1NM-SETTINGS-NMCLI(5)             Configuration            NM-SETTINGS-NMCLI(5)
2
3
4

NAME

6       nm-settings-nmcli - Description of settings and properties of
7       NetworkManager connection profiles for nmcli
8

DESCRIPTION

10       NetworkManager is based on a concept of connection profiles, sometimes
11       referred to as connections only. These connection profiles contain a
12       network configuration. When NetworkManager activates a connection
13       profile on a network device the configuration will be applied and an
14       active network connection will be established. Users are free to create
15       as many connection profiles as they see fit. Thus they are flexible in
16       having various network configurations for different networking needs.
17
18       NetworkManager provides an API for configuring connection profiles, for
19       activating them to configure the network, and inspecting the current
20       network configuration. The command line tool nmcli is a client
21       application to NetworkManager that uses this API. See nmcli(1) for
22       details.
23
24       With commands like nmcli connection add, nmcli connection modify and
25       nmcli connection show, connection profiles can be created, modified and
26       inspected. A profile consists of properties. On D-Bus this follows the
27       format as described by nm-settings-dbus(5), while this manual page
28       describes the settings format how they are expected by nmcli.
29
30       The settings and properties shown in tables below list all available
31       connection configuration options. However, note that not all settings
32       are applicable to all connection types.  nmcli connection editor has
33       also a built-in describe command that can display description of
34       particular settings and properties of this page.
35
36       The setting and property can be abbreviated provided they are unique.
37       The list below also shows aliases that can be used unqualified instead
38       of the full name. For example connection.interface-name and ifname
39       refer to the same property.
40
41   connection setting
42       General Connection Profile Settings.
43
44       Properties:
45
46       auth-retries
47           The number of retries for the authentication. Zero means to try
48           indefinitely; -1 means to use a global default. If the global
49           default is not set, the authentication retries for 3 times before
50           failing the connection. Currently this only applies to 802-1x
51           authentication.
52
53           Format: int32
54
55       autoconnect
56           Alias: autoconnect
57
58           Whether or not the connection should be automatically connected by
59           NetworkManager when the resources for the connection are available.
60           TRUE to automatically activate the connection, FALSE to require
61           manual intervention to activate the connection. Note that
62           autoconnect is not implemented for VPN profiles. See "secondaries"
63           as an alternative to automatically connect VPN profiles.
64
65           Format: boolean
66
67       autoconnect-priority
68           The autoconnect priority. If the connection is set to autoconnect,
69           connections with higher priority will be preferred. Defaults to 0.
70           The higher number means higher priority.
71
72           Format: int32
73
74       autoconnect-retries
75           The number of times a connection should be tried when
76           autoactivating before giving up. Zero means forever, -1 means the
77           global default (4 times if not overridden). Setting this to 1 means
78           to try activation only once before blocking autoconnect. Note that
79           after a timeout, NetworkManager will try to autoconnect again.
80
81           Format: int32
82
83       autoconnect-slaves
84           Whether or not slaves of this connection should be automatically
85           brought up when NetworkManager activates this connection. This only
86           has a real effect for master connections. The properties
87           "autoconnect", "autoconnect-priority" and "autoconnect-retries" are
88           unrelated to this setting. The permitted values are: 0: leave slave
89           connections untouched, 1: activate all the slave connections with
90           this connection, -1: default. If -1 (default) is set, global
91           connection.autoconnect-slaves is read to determine the real value.
92           If it is default as well, this fallbacks to 0.
93
94           Format: NMSettingConnectionAutoconnectSlaves (int32)
95
96       gateway-ping-timeout
97           If greater than zero, delay success of IP addressing until either
98           the timeout is reached, or an IP gateway replies to a ping.
99
100           Format: uint32
101
102       id
103           Alias: con-name
104
105           A human readable unique identifier for the connection, like "Work
106           Wi-Fi" or "T-Mobile 3G".
107
108           Format: string
109
110       interface-name
111           Alias: ifname
112
113           The name of the network interface this connection is bound to. If
114           not set, then the connection can be attached to any interface of
115           the appropriate type (subject to restrictions imposed by other
116           settings). For software devices this specifies the name of the
117           created device. For connection types where interface names cannot
118           easily be made persistent (e.g. mobile broadband or USB Ethernet),
119           this property should not be used. Setting this property restricts
120           the interfaces a connection can be used with, and if interface
121           names change or are reordered the connection may be applied to the
122           wrong interface.
