NM-SETTINGS-NMCLI(5) Configuration NM-SETTINGS-NMCLI(5)

NAME
nm-settings-nmcli - Description of settings and properties of
NetworkManager connection profiles for nmcli

DESCRIPTION
NetworkManager is based on a concept of connection profiles, sometimes
referred to as connections only. These connection profiles contain a
network configuration. When NetworkManager activates a connection
profile on a network device the configuration will be applied and an
active network connection will be established. Users are free to create
as many connection profiles as they see fit. Thus they are flexible in
having various network configurations for different networking needs.

NetworkManager provides an API for configuring connection profiles, for
activating them to configure the network, and inspecting the current
network configuration. The command line tool nmcli is a client
application to NetworkManager that uses this API. See nmcli(1) for
details.

With commands like nmcli connection add, nmcli connection modify and
nmcli connection show, connection profiles can be created, modified and
inspected. A profile consists of properties. On D-Bus this follows the
format as described by nm-settings-dbus(5), while this manual page
describes the settings format as expected by nmcli.

The settings and properties shown in tables below list all available
connection configuration options. However, note that not all settings
are applicable to all connection types. The nmcli connection editor
also has a built-in describe command that can display descriptions of
particular settings and properties on this page.

Setting and property names can be abbreviated provided the
abbreviations are unique. The list below also shows aliases that can be
used unqualified instead of the full name. For example
connection.interface-name and ifname refer to the same property.

connection setting
General Connection Profile Settings.

Properties:

auth-retries
The number of retries for the authentication. Zero means to try
indefinitely; -1 means to use a global default. If the global
default is not set, authentication is retried 3 times before
failing the connection. Currently this only applies to 802-1x
authentication.

Format: int32

autoconnect
Alias: autoconnect

Whether or not the connection should be automatically connected by
NetworkManager when the resources for the connection are available.
TRUE to automatically activate the connection, FALSE to require
manual intervention to activate the connection. Note that
autoconnect is not implemented for VPN profiles. See "secondaries"
as an alternative to automatically connect VPN profiles.

Format: boolean

autoconnect-priority
The autoconnect priority. If the connection is set to autoconnect,
connections with higher priority will be preferred. Defaults to 0.
A higher number means higher priority.

Format: int32

autoconnect-retries
The number of times a connection should be tried when
autoactivating before giving up. Zero means forever, -1 means the
global default (4 times if not overridden). Setting this to 1 means
to try activation only once before blocking autoconnect. Note that
after a timeout, NetworkManager will try to autoconnect again.

Format: int32

autoconnect-slaves
Whether or not slaves of this connection should be automatically
brought up when NetworkManager activates this connection. This only
has a real effect for master connections. The properties
"autoconnect", "autoconnect-priority" and "autoconnect-retries" are
unrelated to this setting. The permitted values are: 0: leave slave
connections untouched, 1: activate all the slave connections with
this connection, -1: default. If -1 (default) is set, global
connection.autoconnect-slaves is read to determine the real value.
If it is default as well, this falls back to 0.

Format: NMSettingConnectionAutoconnectSlaves (int32)

gateway-ping-timeout
If greater than zero, delay success of IP addressing until either
the timeout is reached, or an IP gateway replies to a ping.

Format: uint32

id
Alias: con-name

A human readable unique identifier for the connection, like "Work
Wi-Fi" or "T-Mobile 3G".

Format: string

interface-name
Alias: ifname

The name of the network interface this connection is bound to. If
not set, then the connection can be attached to any interface of
the appropriate type (subject to restrictions imposed by other
settings). For software devices this specifies the name of the
created device. For connection types where interface names cannot
easily be made persistent (e.g. mobile broadband or USB Ethernet),
this property should not be used. Setting this property restricts
the interfaces a connection can be used with, and if interface
names change or are reordered the connection may be applied to the
wrong interface.

Format: string

lldp
Whether LLDP is enabled for the connection.

Format: int32

llmnr
Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
the connection. LLMNR is a protocol based on the Domain Name System
(DNS) packet format that allows both IPv4 and IPv6 hosts to perform
name resolution for hosts on the same local link. The permitted
values are: "yes" (2) register hostname and resolving for the
connection, "no" (0) disable LLMNR for the interface, "resolve" (1)
do not register hostname but allow resolving of LLMNR host names. If
unspecified, "default" ultimately depends on the DNS plugin (which
for systemd-resolved currently means "yes"). This feature requires
a plugin which supports LLMNR. Otherwise the setting has no effect.
One such plugin is dns-systemd-resolved.

Format: int32

master
Alias: master

Interface name of the master device or UUID of the master
connection.

Format: string

mdns
Whether mDNS is enabled for the connection. The permitted values
are: "yes" (2) register hostname and resolving for the connection,
"no" (0) disable mDNS for the interface, "resolve" (1) do not
register hostname but allow resolving of mDNS host names and
"default" (-1) to allow lookup of a global default in
NetworkManager.conf. If unspecified, "default" ultimately depends
on the DNS plugin (which for systemd-resolved currently means
"no"). This feature requires a plugin which supports mDNS.
Otherwise the setting has no effect. One such plugin is
dns-systemd-resolved.

Format: int32

metered
Whether the connection is metered. When updating this property on a
currently activated connection, the change takes effect
immediately.

Format: NMMetered (int32)

mud-url
If configured, set to a Manufacturer Usage Description (MUD) URL
that points to manufacturer-recommended network policies for IoT
devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
must be a valid URL starting with "https://". The special value
"none" is allowed to indicate that no MUD URL is used. If the
per-profile value is unspecified (the default), a global connection
default gets consulted. If still unspecified, the ultimate default
is "none".

Format: string

multi-connect
Specifies whether the profile can be active multiple times at a
particular moment. The value is of type NMConnectionMultiConnect.

Format: int32

permissions
An array of strings defining what access a given user has to this
connection. If this is NULL or empty, all users are allowed to
access this connection; otherwise users are allowed if and only if
they are in this list. When this is not empty, the connection can
be active only when one of the specified users is logged into an
active session. Each entry is of the form "[type]:[id]:[reserved]";
for example, "user:dcbw:blah". At this time only the "user" [type]
is allowed. Any other values are ignored and reserved for future
use. [id] is the username that this permission refers to, which may
not contain the ":" character. Any [reserved] information present
must be ignored and is reserved for future use. All of [type],
[id], and [reserved] must be valid UTF-8.

Format: array of string

read-only
FALSE if the connection can be modified using the provided settings
service's D-Bus interface with the right privileges, or TRUE if the
connection is read-only and cannot be modified.

Format: boolean

secondaries
List of connection UUIDs that should be activated when the base
connection itself is activated. Currently only VPN connections are
supported.

Format: array of string

slave-type
Alias: slave-type

Setting name of the device type of this slave's master connection
(e.g. "bond"), or NULL if this connection is not a slave.

Format: string

stable-id
This represents the identity of the connection used for various
purposes. It allows multiple profiles to be configured to share the
identity. Also, the stable-id can contain placeholders that are
substituted dynamically and deterministically depending on the
context. The stable-id is used for generating IPv6 stable private
addresses with ipv6.addr-gen-mode=stable-privacy. It is also used
to seed the generated cloned MAC address for
ethernet.cloned-mac-address=stable and
wifi.cloned-mac-address=stable. It is also used as DHCP client
identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid]. Note that depending
on the context where it is used, other parameters are also seeded
into the generation algorithm. For example, a per-host key is
commonly also included, so that different systems end up generating
different IDs. Or with ipv6.addr-gen-mode=stable-privacy, also the
device's name is included, so that different interfaces yield
different addresses. The '$' character is treated specially to
perform dynamic substitutions at runtime. Currently supported are
"${CONNECTION}", "${DEVICE}", "${MAC}", "${BOOT}", "${RANDOM}".
These effectively create unique IDs per-connection, per-device,
per-boot, or every time. Note that "${DEVICE}" corresponds to the
interface name of the device and "${MAC}" is the permanent MAC
address of the device. Any unrecognized patterns following '$' are
treated verbatim, but are reserved for future use. You are thus
advised to avoid '$' or escape it as "$$". For example, set it to
"${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
connection that changes with every reboot and differs depending on
the interface where the profile activates. If the value is unset, a
global connection default is consulted. If the value is still
unset, the default is similar to "${CONNECTION}" and uses a unique,
fixed ID for the connection.

Format: string
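
Because the stable-id seeds the cloned MAC address, the IPv6 stable-privacy address and the DHCP identifiers, its placeholders decide whether those identifiers stay fixed or rotate. The following is an added example, not NetworkManager code: a linter that classifies a stable-id value by the placeholders listed above and flags unescaped '$' patterns. The function names and scope labels are hypothetical.

```python
import re

# Placeholders the page lists as currently supported, mapped to the
# uniqueness each one adds (labels are this example's own).
PLACEHOLDERS = {
    "${CONNECTION}": "per-connection",
    "${DEVICE}": "per-device",       # interface name
    "${MAC}": "per-device",          # permanent MAC address
    "${BOOT}": "per-boot",
    "${RANDOM}": "every-time",
}

# Matches "$$" (escaped dollar), a "${...}" pattern, or a lone "$".
TOKEN = re.compile(r"\$\$|\$\{[^}]*\}|\$")


def lint_stable_id(value):
    """Return (scopes, warnings) for a connection.stable-id value."""
    if not value:
        # Unset, and assuming no global connection default is configured:
        # the page says the default is similar to "${CONNECTION}".
        return ["per-connection"], []
    scopes, warnings = [], []
    for match in TOKEN.finditer(value):
        token = match.group(0)
        if token == "$$":
            continue  # escaped literal '$', nothing to report
        scope = PLACEHOLDERS.get(token)
        if scope is None:
            # Treated verbatim today, but reserved for future use.
            warnings.append(
                "unrecognized %r at offset %d: escape '$' as '$$'"
                % (token, match.start())
            )
        elif scope not in scopes:
            scopes.append(scope)
    if not scopes:
        # Pure literal: every profile with this value shares the identity.
        scopes.append("shared-literal")
    return scopes, warnings


def rotates(value):
    """True if identifiers derived from this stable-id change over time."""
    scopes, _ = lint_stable_id(value)
    return "per-boot" in scopes or "every-time" in scopes


if __name__ == "__main__":
    for candidate in ("${CONNECTION}-${BOOT}-${DEVICE}", "lab$5-${HOST}", ""):
        print(repr(candidate), lint_stable_id(candidate), rotates(candidate))
```
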

timestamp
The time, in seconds since the Unix Epoch, that the connection was
last _successfully_ fully activated. NetworkManager updates the
connection timestamp periodically when the connection is active to
ensure that an active connection has the latest timestamp. The
property is only meant for reading (changes to this property will
not be preserved).

Format: uint64

type
Alias: type

Base type of the connection. For hardware-dependent connections,
should contain the setting name of the hardware-type specific
setting (e.g. "802-3-ethernet" or "802-11-wireless" or "bluetooth",
etc), and for non-hardware dependent connections like VPN or
otherwise, should contain the setting name of that setting type
(e.g. "vpn" or "bridge", etc).

Format: string

uuid
A universally unique identifier for the connection, for example
generated with libuuid. It should be assigned when the connection
is created, and never changed as long as the connection still
applies to the same network. For example, it should not be changed
when the "id" property or NMSettingIP4Config changes, but might
need to be re-created when the Wi-Fi SSID, mobile broadband network
provider, or "type" property changes. The UUID must be in the
format "2815492f-7e56-435e-b2e9-246bd7cdc664" (i.e. contains only
hexadecimal characters and "-").

Format: string

wait-device-timeout
Timeout in milliseconds to wait for device at startup. During boot,
devices may take a while to be detected by the driver. This
property delays NetworkManager-wait-online.service and
nm-online to give the device a chance to appear. This works by
waiting for the given timeout until a compatible device for the
profile is available and managed. The value 0 means no wait time.
The default value is -1, which currently has the same meaning as no
wait time.

Format: int32

zone
The trust level of the connection. Free-form, case-insensitive
string (for example "Home", "Work", "Public"). NULL or unspecified
zone means the connection will be placed in the default zone as
defined by the firewall. When updating this property on a currently
activated connection, the change takes effect immediately.

Format: string

6lowpan setting
6LoWPAN Settings.

Properties:

parent
Alias: dev

If given, specifies the parent interface name or parent connection
UUID from which this 6LoWPAN interface should be created.

Format: string

802-1x setting
IEEE 802.1x Authentication Settings.

Properties:

altsubject-matches
List of strings to be matched against the altSubjectName of the
certificate presented by the authentication server. If the list is
empty, no verification of the server certificate's altSubjectName
is performed.

Format: array of string

anonymous-identity
Anonymous identity string for EAP authentication methods. Used as
the unencrypted identity with EAP types that support different
tunneled identity like EAP-TTLS.

Format: string

auth-timeout
A timeout for the authentication. Zero means the global default; if
the global default is not set, the authentication timeout is 25
seconds.

Format: int32

ca-cert
Contains the CA certificate if used by the EAP method specified in
the "eap" property. Certificate data is specified using a "scheme";
three are currently supported: blob, path and pkcs#11 URL. When
using the blob scheme this property should be set to the
certificate's DER encoded data. When using the path scheme, this
property should be set to the full UTF-8 encoded path of the
certificate, prefixed with the string "file://" and ending with a
terminating NUL byte. This property can be unset even if the EAP
method supports CA certificates, but this allows man-in-the-middle
attacks and is NOT recommended. Note that enabling
NMSetting8021x:system-ca-certs will override this setting to use
the built-in path, if the built-in path is not a directory.

Format: byte array

ca-cert-password
The password used to access the CA certificate stored in "ca-cert"
property. Only makes sense if the certificate is stored on a
PKCS#11 token that requires a login.

Format: string

ca-cert-password-flags
Flags indicating how to handle the "ca-cert-password" property. See
the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

ca-path
UTF-8 encoded path to a directory containing PEM or DER formatted
certificates to be added to the verification chain in addition to
the certificate specified in the "ca-cert" property. If
NMSetting8021x:system-ca-certs is enabled and the built-in CA path
is an existing directory, then this setting is ignored.

Format: string

client-cert
Contains the client certificate if used by the EAP method specified
in the "eap" property. Certificate data is specified using a
"scheme"; two are currently supported: blob and path. When using
the blob scheme (which is backwards compatible with NM 0.7.x) this
property should be set to the certificate's DER encoded data. When
using the path scheme, this property should be set to the full
UTF-8 encoded path of the certificate, prefixed with the string
"file://" and ending with a terminating NUL byte.

Format: byte array

client-cert-password
The password used to access the client certificate stored in
"client-cert" property. Only makes sense if the certificate is
stored on a PKCS#11 token that requires a login.

Format: string

client-cert-password-flags
Flags indicating how to handle the "client-cert-password" property.
See the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

domain-match
Constraint for server domain name. If set, this list of FQDNs is
used as a match requirement for dNSName element(s) of the
certificate presented by the authentication server. If a matching
dNSName is found, this constraint is met. If no dNSName values are
present, this constraint is matched against SubjectName CN using
the same comparison. Multiple valid FQDNs can be passed as a ";"
delimited list.

Format: string

domain-suffix-match
Constraint for server domain name. If set, this FQDN is used as a
suffix match requirement for dNSName element(s) of the certificate
presented by the authentication server. If a matching dNSName is
found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using the same
suffix match comparison. Since version 1.24, multiple valid FQDNs
can be passed as a ";" delimited list.

Format: string

eap
The allowed EAP method to be used when authenticating to the
network with 802.1x. Valid methods are: "leap", "md5", "tls",
"peap", "ttls", "pwd", and "fast". Each method requires different
configuration using the properties of this setting; refer to
wpa_supplicant documentation for the allowed combinations.

Format: array of string

identity
Identity string for EAP authentication methods. Often the user's
user or login name.

Format: string

optional
Whether the 802.1X authentication is optional. If TRUE, the
activation will continue even after a timeout or an authentication
failure. Setting the property to TRUE is currently allowed only for
Ethernet connections. If set to FALSE, the activation can continue
only after a successful authentication.

Format: boolean

pac-file
UTF-8 encoded file path containing PAC for EAP-FAST.

Format: string

password
UTF-8 encoded password used for EAP authentication methods. If both
the "password" property and the "password-raw" property are
specified, "password" is preferred.

Format: string

password-flags
Flags indicating how to handle the "password" property. See the
section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

password-raw
Password used for EAP authentication methods, given as a byte array
to allow passwords in other encodings than UTF-8 to be used. If
both the "password" property and the "password-raw" property are
specified, "password" is preferred.

Format: byte array

password-raw-flags
Flags indicating how to handle the "password-raw" property. See the
section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

phase1-auth-flags
Specifies authentication flags to use in "phase 1" outer
authentication using NMSetting8021xAuthFlags options. The
individual TLS versions can be explicitly disabled. If a certain
TLS disable flag is not set, it is up to the supplicant to allow or
forbid it. The TLS options map to tls_disable_tlsv1_x settings. See
the wpa_supplicant documentation for more details.

Format: uint32

phase1-fast-provisioning
Enables or disables in-line provisioning of EAP-FAST credentials
when FAST is specified as the EAP method in the "eap" property.
Recognized values are "0" (disabled), "1" (allow unauthenticated
provisioning), "2" (allow authenticated provisioning), and "3"
(allow both authenticated and unauthenticated provisioning). See
the wpa_supplicant documentation for more details.

Format: string

phase1-peaplabel
Forces use of the new PEAP label during key derivation. Some RADIUS
servers may require forcing the new PEAP label to interoperate with
PEAPv1. Set to "1" to force use of the new PEAP label. See the
wpa_supplicant documentation for more details.

Format: string

phase1-peapver
Forces which PEAP version is used when PEAP is set as the EAP
method in the "eap" property. When unset, the version reported by
the server will be used. Sometimes when using older RADIUS servers,
it is necessary to force the client to use a particular PEAP
version. To do so, this property may be set to "0" or "1" to force
that specific PEAP version.

Format: string

phase2-altsubject-matches
List of strings to be matched against the altSubjectName of the
certificate presented by the authentication server during the inner
"phase 2" authentication. If the list is empty, no verification of
the server certificate's altSubjectName is performed.

Format: array of string

phase2-auth
Specifies the allowed "phase 2" inner non-EAP authentication method
when an EAP method that uses an inner TLS tunnel is specified in
the "eap" property. Recognized non-EAP "phase 2" methods are "pap",
"chap", "mschap", "mschapv2", "gtc", "otp", "md5", and "tls". Each
"phase 2" inner method requires specific parameters for successful
authentication; see the wpa_supplicant documentation for more
details.

Format: string

phase2-autheap
Specifies the allowed "phase 2" inner EAP-based authentication
method when an EAP method that uses an inner TLS tunnel is
specified in the "eap" property. Recognized EAP-based "phase 2"
methods are "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase
2" inner method requires specific parameters for successful
authentication; see the wpa_supplicant documentation for more
details.

Format: string

phase2-ca-cert
Contains the "phase 2" CA certificate if used by the EAP method
specified in the "phase2-auth" or "phase2-autheap" properties.
Certificate data is specified using a "scheme"; three are currently
supported: blob, path and pkcs#11 URL. When using the blob scheme
this property should be set to the certificate's DER encoded data.
When using the path scheme, this property should be set to the full
UTF-8 encoded path of the certificate, prefixed with the string
"file://" and ending with a terminating NUL byte. This property can
be unset even if the EAP method supports CA certificates, but this
allows man-in-the-middle attacks and is NOT recommended. Note that
enabling NMSetting8021x:system-ca-certs will override this setting
to use the built-in path, if the built-in path is not a directory.

Format: byte array

phase2-ca-cert-password
The password used to access the "phase2" CA certificate stored in
"phase2-ca-cert" property. Only makes sense if the certificate is
stored on a PKCS#11 token that requires a login.

Format: string

phase2-ca-cert-password-flags
Flags indicating how to handle the "phase2-ca-cert-password"
property. See the section called “Secret flag types:” for flag
values.

Format: NMSettingSecretFlags (uint32)

phase2-ca-path
UTF-8 encoded path to a directory containing PEM or DER formatted
certificates to be added to the verification chain in addition to
the certificate specified in the "phase2-ca-cert" property. If
NMSetting8021x:system-ca-certs is enabled and the built-in CA path
is an existing directory, then this setting is ignored.

Format: string

phase2-client-cert
Contains the "phase 2" client certificate if used by the EAP method
specified in the "phase2-auth" or "phase2-autheap" properties.
Certificate data is specified using a "scheme"; two are currently
supported: blob and path. When using the blob scheme (which is
backwards compatible with NM 0.7.x) this property should be set to
the certificate's DER encoded data. When using the path scheme,
this property should be set to the full UTF-8 encoded path of the
certificate, prefixed with the string "file://" and ending with a
terminating NUL byte. This property can be unset even if the EAP
method supports CA certificates, but this allows man-in-the-middle
attacks and is NOT recommended.

Format: byte array

phase2-client-cert-password
The password used to access the "phase2" client certificate stored
in "phase2-client-cert" property. Only makes sense if the
certificate is stored on a PKCS#11 token that requires a login.

Format: string

phase2-client-cert-password-flags
Flags indicating how to handle the "phase2-client-cert-password"
property. See the section called “Secret flag types:” for flag
values.

Format: NMSettingSecretFlags (uint32)

phase2-domain-match
Constraint for server domain name. If set, this list of FQDNs is
used as a match requirement for dNSName element(s) of the
certificate presented by the authentication server during the inner
"phase 2" authentication. If a matching dNSName is found, this
constraint is met. If no dNSName values are present, this
constraint is matched against SubjectName CN using the same
comparison. Multiple valid FQDNs can be passed as a ";" delimited
list.

Format: string

phase2-domain-suffix-match
Constraint for server domain name. If set, this FQDN is used as a
suffix match requirement for dNSName element(s) of the certificate
presented by the authentication server during the inner "phase 2"
authentication. If a matching dNSName is found, this constraint is
met. If no dNSName values are present, this constraint is matched
against SubjectName CN using the same suffix match comparison. Since
version 1.24, multiple valid FQDNs can be passed as a ";" delimited
list.

Format: string

phase2-private-key
Contains the "phase 2" inner private key when the "phase2-auth" or
"phase2-autheap" property is set to "tls". Key data is specified
using a "scheme"; two are currently supported: blob and path. When
using the blob scheme and private keys, this property should be set
to the key's encrypted PEM encoded data. When using private keys
with the path scheme, this property should be set to the full UTF-8
encoded path of the key, prefixed with the string "file://" and
ending with a terminating NUL byte. When using PKCS#12 format
private keys and the blob scheme, this property should be set to
the PKCS#12 data and the "phase2-private-key-password" property
must be set to the password used to decrypt the PKCS#12 certificate
and key. When using PKCS#12 files and the path scheme, this property
should be set to the full UTF-8 encoded path of the key, prefixed
with the string "file://" and ending with a terminating NUL byte,
and as with the blob scheme the "phase2-private-key-password"
property must be set to the password used to decode the PKCS#12
private key and certificate.

Format: byte array

phase2-private-key-password
The password used to decrypt the "phase 2" private key specified in
the "phase2-private-key" property when the private key either uses
the path scheme, or is a PKCS#12 format key.

Format: string

phase2-private-key-password-flags
Flags indicating how to handle the "phase2-private-key-password"
property. See the section called “Secret flag types:” for flag
values.

Format: NMSettingSecretFlags (uint32)

phase2-subject-match
Substring to be matched against the subject of the certificate
presented by the authentication server during the inner "phase 2"
authentication. When unset, no verification of the authentication
server certificate's subject is performed. This property provides
little security, if any, and its use is deprecated in favor of
NMSetting8021x:phase2-domain-suffix-match.

Format: string

pin
PIN used for EAP authentication methods.

Format: string

pin-flags
Flags indicating how to handle the "pin" property. See the section
called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

private-key
Contains the private key when the "eap" property is set to "tls".
Key data is specified using a "scheme"; two are currently
supported: blob and path. When using the blob scheme and private
keys, this property should be set to the key's encrypted PEM
encoded data. When using private keys with the path scheme, this
property should be set to the full UTF-8 encoded path of the key,
prefixed with the string "file://" and ending with a terminating
NUL byte. When using PKCS#12 format private keys and the blob
scheme, this property should be set to the PKCS#12 data and the
"private-key-password" property must be set to the password used to
decrypt the PKCS#12 certificate and key. When using PKCS#12 files
and the path scheme, this property should be set to the full UTF-8
encoded path of the key, prefixed with the string "file://" and
ending with a terminating NUL byte, and as with the blob scheme the
"private-key-password" property must be set to the password used to
decode the PKCS#12 private key and certificate. WARNING:
"private-key" is not a "secret" property, and thus unencrypted
private key data using the BLOB scheme may be readable by
unprivileged users. Private keys should always be encrypted with a
private key password to prevent unauthorized access to unencrypted
private key data.

Format: byte array

private-key-password
The password used to decrypt the private key specified in the
"private-key" property when the private key either uses the path
scheme, or if the private key is a PKCS#12 format key.

Format: string

private-key-password-flags
Flags indicating how to handle the "private-key-password" property.
See the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

subject-match
Substring to be matched against the subject of the certificate
presented by the authentication server. When unset, no verification
of the authentication server certificate's subject is performed.
This property provides little security, if any, and its use is
deprecated in favor of NMSetting8021x:domain-suffix-match.

Format: string

system-ca-certs
When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
using the system CA directory specified at configure time with the
--system-ca-path switch. The certificates in this directory are
added to the verification chain in addition to any certificates
specified by the "ca-cert" and "phase2-ca-cert" properties. If the
path provided with --system-ca-path is rather a file name (bundle
of trusted CA certificates), it overrides "ca-cert" and
"phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
for wpa_supplicant).

Format: boolean
778
779 adsl setting
780 ADSL Settings.
781
782 Properties:
783
784 encapsulation
785 Alias: encapsulation
786
787 Encapsulation of ADSL connection. Can be "vcmux" or "llc".
788
789 Format: string
790
791 password
792 Alias: password
793
794 Password used to authenticate with the ADSL service.
795
796 Format: string
797
798 password-flags
799 Flags indicating how to handle the "password" property. See the
800 section called “Secret flag types:” for flag values.
801
802 Format: NMSettingSecretFlags (uint32)
803
804 protocol
805 Alias: protocol
806
807 ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
808
809 Format: string
810
811 username
812 Alias: username
813
814 Username used to authenticate with the ADSL service.
815
816 Format: string
817
818 vci
819 VCI of ADSL connection.
820
821 Format: uint32
822
823 vpi
824 VPI of ADSL connection.
825
826 Format: uint32
827
828 bluetooth setting
829 Bluetooth Settings.
830
831 Properties:
832
833 bdaddr
834 Alias: addr
835
836 The Bluetooth address of the device.
837
838 Format: byte array
839
840 type
841 Alias: bt-type
842
843 Either "dun" for Dial-Up Networking connections or "panu" for
844 Personal Area Networking connections to devices supporting the NAP
845 profile.
846
847 Format: string
848
849 bond setting
850 Bonding Settings.
851
852 Properties:
853
854 options
855 Dictionary of key/value pairs of bonding options. Both keys and
856 values must be strings. Option names must contain only alphanumeric
857 characters (i.e., [a-zA-Z0-9]).
858
859 Format: dict of string to string
860
861 bridge setting
862 Bridging Settings.
863
864 Properties:
865
866 ageing-time
867 Alias: ageing-time
868
869 The Ethernet MAC address aging time, in seconds.
870
871 Format: uint32
872
873 forward-delay
874 Alias: forward-delay
875
876 The Spanning Tree Protocol (STP) forwarding delay, in seconds.
877
878 Format: uint32
879
880 group-address
881 If specified, the MAC address of the multicast group this bridge
882 uses for STP. The address must be a link-local address in standard
883 Ethernet MAC address format, i.e. an address of the form
884 01:80:C2:00:00:0X, with X in [0, 4..F]. If not specified the
885 default value is 01:80:C2:00:00:00.
886
887 Format: byte array
888
889 group-forward-mask
890 Alias: group-forward-mask
891
892 A mask of group addresses to forward. Usually, group addresses in
893 the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
894 forwarded according to standards. This property is a mask of 16
895 bits, each corresponding to a group address in that range that must
896 be forwarded. The mask can't have bits 0, 1 or 2 set because they
897 are used for STP, MAC pause frames and LACP.
898
899 Format: uint32
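
The following is an added example, not code from NetworkManager: it validates a "group-address" value and builds or decodes a "group-forward-mask" under the constraints stated above. The function names are hypothetical, and the mapping of bit N to the address ending in 0N is this example's assumption, following the Linux bridge convention.

```python
import re

# Added example (not NetworkManager code). Assumption: bit N of the mask
# corresponds to group address 01:80:C2:00:00:0N.
GROUP_RE = re.compile(r"01:80:C2:00:00:0([0-9A-F])", re.IGNORECASE)
RESERVED_BITS = 0b0111  # bits 0, 1, 2: STP, MAC pause frames, LACP


def group_index(mac):
    """Return X for an address of the form 01:80:C2:00:00:0X."""
    match = GROUP_RE.fullmatch(mac.strip())
    if match is None:
        raise ValueError("%r is outside 01:80:C2:00:00:00 to 01:80:C2:00:00:0F" % mac)
    return int(match.group(1), 16)


def is_valid_group_address(mac):
    """bridge.group-address accepts X in [0, 4..F] only."""
    try:
        x = group_index(mac)
    except ValueError:
        return False
    return x == 0 or x >= 4


def check_forward_mask(mask):
    """Reject masks that are not 16 bits wide or that set bits 0, 1 or 2."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("mask must fit in 16 bits")
    if mask & RESERVED_BITS:
        raise ValueError("bits 0, 1 and 2 cannot be set")
    return mask


def forward_mask(addresses):
    """Build the mask that forwards exactly the given group addresses."""
    mask = 0
    for mac in addresses:
        mask |= 1 << group_index(mac)
    return check_forward_mask(mask)


def forwarded_addresses(mask):
    """List the group addresses a mask causes the bridge to forward."""
    check_forward_mask(mask)
    return ["01:80:C2:00:00:%02X" % i for i in range(16) if mask & (1 << i)]


if __name__ == "__main__":
    # Constructed input: forward the 802.1X PAE (…:03) and LLDP (…:0E) groups.
    wanted = ["01:80:C2:00:00:03", "01:80:C2:00:00:0E"]
    print(forward_mask(wanted), forwarded_addresses(forward_mask(wanted)))
```

Decoding an existing mask with forwarded_addresses() shows which link-local control protocols a bridge relays between its ports, which is worth reviewing before a profile is deployed.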
900
901 hello-time
902 Alias: hello-time
903
904 The Spanning Tree Protocol (STP) hello time, in seconds.
905
906 Format: uint32
907
908 mac-address
909 Alias: mac
910
911 If specified, the MAC address of the bridge. When creating a new
912 bridge, this MAC address will be set. If this field is left
913 unspecified, the "ethernet.cloned-mac-address" is referred to instead
914 to generate the initial MAC address. Note that setting
915 "ethernet.cloned-mac-address" anyway overwrites the MAC address of
916 the bridge later while activating the bridge. Hence, this property
917 is deprecated. Deprecated: 1
918
919 Format: byte array
920
921 max-age
922 Alias: max-age
923
924 The Spanning Tree Protocol (STP) maximum message age, in seconds.
925
926 Format: uint32
927
928 multicast-hash-max
929 Set maximum size of multicast hash table (value must be a power of
930 2).
931
932 Format: uint32
933
934 multicast-last-member-count
935 Set the number of queries the bridge will send before stopping
936 forwarding a multicast group after a "leave" message has been
937 received.
938
939 Format: uint32
940
941 multicast-last-member-interval
942 Set interval (in deciseconds) between queries to find remaining
943 members of a group, after a "leave" message is received.
944
945 Format: uint64
946
947 multicast-membership-interval
948 Set delay (in deciseconds) after which the bridge will leave a
949 group, if no membership reports for this group are received.
950
951 Format: uint64
952
953 multicast-querier
954 Enable or disable sending of multicast queries by the bridge. If
955 not specified the option is disabled.
956
957 Format: boolean
958
959 multicast-querier-interval
960 If no queries are seen after this delay (in deciseconds) has
961 passed, the bridge will start to send its own queries.
962
963 Format: uint64
964
965 multicast-query-interval
966 Interval (in deciseconds) between queries sent by the bridge after
967 the end of the startup phase.
968
969 Format: uint64
970
971 multicast-query-response-interval
972 Set the Max Response Time/Max Response Delay (in deciseconds) for
973 IGMP/MLD queries sent by the bridge.
974
975 Format: uint64
976
977 multicast-query-use-ifaddr
978 If enabled the bridge's own IP address is used as the source
979 address for IGMP queries otherwise the default of 0.0.0.0 is used.
980
981 Format: boolean
982
983 multicast-router
984 Sets bridge's multicast router. Multicast-snooping must be enabled
985 for this option to work. Supported values are: 'auto', 'disabled',
986 'enabled'. If not specified the default value is 'auto'.
987
988 Format: string
989
990 multicast-snooping
991 Alias: multicast-snooping
992
993 Controls whether IGMP snooping is enabled for this bridge. Note
994 that if snooping was automatically disabled due to hash collisions,
995 the system may refuse to enable the feature until the collisions
996 are resolved.
997
998 Format: boolean
999
1000 multicast-startup-query-count
1001 Set the number of IGMP queries to send during startup phase.
1002
1003 Format: uint32
1004
1005 multicast-startup-query-interval
1006 Sets the time (in deciseconds) between queries sent out at startup
1007 to determine membership information.
1008
1009 Format: uint64
1010
1011 priority
1012 Alias: priority
1013
1014 Sets the Spanning Tree Protocol (STP) priority for this bridge.
1015 Lower values are "better"; the lowest priority bridge will be
1016 elected the root bridge.
1017
1018 Format: uint32
1019
1020 stp
1021 Alias: stp
1022
1023 Controls whether Spanning Tree Protocol (STP) is enabled for this
1024 bridge.
1025
1026 Format: boolean
1027
1028 vlan-default-pvid
1029 The default PVID for the ports of the bridge, that is the VLAN id
1030 assigned to incoming untagged frames.
1031
1032 Format: uint32
1033
1034 vlan-filtering
1035 Control whether VLAN filtering is enabled on the bridge.
1036
1037 Format: boolean
1038
1039 vlan-protocol
1040 If specified, the protocol used for VLAN filtering. Supported
1041 values are: '802.1Q', '802.1ad'. If not specified the default value
1042 is '802.1Q'.
1043
1044 Format: string
1045
1046 vlan-stats-enabled
1047 Controls whether per-VLAN stats accounting is enabled.
1048
1049 Format: boolean
1050
1051 vlans
1052 Array of bridge VLAN objects. In addition to the VLANs specified
1053 here, the bridge will also have the default-pvid VLAN configured by
1054 the bridge.vlan-default-pvid property. In nmcli the VLAN list can
1055 be specified with the following syntax: $vid [pvid] [untagged] [,
1056 $vid [pvid] [untagged]]... where $vid is either a single id between
1057 1 and 4094 or a range, represented as a couple of ids separated by
1058 a dash.
1059
1060 Format: array of vardict
1061
1062 bridge-port setting
1063 Bridge Port Settings.
1064
1065 Properties:
1066
1067 hairpin-mode
1068 Alias: hairpin
1069
1070 Enables or disables "hairpin mode" for the port, which allows
1071 frames to be sent back out through the port the frame was received
1072 on.
1073
1074 Format: boolean
1075
1076 path-cost
1077 Alias: path-cost
1078
1079 The Spanning Tree Protocol (STP) port cost for destinations via
1080 this port.
1081
1082 Format: uint32
1083
1084 priority
1085 Alias: priority
1086
1087 The Spanning Tree Protocol (STP) priority of this bridge port.
1088
1089 Format: uint32
1090
1091 vlans
1092 Array of bridge VLAN objects. In addition to the VLANs specified
1093 here, the port will also have the default-pvid VLAN configured on
1094 the bridge by the bridge.vlan-default-pvid property. In nmcli the
1095 VLAN list can be specified with the following syntax: $vid [pvid]
1096 [untagged] [, $vid [pvid] [untagged]]... where $vid is either a
1097 single id between 1 and 4094 or a range, represented as a couple of
1098 ids separated by a dash.
1099
1100 Format: array of vardict
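
The following is an added example, not nmcli's own parser: it parses the VLAN list syntax given for "bridge.vlans" and "bridge-port.vlans" and computes the set of VLAN ids that results once the default-pvid VLAN is added. The function names are hypothetical; accepting the two flags in either order and rejecting a range whose end is below its start are assumptions of this example.

```python
# Added example (not nmcli's parser): parse "$vid [pvid] [untagged] [, ...]".

ALLOWED_FLAGS = {"pvid", "untagged"}


def parse_vid(token):
    """Parse one VLAN id and enforce the 1..4094 range."""
    if not token.isdigit():
        raise ValueError("VLAN id %r is not a number" % token)
    vid = int(token)
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN id %d is outside 1..4094" % vid)
    return vid


def parse_vlans(spec):
    """Return one dict per comma-separated entry of the VLAN list."""
    entries = []
    for item in spec.split(","):
        tokens = item.split()
        if not tokens:
            raise ValueError("empty VLAN entry")
        # $vid is a single id or a range written as two ids joined by a dash.
        first, dash, last = tokens[0].partition("-")
        start = parse_vid(first)
        end = parse_vid(last) if dash else start
        if end < start:
            raise ValueError("range %s runs backwards" % tokens[0])
        flags = tokens[1:]
        if len(set(flags)) != len(flags) or not set(flags) <= ALLOWED_FLAGS:
            raise ValueError("unexpected flags in %r" % item.strip())
        entries.append({
            "start": start,
            "end": end,
            "pvid": "pvid" in flags,
            "untagged": "untagged" in flags,
        })
    return entries


def effective_vlan_ids(spec, default_pvid):
    """VLAN ids present on the bridge or port: the listed ones plus the
    VLAN named by bridge.vlan-default-pvid."""
    ids = {default_pvid}
    for entry in parse_vlans(spec):
        ids.update(range(entry["start"], entry["end"] + 1))
    return sorted(ids)


if __name__ == "__main__":
    # Constructed input.
    print(parse_vlans("10 pvid untagged, 20-22"))
    print(effective_vlan_ids("10 pvid untagged, 20-22", 1))
```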
1101
1102 cdma setting
1103 CDMA-based Mobile Broadband Settings.
1104
1105 Properties:
1106
1107 mtu
1108 If non-zero, only transmit packets of the specified size or
1109 smaller, breaking larger packets up into multiple frames.
1110
1111 Format: uint32
1112
1113 number
1114 The number to dial to establish the connection to the CDMA-based
1115 mobile broadband network, if any. If not specified, the default
1116 number (#777) is used when required.
1117
1118 Format: string
1119
1120 password
1121 Alias: password
1122
1123 The password used to authenticate with the network, if required.
1124 Many providers do not require a password, or accept any password.
1125 But if a password is required, it is specified here.
1126
1127 Format: string
1128
1129 password-flags
1130 Flags indicating how to handle the "password" property. See the
1131 section called “Secret flag types:” for flag values.
1132
1133 Format: NMSettingSecretFlags (uint32)
1134
1135 username
1136 Alias: user
1137
1138 The username used to authenticate with the network, if required.
1139 Many providers do not require a username, or accept any username.
1140 But if a username is required, it is specified here.
1141
1142 Format: string
1143
1144 dcb setting
1145 Data Center Bridging Settings.
1146
1147 Properties:
1148
1149 app-fcoe-flags
1150 Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1151 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1152 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1153 NM_SETTING_DCB_FLAG_WILLING (0x4).
1154
1155 Format: NMSettingDcbFlags (uint32)
1156
1157 app-fcoe-mode
1158 The FCoE controller mode; either "fabric" (default) or "vn2vn".
1159
1160 Format: string
1161
1162 app-fcoe-priority
1163 The highest User Priority (0 - 7) which FCoE frames should use, or
1164 -1 for default priority. Only used when the "app-fcoe-flags"
1165 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1166
1167 Format: int32
1168
1169 app-fip-flags
1170 Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1171 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1172 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1173 NM_SETTING_DCB_FLAG_WILLING (0x4).
1174
1175 Format: NMSettingDcbFlags (uint32)
1176
1177 app-fip-priority
1178 The highest User Priority (0 - 7) which FIP frames should use, or
1179 -1 for default priority. Only used when the "app-fip-flags"
1180 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1181
1182 Format: int32
1183
1184 app-iscsi-flags
1185 Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1186 Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1187 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1188 NM_SETTING_DCB_FLAG_WILLING (0x4).
1189
1190 Format: NMSettingDcbFlags (uint32)
1191
1192 app-iscsi-priority
1193 The highest User Priority (0 - 7) which iSCSI frames should use, or
1194 -1 for default priority. Only used when the "app-iscsi-flags"
1195 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1196
1197 Format: int32
1198
1199 priority-bandwidth
1200 An array of 8 uint values, where the array index corresponds to the
1201 User Priority (0 - 7) and the value indicates the percentage of
1202 bandwidth of the priority's assigned group that the priority may
1203 use. The sum of all percentages for priorities which belong to the
1204 same group must total 100 percent.
1205
1206 Format: array of uint32
1207
1208 priority-flow-control
1209 An array of 8 boolean values, where the array index corresponds to
1210 the User Priority (0 - 7) and the value indicates whether or not
1211 the corresponding priority should transmit priority pause.
1212
1213 Format: array of uint32
1214
1215 priority-flow-control-flags
1216 Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1217 (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1218 (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1219 NM_SETTING_DCB_FLAG_WILLING (0x4).
1220
1221 Format: NMSettingDcbFlags (uint32)
1222
1223 priority-group-bandwidth
1224 An array of 8 uint values, where the array index corresponds to the
1225 Priority Group ID (0 - 7) and the value indicates the percentage of
1226 link bandwidth allocated to that group. Allowed values are 0 - 100,
1227 and the sum of all values must total 100 percent.
1228
1229 Format: array of uint32
1230
1231 priority-group-flags
1232 Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1233 be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1234 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1235 NM_SETTING_DCB_FLAG_WILLING (0x4).
1236
1237 Format: NMSettingDcbFlags (uint32)
1238
1239 priority-group-id
1240 An array of 8 uint values, where the array index corresponds to the
1241 User Priority (0 - 7) and the value indicates the Priority Group
1242 ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1243 unrestricted group.
1244
1245 Format: array of uint32
1246
1247 priority-strict-bandwidth
1248 An array of 8 boolean values, where the array index corresponds to
1249 the User Priority (0 - 7) and the value indicates whether or not
1250 the priority may use all of the bandwidth allocated to its assigned
1251 group.
1252
1253 Format: array of uint32
1254
1255 priority-traffic-class
1256 An array of 8 uint values, where the array index corresponds to the
1257 User Priority (0 - 7) and the value indicates the traffic class (0
1258 - 7) to which the priority is mapped.
1259
1260 Format: array of uint32
1261
1262 ethtool setting
1263 Ethtool Ethernet Settings.
1264
1265 Properties:
1266
1267 coalesce-adaptive-rx
1268
1269 coalesce-adaptive-tx
1270
1271 coalesce-pkt-rate-high
1272
1273 coalesce-pkt-rate-low
1274
1275 coalesce-rx-frames
1276
1277 coalesce-rx-frames-high
1278
1279 coalesce-rx-frames-irq
1280
1281 coalesce-rx-frames-low
1282
1283 coalesce-rx-usecs
1284
1285 coalesce-rx-usecs-high
1286
1287 coalesce-rx-usecs-irq
1288
1289 coalesce-rx-usecs-low
1290
1291 coalesce-sample-interval
1292
1293 coalesce-stats-block-usecs
1294
1295 coalesce-tx-frames
1296
1297 coalesce-tx-frames-high
1298
1299 coalesce-tx-frames-irq
1300
1301 coalesce-tx-frames-low
1302
1303 coalesce-tx-usecs
1304
1305 coalesce-tx-usecs-high
1306
1307 coalesce-tx-usecs-irq
1308
1309 coalesce-tx-usecs-low
1310
1311 feature-esp-hw-offload
1312
1313 feature-esp-tx-csum-hw-offload
1314
1315 feature-fcoe-mtu
1316
1317 feature-gro
1318
1319 feature-gso
1320
1321 feature-highdma
1322
1323 feature-hw-tc-offload
1324
1325 feature-l2-fwd-offload
1326
1327 feature-loopback
1328
1329 feature-lro
1330
1331 feature-ntuple
1332
1333 feature-rx
1334
1335 feature-rx-all
1336
1337 feature-rx-fcs
1338
1339 feature-rx-gro-hw
1340
1341 feature-rx-udp_tunnel-port-offload
1342
1343 feature-rx-vlan-filter
1344
1345 feature-rx-vlan-stag-filter
1346
1347 feature-rx-vlan-stag-hw-parse
1348
1349 feature-rxhash
1350
1351 feature-rxvlan
1352
1353 feature-sg
1354
1355 feature-tls-hw-record
1356
1357 feature-tls-hw-tx-offload
1358
1359 feature-tso
1360
1361 feature-tx
1362
1363 feature-tx-checksum-fcoe-crc
1364
1365 feature-tx-checksum-ip-generic
1366
1367 feature-tx-checksum-ipv4
1368
1369 feature-tx-checksum-ipv6
1370
1371 feature-tx-checksum-sctp
1372
1373 feature-tx-esp-segmentation
1374
1375 feature-tx-fcoe-segmentation
1376
1377 feature-tx-gre-csum-segmentation
1378
1379 feature-tx-gre-segmentation
1380
1381 feature-tx-gso-partial
1382
1383 feature-tx-gso-robust
1384
1385 feature-tx-ipxip4-segmentation
1386
1387 feature-tx-ipxip6-segmentation
1388
1389 feature-tx-nocache-copy
1390
1391 feature-tx-scatter-gather
1392
1393 feature-tx-scatter-gather-fraglist
1394
1395 feature-tx-sctp-segmentation
1396
1397 feature-tx-tcp-ecn-segmentation
1398
1399 feature-tx-tcp-mangleid-segmentation
1400
1401 feature-tx-tcp-segmentation
1402
1403 feature-tx-tcp6-segmentation
1404
1405 feature-tx-udp-segmentation
1406
1407 feature-tx-udp_tnl-csum-segmentation
1408
1409 feature-tx-udp_tnl-segmentation
1410
1411 feature-tx-vlan-stag-hw-insert
1412
1413 feature-txvlan
1414
1415 ring-rx
1416
1417 ring-rx-jumbo
1418
1419 ring-rx-mini
1420
1421 ring-tx
1422
1423 gsm setting
1424 GSM-based Mobile Broadband Settings.
1425
1426 Properties:
1427
1428 apn
1429 Alias: apn
1430
1431 The GPRS Access Point Name specifying the APN used when
1432 establishing a data session with the GSM-based network. The APN
1433 often determines how the user will be billed for their network
1434 usage and whether the user has access to the Internet or just a
1435 provider-specific walled-garden, so it is important to use the
1436 correct APN for the user's mobile broadband plan. The APN may only
1437 be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1438 Section 14.9.
1439
1440 Format: string
1441
1442 auto-config
1443 When TRUE, the settings such as APN, username, or password will
1444 default to values that match the network the modem will register to
1445 in the Mobile Broadband Provider database.
1446
1447 Format: boolean
1448
1449 device-id
1450 The device unique identifier (as given by the WWAN management
1451 service) which this connection applies to. If given, the connection
1452 will only apply to the specified device.
1453
1454 Format: string
1455
1456 home-only
1457 When TRUE, only connections to the home network will be allowed.
1458 Connections to roaming networks will not be made.
1459
1460 Format: boolean
1461
1462 mtu
1463 If non-zero, only transmit packets of the specified size or
1464 smaller, breaking larger packets up into multiple frames.
1465
1466 Format: uint32
1467
1468 network-id
1469 The Network ID (GSM LAI format, i.e. MCC-MNC) to force specific
1470 network registration. If the Network ID is specified,
1471 NetworkManager will attempt to force the device to register only on
1472 the specified network. This can be used to ensure that the device
1473 does not roam when direct roaming control of the device is not
1474 otherwise possible.
1475
1476 Format: string
1477
1478 number
1479 Legacy setting that used to help establish PPP data sessions for
1480 GSM-based modems. Deprecated: 1
1481
1482 Format: string
1483
1484 password
1485 Alias: password
1486
1487 The password used to authenticate with the network, if required.
1488 Many providers do not require a password, or accept any password.
1489 But if a password is required, it is specified here.
1490
1491 Format: string
1492
1493 password-flags
1494 Flags indicating how to handle the "password" property. See the
1495 section called “Secret flag types:” for flag values.
1496
1497 Format: NMSettingSecretFlags (uint32)
1498
1499 pin
1500 If the SIM is locked with a PIN it must be unlocked before any
1501 other operations are requested. Specify the PIN here to allow
1502 operation of the device.
1503
1504 Format: string
1505
1506 pin-flags
1507 Flags indicating how to handle the "pin" property. See the section
1508 called “Secret flag types:” for flag values.
1509
1510 Format: NMSettingSecretFlags (uint32)
1511
1512 sim-id
1513 The SIM card unique identifier (as given by the WWAN management
1514 service) which this connection applies to. If given, the connection
1515 will apply to any device also allowed by "device-id" which contains
1516 a SIM card matching the given identifier.
1517
1518 Format: string
1519
1520 sim-operator-id
1521 A MCC/MNC string like "310260" or "21601" identifying the specific
1522 mobile network operator which this connection applies to. If given,
1523 the connection will apply to any device also allowed by "device-id"
1524 and "sim-id" which contains a SIM card provisioned by the given
1525 operator.
1526
1527 Format: string
1528
1529 username
1530 Alias: user
1531
1532 The username used to authenticate with the network, if required.
1533 Many providers do not require a username, or accept any username.
1534 But if a username is required, it is specified here.
1535
1536 Format: string
1537
1538 infiniband setting
1539 Infiniband Settings.
1540
1541 Properties:
1542
1543 mac-address
1544 Alias: mac
1545
1546 If specified, this connection will only apply to the IPoIB device
1547 whose permanent MAC address matches. This property does not change
1548 the MAC address of the device (i.e. MAC spoofing).
1549
1550 Format: byte array
1551
1552 mtu
1553 Alias: mtu
1554
1555 If non-zero, only transmit packets of the specified size or
1556 smaller, breaking larger packets up into multiple frames.
1557
1558 Format: uint32
1559
1560 p-key
1561 Alias: p-key
1562
1563 The InfiniBand P_Key to use for this device. A value of -1 means to
1564 use the default P_Key (aka "the P_Key at index 0"). Otherwise it is
1565 a 16-bit unsigned integer, whose high bit is set if it is a "full
1566 membership" P_Key.
1567
1568 Format: int32
1569
1570 parent
1571 Alias: parent
1572
1573 The interface name of the parent device of this device. Normally
1574 NULL, but if the "p_key" property is set, then you must specify the
1575 base device by setting either this property or "mac-address".
1576
1577 Format: string
1578
1579 transport-mode
1580 Alias: transport-mode
1581
1582 The IP-over-InfiniBand transport mode. Either "datagram" or
1583 "connected".
1584
1585 Format: string
1586
1587 ipv4 setting
1588 IPv4 Settings.
1589
1590 Properties:
1591
1592 addresses
1593 Alias: ip4
1594
1595 Array of IP addresses.
1596
1597 Format: array of array of uint32
1598
1599 dad-timeout
1600 Timeout in milliseconds used to check for the presence of duplicate
1601 IP addresses on the network. If an address conflict is detected,
1602 the activation will fail. A zero value means that no duplicate
1603 address detection is performed, -1 means the default value (either
1604 configuration ipvx.dad-timeout override or zero). A value greater
1605 than zero is a timeout in milliseconds. The property is currently
1606 implemented only for IPv4.
1607
1608 Format: int32
1609
1610 dhcp-client-id
1611 A string sent to the DHCP server to identify the local machine
1612 which the DHCP server may use to customize the DHCP lease and
1613 options. When the property is a hex string ('aa:bb:cc') it is
1614 interpreted as a binary client ID, in which case the first byte is
1615 assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1616 remaining bytes may be a hardware address (e.g.
1617 '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1618 rest is a MAC address). If the property is not a hex string it is
1619 considered as a non-hardware-address client ID and the 'type' field
1620 is set to 0. The special values "mac" and "perm-mac" are supported,
1621 which use the current or permanent MAC address of the device to
1622 generate a client identifier with type ethernet (01). Currently,
1623 these options only work for ethernet type of links. The special
1624 value "duid" generates an RFC4361-compliant client identifier based
1625 on a hash of the interface name as IAID and /etc/machine-id. The
1626 special value "stable" is supported to generate a type 0 client
1627 identifier based on the stable-id (see connection.stable-id) and a
1628 per-host key. If you set the stable-id, you may want to include the
1629 "${DEVICE}" or "${MAC}" specifier to get a per-device key. If
1630 unset, a globally configured default is used. If still unset, the
1631 default depends on the DHCP plugin.
1632
1633 Format: string
1634
1635 dhcp-fqdn
1636 If the "dhcp-send-hostname" property is TRUE, then the specified
1637 FQDN will be sent to the DHCP server when acquiring a lease. This
1638 property and "dhcp-hostname" are mutually exclusive and cannot be
1639 set at the same time.
1640
1641 Format: string
1642
1643 dhcp-hostname
1644 If the "dhcp-send-hostname" property is TRUE, then the specified
1645 name will be sent to the DHCP server when acquiring a lease. This
1646 property and "dhcp-fqdn" are mutually exclusive and cannot be set
1647 at the same time.
1648
1649 Format: string
1650
1651 dhcp-hostname-flags
1652 Flags for the DHCP hostname and FQDN. Currently this property only
1653 includes flags to control the FQDN flags set in the DHCP FQDN
1654 option. Supported FQDN flags are
1655 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1656 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1657 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1658 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1659 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1660 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1661 the standard FQDN flags are set in the request:
1662 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1663 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1664 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1665 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1666 (0x0), a global default is looked up in NetworkManager
1667 configuration. If that value is unset or also
1668 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1669 described above are sent in the DHCP requests.
1670
1671 Format: uint32
1672
1673 dhcp-iaid
1674 A string containing the "Identity Association Identifier" (IAID)
1675 used by the DHCP client. The property is a 32-bit decimal value or
1676 a special value among "mac", "perm-mac", "ifname" and "stable".
1677 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1678 (or permanent) MAC address are used as IAID. When set to "ifname",
1679 the IAID is computed by hashing the interface name. The special
1680 value "stable" can be used to generate an IAID based on the
1681 stable-id (see connection.stable-id), a per-host key and the
1682 interface name. When the property is unset, the value from global
1683 configuration is used; if no global default is set then the IAID is
1684 assumed to be "ifname". Note that at the moment this property is
1685 ignored for IPv6 by dhclient, which always derives the IAID from
1686 the MAC address.
1687
1688 Format: string
1689
1690 dhcp-send-hostname
1691 If TRUE, a hostname is sent to the DHCP server when acquiring a
1692 lease. Some DHCP servers use this hostname to update DNS databases,
1693 essentially providing a static hostname for the computer. If the
1694 "dhcp-hostname" property is NULL and this property is TRUE, the
1695 current persistent hostname of the computer is sent.
1696
1697 Format: boolean
1698
1699 dhcp-timeout
1700 A timeout for a DHCP transaction in seconds. If zero (the default),
1701 a globally configured default is used. If still unspecified, a
1702 device specific timeout is used (usually 45 seconds). Set to
1703 2147483647 (MAXINT32) for infinity.
1704
1705 Format: int32
1706
1707 dhcp-vendor-class-identifier
1708 The Vendor Class Identifier DHCP option (60). Special characters in
1709 the data string may be escaped using C-style escapes, nevertheless
1710 this property cannot contain nul bytes. If the per-profile value is
1711 unspecified (the default), a global connection default gets
1712 consulted. If still unspecified, the DHCP option is not sent to the
1713 server. Since 1.28, 1.26.4
1714
1715 Format: string
1716
1717 dns
1718 Array of IP addresses of DNS servers.
1719
1720 Format: array of uint32
1721
1722 dns-options
1723 Array of DNS options as described in man 5 resolv.conf. NULL means
1724 that the options are unset and left at the default. In this case
1725 NetworkManager will use default options. This is distinct from an
1726 empty list of properties. The currently supported options are
1727 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
1728 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
1729 "no-reload", "no-tld-query", "rotate", "single-request",
1730 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
1731 "trust-ad" setting is only honored if the profile contributes name
1732 servers to resolv.conf, and if all contributing profiles have
1733 "trust-ad" enabled.
1734
1735 Format: array of string
1736
1737 dns-priority
1738 DNS servers priority. The relative priority for DNS servers
1739 specified by this setting. A lower value is better (higher
1740 priority). Zero selects a globally configured default value. If the
1741 latter is missing or zero too, it defaults to 50 for VPNs
1742 (including WireGuard) and 100 for other connections. Note that the
1743 priority is to order DNS settings for multiple active connections.
1744 It does not disambiguate multiple DNS servers within the same
1745 connection profile. When using dns=default, servers with higher
1746 priority will be on top of resolv.conf. To prioritize a given
1747 server over another one within the same connection, just specify
1748 them in the desired order. When multiple devices have
1749 configurations with the same priority, VPNs will be considered
1750 first, then devices with the best (lowest metric) default route and
1751 then all other devices. Negative values have the special effect of
1752 excluding other configurations with a greater priority value; so in
1753 presence of at least one negative priority, only DNS servers from
1754 connections with the lowest priority value will be used. When using
1755 a DNS resolver that supports Conditional Forwarding such as dns=dnsmasq
1756 or dns=systemd-resolved, each connection is used to query domains
1757 in its search list. Queries for domains not present in any search
1758 list are routed through connections having the '~.' special
1759 wildcard domain, which is added automatically to connections with
1760 the default route (or can be added manually). When multiple
1761 connections specify the same domain, the one with the highest
1762 priority (lowest numerical value) wins. If a connection specifies a
1763 domain which is a subdomain of another domain with a negative DNS
1764 priority value, the subdomain is ignored.
1765
1766 Format: int32
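
The following is an added example, not NetworkManager's implementation: it models the dns=default ordering and the negative-priority exclusion described above, and does not model conditional forwarding by search domain. The Conn class, its field names, the single global_default parameter and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not NetworkManager code): which DNS servers end up in
# resolv.conf, and in what order, for a set of active connections.


@dataclass
class Conn:
    name: str
    dns: list
    dns_priority: int = 0
    is_vpn: bool = False
    default_route_metric: Optional[int] = None  # None: no default route


def effective_priority(conn, global_default=0):
    """Zero falls back to the global default, then to 50 (VPN) or 100."""
    if conn.dns_priority != 0:
        return conn.dns_priority
    if global_default != 0:
        return global_default
    return 50 if conn.is_vpn else 100


def tie_rank(conn):
    """Same priority: VPNs first, then lowest-metric default route, then the rest."""
    if conn.is_vpn:
        return (0, 0)
    if conn.default_route_metric is not None:
        return (1, conn.default_route_metric)
    return (2, 0)


def rank_connections(conns, global_default=0):
    """Order connections best-first and apply the negative-priority rule."""
    def key(conn):
        return (effective_priority(conn, global_default),) + tie_rank(conn)

    ranked = sorted(conns, key=key)
    if ranked:
        lowest = effective_priority(ranked[0], global_default)
        if lowest < 0:
            # A negative value excludes every configuration with a greater value.
            ranked = [c for c in ranked
                      if effective_priority(c, global_default) == lowest]
    return ranked


def resolv_conf_servers(conns, global_default=0):
    """Name servers in resolv.conf order, duplicates removed."""
    servers = []
    for conn in rank_connections(conns, global_default):
        for server in conn.dns:
            if server not in servers:
                servers.append(server)
    return servers


if __name__ == "__main__":
    # Constructed profiles: a LAN with a default route and a VPN.
    lan = Conn("lan", ["192.0.2.53"], default_route_metric=100)
    vpn = Conn("vpn", ["10.8.0.1"], is_vpn=True)
    print(resolv_conf_servers([lan, vpn]))   # both resolvers stay listed
    vpn.dns_priority = -10
    print(resolv_conf_servers([lan, vpn]))   # only the VPN resolver remains
```

With default priorities the LAN resolver remains in the list behind the VPN's, so a VPN profile that must be the only source of name resolution needs a negative "dns-priority".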
1767
1768 dns-search
1769 Array of DNS search domains. Domains starting with a tilde ('~')
1770 are considered 'routing' domains and are used only to decide the
1771 interface over which a query must be forwarded; they are not used
1772 to complete unqualified host names.
1773
1774 Format: array of string
1775
1776 gateway
1777 Alias: gw4
1778
1779 The gateway associated with this configuration. This is only
1780 meaningful if "addresses" is also set. The gateway's main purpose
1781 is to control the next hop of the standard default route on the
1782 device. Hence, the gateway property conflicts with "never-default"
1783 and will be automatically dropped if the IP configuration is set to
1784 never-default. As an alternative to setting the gateway, configure a
1785 static default route with /0 as prefix length.
1786
1787 Format: string
1788
1789 ignore-auto-dns
1790 When "method" is set to "auto" and this property to TRUE,
1791 automatically configured nameservers and search domains are ignored
1792 and only nameservers and search domains specified in the "dns" and
1793 "dns-search" properties, if any, are used.
1794
1795 Format: boolean
1796
1797 ignore-auto-routes
1798 When "method" is set to "auto" and this property to TRUE,
1799 automatically configured routes are ignored and only routes
1800 specified in the "routes" property, if any, are used.
1801
1802 Format: boolean
1803
1804 may-fail
1805 If TRUE, allow overall network configuration to proceed even if the
1806 configuration specified by this property times out. Note that at
1807 least one IP configuration must succeed or overall network
1808 configuration will still fail. For example, in IPv6-only networks,
1809 setting this property to TRUE on the NMSettingIP4Config allows the
1810 overall network configuration to succeed if IPv4 configuration
1811 fails but IPv6 configuration completes successfully.
1812
1813 Format: boolean
1814
1815 method
1816 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
1817 both support "disabled", "auto", "manual", and "link-local". See
1818 the subclass-specific documentation for other values. In general,
1819 for the "auto" method, properties such as "dns" and "routes"
1820 specify information that is added on to the information returned
1821 from automatic configuration. The "ignore-auto-routes" and
1822 "ignore-auto-dns" properties modify this behavior. For methods that
1823 imply no upstream network, such as "shared" or "link-local", these
1824 properties must be empty. For IPv4 method "shared", the IP subnet
1825 can be configured by adding one manual IPv4 address or otherwise
1826 10.42.x.0/24 is chosen. Note that the shared method must be
1827 configured on the interface which shares the internet to a subnet,
1828 not on the uplink which is shared.
1829
1830 Format: string
1831
1832 never-default
1833 If TRUE, this connection will never be the default connection for
1834 this IP type, meaning it will never be assigned the default route
1835 by NetworkManager.
1836
1837 Format: boolean
1838
route-metric
The default metric for routes that don't explicitly specify a
metric. The default value -1 means that the metric is chosen
automatically based on the device type. The metric applies to
dynamic routes, manual (static) routes that don't have an explicit
metric setting, address prefix routes, and the default route. Note
that for IPv6, the kernel accepts zero (0) but coerces it to 1024
(user default). Hence, setting this property to zero effectively
means setting it to 1024. For IPv4, zero is a regular value for the
metric.

Format: int64
1851
1852 route-table
1853 Enable policy routing (source routing) and set the routing table
1854 used when adding routes. This affects all routes, including
1855 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
1856 routes. But note that static routes can individually overwrite the
1857 setting by explicitly specifying a non-zero routing table. If the
1858 table setting is left at zero, it is eligible to be overwritten via
1859 global configuration. If the property is zero even after applying
1860 the global configuration value, policy routing is disabled for the
1861 address family of this connection. Policy routing disabled means
1862 that NetworkManager will add all routes to the main table (except
1863 static routes that explicitly configure a different table).
1864 Additionally, NetworkManager will not delete any extraneous routes
1865 from tables except the main table. This is to preserve backward
1866 compatibility for users who manage routing tables outside of
1867 NetworkManager.
1868
1869 Format: uint32
1870
1871 routes
1872 Array of IP routes.
1873
1874 Format: array of array of uint32
1875
1876 routing-rules
1877
1878 ipv6 setting
1879 IPv6 Settings.
1880
1881 Properties:
1882
addr-gen-mode
Configure method for creating the address for use with RFC4862 IPv6
Stateless Address Autoconfiguration. The permitted values are:
NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0) or
NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1). If the
property is set to EUI64, the addresses will be generated using the
interface tokens derived from the hardware address. This makes the
host part of the address stay constant, making it possible to track
the host's presence when it changes networks. The address changes when
the interface hardware is replaced. The value of stable-privacy
enables use of a cryptographically secure hash of a secret
host-specific key along with the connection's stable-id and the
network address as specified by RFC7217. This makes it impossible
to use the address to track the host's presence, and makes the address
stable when the network interface hardware is replaced. On D-Bus,
the absence of an addr-gen-mode setting equals enabling
stable-privacy. For the keyfile plugin, the absence of the setting on
disk means EUI64 so that the property doesn't change on upgrade
from older versions. Note that this setting is distinct from the
Privacy Extensions as configured by the "ip6-privacy" property and it
does not affect the temporary addresses configured with this
option.

Format: int32
1907
1908 addresses
1909 Alias: ip6
1910
1911 Array of IP addresses.
1912
1913 Format: array of legacy IPv6 address struct
1914
1915 dhcp-duid
1916 A string containing the DHCPv6 Unique Identifier (DUID) used by the
1917 dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
1918 DUID is carried in the Client Identifier option. If the property is
1919 a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
1920 filled as an opaque value in the Client Identifier option. The
1921 special value "lease" will retrieve the DUID previously used from
1922 the lease file belonging to the connection. If no DUID is found and
1923 "dhclient" is the configured dhcp client, the DUID is searched in
1924 the system-wide dhclient lease file. If still no DUID is found, or
1925 another dhcp client is used, a global and permanent DUID-UUID (RFC
1926 6355) will be generated based on the machine-id. The special values
1927 "llt" and "ll" will generate a DUID of type LLT or LL (see RFC
1928 3315) based on the current MAC address of the device. In order to
1929 try providing a stable DUID-LLT, the time field will contain a
1930 constant timestamp that is used globally (for all profiles) and
1931 persisted to disk. The special values "stable-llt", "stable-ll" and
1932 "stable-uuid" will generate a DUID of the corresponding type,
1933 derived from the connection's stable-id and a per-host unique key.
1934 You may want to include the "${DEVICE}" or "${MAC}" specifier in
1935 the stable-id, in case this profile gets activated on multiple
1936 devices. So, the link-layer address of "stable-ll" and "stable-llt"
1937 will be a generated address derived from the stable id. The
1938 DUID-LLT time value in the "stable-llt" option will be picked among
1939 a static timespan of three years (the upper bound of the interval
1940 is the same constant timestamp used in "llt"). When the property is
1941 unset, the global value provided for "ipv6.dhcp-duid" is used. If
1942 no global value is provided, the default "lease" value is assumed.
1943
1944 Format: string
1945
1946 dhcp-hostname
1947 If the "dhcp-send-hostname" property is TRUE, then the specified
1948 name will be sent to the DHCP server when acquiring a lease. This
1949 property and "dhcp-fqdn" are mutually exclusive and cannot be set
1950 at the same time.
1951
1952 Format: string
1953
1954 dhcp-hostname-flags
1955 Flags for the DHCP hostname and FQDN. Currently this property only
1956 includes flags to control the FQDN flags set in the DHCP FQDN
1957 option. Supported FQDN flags are
1958 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1959 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1960 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1961 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1962 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1963 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1964 the standard FQDN flags are set in the request:
1965 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1966 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1967 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1968 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1969 (0x0), a global default is looked up in NetworkManager
1970 configuration. If that value is unset or also
1971 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1972 described above are sent in the DHCP requests.
1973
1974 Format: uint32
1975
1976 dhcp-iaid
1977 A string containing the "Identity Association Identifier" (IAID)
1978 used by the DHCP client. The property is a 32-bit decimal value or
1979 a special value among "mac", "perm-mac", "ifname" and "stable".
1980 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1981 (or permanent) MAC address are used as IAID. When set to "ifname",
1982 the IAID is computed by hashing the interface name. The special
1983 value "stable" can be used to generate an IAID based on the
1984 stable-id (see connection.stable-id), a per-host key and the
1985 interface name. When the property is unset, the value from global
1986 configuration is used; if no global default is set then the IAID is
1987 assumed to be "ifname". Note that at the moment this property is
1988 ignored for IPv6 by dhclient, which always derives the IAID from
1989 the MAC address.
1990
1991 Format: string
1992
1993 dhcp-send-hostname
1994 If TRUE, a hostname is sent to the DHCP server when acquiring a
1995 lease. Some DHCP servers use this hostname to update DNS databases,
1996 essentially providing a static hostname for the computer. If the
1997 "dhcp-hostname" property is NULL and this property is TRUE, the
1998 current persistent hostname of the computer is sent.
1999
2000 Format: boolean
2001
2002 dhcp-timeout
2003 A timeout for a DHCP transaction in seconds. If zero (the default),
2004 a globally configured default is used. If still unspecified, a
2005 device specific timeout is used (usually 45 seconds). Set to
2006 2147483647 (MAXINT32) for infinity.
2007
2008 Format: int32
2009
2010 dns
2011 Array of IP addresses of DNS servers.
2012
2013 Format: array of byte array
2014
2015 dns-options
2016 Array of DNS options as described in man 5 resolv.conf. NULL means
2017 that the options are unset and left at the default. In this case
2018 NetworkManager will use default options. This is distinct from an
2019 empty list of properties. The currently supported options are
2020 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
2021 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
2022 "no-reload", "no-tld-query", "rotate", "single-request",
2023 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
2024 "trust-ad" setting is only honored if the profile contributes name
2025 servers to resolv.conf, and if all contributing profiles have
2026 "trust-ad" enabled.
2027
2028 Format: array of string
2029
dns-priority
DNS servers priority. The relative priority for DNS servers
specified by this setting. A lower value is better (higher
priority). Zero selects a globally configured default value. If the
latter is missing or zero too, it defaults to 50 for VPNs
(including WireGuard) and 100 for other connections. Note that the
priority is to order DNS settings for multiple active connections.
It does not disambiguate multiple DNS servers within the same
connection profile. When using dns=default, servers with higher
priority will be on top of resolv.conf. To prioritize a given
server over another one within the same connection, just specify
them in the desired order. When multiple devices have
configurations with the same priority, VPNs will be considered
first, then devices with the best (lowest metric) default route and
then all other devices. Negative values have the special effect of
excluding other configurations with a greater priority value; so in
the presence of at least one negative priority, only DNS servers from
connections with the lowest priority value will be used. When using
a DNS resolver that supports Conditional Forwarding, such as
dns=dnsmasq or dns=systemd-resolved, each connection is used to query
domains in its search list. Queries for domains not present in any
search list are routed through connections having the '~.' special
wildcard domain, which is added automatically to connections with
the default route (or can be added manually). When multiple
connections specify the same domain, the one with the highest
priority (lowest numerical value) wins. If a connection specifies a
domain which is a subdomain of another domain with a negative DNS
priority value, the subdomain is ignored.

Format: int32
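
The ordering and exclusion rules for ipv4.dns-priority and ipv6.dns-priority decide whether resolvers learned from an untrusted link stay in use next to a VPN's resolvers. The following Python model is an added example, not NetworkManager code: it applies the rules as written above for the dns=default case only, and the Profile class, function names and sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Profile:
    """Hypothetical stand-in for one active connection profile."""
    name: str
    dns: List[str]                               # servers, in configured order
    dns_priority: int = 0                        # ipv4/ipv6 dns-priority
    is_vpn: bool = False
    default_route_metric: Optional[int] = None   # None: no default route


def effective_priority(p: Profile, global_default: int = 0) -> int:
    """Zero falls back to the global default, then to 50 (VPN) or 100."""
    if p.dns_priority != 0:
        return p.dns_priority
    if global_default != 0:
        return global_default
    return 50 if p.is_vpn else 100


def tie_break(p: Profile):
    """Equal priority: VPNs first, then best default route, then the rest."""
    if p.is_vpn:
        return (0, 0)
    if p.default_route_metric is not None:
        return (1, p.default_route_metric)
    return (2, 0)


def contributing_profiles(profiles, global_default: int = 0):
    """Profiles whose servers are used, best first."""
    ranked = sorted(
        profiles,
        key=lambda p: (effective_priority(p, global_default), tie_break(p)),
    )
    if not ranked:
        return []
    best = effective_priority(ranked[0], global_default)
    if best < 0:
        # A negative priority excludes every configuration with a greater
        # value: only profiles at the lowest value remain.
        ranked = [p for p in ranked
                  if effective_priority(p, global_default) == best]
    return ranked


def nameservers(profiles, global_default: int = 0) -> List[str]:
    """Resolver list in the order it would appear, duplicates removed."""
    ordered: List[str] = []
    for p in contributing_profiles(profiles, global_default):
        for server in p.dns:
            if server not in ordered:
                ordered.append(server)
    return ordered


def untrusted_resolvers(profiles, trusted_profile: str,
                        global_default: int = 0) -> List[str]:
    """Servers still in use that the trusted profile did not supply."""
    trusted = {s for p in profiles if p.name == trusted_profile for s in p.dns}
    return [s for s in nameservers(profiles, global_default)
            if s not in trusted]


if __name__ == "__main__":
    # Constructed sample: one VPN and two LAN links, documentation addresses.
    wifi = Profile("wifi", ["192.0.2.53"], default_route_metric=600)
    wired = Profile("wired", ["198.51.100.53"], default_route_metric=100)
    vpn = Profile("vpn", ["10.8.0.1"], is_vpn=True)
    print(nameservers([wifi, wired, vpn]))            # LAN resolvers remain
    print(untrusted_resolvers([wifi, wired, vpn], "vpn"))
    vpn.dns_priority = -1                             # exclusive VPN DNS
    print(untrusted_resolvers([wifi, wired, vpn], "vpn"))
```

With default priorities the VPN's servers are only listed first; the LAN resolvers remain in the list until the VPN profile is given a negative priority.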
2060
2061 dns-search
2062 Array of DNS search domains. Domains starting with a tilde ('~')
2063 are considered 'routing' domains and are used only to decide the
2064 interface over which a query must be forwarded; they are not used
2065 to complete unqualified host names.
2066
2067 Format: array of string
2068
gateway
Alias: gw6

The gateway associated with this configuration. This is only
meaningful if "addresses" is also set. The gateway's main purpose
is to control the next hop of the standard default route on the
device. Hence, the gateway property conflicts with "never-default"
and will be automatically dropped if the IP configuration is set to
never-default. As an alternative to setting the gateway, configure a
static default route with /0 as prefix length.

Format: string
2081
2082 ignore-auto-dns
2083 When "method" is set to "auto" and this property to TRUE,
2084 automatically configured nameservers and search domains are ignored
2085 and only nameservers and search domains specified in the "dns" and
2086 "dns-search" properties, if any, are used.
2087
2088 Format: boolean
2089
2090 ignore-auto-routes
2091 When "method" is set to "auto" and this property to TRUE,
2092 automatically configured routes are ignored and only routes
2093 specified in the "routes" property, if any, are used.
2094
2095 Format: boolean
2096
ip6-privacy
Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
If enabled, it makes the kernel generate a temporary IPv6 address
in addition to the public one generated from the MAC address via
modified EUI-64. This enhances privacy, but could cause problems in
some applications. The permitted values are: -1: unknown, 0:
disabled, 1: enabled (prefer public address), 2: enabled (prefer
temporary addresses). Having a per-connection setting set to "-1"
(unknown) means fallback to the global configuration
"ipv6.ip6-privacy". If the global configuration is also unspecified
or set to "-1", the fallback is to read
"/proc/sys/net/ipv6/conf/default/use_tempaddr". Note that this
setting is distinct from the Stable Privacy addresses that can be
enabled with the "addr-gen-mode" property's "stable-privacy"
setting as another way of avoiding host tracking with IPv6
addresses.

Format: NMSettingIP6ConfigPrivacy (int32)
2115
2116 may-fail
2117 If TRUE, allow overall network configuration to proceed even if the
2118 configuration specified by this property times out. Note that at
2119 least one IP configuration must succeed or overall network
2120 configuration will still fail. For example, in IPv6-only networks,
2121 setting this property to TRUE on the NMSettingIP4Config allows the
2122 overall network configuration to succeed if IPv4 configuration
2123 fails but IPv6 configuration completes successfully.
2124
2125 Format: boolean
2126
2127 method
2128 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
2129 both support "disabled", "auto", "manual", and "link-local". See
2130 the subclass-specific documentation for other values. In general,
2131 for the "auto" method, properties such as "dns" and "routes"
2132 specify information that is added on to the information returned
2133 from automatic configuration. The "ignore-auto-routes" and
2134 "ignore-auto-dns" properties modify this behavior. For methods that
2135 imply no upstream network, such as "shared" or "link-local", these
2136 properties must be empty. For IPv4 method "shared", the IP subnet
2137 can be configured by adding one manual IPv4 address or otherwise
2138 10.42.x.0/24 is chosen. Note that the shared method must be
2139 configured on the interface which shares the internet to a subnet,
2140 not on the uplink which is shared.
2141
2142 Format: string
2143
2144 never-default
2145 If TRUE, this connection will never be the default connection for
2146 this IP type, meaning it will never be assigned the default route
2147 by NetworkManager.
2148
2149 Format: boolean
2150
ra-timeout
A timeout for waiting for Router Advertisements, in seconds. If zero
(the default), a globally configured default is used. If still
unspecified, the timeout depends on the sysctl settings of the
device. Set to 2147483647 (MAXINT32) for infinity.

Format: int32
2158
route-metric
The default metric for routes that don't explicitly specify a
metric. The default value -1 means that the metric is chosen
automatically based on the device type. The metric applies to
dynamic routes, manual (static) routes that don't have an explicit
metric setting, address prefix routes, and the default route. Note
that for IPv6, the kernel accepts zero (0) but coerces it to 1024
(user default). Hence, setting this property to zero effectively
means setting it to 1024. For IPv4, zero is a regular value for the
metric.

Format: int64
2171
2172 route-table
2173 Enable policy routing (source routing) and set the routing table
2174 used when adding routes. This affects all routes, including
2175 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
2176 routes. But note that static routes can individually overwrite the
2177 setting by explicitly specifying a non-zero routing table. If the
2178 table setting is left at zero, it is eligible to be overwritten via
2179 global configuration. If the property is zero even after applying
2180 the global configuration value, policy routing is disabled for the
2181 address family of this connection. Policy routing disabled means
2182 that NetworkManager will add all routes to the main table (except
2183 static routes that explicitly configure a different table).
2184 Additionally, NetworkManager will not delete any extraneous routes
2185 from tables except the main table. This is to preserve backward
2186 compatibility for users who manage routing tables outside of
2187 NetworkManager.
2188
2189 Format: uint32
2190
2191 routes
2192 Array of IP routes.
2193
2194 Format: array of legacy IPv6 route struct
2195
2196 routing-rules
2197
2198 token
2199 Configure the token for
2200 draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2201 interface identifiers. Useful with eui64 addr-gen-mode.
2202
2203 Format: string
2204
2205 ip-tunnel setting
2206 IP Tunneling Settings.
2207
2208 Properties:
2209
2210 encapsulation-limit
2211 How many additional levels of encapsulation are permitted to be
2212 prepended to packets. This property applies only to IPv6 tunnels.
2213
2214 Format: uint32
2215
2216 flags
2217 Tunnel flags. Currently the following values are supported:
2218 NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2219 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2220 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2221 NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2222 NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2223 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2224 for IPv6 tunnels.
2225
2226 Format: uint32
2227
2228 flow-label
2229 The flow label to assign to tunnel packets. This property applies
2230 only to IPv6 tunnels.
2231
2232 Format: uint32
2233
2234 input-key
2235 The key used for tunnel input packets; the property is valid only
2236 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2237
2238 Format: string
2239
2240 local
2241 Alias: local
2242
2243 The local endpoint of the tunnel; the value can be empty, otherwise
2244 it must contain an IPv4 or IPv6 address.
2245
2246 Format: string
2247
2248 mode
2249 Alias: mode
2250
2251 The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2252 NM_IP_TUNNEL_MODE_GRE (2).
2253
2254 Format: uint32
2255
2256 mtu
2257 If non-zero, only transmit packets of the specified size or
2258 smaller, breaking larger packets up into multiple fragments.
2259
2260 Format: uint32
2261
2262 output-key
2263 The key used for tunnel output packets; the property is valid only
2264 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2265
2266 Format: string
2267
2268 parent
2269 Alias: dev
2270
2271 If given, specifies the parent interface name or parent connection
2272 UUID the new device will be bound to so that tunneled packets will
2273 only be routed via that interface.
2274
2275 Format: string
2276
2277 path-mtu-discovery
2278 Whether to enable Path MTU Discovery on this tunnel.
2279
2280 Format: boolean
2281
2282 remote
2283 Alias: remote
2284
2285 The remote endpoint of the tunnel; the value must contain an IPv4
2286 or IPv6 address.
2287
2288 Format: string
2289
2290 tos
2291 The type of service (IPv4) or traffic class (IPv6) field to be set
2292 on tunneled packets.
2293
2294 Format: uint32
2295
2296 ttl
2297 The TTL to assign to tunneled packets. 0 is a special value meaning
2298 that packets inherit the TTL value.
2299
2300 Format: uint32
2301
2302 macsec setting
2303 MACSec Settings.
2304
2305 Properties:
2306
2307 encrypt
2308 Alias: encrypt
2309
2310 Whether the transmitted traffic must be encrypted.
2311
2312 Format: boolean
2313
2314 mka-cak
2315 Alias: cak
2316
2317 The pre-shared CAK (Connectivity Association Key) for MACsec Key
2318 Agreement.
2319
2320 Format: string
2321
2322 mka-cak-flags
2323 Flags indicating how to handle the "mka-cak" property. See the
2324 section called “Secret flag types:” for flag values.
2325
2326 Format: NMSettingSecretFlags (uint32)
2327
2328 mka-ckn
2329 Alias: ckn
2330
2331 The pre-shared CKN (Connectivity-association Key Name) for MACsec
2332 Key Agreement.
2333
2334 Format: string
2335
2336 mode
2337 Alias: mode
2338
2339 Specifies how the CAK (Connectivity Association Key) for MKA
2340 (MACsec Key Agreement) is obtained.
2341
2342 Format: int32
2343
2344 parent
2345 Alias: dev
2346
2347 If given, specifies the parent interface name or parent connection
2348 UUID from which this MACSEC interface should be created. If this
2349 property is not specified, the connection must contain an
2350 "802-3-ethernet" setting with a "mac-address" property.
2351
2352 Format: string
2353
2354 port
2355 Alias: port
2356
2357 The port component of the SCI (Secure Channel Identifier), between
2358 1 and 65534.
2359
2360 Format: int32
2361
2362 send-sci
2363 Specifies whether the SCI (Secure Channel Identifier) is included
2364 in every packet.
2365
2366 Format: boolean
2367
2368 validation
2369 Specifies the validation mode for incoming frames.
2370
2371 Format: int32
2372
2373 macvlan setting
2374 MAC VLAN Settings.
2375
2376 Properties:
2377
2378 mode
2379 Alias: mode
2380
2381 The macvlan mode, which specifies the communication mechanism
2382 between multiple macvlans on the same lower device.
2383
2384 Format: uint32
2385
2386 parent
2387 Alias: dev
2388
2389 If given, specifies the parent interface name or parent connection
2390 UUID from which this MAC-VLAN interface should be created. If this
2391 property is not specified, the connection must contain an
2392 "802-3-ethernet" setting with a "mac-address" property.
2393
2394 Format: string
2395
2396 promiscuous
2397 Whether the interface should be put in promiscuous mode.
2398
2399 Format: boolean
2400
2401 tap
2402 Alias: tap
2403
2404 Whether the interface should be a MACVTAP.
2405
2406 Format: boolean
2407
2408 match setting
2409 Match settings.
2410
2411 Properties:
2412
2413 driver
2414 A list of driver names to match. Each element is a shell wildcard
2415 pattern. See NMSettingMatch:interface-name for how special
2416 characters '|', '&', '!' and '\' are used for optional and
2417 mandatory matches and inverting the pattern.
2418
2419 Format: array of string
2420
interface-name
A list of interface names to match. Each element is a shell
wildcard pattern. An element can be prefixed with a pipe symbol (|)
or an ampersand (&). The former means that the element is optional
and the latter means that it is mandatory. If there are any
optional elements, then the match evaluates to true if at least one
of the optional elements matches (logical OR). If there are any
mandatory elements, then they all must match (logical AND). By
default, an element is optional. This means that an element "foo"
behaves the same as "|foo". An element can also be inverted with an
exclamation mark (!) between the pipe symbol (or the ampersand) and
before the pattern. Note that "!foo" is a shortcut for the
mandatory match "&!foo". Finally, a backslash can be used at the
beginning of the element (after the optional special characters) to
escape the start of the pattern. For example, "&\!a" is a
mandatory match for literally "!a".

Format: array of string
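
The element syntax above, which driver, kernel-command-line and path also refer to, determines which devices a profile may be activated on, so it is worth checking a pattern list offline before deploying a profile. The following Python model is an added example, not NetworkManager code: it applies the rules as written, with Python's fnmatchcase standing in for shell wildcard matching and an empty list treated as matching every device (both assumptions); function names and interface names are constructed.

```python
from fnmatch import fnmatchcase
from typing import Iterable, List, Tuple


def parse_element(element: str) -> Tuple[bool, bool, str]:
    """Split one match element into (mandatory, inverted, pattern)."""
    explicit = None                # None until a '|' or '&' prefix is seen
    rest = element
    if rest[:1] in ("|", "&"):
        explicit = rest[0] == "&"
        rest = rest[1:]
    inverted = rest.startswith("!")
    if inverted:
        rest = rest[1:]
    if explicit is None:
        # Elements are optional by default, but a bare "!foo" is a
        # shortcut for the mandatory match "&!foo".
        mandatory = inverted
    else:
        mandatory = explicit
    if rest.startswith("\\"):
        # A leading backslash escapes the start of the pattern, so that
        # "&\!a" is a mandatory match for the literal name "!a".
        rest = rest[1:]
    return mandatory, inverted, rest


def profile_matches(name: str, elements: Iterable[str]) -> bool:
    """Evaluate a match list against one interface name."""
    has_optional = False
    optional_hit = False
    for element in elements:
        mandatory, inverted, pattern = parse_element(element)
        hit = fnmatchcase(name, pattern) != inverted
        if mandatory:
            if not hit:
                return False       # mandatory elements are ANDed
        else:
            has_optional = True
            optional_hit = optional_hit or hit   # optional ones are ORed
    return optional_hit or not has_optional


def eligible_devices(names: Iterable[str], elements: List[str]) -> List[str]:
    """Interface names on which a profile with this list could activate."""
    return [n for n in names if profile_matches(n, elements)]


if __name__ == "__main__":
    # Constructed interface names for illustration.
    devices = ["eth0", "eth1", "wlan0", "veth3", "docker0"]
    for rule in (["eth*", "wl*"], ["&eth*", "!eth0"], ["|!veth*"]):
        print(rule, "->", eligible_devices(devices, rule))
```

Note that an optional inverted element such as "|!veth*" matches every interface that is not a veth device, which is broader than a list of positive patterns.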
2439
kernel-command-line
A list of kernel command line arguments to match. This may be used
to check whether a specific kernel command line option is set (or,
if prefixed with the exclamation mark, unset). The argument must
either be a single word, or an assignment (i.e. two words,
separated by "="). In the former case the kernel command line is
searched for the word appearing as is, or as the left hand side of an
assignment. In the latter case, the exact assignment is looked for
with right and left hand side matching. See
NMSettingMatch:interface-name for how special characters '|', '&',
'!' and '\' are used for optional and mandatory matches and
inverting the pattern.

Format: array of string
2454
path
A list of paths to match against the ID_PATH udev property of
devices. ID_PATH represents the topological persistent path of a
device. It typically contains a subsystem string (pci, usb,
platform, etc.) and a subsystem-specific identifier. For PCI
devices the path has the form "pci-$domain:$bus:$device.$function",
where each variable is a hexadecimal value; for example
"pci-0000:0a:00.0". The path of a device can be obtained with
"udevadm info /sys/class/net/$dev | grep ID_PATH=" or by looking at
the "path" property exported by NetworkManager ("nmcli -f
general.path device show $dev"). Each element of the list is a
shell wildcard pattern. See NMSettingMatch:interface-name for how
special characters '|', '&', '!' and '\' are used for optional and
mandatory matches and inverting the pattern.

Format: array of string
2471
2472 802-11-olpc-mesh setting
2473 Alias: olpc-mesh
2474
2475 OLPC Wireless Mesh Settings.
2476
2477 Properties:
2478
2479 channel
2480 Alias: channel
2481
2482 Channel on which the mesh network to join is located.
2483
2484 Format: uint32
2485
2486 dhcp-anycast-address
2487 Alias: dhcp-anycast
2488
2489 Anycast DHCP MAC address used when requesting an IP address via
2490 DHCP. The specific anycast address used determines which DHCP
2491 server class answers the request.
2492
2493 Format: byte array
2494
2495 ssid
2496 Alias: ssid
2497
2498 SSID of the mesh network to join.
2499
2500 Format: byte array
2501
2502 ovs-bridge setting
2503 OvsBridge Link Settings.
2504
2505 Properties:
2506
2507 datapath-type
2508 The data path type. One of "system", "netdev" or empty.
2509
2510 Format: string
2511
2512 fail-mode
2513 The bridge failure mode. One of "secure", "standalone" or empty.
2514
2515 Format: string
2516
2517 mcast-snooping-enable
2518 Enable or disable multicast snooping.
2519
2520 Format: boolean
2521
2522 rstp-enable
2523 Enable or disable RSTP.
2524
2525 Format: boolean
2526
2527 stp-enable
2528 Enable or disable STP.
2529
2530 Format: boolean
2531
2532 ovs-dpdk setting
2533 OvsDpdk Link Settings.
2534
2535 Properties:
2536
2537 devargs
2538 Open vSwitch DPDK device arguments.
2539
2540 Format: string
2541
2542 ovs-interface setting
2543 Open vSwitch Interface Settings.
2544
2545 Properties:
2546
2547 type
2548 The interface type. Either "internal", "system", "patch", "dpdk",
2549 or empty.
2550
2551 Format: string
2552
2553 ovs-patch setting
2554 OvsPatch Link Settings.
2555
2556 Properties:
2557
2558 peer
2559 Specifies the name of the interface for the other side of the
2560 patch. The patch on the other side must also set this interface as
2561 peer.
2562
2563 Format: string
2564
2565 ovs-port setting
2566 OvsPort Link Settings.
2567
2568 Properties:
2569
bond-downdelay
The time a port must be inactive in order to be considered down.

Format: uint32
2574
2575 bond-mode
2576 Bonding mode. One of "active-backup", "balance-slb", or
2577 "balance-tcp".
2578
2579 Format: string
2580
bond-updelay
The time a port must be active before it starts forwarding traffic.

Format: uint32
2585
2586 lacp
2587 LACP mode. One of "active", "off", or "passive".
2588
2589 Format: string
2590
2591 tag
2592 The VLAN tag in the range 0-4095.
2593
2594 Format: uint32
2595
2596 vlan-mode
2597 The VLAN mode. One of "access", "native-tagged", "native-untagged",
2598 "trunk" or unset.
2599
2600 Format: string
2601
2602 ppp setting
2603 Point-to-Point Protocol Settings.
2604
2605 Properties:
2606
2607 baud
2608 If non-zero, instruct pppd to set the serial port to the specified
2609 baudrate. This value should normally be left as 0 to automatically
2610 choose the speed.
2611
2612 Format: uint32
2613
2614 crtscts
2615 If TRUE, specify that pppd should set the serial port to use
2616 hardware flow control with RTS and CTS signals. This value should
2617 normally be set to FALSE.
2618
2619 Format: boolean
2620
2621 lcp-echo-failure
2622 If non-zero, instruct pppd to presume the connection to the peer
2623 has failed if the specified number of LCP echo-requests go
2624 unanswered by the peer. The "lcp-echo-interval" property must also
2625 be set to a non-zero value if this property is used.
2626
2627 Format: uint32
2628
2629 lcp-echo-interval
2630 If non-zero, instruct pppd to send an LCP echo-request frame to the
2631 peer every n seconds (where n is the specified value). Note that
2632 some PPP peers will respond to echo requests and some will not, and
2633 it is not possible to autodetect this.
2634
2635 Format: uint32
2636
2637 mppe-stateful
2638 If TRUE, stateful MPPE is used. See pppd documentation for more
2639 information on stateful MPPE.
2640
2641 Format: boolean
2642
2643 mru
2644 If non-zero, instruct pppd to request that the peer send packets no
2645 larger than the specified size. If non-zero, the MRU should be
2646 between 128 and 16384.
2647
2648 Format: uint32
2649
2650 mtu
2651 If non-zero, instruct pppd to send packets no larger than the
2652 specified size.
2653
2654 Format: uint32
2655
no-vj-comp
If TRUE, Van Jacobson TCP header compression will not be requested.

Format: boolean
2660
2661 noauth
2662 If TRUE, do not require the other side (usually the PPP server) to
2663 authenticate itself to the client. If FALSE, require authentication
2664 from the remote side. In almost all cases, this should be TRUE.
2665
2666 Format: boolean
2667
2668 nobsdcomp
2669 If TRUE, BSD compression will not be requested.
2670
2671 Format: boolean
2672
2673 nodeflate
2674 If TRUE, "deflate" compression will not be requested.
2675
2676 Format: boolean
2677
2678 refuse-chap
2679 If TRUE, the CHAP authentication method will not be used.
2680
2681 Format: boolean
2682
2683 refuse-eap
2684 If TRUE, the EAP authentication method will not be used.
2685
2686 Format: boolean
2687
2688 refuse-mschap
2689 If TRUE, the MSCHAP authentication method will not be used.
2690
2691 Format: boolean
2692
2693 refuse-mschapv2
2694 If TRUE, the MSCHAPv2 authentication method will not be used.
2695
2696 Format: boolean
2697
2698 refuse-pap
2699 If TRUE, the PAP authentication method will not be used.
2700
2701 Format: boolean
2702
2703 require-mppe
2704 If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
2705 required for the PPP session. If either 64-bit or 128-bit MPPE is
2706 not available the session will fail. Note that MPPE is not used on
2707 mobile broadband connections.
2708
2709 Format: boolean
2710
2711 require-mppe-128
2712 If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
2713 required for the PPP session, and the "require-mppe" property must
2714 also be set to TRUE. If 128-bit MPPE is not available the session
2715 will fail.
2716
2717 Format: boolean
2718
2719 pppoe setting
2720 PPP-over-Ethernet Settings.
2721
2722 Properties:
2723
2724 parent
2725 Alias: parent
2726
2727 If given, specifies the parent interface name on which this PPPoE
2728 connection should be created. If this property is not specified,
2729 the connection is activated on the interface specified in
2730 "interface-name" of NMSettingConnection.
2731
2732 Format: string
2733
2734 password
2735 Alias: password
2736
2737 Password used to authenticate with the PPPoE service.
2738
2739 Format: string
2740
2741 password-flags
2742 Flags indicating how to handle the "password" property. See the
2743 section called “Secret flag types:” for flag values.
2744
2745 Format: NMSettingSecretFlags (uint32)
2746
2747 service
2748 Alias: service
2749
2750 If specified, instruct PPPoE to only initiate sessions with access
2751 concentrators that provide the specified service. For most
2752 providers, this should be left blank. It is only required if there
2753 are multiple access concentrators or a specific service is known to
2754 be required.
2755
2756 Format: string
2757
2758 username
2759 Alias: username
2760
2761 Username used to authenticate with the PPPoE service.
2762
2763 Format: string
2764
2765 proxy setting
2766 WWW Proxy Settings.
2767
2768 Properties:
2769
2770 browser-only
2771 Alias: browser-only
2772
2773 Whether the proxy configuration is for browser only.
2774
2775 Format: boolean
2776
2777 method
2778 Alias: method
2779
2780 Method for proxy configuration. The default is
2781 NM_SETTING_PROXY_METHOD_NONE (0).
2782
2783 Format: int32
2784
2785 pac-script
2786 Alias: pac-script
2787
2788 PAC script for the connection.
2789
2790 Format: string
2791
2792 pac-url
2793 Alias: pac-url
2794
2795 PAC URL for obtaining PAC file.
2796
2797 Format: string
2798
2799 serial setting
2800 Serial Link Settings.
2801
2802 Properties:
2803
2804 baud
2805 Speed to use for communication over the serial port. Note that this
2806 value usually has no effect for mobile broadband modems as they
2807 generally ignore speed settings and use the highest available
2808 speed.
2809
2810 Format: uint32
2811
2812 bits
2813 Byte-width of the serial communication. The 8 in "8n1" for example.
2814
2815 Format: uint32
2816
2817 parity
2818 Parity setting of the serial port.
2819
2820 Format: NMSettingSerialParity (byte)
2821
2822 send-delay
2823 Time to delay between each byte sent to the modem, in microseconds.
2824
2825 Format: uint64
2826
2827 stopbits
2828 Number of stop bits for communication on the serial port. Either 1
2829 or 2. The 1 in "8n1" for example.
2830
2831 Format: uint32
2832
2833 sriov setting
2834 SR-IOV settings.
2835
2836 Properties:
2837
2838 autoprobe-drivers
2839 Whether to autoprobe virtual functions by a compatible driver. If
2840 set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
2841 compatible driver and if this succeeds a new network interface will
2842 be instantiated for each VF. If set to NM_TERNARY_FALSE (0), VFs
2843 will not be claimed and no network interfaces will be created for
2844 them. When set to NM_TERNARY_DEFAULT (-1), the global default is
2845 used; in case the global default is unspecified it is assumed to be
2846 NM_TERNARY_TRUE (1).
2847
2848 Format: NMTernary (int32)
2849
2850 total-vfs
2851 The total number of virtual functions to create. Note that when the
2852 sriov setting is present NetworkManager enforces the number of
2853 virtual functions on the interface (also when it is zero) during
2854 activation and resets it upon deactivation. To prevent any changes
2855 to SR-IOV parameters don't add a sriov setting to the connection.
2856
2857 Format: uint32
2858
2859 vfs
2860 Array of virtual function descriptors. Each VF descriptor is a
2861 dictionary mapping attribute names to GVariant values. The 'index'
2862 entry is mandatory for each VF. When represented as a string, a VF is
2863 in the form "INDEX [ATTR=VALUE[ ATTR=VALUE]...]", for example "2
2864 mac=00:11:22:33:44:55 spoof-check=true". Multiple VFs can be
2865 specified using a comma as separator. Currently the following
2866 attributes are supported: mac, spoof-check, trust, min-tx-rate,
2867 max-tx-rate, vlans. The "vlans" attribute is represented as a
2868 semicolon-separated list of VLAN descriptors, where each descriptor
2869 has the form "ID[.PRIORITY[.PROTO]]". PROTO can be either 'q' for
2870 802.1Q (the default) or 'ad' for 802.1ad.
2871
2872 Format: array of vardict
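The string form of sriov.vfs described above can be parsed and checked mechanically before a profile is applied. The following is an added example, not NetworkManager code: the function names and the sample value are constructed here, the parser accepts only the boolean spellings "true"/"false" shown on this page, and the duplicate-index check is this example's own sanity check. relaxed_vfs() lists VFs that explicitly set trust=true or spoof-check=false (in ip-link(8) terms, "trust on" and "spoofchk off"), the two attributes a reviewer usually wants to see justified.

```python
import re

# Attribute names listed on this page for a VF descriptor.
SUPPORTED_ATTRS = ("mac", "spoof-check", "trust",
                   "min-tx-rate", "max-tx-rate", "vlans")
_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
_UINT_RE = re.compile(r"[0-9]+")

# Constructed sample value: three VFs separated by commas.
SAMPLE = ("0 mac=00:11:22:33:44:55 spoof-check=true vlans=10.3.q;20, "
          "1 trust=true spoof-check=false, "
          "2 vlans=100.0.ad")


def _uint(text, what):
    if not _UINT_RE.fullmatch(text):
        raise ValueError(f"{what} must be an unsigned integer: {text!r}")
    return int(text)


def _boolean(text, what):
    # Assumption: only the spellings used on this page are accepted.
    if text not in ("true", "false"):
        raise ValueError(f"{what} must be true or false: {text!r}")
    return text == "true"


def parse_vlan(desc):
    """Parse one 'ID[.PRIORITY[.PROTO]]' descriptor."""
    parts = desc.split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad VLAN descriptor: {desc!r}")
    proto = parts[2] if len(parts) == 3 else "q"  # 802.1Q is the default
    if proto not in ("q", "ad"):
        raise ValueError(f"PROTO must be 'q' or 'ad': {desc!r}")
    return {
        "id": _uint(parts[0], "VLAN ID"),
        "priority": _uint(parts[1], "VLAN priority") if len(parts) > 1 else None,
        "proto": proto,
    }


def parse_vf(text):
    """Parse one 'INDEX [ATTR=VALUE ...]' descriptor into a dict."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty VF descriptor")
    vf = {"index": _uint(tokens[0], "VF index")}  # index is mandatory
    for token in tokens[1:]:
        name, sep, value = token.partition("=")
        if not sep or name not in SUPPORTED_ATTRS:
            raise ValueError(f"unsupported attribute: {token!r}")
        if name in vf:
            raise ValueError(f"attribute given twice: {name!r}")
        if name in ("spoof-check", "trust"):
            vf[name] = _boolean(value, name)
        elif name in ("min-tx-rate", "max-tx-rate"):
            vf[name] = _uint(value, name)
        elif name == "vlans":
            vf[name] = [parse_vlan(d) for d in value.split(";")]
        else:  # mac
            if not _MAC_RE.fullmatch(value):
                raise ValueError(f"bad MAC address: {value!r}")
            vf[name] = value.upper()
    return vf


def parse_vfs(value):
    """Parse a full sriov.vfs string (comma-separated VF descriptors)."""
    vfs = [parse_vf(chunk) for chunk in value.split(",")]
    indexes = [vf["index"] for vf in vfs]
    if len(set(indexes)) != len(indexes):
        raise ValueError("duplicate VF index")
    return vfs


def relaxed_vfs(vfs):
    """Indexes of VFs that explicitly set trust=true or spoof-check=false."""
    return [vf["index"] for vf in vfs
            if vf.get("trust") is True or vf.get("spoof-check") is False]


if __name__ == "__main__":
    parsed = parse_vfs(SAMPLE)
    for vf in parsed:
        print(vf)
    print("review these VFs:", relaxed_vfs(parsed))
```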
2873
2874 tc setting
2875 Linux Traffic Control Settings.
2876
2877 Properties:
2878
2879 qdiscs
2880 Array of TC queueing disciplines.
2881
2882 Format: array of vardict
2883
2884 tfilters
2885 Array of TC traffic filters.
2886
2887 Format: array of vardict
2888
2889 team setting
2890 Teaming Settings.
2891
2892 Properties:
2893
2894 config
2895 Alias: config
2896
2897 The JSON configuration for the team network interface. The property
2898 should contain raw JSON configuration data suitable for teamd,
2899 because the value is passed directly to teamd. If not specified,
2900 the default configuration is used. See man teamd.conf for the
2901 format details.
2902
2903 Format: string
2904
2905 link-watchers
2906 Link watchers configuration for the connection: each link watcher
2907 is defined by a dictionary, whose keys depend upon the selected
2908 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
2909 and 'arp_ping'; the watcher is selected in the dictionary with the
2910 key 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
2911 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
2912 'target-host'; arp_ping: all the ones in nsna_ping and
2913 'source-host', 'validate-active', 'validate-inactive',
2914 'send-always'. See the teamd.conf man page for more details.
2915
2916 Format: array of vardict
2917
2918 mcast-rejoin-count
2919 Corresponds to the teamd mcast_rejoin.count.
2920
2921 Format: int32
2922
2923 mcast-rejoin-interval
2924 Corresponds to the teamd mcast_rejoin.interval.
2925
2926 Format: int32
2927
2928 notify-peers-count
2929 Corresponds to the teamd notify_peers.count.
2930
2931 Format: int32
2932
2933 notify-peers-interval
2934 Corresponds to the teamd notify_peers.interval.
2935
2936 Format: int32
2937
2938 runner
2939 Corresponds to the teamd runner.name. Permitted values are:
2940 "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
2941 "random".
2942
2943 Format: string
2944
2945 runner-active
2946 Corresponds to the teamd runner.active.
2947
2948 Format: boolean
2949
2950 runner-agg-select-policy
2951 Corresponds to the teamd runner.agg_select_policy.
2952
2953 Format: string
2954
2955 runner-fast-rate
2956 Corresponds to the teamd runner.fast_rate.
2957
2958 Format: boolean
2959
2960 runner-hwaddr-policy
2961 Corresponds to the teamd runner.hwaddr_policy.
2962
2963 Format: string
2964
2965 runner-min-ports
2966 Corresponds to the teamd runner.min_ports.
2967
2968 Format: int32
2969
2970 runner-sys-prio
2971 Corresponds to the teamd runner.sys_prio.
2972
2973 Format: int32
2974
2975 runner-tx-balancer
2976 Corresponds to the teamd runner.tx_balancer.name.
2977
2978 Format: string
2979
2980 runner-tx-balancer-interval
2981 Corresponds to the teamd runner.tx_balancer.interval.
2982
2983 Format: int32
2984
2985 runner-tx-hash
2986 Corresponds to the teamd runner.tx_hash.
2987
2988 Format: array of string
2989
2990 team-port setting
2991 Team Port Settings.
2992
2993 Properties:
2994
2995 config
2996 Alias: config
2997
2998 The JSON configuration for the team port. The property should
2999 contain raw JSON configuration data suitable for teamd, because the
3000 value is passed directly to teamd. If not specified, the default
3001 configuration is used. See man teamd.conf for the format details.
3002
3003 Format: string
3004
3005 lacp-key
3006 Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3007
3008 Format: int32
3009
3010 lacp-prio
3011 Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3012
3013 Format: int32
3014
3015 link-watchers
3016 Link watchers configuration for the connection: each link watcher
3017 is defined by a dictionary, whose keys depend upon the selected
3018 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3019 and 'arp_ping'; the watcher is selected in the dictionary with the
3020 key 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3021 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3022 'target-host'; arp_ping: all the ones in nsna_ping and
3023 'source-host', 'validate-active', 'validate-inactive',
3024 'send-always'. See the teamd.conf man page for more details.
3025
3026 Format: array of vardict
3027
3028 prio
3029 Corresponds to the teamd ports.PORTIFNAME.prio.
3030
3031 Format: int32
3032
3033 queue-id
3034 Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1,
3035 the parameter is omitted from the JSON config.
3036
3037 Format: int32
3038
3039 sticky
3040 Corresponds to the teamd ports.PORTIFNAME.sticky.
3041
3042 Format: boolean
3043
3044 tun setting
3045 Tunnel Settings.
3046
3047 Properties:
3048
3049 group
3050 Alias: group
3051
3052 The group ID which will own the device. If set to NULL everyone
3053 will be able to use the device.
3054
3055 Format: string
3056
3057 mode
3058 Alias: mode
3059
3060 The operating mode of the virtual device. Allowed values are
3061 NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3062 NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3063
3064 Format: uint32
3065
3066 multi-queue
3067 Alias: multi-queue
3068
3069 If the property is set to TRUE, the interface will support multiple
3070 file descriptors (queues) to parallelize packet sending or
3071 receiving. Otherwise, the interface will only support a single
3072 queue.
3073
3074 Format: boolean
3075
3076 owner
3077 Alias: owner
3078
3079 The user ID which will own the device. If set to NULL everyone will
3080 be able to use the device.
3081
3082 Format: string
3083
3084 pi
3085 Alias: pi
3086
3087 If TRUE the interface will prepend a 4 byte header describing the
3088 physical interface to the packets.
3089
3090 Format: boolean
3091
3092 vnet-hdr
3093 Alias: vnet-hdr
3094
3095 If TRUE, the tunnel packets will include a virtio network header
3096 (IFF_VNET_HDR).
3097
3098 Format: boolean
3099
3100 vlan setting
3101 VLAN Settings.
3102
3103 Properties:
3104
3105 egress-priority-map
3106 Alias: egress
3107
3108 For outgoing packets, a list of mappings from Linux SKB priorities
3109 to 802.1p priorities. The mapping is given in the format "from:to"
3110 where both "from" and "to" are unsigned integers, e.g. "7:3".
3111
3112 Format: array of string
3113
3114 flags
3115 Alias: flags
3116
3117 One or more flags which control the behavior and features of the
3118 VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
3119 (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
3120 of the GVRP protocol), NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
3121 binding of the interface to its master device's operating state)
3122 and NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol). The default
3123 value of this property is NM_VLAN_FLAG_REORDER_HEADERS, but it used
3124 to be 0. To preserve backward compatibility, the default-value in
3125 the D-Bus API continues to be 0 and a missing property on D-Bus is
3126 still considered as 0.
3127
3128 Format: NMVlanFlags (uint32)
3129
3130 id
3131 Alias: id
3132
3133 The VLAN identifier that the interface created by this connection
3134 should be assigned. The valid range is from 0 to 4094, without the
3135 reserved id 4095.
3136
3137 Format: uint32
3138
3139 ingress-priority-map
3140 Alias: ingress
3141
3142 For incoming packets, a list of mappings from 802.1p priorities to
3143 Linux SKB priorities. The mapping is given in the format "from:to"
3144 where both "from" and "to" are unsigned integers, e.g. "7:3".
3145
3146 Format: array of string
3147
3148 parent
3149 Alias: dev
3150
3151 If given, specifies the parent interface name or parent connection
3152 UUID from which this VLAN interface should be created. If this
3153 property is not specified, the connection must contain an
3154 "802-3-ethernet" setting with a "mac-address" property.
3155
3156 Format: string
3157
3158 vpn setting
3159 VPN Settings.
3160
3161 Properties:
3162
3163 data
3164 Dictionary of key/value pairs of VPN plugin specific data. Both
3165 keys and values must be strings.
3166
3167 Format: dict of string to string
3168
3169 persistent
3170 If the VPN service supports persistence, and this property is TRUE,
3171 the VPN will attempt to stay connected across link changes and
3172 outages, until explicitly disconnected.
3173
3174 Format: boolean
3175
3176 secrets
3177 Dictionary of key/value pairs of VPN plugin specific secrets like
3178 passwords or private keys. Both keys and values must be strings.
3179
3180 Format: dict of string to string
3181
3182 service-type
3183 Alias: vpn-type
3184
3185 D-Bus service name of the VPN plugin that this setting uses to
3186 connect to its network, e.g. org.freedesktop.NetworkManager.vpnc
3187 for the vpnc plugin.
3188
3189 Format: string
3190
3191 timeout
3192 Timeout for the VPN service to establish the connection. Some
3193 services may take quite a long time to connect. Value of 0 means a
3194 default timeout, which is 60 seconds (unless overridden by
3195 vpn.timeout in configuration file). Values greater than zero mean
3196 timeout in seconds.
3197
3198 Format: uint32
3199
3200 user-name
3201 Alias: user
3202
3203 If the VPN connection requires a user name for authentication, that
3204 name should be provided here. If the connection is available to
3205 more than one user, and the VPN requires each user to supply a
3206 different name, then leave this property empty. If this property is
3207 empty, NetworkManager will automatically supply the username of the
3208 user which requested the VPN connection.
3209
3210 Format: string
3211
3212 vrf setting
3213 VRF settings.
3214
3215 Properties:
3216
3217 table
3218 Alias: table
3219
3220 The routing table for this VRF.
3221
3222 Format: uint32
3223
3224 vxlan setting
3225 VXLAN Settings.
3226
3227 Properties:
3228
3229 ageing
3230 Specifies the lifetime in seconds of FDB entries learnt by the
3231 kernel.
3232
3233 Format: uint32
3234
3235 destination-port
3236 Alias: destination-port
3237
3238 Specifies the UDP destination port to communicate to the remote
3239 VXLAN tunnel endpoint.
3240
3241 Format: uint32
3242
3243 id
3244 Alias: id
3245
3246 Specifies the VXLAN Network Identifier (or VXLAN Segment
3247 Identifier) to use.
3248
3249 Format: uint32
3250
3251 l2-miss
3252 Specifies whether netlink LL ADDR miss notifications are generated.
3253
3254 Format: boolean
3255
3256 l3-miss
3257 Specifies whether netlink IP ADDR miss notifications are generated.
3258
3259 Format: boolean
3260
3261 learning
3262 Specifies whether unknown source link layer addresses and IP
3263 addresses are entered into the VXLAN device forwarding database.
3264
3265 Format: boolean
3266
3267 limit
3268 Specifies the maximum number of FDB entries. A value of zero means
3269 that the kernel will store unlimited entries.
3270
3271 Format: uint32
3272
3273 local
3274 Alias: local
3275
3276 If given, specifies the source IP address to use in outgoing
3277 packets.
3278
3279 Format: string
3280
3281 parent
3282 Alias: dev
3283
3284 If given, specifies the parent interface name or parent connection
3285 UUID.
3286
3287 Format: string
3288
3289 proxy
3290 Specifies whether ARP proxy is turned on.
3291
3292 Format: boolean
3293
3294 remote
3295 Alias: remote
3296
3297 Specifies the unicast destination IP address to use in outgoing
3298 packets when the destination link layer address is not known in the
3299 VXLAN device forwarding database, or the multicast IP address to
3300 join.
3301
3302 Format: string
3303
3304 rsc
3305 Specifies whether route short circuit is turned on.
3306
3307 Format: boolean
3308
3309 source-port-max
3310 Alias: source-port-max
3311
3312 Specifies the maximum UDP source port to communicate to the remote
3313 VXLAN tunnel endpoint.
3314
3315 Format: uint32
3316
3317 source-port-min
3318 Alias: source-port-min
3319
3320 Specifies the minimum UDP source port to communicate to the remote
3321 VXLAN tunnel endpoint.
3322
3323 Format: uint32
3324
3325 tos
3326 Specifies the TOS value to use in outgoing packets.
3327
3328 Format: uint32
3329
3330 ttl
3331 Specifies the time-to-live value to use in outgoing packets.
3332
3333 Format: uint32
3334
3335 wifi-p2p setting
3336 Wi-Fi P2P Settings.
3337
3338 Properties:
3339
3340 peer
3341 Alias: peer
3342
3343 The P2P device that should be connected to. Currently this is the
3344 only way to create or join a group.
3345
3346 Format: string
3347
3348 wfd-ies
3349 The Wi-Fi Display (WFD) Information Elements (IEs) to set. Wi-Fi
3350 Display requires a protocol specific information element to be set
3351 in certain Wi-Fi frames. These can be specified here for the
3352 purpose of establishing a connection. This setting is only useful
3353 when implementing a Wi-Fi Display client.
3354
3355 Format: byte array
3356
3357 wps-method
3358 Flags indicating which mode of WPS is to be used. There's little
3359 point in changing the default setting as NetworkManager will
3360 automatically determine the best method to use.
3361
3362 Format: uint32
3363
3364 wimax setting
3365 WiMax Settings.
3366
3367 Properties:
3368
3369 mac-address
3370 Alias: mac
3371
3372 If specified, this connection will only apply to the WiMAX device
3373 whose MAC address matches. This property does not change the MAC
3374 address of the device (known as MAC spoofing). Deprecated: 1
3375
3376 Format: byte array
3377
3378 network-name
3379 Alias: nsp
3380
3381 Network Service Provider (NSP) name of the WiMAX network this
3382 connection should use. Deprecated: 1
3383
3384 Format: string
3385
3386 802-3-ethernet setting
3387 Alias: ethernet
3388
3389 Wired Ethernet Settings.
3390
3391 Properties:
3392
3393 auto-negotiate
3394 When TRUE, enforce auto-negotiation of speed and duplex mode. If
3395 "speed" and "duplex" properties are both specified, only that
3396 single mode will be advertised and accepted during the link
3397 auto-negotiation process: this works only for BASE-T 802.3
3398 specifications and is useful for enforcing gigabit modes, as in
3399 these cases link negotiation is mandatory. When FALSE, "speed" and
3400 "duplex" properties should be both set or link configuration will
3401 be skipped.
3402
3403 Format: boolean
3404
3405 cloned-mac-address
3406 Alias: cloned-mac
3407
3408 If specified, request that the device use this MAC address instead.
3409 This is known as MAC cloning or spoofing. Besides explicitly
3410 specifying a MAC address, the special values "preserve",
3411 "permanent", "random" and "stable" are supported. "preserve" means
3412 not to touch the MAC address on activation. "permanent" means to
3413 use the permanent hardware address if the device has one (otherwise
3414 this is treated as "preserve"). "random" creates a random MAC
3415 address on each connect. "stable" creates a hashed MAC address
3416 based on connection.stable-id and a machine dependent key. If
3417 unspecified, the value can be overwritten via global defaults, see
3418 manual of NetworkManager.conf. If still unspecified, it defaults to
3419 "preserve" (older versions of NetworkManager may use a different
3420 default value). On D-Bus, this field is expressed as
3421 "assigned-mac-address" or the deprecated "cloned-mac-address".
3422
3423 Format: byte array
3424
3425 duplex
3426 When a value is set, either "half" or "full", configures the device
3427 to use the specified duplex mode. If "auto-negotiate" is "yes" the
3428 specified duplex mode will be the only one advertised during link
3429 negotiation: this works only for BASE-T 802.3 specifications and is
3430 useful for enforcing gigabit modes, as in these cases link
3431 negotiation is mandatory. If the value is unset (the default), the
3432 link configuration will be either skipped (if "auto-negotiate" is
3433 "no", the default) or will be auto-negotiated (if "auto-negotiate"
3434 is "yes") and the local device will advertise all the supported
3435 duplex modes. Must be set together with the "speed" property if
3436 specified. Before specifying a duplex mode be sure your device
3437 supports it.
3438
3439 Format: string
3440
3441 generate-mac-address-mask
3442 With "cloned-mac-address" setting "random" or "stable", by default
3443 all bits of the MAC address are scrambled and a
3444 locally-administered, unicast MAC address is created. This property
3445 allows specifying that certain bits are fixed. Note that the least
3446 significant bit of the first octet of the MAC address will always be
3447 unset to create a unicast MAC address. If the property is NULL, it is
3448 eligible to be overwritten by a default connection setting. If the
3449 value is still NULL or an empty string, the default is to create a
3450 locally-administered, unicast MAC address. If the value contains
3451 one MAC address, this address is used as mask. The set bits of the
3452 mask are to be filled with the current MAC address of the device,
3453 while the unset bits are subject to randomization. Setting
3454 "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3455 address and only randomize the lower 3 bytes using the "random" or
3456 "stable" algorithm. If the value contains one additional MAC
3457 address after the mask, this address is used instead of the current
3458 MAC address to fill the bits that shall not be randomized. For
3459 example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3460 the OUI of the MAC address to 68:F7:28, while the lower bits are
3461 randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3462 create a fully scrambled globally-administered, burned-in MAC
3463 address. If the value contains more than one additional MAC
3464 address, one of them is chosen randomly. For example,
3465 "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3466 a fully scrambled MAC address, randomly locally or globally
3467 administered.
3468
3469 Format: string
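The mask rules above (which also apply to the identically named property of the 802-11-wireless setting) are easiest to check by computing the result for fixed random input. The following is an added example, not NetworkManager's own code: it implements the rules as this page states them, the function names, the `rand`/`pick` test hooks and the sample addresses are constructed here, and it assumes that bits not covered by the mask start from random bytes with the locally-administered bit set, matching the default the page describes.

```python
import re
import secrets

_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")


def parse_mac(text):
    """Parse 'AA:BB:CC:DD:EE:FF' into 6 raw bytes."""
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(text.replace(":", ""))


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def generate_mac(mask_value, current_mac, rand=None, pick=None):
    """Apply a generate-mac-address-mask value as the page describes it.

    mask_value  -- "" / None, "MASK", or "MASK ADDR [ADDR ...]"
    current_mac -- the device's current MAC, used when no ADDR is listed
    rand, pick  -- test hooks (assumptions of this example): fixed random
                   bytes, and the index of the ADDR to use
    """
    out = bytearray(secrets.token_bytes(6) if rand is None else rand)
    if len(out) != 6:
        raise ValueError("rand must be exactly 6 bytes")
    # Default outcome is a locally-administered address (bit 0x02 set).
    out[0] |= 0x02

    words = (mask_value or "").split()
    if words:
        mask = parse_mac(words[0])
        fills = [parse_mac(w) for w in words[1:]]
        if fills:
            idx = secrets.randbelow(len(fills)) if pick is None else pick
            fill = fills[idx]
        else:
            fill = parse_mac(current_mac)
        # Set mask bits come from `fill`; unset mask bits stay random.
        out = bytearray((r & ~m & 0xFF) | (f & m)
                        for r, m, f in zip(out, mask, fill))

    # The multicast bit (LSB of the first octet) is always cleared.
    out[0] &= 0xFE
    return format_mac(out)


def address_kind(mac):
    """Return 'local' or 'global' from the locally-administered bit."""
    return "local" if parse_mac(mac)[0] & 0x02 else "global"


def randomized_bits(mask_value):
    """Number of address bits actually left to the random source."""
    words = (mask_value or "").split()
    mask = parse_mac(words[0]) if words else bytes(6)
    free = sum(bin(~m & 0xFF).count("1") for m in mask)
    if not mask[0] & 0x01:
        free -= 1  # multicast bit is forced to 0
    if not mask[0] & 0x02:
        free -= 1  # locally-administered bit is forced to 1 (see lead-in)
    return free


if __name__ == "__main__":
    current = "00:1B:21:AA:BB:CC"          # constructed device address
    fixed = bytes.fromhex("a1b2c3d4e5f6")  # constructed "random" bytes
    for value in ("",
                  "FE:FF:FF:00:00:00",
                  "FE:FF:FF:00:00:00 68:F7:28:00:00:00",
                  "02:00:00:00:00:00 00:00:00:00:00:00"):
        mac = generate_mac(value, current, rand=fixed)
        print(f"{value!r:45} -> {mac} "
              f"({address_kind(mac)}, {randomized_bits(value)} random bits)")
```

A mask that preserves the OUI leaves only the lower 24 bits to randomization and keeps the vendor prefix of the real adapter visible on the network.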
3470
3471 mac-address
3472 Alias: mac
3473
3474 If specified, this connection will only apply to the Ethernet
3475 device whose permanent MAC address matches. This property does not
3476 change the MAC address of the device (i.e. MAC spoofing).
3477
3478 Format: byte array
3479
3480 mac-address-blacklist
3481 If specified, this connection will never apply to the Ethernet
3482 device whose permanent MAC address matches an address in the list.
3483 Each MAC address is in the standard hex-digits-and-colons notation
3484 (00:11:22:33:44:55).
3485
3486 Format: array of string
3487
3488 mtu
3489 Alias: mtu
3490
3491 If non-zero, only transmit packets of the specified size or
3492 smaller, breaking larger packets up into multiple Ethernet frames.
3493
3494 Format: uint32
3495
3496 port
3497 Specific port type to use if the device supports multiple
3498 attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
3499 Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
3500 Interface). If the device supports only one port type, this setting
3501 is ignored.
3502
3503 Format: string
3504
3505 s390-nettype
3506 s390 network device type; one of "qeth", "lcs", or "ctc",
3507 representing the different types of virtual network devices
3508 available on s390 systems.
3509
3510 Format: string
3511
3512 s390-options
3513 Dictionary of key/value pairs of s390-specific device options. Both
3514 keys and values must be strings. Allowed keys include "portno",
3515 "layer2", "portname", "protocol", among others. Key names must
3516 contain only alphanumeric characters (i.e. [a-zA-Z0-9]).
3517
3518 Format: dict of string to string
3519
3520 s390-subchannels
3521 Identifies specific subchannels that this network device uses for
3522 communication with z/VM or s390 host. Like the "mac-address"
3523 property for non-z/VM devices, this property can be used to ensure
3524 this connection only applies to the network device that uses these
3525 subchannels. The list should contain exactly 3 strings, and each
3526 string may only be composed of hexadecimal characters and the
3527 period (.) character.
3528
3529 Format: array of string
3530
3531 speed
3532 When a value greater than 0 is set, configures the device to use
3533 the specified speed. If "auto-negotiate" is "yes" the specified
3534 speed will be the only one advertised during link negotiation: this
3535 works only for BASE-T 802.3 specifications and is useful for
3536 enforcing gigabit speeds, as in this case link negotiation is
3537 mandatory. If the value is unset (0, the default), the link
3538 configuration will be either skipped (if "auto-negotiate" is "no",
3539 the default) or will be auto-negotiated (if "auto-negotiate" is
3540 "yes") and the local device will advertise all the supported
3541 speeds. The value is in Mbit/s, e.g. 100 means 100 Mbit/s. Must be
3542 set together with the "duplex" property when non-zero. Before
3543 specifying a speed value be sure your device supports it.
3544
3545 Format: uint32
3546
3547 wake-on-lan
3548 The NMSettingWiredWakeOnLan options to enable. Not all devices
3549 support all options. May be any combination of
3550 NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
3551 NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
3552 NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
3553 NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
3554 NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
3555 NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
3556 NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
3557 and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
3558 management of Wake-on-LAN in NetworkManager).
3559
3560 Format: uint32
3561
3562 wake-on-lan-password
3563 If specified, the password used with magic-packet-based
3564 Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
3565 password will be required.
3566
3567 Format: string
3568
3569 wireguard setting
3570 WireGuard Settings.
3571
3572 Properties:
3573
3574 fwmark
3575 The use of fwmark is optional and is by default off. Setting it to
3576 0 disables it. Otherwise it is a 32-bit fwmark for outgoing
3577 packets. Note that enabling "ip4-auto-default-route" or
3578 "ip6-auto-default-route" implies that a fwmark is chosen
3579 automatically.
3580
3581 Format: uint32
3582
3583 ip4-auto-default-route
3584 Whether to enable special handling of the IPv4 default route. If
3585 enabled, the IPv4 default route from wireguard.peer-routes will be
3586 placed in a dedicated routing table and two policy routing rules
3587 will be added. The fwmark number is also used as the routing table for
3588 the default-route, and if fwmark is zero, an unused fwmark/table is
3589 chosen automatically. This corresponds to what wg-quick does with
3590 Table=auto and what WireGuard calls "Improved Rule-based Routing".
3591 Note that for this automatism to work, you usually don't want to
3592 set ipv4.gateway, because that will result in a conflicting default
3593 route. Leaving this at the default will enable this option
3594 automatically if ipv4.never-default is not set and there are any
3595 peers that use a default-route as allowed-ips.
3596
3597 Format: NMTernary (int32)
3598
3599 ip6-auto-default-route
3600 Like ip4-auto-default-route, but for the IPv6 default route.
3601
3602 Format: NMTernary (int32)
3603
3604 listen-port
3605 The listen-port. If listen-port is not specified, the port will be
3606 chosen randomly when the interface comes up.
3607
3608 Format: uint32
3609
3610 mtu
3611 If non-zero, only transmit packets of the specified size or
3612 smaller, breaking larger packets up into multiple fragments. If
3613 zero a default MTU is used. Note that contrary to wg-quick's MTU
3614 setting, this does not take into account the current routes at the
3615 time of activation.
3616
3617 Format: uint32
3618
3619 peer-routes
3620 Whether to automatically add routes for the AllowedIPs ranges of
3621 the peers. If TRUE (the default), NetworkManager will automatically
3622 add routes in the routing tables according to ipv4.route-table and
3623 ipv6.route-table. Usually you want this automatism enabled. If
3624 FALSE, no such routes are added automatically. In this case, the
3625 user may want to configure static routes in ipv4.routes and
3626 ipv6.routes, respectively. Note that if the peer's AllowedIPs is
3627 "0.0.0.0/0" or "::/0" and the profile's ipv4.never-default or
3628 ipv6.never-default setting is enabled, the peer route for this peer
3629 won't be added automatically.
3630
3631 Format: boolean
3632
3633 private-key
3634 The 256 bit private-key in base64 encoding.
3635
3636 Format: string
3637
3638 private-key-flags
3639 Flags indicating how to handle the "private-key" property. See the
3640 section called “Secret flag types:” for flag values.
3641
3642 Format: NMSettingSecretFlags (uint32)
3643
3644 802-11-wireless setting
3645 Alias: wifi
3646
3647 Wi-Fi Settings.
3648
3649 Properties:
3650
3651 band
3652 802.11 frequency band of the network. One of "a" for 5GHz 802.11a
3653 or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
3654 network to the specific band, i.e. if "a" is specified, the device
3655 will not associate with the same network in the 2.4GHz band even if
3656 the network's settings are compatible. This setting depends on
3657 specific driver capability and may not work with all drivers.
3658
3659 Format: string
3660
3661 bssid
3662 If specified, directs the device to only associate with the given
3663 access point. This capability is highly driver dependent and not
3664 supported by all devices. Note: this property does not control the
3665 BSSID used when creating an Ad-Hoc network and is unlikely to in
3666 the future.
3667
3668 Format: byte array
3669
3670 channel
3671 Wireless channel to use for the Wi-Fi connection. The device will
3672 only join (or create for Ad-Hoc networks) a Wi-Fi network on the
3673 specified channel. Because channel numbers overlap between bands,
3674 this property also requires the "band" property to be set.
3675
3676 Format: uint32
3677
3678 cloned-mac-address
3679 Alias: cloned-mac
3680
3681 If specified, request that the device use this MAC address instead.
3682 This is known as MAC cloning or spoofing. Besides explicitly
3683 specifying a MAC address, the special values "preserve",
3684 "permanent", "random" and "stable" are supported. "preserve" means
3685 not to touch the MAC address on activation. "permanent" means to
3686 use the permanent hardware address of the device. "random" creates
3687 a random MAC address on each connect. "stable" creates a hashed MAC
3688 address based on connection.stable-id and a machine dependent key.
3689 If unspecified, the value can be overwritten via global defaults,
3690 see manual of NetworkManager.conf. If still unspecified, it
3691 defaults to "preserve" (older versions of NetworkManager may use a
3692 different default value). On D-Bus, this field is expressed as
3693 "assigned-mac-address" or the deprecated "cloned-mac-address".
3694
3695 Format: byte array
3696
generate-mac-address-mask
With "cloned-mac-address" set to "random" or "stable", by default
all bits of the MAC address are scrambled and a
locally-administered, unicast MAC address is created. This property
allows specifying that certain bits are fixed. Note that the least
significant bit of the first octet of the MAC address will always
be unset to create a unicast MAC address. If the property is NULL,
it is eligible to be overwritten by a default connection setting.
If the value is still NULL or an empty string, the default is to
create a locally-administered, unicast MAC address. If the value
contains one MAC address, this address is used as mask. The set
bits of the mask are to be filled with the current MAC address of
the device, while the unset bits are subject to randomization.
Setting "FE:FF:FF:00:00:00" means to preserve the OUI of the
current MAC address and only randomize the lower 3 bytes using the
"random" or "stable" algorithm. If the value contains one
additional MAC address after the mask, this address is used instead
of the current MAC address to fill the bits that shall not be
randomized. For example, a value of
"FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC
address to 68:F7:28, while the lower bits are randomized. A value
of "02:00:00:00:00:00 00:00:00:00:00:00" will create a fully
scrambled globally-administered, burned-in MAC address. If the
value contains more than one additional MAC address, one of them is
chosen randomly. For example,
"02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
a fully scrambled MAC address, randomly locally or globally
administered.

Format: string

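The mask rules above, worked through as an added Python model (not NetworkManager's own code). It covers the "random" case only; the function names, the injectable rand and choose parameters, and the encoding of the NULL/empty default as a mask are assumptions made for the illustration.

```python
import re
import secrets

# Assumed encoding of the NULL/empty default: only the locally-administered
# bit (0x02 of the first octet) is fixed, and it is fixed to 1.
DEFAULT_MASK = "02:00:00:00:00:00 02:00:00:00:00:00"
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}")


def parse_mac(text):
    """Parse hex-digits-and-colons notation into 6 bytes."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in text.split(":"))


def generate_mac(mask_value, current_mac, rand=None, choose=secrets.choice):
    """Model of generate-mac-address-mask for cloned-mac-address=random.

    mask_value  -- property value: None, "", or "MASK [MAC ...]"
    current_mac -- the device's current MAC address
    rand        -- 6 random bytes (injectable so results can be checked)
    choose      -- picks one entry when several fill addresses are listed
    """
    tokens = (mask_value or "").split() or DEFAULT_MASK.split()
    mask = parse_mac(tokens[0])
    # Set bits of the mask come from a listed address, or from the device's
    # current MAC address when no address follows the mask.
    fills = [parse_mac(t) for t in tokens[1:]] or [parse_mac(current_mac)]
    fill = choose(fills)
    rand = secrets.token_bytes(6) if rand is None else rand
    out = bytearray((f & m) | (r & ~m & 0xFF)
                    for f, m, r in zip(fill, mask, rand))
    out[0] &= 0xFE  # the unicast bit is always cleared
    return ":".join(f"{b:02X}" for b in out)


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set."""
    return bool(parse_mac(mac)[0] & 0x02)


if __name__ == "__main__":
    device = "68:F7:28:12:34:56"  # constructed sample address
    for value in (None, "FE:FF:FF:00:00:00",
                  "FE:FF:FF:00:00:00 68:F7:28:00:00:00",
                  "02:00:00:00:00:00 00:00:00:00:00:00"):
        print(repr(value), "->", generate_mac(value, device))
```
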
hidden
If TRUE, indicates that the network is a non-broadcasting network
that hides its SSID. This works both in infrastructure and AP mode.
In infrastructure mode, various workarounds are used for a more
reliable discovery of hidden networks, such as probe-scanning the
SSID. However, these workarounds expose inherent insecurities with
hidden SSID networks, and thus hidden SSID networks should be used
with caution. In AP mode, the created network does not broadcast
its SSID. Note that marking the network as hidden may be a privacy
issue for you (in infrastructure mode) or client stations (in AP
mode), as the explicit probe-scans are distinctly recognizable on
the air.

Format: boolean

mac-address
Alias: mac

If specified, this connection will only apply to the Wi-Fi device
whose permanent MAC address matches. This property does not change
the MAC address of the device (i.e. MAC spoofing).

Format: byte array

mac-address-blacklist
A list of permanent MAC addresses of Wi-Fi devices to which this
connection should never apply. Each MAC address should be given in
the standard hex-digits-and-colons notation (e.g.
"00:11:22:33:44:55").

Format: array of string

mac-address-randomization
One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
unless the user has set a global default to randomize and the
supplicant supports randomization),
NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
randomize the MAC address). This property is deprecated in favor of
'cloned-mac-address'. Deprecated: 1

Format: uint32

mode
Alias: mode

Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
"ap". If blank, infrastructure is assumed.

Format: string

mtu
Alias: mtu

If non-zero, only transmit packets of the specified size or
smaller, breaking larger packets up into multiple Ethernet frames.

Format: uint32

powersave
One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
(don't touch the currently configured setting) or
NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
configured value). All other values are reserved.

Format: uint32

rate
If non-zero, directs the device to only use the specified bitrate
for communication with the access point. Units are in Kb/s, i.e.
5500 = 5.5 Mbit/s. This property is highly driver dependent and not
all devices support setting a static bitrate.

Format: uint32

seen-bssids
A list of BSSIDs (each BSSID formatted as a MAC address like
"00:11:22:33:44:55") that have been detected as part of the Wi-Fi
network. NetworkManager internally tracks previously seen BSSIDs.
The property is only meant for reading and reflects the BSSID list
of NetworkManager. The changes you make to this property will not
be preserved.

Format: array of string

ssid
Alias: ssid

SSID of the Wi-Fi network. Must be specified.

Format: byte array

tx-power
If non-zero, directs the device to use the specified transmit
power. Units are dBm. This property is highly driver dependent and
not all devices support setting a static transmit power.

Format: uint32

wake-on-wlan
The NMSettingWirelessWakeOnWLan options to enable. Not all devices
support all options. May be any combination of
NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
disable management of Wake-on-LAN in NetworkManager).

Format: uint32

802-11-wireless-security setting
Alias: wifi-sec

Wi-Fi Security Settings.

Properties:

auth-alg
When WEP is used (i.e., key-mgmt = "none" or "ieee8021x") indicate
the 802.11 authentication algorithm required by the AP here. One of
"open" for Open System, "shared" for Shared Key, or "leap" for
Cisco LEAP. When using Cisco LEAP (i.e., key-mgmt = "ieee8021x" and
auth-alg = "leap") the "leap-username" and "leap-password"
properties must be specified.

Format: string

fils
Indicates whether Fast Initial Link Setup (802.11ai) must be
enabled for the connection. One of
NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
if the supplicant and the access point support it) or
NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
fail if not supported). When set to
NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
is set, FILS will be optionally enabled.

Format: int32

group
A list of group/broadcast encryption algorithms which prevents
connections to Wi-Fi networks that do not utilize one of the
algorithms in the list. For maximum compatibility leave this
property empty. Each list element may be one of "wep40", "wep104",
"tkip", or "ccmp".

Format: array of string

key-mgmt
Key management used for the connection. One of "none" (WEP),
"ieee8021x" (Dynamic WEP), "wpa-psk" (infrastructure WPA-PSK),
"sae" (SAE), "owe" (Opportunistic Wireless Encryption) or "wpa-eap"
(WPA-Enterprise). This property must be set for any Wi-Fi
connection that uses security.

Format: string

leap-password
The login password for legacy LEAP connections (i.e., key-mgmt =
"ieee8021x" and auth-alg = "leap").

Format: string

leap-password-flags
Flags indicating how to handle the "leap-password" property. See
the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

leap-username
The login username for legacy LEAP connections (i.e., key-mgmt =
"ieee8021x" and auth-alg = "leap").

Format: string

pairwise
A list of pairwise encryption algorithms which prevents connections
to Wi-Fi networks that do not utilize one of the algorithms in the
list. For maximum compatibility leave this property empty. Each
list element may be one of "tkip" or "ccmp".

Format: array of string

pmf
Indicates whether Protected Management Frames (802.11w) must be
enabled for the connection. One of
NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
supplicant and the access point support it) or
NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
if not supported). When set to
NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
is set, PMF will be optionally enabled.

Format: int32

proto
List of strings specifying the allowed WPA protocol versions to
use. Each element may be one of "wpa" (allow WPA) or "rsn" (allow
WPA2/RSN). If not specified, both WPA and RSN connections are
allowed.

Format: array of string

psk
Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
passphrase of 8 to 63 characters that is (as specified in the
802.11i standard) hashed to derive the actual key, or the key in
the form of 64 hexadecimal characters. WPA3-Personal networks use a
passphrase of any length for SAE authentication.

Format: string

psk-flags
Flags indicating how to handle the "psk" property. See the section
called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

wep-key-flags
Flags indicating how to handle the "wep-key0", "wep-key1",
"wep-key2", and "wep-key3" properties. See the section called
“Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

wep-key-type
Controls the interpretation of WEP keys. Allowed values are
NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
26-character hexadecimal string, or a 5- or 13-character ASCII
password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
passphrase is provided as a string and will be hashed using the
de-facto MD5 method to derive the actual WEP key.

Format: NMWepKeyType (uint32)

wep-key0
Index 0 WEP key. This is the WEP key used in most networks. See the
"wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-key1
Index 1 WEP key. This WEP index is not used by most networks. See
the "wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-key2
Index 2 WEP key. This WEP index is not used by most networks. See
the "wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-key3
Index 3 WEP key. This WEP index is not used by most networks. See
the "wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-tx-keyidx
When static WEP is used (i.e., key-mgmt = "none") and a non-default
WEP key index is used by the AP, put that WEP key index here. Valid
values are 0 (default key) through 3. Note that some consumer
access points (like the Linksys WRT54G) number the keys 1 - 4.

Format: uint32

wps-method
Flags indicating which mode of WPS is to be used if any. There's
little point in changing the default setting as NetworkManager will
automatically determine whether it's feasible to start WPS
enrollment from the Access Point capabilities. WPS can be disabled
by setting this property to a value of 1.

Format: uint32

wpan setting
IEEE 802.15.4 (WPAN) MAC Settings.

Properties:

channel
Alias: channel

IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
set, use whatever the device is already set to".

Format: int32

mac-address
Alias: mac

If specified, this connection will only apply to the IEEE 802.15.4
(WPAN) MAC layer device whose permanent MAC address matches.

Format: string

page
Alias: page

IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
not set, use whatever the device is already set to".

Format: int32

pan-id
Alias: pan-id

IEEE 802.15.4 Personal Area Network (PAN) identifier.

Format: uint32

short-address
Alias: short-addr

Short IEEE 802.15.4 address to be used within a restricted
environment.

Format: uint32

Secret flag types:
Each password or secret property in a setting has an associated flags
property that describes how to handle that secret. The flags property
is a bitfield that contains zero or more of the following values
logically OR-ed together.

· 0x0 (none) - the system is responsible for providing and storing
this secret. This may be required so that secrets are already
available before the user logs in. It also commonly means that the
secret will be stored in plain text on disk, accessible to root
only. For example via the keyfile settings plugin as described in
the "PLUGINS" section in NetworkManager.conf(5).

· 0x1 (agent-owned) - a user-session secret agent is responsible for
providing and storing this secret; when it is required, agents will
be asked to provide it.

· 0x2 (not-saved) - this secret should not be saved but should be
requested from the user each time it is required. This flag should
be used for One-Time-Pad secrets, PIN codes from hardware tokens,
or if the user simply does not want to save the secret.

· 0x4 (not-required) - in some situations it cannot be automatically
determined whether a secret is required or not. This flag hints
that the secret is not required and should not be requested from
the user.

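An added Python example (not part of NetworkManager) that decodes the secret flags bitfield described above and reviews an 802-11-wireless-security setting against the property values documented earlier on this page. The dict layout, the function names and the two sample profiles are assumptions constructed for the illustration; treating an absent flags property as 0 is also an assumption.

```python
SECRET_FLAGS = {0x1: "agent-owned", 0x2: "not-saved", 0x4: "not-required"}
LEGACY_CIPHERS = {"wep40", "wep104", "tkip"}  # deprecated by IEEE 802.11
# Values each cipher list may contain, per the property descriptions.
CIPHER_VALUES = {"pairwise": ["tkip", "ccmp"],
                 "group": ["wep40", "wep104", "tkip", "ccmp"]}


def decode_secret_flags(value):
    """Decode an NMSettingSecretFlags bitfield into flag names."""
    if value & ~0x7:
        raise ValueError(f"unknown secret flag bits in {value:#x}")
    return [n for bit, n in SECRET_FLAGS.items() if value & bit] or ["none"]


def audit_wifi_security(props):
    """Return findings for one 802-11-wireless-security setting (a dict)."""
    findings = []
    key_mgmt = props.get("key-mgmt")
    if key_mgmt is None:
        findings.append("key-mgmt unset: connection uses no Wi-Fi security")
    elif key_mgmt in ("none", "ieee8021x"):
        findings.append(f"key-mgmt={key_mgmt}: WEP-based key management")
    elif key_mgmt in ("wpa-psk", "wpa-eap"):
        # An unspecified proto allows both WPA and RSN.
        if "wpa" in (props.get("proto") or ["wpa", "rsn"]):
            findings.append("proto allows legacy WPA; set proto=rsn")
        for prop, every in CIPHER_VALUES.items():
            # An empty list places no restriction on the cipher.
            weak = [c for c in (props.get(prop) or every) if c in LEGACY_CIPHERS]
            if weak:
                findings.append(f"{prop} permits {','.join(weak)}; set {prop}=ccmp")
    if props.get("pmf", 0) == 1:
        findings.append("pmf=1: Protected Management Frames disabled")
    # wep-key-flags covers wep-key0..3; a missing flags property is assumed 0.
    for secret, flags_prop in (("psk", "psk-flags"),
                               ("leap-password", "leap-password-flags"),
                               ("wep-key0", "wep-key-flags")):
        flags = decode_secret_flags(props.get(flags_prop, 0))
        if secret in props and flags == ["none"]:
            findings.append(f"{secret}: flags 0x0, stored by the system on disk")
    return findings


# Constructed sample profiles (not taken from a real system).
LEGACY = {"key-mgmt": "wpa-psk", "psk": "constructed-passphrase", "pmf": 1,
          "pairwise": ["tkip", "ccmp"]}
HARDENED = {"key-mgmt": "sae", "psk": "constructed-passphrase",
            "psk-flags": 0x1, "pmf": 3}

if __name__ == "__main__":
    for name, profile in (("LEGACY", LEGACY), ("HARDENED", HARDENED)):
        print(name, audit_wifi_security(profile) or "no findings")
```
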
FILES
/etc/NetworkManager/system-connections or distro plugin-specific
location

SEE ALSO
nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
nm-settings-keyfile(5), NetworkManager.conf(5)

NetworkManager 1.26.6 NM-SETTINGS-NMCLI(5)