rule which parses this
4423 information and applies it to the interface.
4424
4425 Format: dict of string to string
4426
4427 s390-subchannels
4428 Identifies specific subchannels that this network device uses for
4429 communication with z/VM or s390 host. Like the "mac-address"
4430 property for non-z/VM devices, this property can be used to ensure
4431 this connection only applies to the network device that uses these
4432 subchannels. The list should contain exactly 3 strings, and each
4433 string may only be composed of hexadecimal characters and the
4434 period (.) character.
4435
4436 Format: array of string
4437
4438 speed
4439 When a value greater than 0 is set, configures the device to use
4440 the specified speed. If "auto-negotiate" is "yes" the specified
4441 speed will be the only one advertised during link negotiation: this
4442 works only for BASE-T 802.3 specifications and is useful for
4443 enforcing gigabit speeds, as in this case link negotiation is
4444 mandatory. If the value is unset (0, the default), the link
4445 configuration will be either skipped (if "auto-negotiate" is "no",
4446 the default) or will be auto-negotiated (if "auto-negotiate" is
4447 "yes") and the local device will advertise all the supported
4448 speeds. In Mbit/s, e.g. 100 == 100Mbit/s. Must be set together with
4449 the "duplex" property when non-zero. Before specifying a speed
4450 value be sure your device supports it.
4451
4452 Format: uint32
4453
4454 wake-on-lan
4455 The NMSettingWiredWakeOnLan options to enable. Not all devices
4456 support all options. May be any combination of
4457 NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
4458 NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
4459 NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
4460 NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
4461 NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
4462 NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
4463 NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
4464 and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
4465 management of Wake-on-LAN in NetworkManager).
4466
4467 Format: uint32
4468
4469 wake-on-lan-password
4470 If specified, the password used with magic-packet-based
4471 Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
4472 password will be required.
4473
4474 Format: string
4475
4476 wireguard setting
4477 WireGuard Settings.
4478
4479 Properties:
4480
4481 fwmark
4482 The use of fwmark is optional and is by default off. Setting it to
4483 0 disables it. Otherwise, it is a 32-bit fwmark for outgoing
4484 packets.
4485
4486 Note that enabling "ip4-auto-default-route" or
4487 "ip6-auto-default-route" implies that a fwmark is chosen automatically.
4488
4489 Format: uint32
4490
4491 ip4-auto-default-route
4492 Whether to enable special handling of the IPv4 default route. If
4493 enabled, the IPv4 default route from wireguard.peer-routes will be
4494 placed to a dedicated routing-table and two policy routing rules
4495 will be added. The fwmark number is also used as routing-table for
4496 the default-route, and if fwmark is zero, an unused fwmark/table is
4497 chosen automatically. This corresponds to what wg-quick does with
4498 Table=auto and what WireGuard calls "Improved Rule-based Routing".
4499
4500 Note that for this automatism to work, you usually don't want to
4501 set ipv4.gateway, because that will result in a conflicting default
4502 route.
4503
4504 Leaving this at the default will enable this option automatically
4505 if ipv4.never-default is not set and there are any peers that use a
4506 default-route as allowed-ips. Since this automatism only makes
4507 sense if you also have a peer with an /0 allowed-ips, it is usually
4508 not necessary to enable this explicitly. However, you can disable
4509 it if you want to configure your own routing and rules.
4510
4511 Format: NMTernary (int32)
4512
4513 ip6-auto-default-route
4514 Like ip4-auto-default-route, but for the IPv6 default route.
4515
4516 Format: NMTernary (int32)
4517
4518 listen-port
4519 The listen-port. If listen-port is not specified, the port will be
4520 chosen randomly when the interface comes up.
4521
4522 Format: uint32
4523
4524 mtu
4525 If non-zero, only transmit packets of the specified size or
4526 smaller, breaking larger packets up into multiple fragments.
4527
4528 If zero a default MTU is used. Note that contrary to wg-quick's MTU
4529 setting, this does not take into account the current routes at the
4530 time of activation.
4531
4532 Format: uint32
4533
4534 peer-routes
4535 Whether to automatically add routes for the AllowedIPs ranges of
4536 the peers. If TRUE (the default), NetworkManager will automatically
4537 add routes in the routing tables according to ipv4.route-table and
4538 ipv6.route-table. Usually you want this automatism enabled. If
4539 FALSE, no such routes are added automatically. In this case, the
4540 user may want to configure static routes in ipv4.routes and
4541 ipv6.routes, respectively.
4542
4543 Note that if the peer's AllowedIPs is "0.0.0.0/0" or "::/0" and the
4544 profile's ipv4.never-default or ipv6.never-default setting is
4545 enabled, the peer route for this peer won't be added automatically.
4546
4547 Format: boolean
4548
4549 private-key
4550 The 256 bit private-key in base64 encoding.
4551
4552 Format: string
4553
4554 private-key-flags
4555 Flags indicating how to handle the "private-key" property.
4556
4557 Format: NMSettingSecretFlags (uint32)
4558
4559 802-11-wireless setting
4560 Alias: wifi
4561
4562 Wi-Fi Settings.
4563
4564 Properties:
4565
4566 ap-isolation
4567 Configures AP isolation, which prevents communication between
4568 wireless devices connected to this AP. This property can be set to
4569 a value different from NM_TERNARY_DEFAULT (-1) only when the
4570 interface is configured in AP mode.
4571
4572 If set to NM_TERNARY_TRUE (1), devices are not able to communicate
4573 with each other. This increases security because it protects
4574 devices against attacks from other clients in the network. At the
4575 same time, it prevents devices from accessing resources on the same
4576 wireless network, such as file shares, printers, etc.
4577
4578 If set to NM_TERNARY_FALSE (0), devices can talk to each other.
4579
4580 When set to NM_TERNARY_DEFAULT (-1), the global default is used; in
4581 case the global default is unspecified it is assumed to be
4582 NM_TERNARY_FALSE (0).
4583
4584 Format: NMTernary (int32)
4585
4586 band
4587 802.11 frequency band of the network. One of "a" for 5GHz 802.11a
4588 or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
4589 network to the specific band, i.e. if "a" is specified, the device
4590 will not associate with the same network in the 2.4GHz band even if
4591 the network's settings are compatible. This setting depends on
4592 specific driver capability and may not work with all drivers.
4593
4594 Format: string
4595
4596 bssid
4597 If specified, directs the device to only associate with the given
4598 access point. This capability is highly driver dependent and not
4599 supported by all devices. Note: this property does not control the
4600 BSSID used when creating an Ad-Hoc network and is unlikely to in
4601 the future.
4602
4603 Locking a client profile to a certain BSSID will prevent roaming
4604 and also disable background scanning. That can be useful, if there
4605 is only one access point for the SSID.
4606
4607 Format: byte array
4608
4609 channel
4610 Wireless channel to use for the Wi-Fi connection. The device will
4611 only join (or create for Ad-Hoc networks) a Wi-Fi network on the
4612 specified channel. Because channel numbers overlap between bands,
4613 this property also requires the "band" property to be set.
4614
4615 Format: uint32
4616
cloned-mac-address
Alias: cloned-mac

If specified, request that the device use this MAC address instead.
This is known as MAC cloning or spoofing.

Besides explicitly specifying a MAC address, the special values
"preserve", "permanent", "random" and "stable" are supported.
"preserve" means not to touch the MAC address on activation.
"permanent" means to use the permanent hardware address of the
device. "random" creates a random MAC address on each connect.
"stable" creates a hashed MAC address based on connection.stable-id
and a machine dependent key.

If unspecified, the value can be overwritten via global defaults,
see manual of NetworkManager.conf. If still unspecified, it
defaults to "preserve" (older versions of NetworkManager may use a
different default value).

On D-Bus, this field is expressed as "assigned-mac-address" or the
deprecated "cloned-mac-address".

Format: byte array

generate-mac-address-mask
With "cloned-mac-address" setting "random" or "stable", by default
all bits of the MAC address are scrambled and a
locally-administered, unicast MAC address is created. This property
allows specifying that certain bits are fixed. Note that the least
significant bit of the first octet of the MAC address will always be
unset to create a unicast MAC address.

If the property is NULL, it is eligible to be overwritten by a
default connection setting. If the value is still NULL or an empty
string, the default is to create a locally-administered, unicast
MAC address.

If the value contains one MAC address, this address is used as
mask. The set bits of the mask are to be filled with the current
MAC address of the device, while the unset bits are subject to
randomization. Setting "FE:FF:FF:00:00:00" means to preserve the
OUI of the current MAC address and only randomize the lower 3 bytes
using the "random" or "stable" algorithm.

If the value contains one additional MAC address after the mask,
this address is used instead of the current MAC address to fill the
bits that shall not be randomized. For example, a value of
"FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC
address to 68:F7:28, while the lower bits are randomized. A value
of "02:00:00:00:00:00 00:00:00:00:00:00" will create a fully
scrambled globally-administered, burned-in MAC address.

If the value contains more than one additional MAC address, one
of them is chosen randomly. For example, "02:00:00:00:00:00
00:00:00:00:00:00 02:00:00:00:00:00" will create a fully scrambled
MAC address, randomly locally or globally administered.

Format: string

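The mask rules of generate-mac-address-mask, worked through in Python. This is an added example written from the description above, not NetworkManager's own code; it models the "random" case only, and the function names and the rand_bytes/choose hooks are assumptions of the example.

```python
import secrets


def parse_mac(text):
    """Parse 'AA:BB:CC:DD:EE:FF' into 6 bytes."""
    parts = text.strip().split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def generate_mac(mask_value, current_mac, rand_bytes=None, choose=secrets.choice):
    """Build a MAC address from a generate-mac-address-mask value.

    rand_bytes and choose are hypothetical hooks that make the random
    parts reproducible; by default both use the secrets module.
    """
    out = bytearray(rand_bytes if rand_bytes is not None else secrets.token_bytes(6))
    fields = (mask_value or "").split()
    if not fields:
        # NULL or empty string: fully scrambled, locally-administered address.
        out[0] |= 0x02
    else:
        mask = parse_mac(fields[0])
        # Fixed bits come from an address listed after the mask (one is picked
        # at random when several are given), otherwise from the device's MAC.
        source = parse_mac(choose(fields[1:]) if len(fields) > 1 else current_mac)
        for i in range(6):
            # Set mask bits take the source bit, unset mask bits stay random.
            out[i] = (out[i] & ~mask[i]) | (source[i] & mask[i])
    out[0] &= 0xFE  # least significant bit of the first octet: always unicast
    return format_mac(out)


def is_locally_administered(mac):
    """True when the 0x02 bit of the first octet is set."""
    return bool(parse_mac(mac)[0] & 0x02)
```

With the mask "FE:FF:FF:00:00:00" the first three octets of the result always equal the device's OUI, so the vendor stays identifiable even though the lower bytes change.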
hidden
If TRUE, indicates that the network is a non-broadcasting network
that hides its SSID. This works both in infrastructure and AP mode.

In infrastructure mode, various workarounds are used for a more
reliable discovery of hidden networks, such as probe-scanning the
SSID. However, these workarounds expose inherent insecurities with
hidden SSID networks, and thus hidden SSID networks should be used
with caution.

In AP mode, the created network does not broadcast its SSID.

Note that marking the network as hidden may be a privacy issue for
you (in infrastructure mode) or client stations (in AP mode), as
the explicit probe-scans are distinctly recognizable on the air.

Format: boolean

mac-address
Alias: mac

If specified, this connection will only apply to the Wi-Fi device
whose permanent MAC address matches. This property does not change
the MAC address of the device (i.e. MAC spoofing).

Format: byte array

mac-address-blacklist
A list of permanent MAC addresses of Wi-Fi devices to which this
connection should never apply. Each MAC address should be given in
the standard hex-digits-and-colons notation (e.g.
"00:11:22:33:44:55").

Format: array of string

mac-address-randomization
One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
unless the user has set a global default to randomize and the
supplicant supports randomization),
NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
randomize the MAC address).

This property is deprecated since version 1.4. Use the
"cloned-mac-address" property instead.

Format: uint32

mode
Alias: mode

Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
"ap". If blank, infrastructure is assumed.

Format: string

mtu
Alias: mtu

If non-zero, only transmit packets of the specified size or
smaller, breaking larger packets up into multiple Ethernet frames.

Format: uint32

powersave
One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
(don't touch the currently configured setting) or
NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
configured value). All other values are reserved.

Format: uint32

rate
If non-zero, directs the device to only use the specified bitrate
for communication with the access point. Units are in Kb/s, i.e. 5500
= 5.5 Mbit/s. This property is highly driver dependent and not all
devices support setting a static bitrate.

Format: uint32

seen-bssids
A list of BSSIDs (each BSSID formatted as a MAC address like
"00:11:22:33:44:55") that have been detected as part of the Wi-Fi
network. NetworkManager internally tracks previously seen BSSIDs.
The property is only meant for reading and reflects the BSSID list
of NetworkManager. The changes you make to this property will not
be preserved.

Format: array of string

ssid
Alias: ssid

SSID of the Wi-Fi network. Must be specified.

Format: byte array

tx-power
If non-zero, directs the device to use the specified transmit
power. Units are dBm. This property is highly driver dependent and
not all devices support setting a static transmit power.

Format: uint32

wake-on-wlan
The NMSettingWirelessWakeOnWLan options to enable. Not all devices
support all options. May be any combination of
NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
disable management of Wake-on-LAN in NetworkManager).

Format: uint32

802-11-wireless-security setting
Alias: wifi-sec

Wi-Fi Security Settings.

Properties:

auth-alg
When WEP is used (i.e. key-mgmt = "none" or "ieee8021x") indicate
the 802.11 authentication algorithm required by the AP here. One of
"open" for Open System, "shared" for Shared Key, or "leap" for
Cisco LEAP. When using Cisco LEAP (i.e. key-mgmt = "ieee8021x" and
auth-alg = "leap") the "leap-username" and "leap-password"
properties must be specified.

Format: string

fils
Indicates whether Fast Initial Link Setup (802.11ai) must be
enabled for the connection. One of
NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
if the supplicant and the access point support it) or
NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
fail if not supported). When set to
NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
is set, FILS will be optionally enabled.

Format: int32

group
A list of group/broadcast encryption algorithms which prevents
connections to Wi-Fi networks that do not utilize one of the
algorithms in the list. For maximum compatibility leave this
property empty. Each list element may be one of "wep40", "wep104",
"tkip", or "ccmp".

Format: array of string

key-mgmt
Key management used for the connection. One of "none" (WEP or no
password protection), "ieee8021x" (Dynamic WEP), "owe"
(Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3
personal), "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3
enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only).

This property must be set for any Wi-Fi connection that uses
security.

Format: string

leap-password
The login password for legacy LEAP connections (i.e. key-mgmt =
"ieee8021x" and auth-alg = "leap").

Format: string

leap-password-flags
Flags indicating how to handle the "leap-password" property.

Format: NMSettingSecretFlags (uint32)

leap-username
The login username for legacy LEAP connections (i.e. key-mgmt =
"ieee8021x" and auth-alg = "leap").

Format: string

pairwise
A list of pairwise encryption algorithms which prevents connections
to Wi-Fi networks that do not utilize one of the algorithms in the
list. For maximum compatibility leave this property empty. Each
list element may be one of "tkip" or "ccmp".

Format: array of string

pmf
Indicates whether Protected Management Frames (802.11w) must be
enabled for the connection. One of
NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
supplicant and the access point support it) or
NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
if not supported). When set to
NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
is set, PMF will be optionally enabled.

Format: int32

proto
List of strings specifying the allowed WPA protocol versions to
use. Each element may be one of "wpa" (allow WPA) or "rsn" (allow
WPA2/RSN). If not specified, both WPA and RSN connections are
allowed.

Format: array of string

psk
Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
passphrase of 8 to 63 characters that is (as specified in the
802.11i standard) hashed to derive the actual key, or the key in
the form of 64 hexadecimal characters. The WPA3-Personal networks
use a passphrase of any length for SAE authentication.

Format: string

psk-flags
Flags indicating how to handle the "psk" property.

Format: NMSettingSecretFlags (uint32)

wep-key-flags
Flags indicating how to handle the "wep-key0", "wep-key1",
"wep-key2", and "wep-key3" properties.

Format: NMSettingSecretFlags (uint32)

wep-key-type
Controls the interpretation of WEP keys. Allowed values are
NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
26-character hexadecimal string, or a 5- or 13-character ASCII
password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
passphrase is provided as a string and will be hashed using the
de-facto MD5 method to derive the actual WEP key.

Format: NMWepKeyType (uint32)

wep-key0
Index 0 WEP key. This is the WEP key used in most networks. See the
"wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-key1
Index 1 WEP key. This WEP index is not used by most networks. See
the "wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-key2
Index 2 WEP key. This WEP index is not used by most networks. See
the "wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-key3
Index 3 WEP key. This WEP index is not used by most networks. See
the "wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-tx-keyidx
When static WEP is used (i.e. key-mgmt = "none") and a non-default
WEP key index is used by the AP, put that WEP key index here. Valid
values are 0 (default key) through 3. Note that some consumer
access points (like the Linksys WRT54G) number the keys 1 - 4.

Format: uint32

wps-method
Flags indicating which mode of WPS is to be used if any.

There's little point in changing the default setting as
NetworkManager will automatically determine whether it's feasible
to start WPS enrollment from the Access Point capabilities.

WPS can be disabled by setting this property to a value of 1.

Format: uint32

wpan setting
IEEE 802.15.4 (WPAN) MAC Settings.

Properties:

channel
Alias: channel

IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
set, use whatever the device is already set to".

Format: int32

mac-address
Alias: mac

If specified, this connection will only apply to the IEEE 802.15.4
(WPAN) MAC layer device whose permanent MAC address matches.

Format: string

page
Alias: page

IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
not set, use whatever the device is already set to".

Format: int32

pan-id
Alias: pan-id

IEEE 802.15.4 Personal Area Network (PAN) identifier.

Format: uint32

short-address
Alias: short-addr

Short IEEE 802.15.4 address to be used within a restricted
environment.

Format: uint32

bond-port setting
Bond Port Settings.

Properties:

prio
Alias: prio

The port priority for bond active port re-selection during
failover. A higher number means a higher priority in selection. The
primary port has the highest priority. This option is only
compatible with active-backup, balance-tlb and balance-alb modes.

Format: int32

queue-id
Alias: queue-id

The queue ID of this bond port. The maximum value of queue ID is
the number of TX queues currently active in the device.

Format: uint32

hostname setting
Hostname settings.

Properties:

from-dhcp
Whether the system hostname can be determined from DHCP on this
connection.

When set to NM_TERNARY_DEFAULT (-1), the value from global
configuration is used. If the property doesn't have a value in the
global configuration, NetworkManager assumes the value to be
NM_TERNARY_TRUE (1).

Format: NMTernary (int32)

from-dns-lookup
Whether the system hostname can be determined from reverse DNS
lookup of addresses on this device.

When set to NM_TERNARY_DEFAULT (-1), the value from global
configuration is used. If the property doesn't have a value in the
global configuration, NetworkManager assumes the value to be
NM_TERNARY_TRUE (1).

Format: NMTernary (int32)

only-from-default
If set to NM_TERNARY_TRUE (1), NetworkManager attempts to get the
hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this device
only when the device has the default route for the given address
family (IPv4/IPv6).

If set to NM_TERNARY_FALSE (0), the hostname can be set from this
device even if it doesn't have the default route.

When set to NM_TERNARY_DEFAULT (-1), the value from global
configuration is used. If the property doesn't have a value in the
global configuration, NetworkManager assumes the value to be
NM_TERNARY_FALSE (0).

Format: NMTernary (int32)

priority
The relative priority of this connection to determine the system
hostname. A lower numerical value is better (higher priority). A
connection with higher priority is considered before connections
with lower priority.

If the value is zero, it can be overridden by a global value from
NetworkManager configuration. If the property doesn't have a value
in the global configuration, the value is assumed to be 100.

Negative values have the special effect of excluding other
connections with a greater numerical priority value; so in presence
of at least one negative priority, only connections with the lowest
priority value will be used to determine the hostname.

Format: int32

loopback setting
Loopback Link Settings.

Properties:

mtu
Alias: mtu

If non-zero, only transmit packets of the specified size or
smaller, breaking larger packets up into multiple Ethernet frames.

Format: uint32

veth setting
Veth Settings.

Properties:

peer
Alias: peer

This property specifies the peer interface name of the veth. This
property is mandatory.

Format: string

Secret flag types:
Each password or secret property in a setting has an associated flags
property that describes how to handle that secret. The flags property
is a bitfield that contains zero or more of the following values
logically OR-ed together.

• 0x0 (none) - the system is responsible for providing and storing
this secret. This may be required so that secrets are already
available before the user logs in. It also commonly means that the
secret will be stored in plain text on disk, accessible to root
only. For example via the keyfile settings plugin as described in
the "PLUGINS" section in NetworkManager.conf(5).

• 0x1 (agent-owned) - a user-session secret agent is responsible for
providing and storing this secret; when it is required, agents will
be asked to provide it.

• 0x2 (not-saved) - this secret should not be saved but should be
requested from the user each time it is required. This flag should
be used for One-Time-Pad secrets, PIN codes from hardware tokens,
or if the user simply does not want to save the secret.

• 0x4 (not-required) - in some situations it cannot be automatically
determined whether a secret is required or not. This flag hints that
the secret is not required and should not be requested from the
user.

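A review helper for the 802-11-wireless-security properties and the secret flags described above, as an added example that is not part of NetworkManager or nmcli. It assumes the profile is supplied as a dict of "setting.property" strings, with numeric values given either bare or followed by a label; the function names, the sample profiles and the choice of what to report are the example's own.

```python
SEC = "802-11-wireless-security."
SECRET_FLAGS = {0x1: "agent-owned", 0x2: "not-saved", 0x4: "not-required"}
WEAK_CIPHERS = {"wep40", "wep104", "tkip"}

# Constructed sample profiles; the labels after the numbers are made up.
WEAK_PROFILE = {
    "802-11-wireless.hidden": "yes",
    SEC + "key-mgmt": "wpa-psk",
    SEC + "proto": "wpa rsn",
    SEC + "pairwise": "tkip ccmp",
    SEC + "pmf": "1 (disable)",
    SEC + "psk-flags": "0 (none)",
}
STRICT_PROFILE = {
    "802-11-wireless.hidden": "no",
    SEC + "key-mgmt": "sae",
    SEC + "pmf": "3 (required)",
    SEC + "psk-flags": "1 (agent-owned)",
}


def decode_secret_flags(value):
    """Names of the bits set in an NMSettingSecretFlags value (0x0 is none)."""
    return [n for bit, n in SECRET_FLAGS.items() if value & bit] or ["none"]


def _num(props, key, default=0):
    # Accept "3" as well as "3 (required)"; a missing property is the default.
    text = str(props.get(key, "")).split()
    return int(text[0], 0) if text else default


def _items(props, key):
    return str(props.get(key, "")).replace(",", " ").split()


def audit_wifi_profile(props):
    """Return (property, note) pairs for settings a reviewer should look at."""
    notes = []
    key_mgmt = props.get(SEC + "key-mgmt", "")
    if key_mgmt == "":
        notes.append(("key-mgmt", "unset: the connection uses no Wi-Fi security"))
    elif key_mgmt in ("none", "ieee8021x"):
        notes.append(("key-mgmt", f"{key_mgmt!r}: WEP, dynamic WEP or no password"))
    if key_mgmt in ("wpa-psk", "wpa-eap") and _items(props, SEC + "proto") != ["rsn"]:
        notes.append(("proto", "legacy WPA is still allowed; list only 'rsn'"))
    for prop in ("pairwise", "group"):
        weak = sorted(WEAK_CIPHERS.intersection(_items(props, SEC + prop)))
        if weak:
            notes.append((prop, "allows " + ", ".join(weak)))
    pmf = _num(props, SEC + "pmf")
    if key_mgmt and key_mgmt not in ("none", "ieee8021x") and pmf != 3:
        state = "disabled" if pmf == 1 else "not required"
        notes.append(("pmf", f"Protected Management Frames {state}"))
    if key_mgmt in ("wpa-psk", "sae"):
        if decode_secret_flags(_num(props, SEC + "psk-flags")) == ["none"]:
            notes.append(("psk-flags", "psk kept by the system, commonly in plain text on disk"))
    if str(props.get("802-11-wireless.hidden", "no")).lower() in ("yes", "true", "1"):
        notes.append(("hidden", "probe-scans for the hidden SSID are recognizable on the air"))
    return notes
```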
FILES
/etc/NetworkManager/system-connections or distro plugin-specific
location

SEE ALSO
nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
nm-settings-keyfile(5), NetworkManager.conf(5)

NetworkManager 1.42.8 NM-SETTINGS-NMCLI(5)