123
124           Format: string
125
126       lldp
127           Whether LLDP is enabled for the connection.
128
129           Format: int32
130
131       llmnr
132           Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
133           the connection. LLMNR is a protocol based on the Domain Name System
134           (DNS) packet format that allows both IPv4 and IPv6 hosts to perform
135           name resolution for hosts on the same local link. The permitted
136           values are: "yes" (2) register hostname and resolving for the
137           connection, "no" (0) disable LLMNR for the interface, "resolve" (1)
138           do not register hostname but allow resolving of LLMNR host names If
139           unspecified, "default" ultimately depends on the DNS plugin (which
140           for systemd-resolved currently means "yes"). This feature requires
141           a plugin which supports LLMNR. Otherwise the setting has no effect.
142           One such plugin is dns-systemd-resolved.
143
144           Format: int32
145
146       master
147           Alias: master
148
149           Interface name of the master device or UUID of the master
150           connection.
151
152           Format: string
153
154       mdns
155           Whether mDNS is enabled for the connection. The permitted values
156           are: "yes" (2) register hostname and resolving for the connection,
157           "no" (0) disable mDNS for the interface, "resolve" (1) do not
158           register hostname but allow resolving of mDNS host names and
159           "default" (-1) to allow lookup of a global default in
160           NetworkManager.conf. If unspecified, "default" ultimately depends
161           on the DNS plugin (which for systemd-resolved currently means
162           "no"). This feature requires a plugin which supports mDNS.
163           Otherwise the setting has no effect. One such plugin is
164           dns-systemd-resolved.
165
166           Format: int32
167
168       metered
169           Whether the connection is metered. When updating this property on a
170           currently activated connection, the change takes effect
171           immediately.
172
173           Format: NMMetered (int32)
174
175       mud-url
176           If configured, set to a Manufacturer Usage Description (MUD) URL
177           that points to manufacturer-recommended network policies for IoT
178           devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
179           must be a valid URL starting with "https://". The special value
180           "none" is allowed to indicate that no MUD URL is used. If the
181           per-profile value is unspecified (the default), a global connection
182           default gets consulted. If still unspecified, the ultimate default
183           is "none".
184
185           Format: string
186
187       multi-connect
188           Specifies whether the profile can be active multiple times at a
189           particular moment. The value is of type NMConnectionMultiConnect.
190
191           Format: int32
192
193       permissions
194           An array of strings defining what access a given user has to this
195           connection. If this is NULL or empty, all users are allowed to
196           access this connection; otherwise users are allowed if and only if
197           they are in this list. When this is not empty, the connection can
198           be active only when one of the specified users is logged into an
199           active session. Each entry is of the form "[type]:[id]:[reserved]";
200           for example, "user:dcbw:blah". At this time only the "user" [type]
201           is allowed. Any other values are ignored and reserved for future
202           use. [id] is the username that this permission refers to, which may
203           not contain the ":" character. Any [reserved] information present
204           must be ignored and is reserved for future use. All of [type],
205           [id], and [reserved] must be valid UTF-8.
206
207           Format: array of string
208
209       read-only
210           FALSE if the connection can be modified using the provided settings
211           service's D-Bus interface with the right privileges, or TRUE if the
212           connection is read-only and cannot be modified.
213
214           Format: boolean
215
216       secondaries
217           List of connection UUIDs that should be activated when the base
218           connection itself is activated. Currently only VPN connections are
219           supported.
220
221           Format: array of string
222
223       slave-type
224           Alias: slave-type
225
226           Setting name of the device type of this slave's master connection
227           (eg, "bond"), or NULL if this connection is not a slave.
228
229           Format: string
230
231       stable-id
232           This represents the identity of the connection used for various
233           purposes. It allows to configure multiple profiles to share the
234           identity. Also, the stable-id can contain placeholders that are
235           substituted dynamically and deterministically depending on the
236           context. The stable-id is used for generating IPv6 stable private
237           addresses with ipv6.addr-gen-mode=stable-privacy. It is also used
238           to seed the generated cloned MAC address for
239           ethernet.cloned-mac-address=stable and
240           wifi.cloned-mac-address=stable. It is also used as DHCP client
241           identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
242           DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid]. Note that depending
243           on the context where it is used, other parameters are also seeded
244           into the generation algorithm. For example, a per-host key is
245           commonly also included, so that different systems end up generating
246           different IDs. Or with ipv6.addr-gen-mode=stable-privacy, also the
247           device's name is included, so that different interfaces yield
248           different addresses. The '$' character is treated special to
249           perform dynamic substitutions at runtime. Currently supported are
250           "${CONNECTION}", "${DEVICE}", "${MAC}", "${BOOT}", "${RANDOM}".
251           These effectively create unique IDs per-connection, per-device,
252           per-boot, or every time. Note that "${DEVICE}" corresponds to the
253           interface name of the device and "${MAC}" is the permanent MAC
254           address of the device. Any unrecognized patterns following '$' are
255           treated verbatim, however are reserved for future use. You are thus
256           advised to avoid '$' or escape it as "$$". For example, set it to
257           "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
258           connection that changes with every reboot and differs depending on
259           the interface where the profile activates. If the value is unset, a
260           global connection default is consulted. If the value is still
261           unset, the default is similar to "${CONNECTION}" and uses a unique,
262           fixed ID for the connection.
263
264           Format: string
265
266       timestamp
267           The time, in seconds since the Unix Epoch, that the connection was
268           last _successfully_ fully activated. NetworkManager updates the
269           connection timestamp periodically when the connection is active to
270           ensure that an active connection has the latest timestamp. The
271           property is only meant for reading (changes to this property will
272           not be preserved).
273
274           Format: uint64
275
276       type
277           Alias: type
278
279           Base type of the connection. For hardware-dependent connections,
280           should contain the setting name of the hardware-type specific
281           setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth",
282           etc), and for non-hardware dependent connections like VPN or
283           otherwise, should contain the setting name of that setting type
284           (ie, "vpn" or "bridge", etc).
285
286           Format: string
287
288       uuid
289           A universally unique identifier for the connection, for example
290           generated with libuuid. It should be assigned when the connection
291           is created, and never changed as long as the connection still
292           applies to the same network. For example, it should not be changed
293           when the "id" property or NMSettingIP4Config changes, but might
294           need to be re-created when the Wi-Fi SSID, mobile broadband network
295           provider, or "type" property changes. The UUID must be in the
296           format "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only
297           hexadecimal characters and "-").
298
299           Format: string
300
301       wait-device-timeout
302           Timeout in milliseconds to wait for device at startup. During boot,
303           devices may take a while to be detected by the driver. This
304           property will cause to delay NetworkManager-wait-online.service and
305           nm-online to give the device a chance to appear. This works by
306           waiting for the given timeout until a compatible device for the
307           profile is available and managed. The value 0 means no wait time.
308           The default value is -1, which currently has the same meaning as no
309           wait time.
310
311           Format: int32
312
313       zone
314           The trust level of a the connection. Free form case-insensitive
315           string (for example "Home", "Work", "Public"). NULL or unspecified
316           zone means the connection will be placed in the default zone as
317           defined by the firewall. When updating this property on a currently
318           activated connection, the change takes effect immediately.
319
320           Format: string
321
322   6lowpan setting
323       6LoWPAN Settings.
324
325       Properties:
326
327       parent
328           Alias: dev
329
330           If given, specifies the parent interface name or parent connection
331           UUID from which this 6LowPAN interface should be created.
332
333           Format: string
334
335   802-1x setting
336       IEEE 802.1x Authentication Settings.
337
338       Properties:
339
340       altsubject-matches
341           List of strings to be matched against the altSubjectName of the
342           certificate presented by the authentication server. If the list is
343           empty, no verification of the server certificate's altSubjectName
344           is performed.
345
346           Format: array of string
347
348       anonymous-identity
349           Anonymous identity string for EAP authentication methods. Used as
350           the unencrypted identity with EAP types that support different
351           tunneled identity like EAP-TTLS.
352
353           Format: string
354
355       auth-timeout
356           A timeout for the authentication. Zero means the global default; if
357           the global default is not set, the authentication timeout is 25
358           seconds.
359
360           Format: int32
361
362       ca-cert
363           Contains the CA certificate if used by the EAP method specified in
364           the "eap" property. Certificate data is specified using a "scheme";
365           three are currently supported: blob, path and pkcs#11 URL. When
366           using the blob scheme this property should be set to the
367           certificate's DER encoded data. When using the path scheme, this
368           property should be set to the full UTF-8 encoded path of the
369           certificate, prefixed with the string "file://" and ending with a
370           terminating NUL byte. This property can be unset even if the EAP
371           method supports CA certificates, but this allows man-in-the-middle
372           attacks and is NOT recommended. Note that enabling
373           NMSetting8021x:system-ca-certs will override this setting to use
374           the built-in path, if the built-in path is not a directory.
375
376           Format: byte array
377
378       ca-cert-password
379           The password used to access the CA certificate stored in "ca-cert"
380           property. Only makes sense if the certificate is stored on a
381           PKCS#11 token that requires a login.
382
383           Format: string
384
385       ca-cert-password-flags
386           Flags indicating how to handle the "ca-cert-password" property. See
387           the section called “Secret flag types:” for flag values.
388
389           Format: NMSettingSecretFlags (uint32)
390
391       ca-path
392           UTF-8 encoded path to a directory containing PEM or DER formatted
393           certificates to be added to the verification chain in addition to
394           the certificate specified in the "ca-cert" property. If
395           NMSetting8021x:system-ca-certs is enabled and the built-in CA path
396           is an existing directory, then this setting is ignored.
397
398           Format: string
399
400       client-cert
401           Contains the client certificate if used by the EAP method specified
402           in the "eap" property. Certificate data is specified using a
403           "scheme"; two are currently supported: blob and path. When using
404           the blob scheme (which is backwards compatible with NM 0.7.x) this
405           property should be set to the certificate's DER encoded data. When
406           using the path scheme, this property should be set to the full
407           UTF-8 encoded path of the certificate, prefixed with the string
408           "file://" and ending with a terminating NUL byte.
409
410           Format: byte array
411
412       client-cert-password
413           The password used to access the client certificate stored in
414           "client-cert" property. Only makes sense if the certificate is
415           stored on a PKCS#11 token that requires a login.
416
417           Format: string
418
419       client-cert-password-flags
420           Flags indicating how to handle the "client-cert-password" property.
421           See the section called “Secret flag types:” for flag values.
422
423           Format: NMSettingSecretFlags (uint32)
424
425       domain-match
426           Constraint for server domain name. If set, this list of FQDNs is
427           used as a match requirement for dNSName element(s) of the
428           certificate presented by the authentication server. If a matching
429           dNSName is found, this constraint is met. If no dNSName values are
430           present, this constraint is matched against SubjectName CN using
431           the same comparison. Multiple valid FQDNs can be passed as a ";"
432           delimited list.
433
434           Format: string
435
436       domain-suffix-match
437           Constraint for server domain name. If set, this FQDN is used as a
438           suffix match requirement for dNSName element(s) of the certificate
439           presented by the authentication server. If a matching dNSName is
440           found, this constraint is met. If no dNSName values are present,
441           this constraint is matched against SubjectName CN using same suffix
442           match comparison. Since version 1.24, multiple valid FQDNs can be
443           passed as a ";" delimited list.
444
445           Format: string
446
447       eap
448           The allowed EAP method to be used when authenticating to the
449           network with 802.1x. Valid methods are: "leap", "md5", "tls",
450           "peap", "ttls", "pwd", and "fast". Each method requires different
451           configuration using the properties of this setting; refer to
452           wpa_supplicant documentation for the allowed combinations.
453
454           Format: array of string
455
456       identity
457           Identity string for EAP authentication methods. Often the user's
458           user or login name.
459
460           Format: string
461
462       optional
463           Whether the 802.1X authentication is optional. If TRUE, the
464           activation will continue even after a timeout or an authentication
465           failure. Setting the property to TRUE is currently allowed only for
466           Ethernet connections. If set to FALSE, the activation can continue
467           only after a successful authentication.
468
469           Format: boolean
470
471       pac-file
472           UTF-8 encoded file path containing PAC for EAP-FAST.
473
474           Format: string
475
476       password
477           UTF-8 encoded password used for EAP authentication methods. If both
478           the "password" property and the "password-raw" property are
479           specified, "password" is preferred.
480
481           Format: string
482
483       password-flags
484           Flags indicating how to handle the "password" property. See the
485           section called “Secret flag types:” for flag values.
486
487           Format: NMSettingSecretFlags (uint32)
488
489       password-raw
490           Password used for EAP authentication methods, given as a byte array
491           to allow passwords in other encodings than UTF-8 to be used. If
492           both the "password" property and the "password-raw" property are
493           specified, "password" is preferred.
494
495           Format: byte array
496
497       password-raw-flags
498           Flags indicating how to handle the "password-raw" property. See the
499           section called “Secret flag types:” for flag values.
500
501           Format: NMSettingSecretFlags (uint32)
502
503       phase1-auth-flags
504           Specifies authentication flags to use in "phase 1" outer
505           authentication using NMSetting8021xAuthFlags options. The
506           individual TLS versions can be explicitly disabled. If a certain
507           TLS disable flag is not set, it is up to the supplicant to allow or
508           forbid it. The TLS options map to tls_disable_tlsv1_x settings. See
509           the wpa_supplicant documentation for more details.
510
511           Format: uint32
512
513       phase1-fast-provisioning
514           Enables or disables in-line provisioning of EAP-FAST credentials
515           when FAST is specified as the EAP method in the "eap" property.
516           Recognized values are "0" (disabled), "1" (allow unauthenticated
517           provisioning), "2" (allow authenticated provisioning), and "3"
518           (allow both authenticated and unauthenticated provisioning). See
519           the wpa_supplicant documentation for more details.
520
521           Format: string
522
523       phase1-peaplabel
524           Forces use of the new PEAP label during key derivation. Some RADIUS
525           servers may require forcing the new PEAP label to interoperate with
526           PEAPv1. Set to "1" to force use of the new PEAP label. See the
527           wpa_supplicant documentation for more details.
528
529           Format: string
530
531       phase1-peapver
532           Forces which PEAP version is used when PEAP is set as the EAP
533           method in the "eap" property. When unset, the version reported by
534           the server will be used. Sometimes when using older RADIUS servers,
535           it is necessary to force the client to use a particular PEAP
536           version. To do so, this property may be set to "0" or "1" to force
537           that specific PEAP version.
538
539           Format: string
540
541       phase2-altsubject-matches
542           List of strings to be matched against the altSubjectName of the
543           certificate presented by the authentication server during the inner
544           "phase 2" authentication. If the list is empty, no verification of
545           the server certificate's altSubjectName is performed.
546
547           Format: array of string
548
549       phase2-auth
550           Specifies the allowed "phase 2" inner non-EAP authentication method
551           when an EAP method that uses an inner TLS tunnel is specified in
552           the "eap" property. Recognized non-EAP "phase 2" methods are "pap",
553           "chap", "mschap", "mschapv2", "gtc", "otp", "md5", and "tls". Each
554           "phase 2" inner method requires specific parameters for successful
555           authentication; see the wpa_supplicant documentation for more
556           details.
557
558           Format: string
559
560       phase2-autheap
561           Specifies the allowed "phase 2" inner EAP-based authentication
562           method when an EAP method that uses an inner TLS tunnel is
563           specified in the "eap" property. Recognized EAP-based "phase 2"
564           methods are "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase
565           2" inner method requires specific parameters for successful
566           authentication; see the wpa_supplicant documentation for more
567           details.
568
569           Format: string
570
571       phase2-ca-cert
572           Contains the "phase 2" CA certificate if used by the EAP method
573           specified in the "phase2-auth" or "phase2-autheap" properties.
574           Certificate data is specified using a "scheme"; three are currently
575           supported: blob, path and pkcs#11 URL. When using the blob scheme
576           this property should be set to the certificate's DER encoded data.
577           When using the path scheme, this property should be set to the full
578           UTF-8 encoded path of the certificate, prefixed with the string
579           "file://" and ending with a terminating NUL byte. This property can
580           be unset even if the EAP method supports CA certificates, but this
581           allows man-in-the-middle attacks and is NOT recommended. Note that
582           enabling NMSetting8021x:system-ca-certs will override this setting
583           to use the built-in path, if the built-in path is not a directory.
584
585           Format: byte array
586
587       phase2-ca-cert-password
588           The password used to access the "phase2" CA certificate stored in
589           "phase2-ca-cert" property. Only makes sense if the certificate is
590           stored on a PKCS#11 token that requires a login.
591
592           Format: string
593
594       phase2-ca-cert-password-flags
595           Flags indicating how to handle the "phase2-ca-cert-password"
596           property. See the section called “Secret flag types:” for flag
597           values.
598
599           Format: NMSettingSecretFlags (uint32)
600
601       phase2-ca-path
602           UTF-8 encoded path to a directory containing PEM or DER formatted
603           certificates to be added to the verification chain in addition to
604           the certificate specified in the "phase2-ca-cert" property. If
605           NMSetting8021x:system-ca-certs is enabled and the built-in CA path
606           is an existing directory, then this setting is ignored.
607
608           Format: string
609
610       phase2-client-cert
611           Contains the "phase 2" client certificate if used by the EAP method
612           specified in the "phase2-auth" or "phase2-autheap" properties.
613           Certificate data is specified using a "scheme"; two are currently
614           supported: blob and path. When using the blob scheme (which is
615           backwards compatible with NM 0.7.x) this property should be set to
616           the certificate's DER encoded data. When using the path scheme,
617           this property should be set to the full UTF-8 encoded path of the
618           certificate, prefixed with the string "file://" and ending with a
619           terminating NUL byte. This property can be unset even if the EAP
620           method supports CA certificates, but this allows man-in-the-middle
621           attacks and is NOT recommended.
622
623           Format: byte array
624
625       phase2-client-cert-password
626           The password used to access the "phase2" client certificate stored
627           in "phase2-client-cert" property. Only makes sense if the
628           certificate is stored on a PKCS#11 token that requires a login.
629
630           Format: string
631
632       phase2-client-cert-password-flags
633           Flags indicating how to handle the "phase2-client-cert-password"
634           property. See the section called “Secret flag types:” for flag
635           values.
636
637           Format: NMSettingSecretFlags (uint32)
638
639       phase2-domain-match
640           Constraint for server domain name. If set, this list of FQDNs is
641           used as a match requirement for dNSName element(s) of the
642           certificate presented by the authentication server during the inner
643           "phase 2" authentication. If a matching dNSName is found, this
644           constraint is met. If no dNSName values are present, this
645           constraint is matched against SubjectName CN using the same
646           comparison. Multiple valid FQDNs can be passed as a ";" delimited
647           list.
648
649           Format: string
650
651       phase2-domain-suffix-match
652           Constraint for server domain name. If set, this FQDN is used as a
653           suffix match requirement for dNSName element(s) of the certificate
654           presented by the authentication server during the inner "phase 2"
655           authentication. If a matching dNSName is found, this constraint is
656           met. If no dNSName values are present, this constraint is matched
657           against SubjectName CN using same suffix match comparison. Since
658           version 1.24, multiple valid FQDNs can be passed as a ";" delimited
659           list.
660
661           Format: string
662
663       phase2-private-key
664           Contains the "phase 2" inner private key when the "phase2-auth" or
665           "phase2-autheap" property is set to "tls". Key data is specified
666           using a "scheme"; two are currently supported: blob and path. When
667           using the blob scheme and private keys, this property should be set
668           to the key's encrypted PEM encoded data. When using private keys
669           with the path scheme, this property should be set to the full UTF-8
670           encoded path of the key, prefixed with the string "file://" and
671           ending with a terminating NUL byte. When using PKCS#12 format
672           private keys and the blob scheme, this property should be set to
673           the PKCS#12 data and the "phase2-private-key-password" property
674           must be set to password used to decrypt the PKCS#12 certificate and
675           key. When using PKCS#12 files and the path scheme, this property
676           should be set to the full UTF-8 encoded path of the key, prefixed
677           with the string "file://" and ending with a terminating NUL byte,
678           and as with the blob scheme the "phase2-private-key-password"
679           property must be set to the password used to decode the PKCS#12
680           private key and certificate.
681
682           Format: byte array
683
684       phase2-private-key-password
685           The password used to decrypt the "phase 2" private key specified in
686           the "phase2-private-key" property when the private key either uses
687           the path scheme, or is a PKCS#12 format key.
688
689           Format: string
690
691       phase2-private-key-password-flags
692           Flags indicating how to handle the "phase2-private-key-password"
693           property. See the section called “Secret flag types:” for flag
694           values.
695
696           Format: NMSettingSecretFlags (uint32)
697
698       phase2-subject-match
699           Substring to be matched against the subject of the certificate
700           presented by the authentication server during the inner "phase 2"
701           authentication. When unset, no verification of the authentication
702           server certificate's subject is performed. This property provides
703           little security, if any, and its use is deprecated in favor of
704           NMSetting8021x:phase2-domain-suffix-match.
705
706           Format: string
707
708       pin
709           PIN used for EAP authentication methods.
710
711           Format: string
712
713       pin-flags
714           Flags indicating how to handle the "pin" property. See the section
715           called “Secret flag types:” for flag values.
716
717           Format: NMSettingSecretFlags (uint32)
718
719       private-key
720           Contains the private key when the "eap" property is set to "tls".
721           Key data is specified using a "scheme"; two are currently
722           supported: blob and path. When using the blob scheme and private
723           keys, this property should be set to the key's encrypted PEM
724           encoded data. When using private keys with the path scheme, this
725           property should be set to the full UTF-8 encoded path of the key,
726           prefixed with the string "file://" and ending with a terminating
727           NUL byte. When using PKCS#12 format private keys and the blob
728           scheme, this property should be set to the PKCS#12 data and the
729           "private-key-password" property must be set to password used to
730           decrypt the PKCS#12 certificate and key. When using PKCS#12 files
731           and the path scheme, this property should be set to the full UTF-8
732           encoded path of the key, prefixed with the string "file://" and
733           ending with a terminating NUL byte, and as with the blob scheme the
734           "private-key-password" property must be set to the password used to
735           decode the PKCS#12 private key and certificate. WARNING:
736           "private-key" is not a "secret" property, and thus unencrypted
737           private key data using the BLOB scheme may be readable by
738           unprivileged users. Private keys should always be encrypted with a
739           private key password to prevent unauthorized access to unencrypted
740           private key data.
741
742           Format: byte array
743
744       private-key-password
745           The password used to decrypt the private key specified in the
746           "private-key" property when the private key either uses the path
747           scheme, or if the private key is a PKCS#12 format key.
748
749           Format: string
750
751       private-key-password-flags
752           Flags indicating how to handle the "private-key-password" property.
753           See the section called “Secret flag types:” for flag values.
754
755           Format: NMSettingSecretFlags (uint32)
756
757       subject-match
758           Substring to be matched against the subject of the certificate
759           presented by the authentication server. When unset, no verification
760           of the authentication server certificate's subject is performed.
761           This property provides little security, if any, and its use is
762           deprecated in favor of NMSetting8021x:domain-suffix-match.
763
764           Format: string
765
766       system-ca-certs
767           When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
768           using the system CA directory specified at configure time with the
769           --system-ca-path switch. The certificates in this directory are
770           added to the verification chain in addition to any certificates
771           specified by the "ca-cert" and "phase2-ca-cert" properties. If the
772           path provided with --system-ca-path is rather a file name (bundle
773           of trusted CA certificates), it overrides "ca-cert" and
774           "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
775           for wpa_supplicant).
776
777           Format: boolean
778
779   adsl setting
780       ADSL Settings.
781
782       Properties:
783
784       encapsulation
785           Alias: encapsulation
786
787           Encapsulation of ADSL connection. Can be "vcmux" or "llc".
788
789           Format: string
790
791       password
792           Alias: password
793
794           Password used to authenticate with the ADSL service.
795
796           Format: string
797
798       password-flags
799           Flags indicating how to handle the "password" property. See the
800           section called “Secret flag types:” for flag values.
801
802           Format: NMSettingSecretFlags (uint32)
803
804       protocol
805           Alias: protocol
806
807           ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
808
809           Format: string
810
811       username
812           Alias: username
813
814           Username used to authenticate with the ADSL service.
815
816           Format: string
817
818       vci
819           VCI of ADSL connection
820
821           Format: uint32
822
823       vpi
824           VPI of ADSL connection
825
826           Format: uint32
827
828   bluetooth setting
829       Bluetooth Settings.
830
831       Properties:
832
833       bdaddr
834           Alias: addr
835
836           The Bluetooth address of the device.
837
838           Format: byte array
839
840       type
841           Alias: bt-type
842
843           Either "dun" for Dial-Up Networking connections or "panu" for
844           Personal Area Networking connections to devices supporting the NAP
845           profile.
846
847           Format: string
848
849   bond setting
850       Bonding Settings.
851
852       Properties:
853
854       options
855           Dictionary of key/value pairs of bonding options. Both keys and
856           values must be strings. Option names must contain only alphanumeric
857           characters (ie, [a-zA-Z0-9]).
858
859           Format: dict of string to string
860
861   bridge setting
862       Bridging Settings.
863
864       Properties:
865
866       ageing-time
867           Alias: ageing-time
868
869           The Ethernet MAC address aging time, in seconds.
870
871           Format: uint32
872
873       forward-delay
874           Alias: forward-delay
875
876           The Spanning Tree Protocol (STP) forwarding delay, in seconds.
877
878           Format: uint32
879
880       group-address
881           If specified, The MAC address of the multicast group this bridge
882           uses for STP. The address must be a link-local address in standard
883           Ethernet MAC address format, ie an address of the form
884           01:80:C2:00:00:0X, with X in [0, 4..F]. If not specified the
885           default value is 01:80:C2:00:00:00.
886
887           Format: byte array
888
889       group-forward-mask
890           Alias: group-forward-mask
891
892           A mask of group addresses to forward. Usually, group addresses in
893           the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
894           forwarded according to standards. This property is a mask of 16
895           bits, each corresponding to a group address in that range that must
896           be forwarded. The mask can't have bits 0, 1 or 2 set because they
897           are used for STP, MAC pause frames and LACP.
898
899           Format: uint32
900
901       hello-time
902           Alias: hello-time
903
904           The Spanning Tree Protocol (STP) hello time, in seconds.
905
906           Format: uint32
907
908       mac-address
909           Alias: mac
910
911           If specified, the MAC address of bridge. When creating a new
912           bridge, this MAC address will be set. If this field is left
913           unspecified, the "ethernet.cloned-mac-address" is referred instead
914           to generate the initial MAC address. Note that setting
915           "ethernet.cloned-mac-address" anyway overwrites the MAC address of
916           the bridge later while activating the bridge. Hence, this property
917           is deprecated. Deprecated: 1
918
919           Format: byte array
920
921       max-age
922           Alias: max-age
923
924           The Spanning Tree Protocol (STP) maximum message age, in seconds.
925
926           Format: uint32
927
928       multicast-hash-max
929           Set maximum size of multicast hash table (value must be a power of
930           2).
931
932           Format: uint32
933
934       multicast-last-member-count
935           Set the number of queries the bridge will send before stopping
936           forwarding a multicast group after a "leave" message has been
937           received.
938
939           Format: uint32
940
941       multicast-last-member-interval
942           Set interval (in deciseconds) between queries to find remaining
943           members of a group, after a "leave" message is received.
944
945           Format: uint64
946
947       multicast-membership-interval
948           Set delay (in deciseconds) after which the bridge will leave a
949           group, if no membership reports for this group are received.
950
951           Format: uint64
952
953       multicast-querier
954           Enable or disable sending of multicast queries by the bridge. If
955           not specified the option is disabled.
956
957           Format: boolean
958
959       multicast-querier-interval
960           If no queries are seen after this delay (in deciseconds) has
961           passed, the bridge will start to send its own queries.
962
963           Format: uint64
964
965       multicast-query-interval
966           Interval (in deciseconds) between queries sent by the bridge after
967           the end of the startup phase.
968
969           Format: uint64
970
971       multicast-query-response-interval
972           Set the Max Response Time/Max Response Delay (in deciseconds) for
973           IGMP/MLD queries sent by the bridge.
974
975           Format: uint64
976
977       multicast-query-use-ifaddr
978           If enabled the bridge's own IP address is used as the source
979           address for IGMP queries otherwise the default of 0.0.0.0 is used.
980
981           Format: boolean
982
983       multicast-router
984           Sets bridge's multicast router. Multicast-snooping must be enabled
985           for this option to work. Supported values are: 'auto', 'disabled',
986           'enabled'. If not specified the default value is 'auto'.
987
988           Format: string
989
990       multicast-snooping
991           Alias: multicast-snooping
992
993           Controls whether IGMP snooping is enabled for this bridge. Note
994           that if snooping was automatically disabled due to hash collisions,
995           the system may refuse to enable the feature until the collisions
996           are resolved.
997
998           Format: boolean
999
1000       multicast-startup-query-count
1001           Set the number of IGMP queries to send during startup phase.
1002
1003           Format: uint32
1004
1005       multicast-startup-query-interval
1006           Sets the time (in deciseconds) between queries sent out at startup
1007           to determine membership information.
1008
1009           Format: uint64
1010
1011       priority
1012           Alias: priority
1013
1014           Sets the Spanning Tree Protocol (STP) priority for this bridge.
1015           Lower values are "better"; the lowest priority bridge will be
1016           elected the root bridge.
1017
1018           Format: uint32
1019
1020       stp
1021           Alias: stp
1022
1023           Controls whether Spanning Tree Protocol (STP) is enabled for this
1024           bridge.
1025
1026           Format: boolean
1027
1028       vlan-default-pvid
1029           The default PVID for the ports of the bridge, that is the VLAN id
1030           assigned to incoming untagged frames.
1031
1032           Format: uint32
1033
1034       vlan-filtering
1035           Control whether VLAN filtering is enabled on the bridge.
1036
1037           Format: boolean
1038
1039       vlan-protocol
1040           If specified, the protocol used for VLAN filtering. Supported
1041           values are: '802.1Q', '802.1ad'. If not specified the default value
1042           is '802.1Q'.
1043
1044           Format: string
1045
1046       vlan-stats-enabled
1047           Controls whether per-VLAN stats accounting is enabled.
1048
1049           Format: boolean
1050
1051       vlans
1052           Array of bridge VLAN objects. In addition to the VLANs specified
1053           here, the bridge will also have the default-pvid VLAN configured by
1054           the bridge.vlan-default-pvid property. In nmcli the VLAN list can
1055           be specified with the following syntax: $vid [pvid] [untagged] [,
1056           $vid [pvid] [untagged]]... where $vid is either a single id between
1057           1 and 4094 or a range, represented as a couple of ids separated by
1058           a dash.
1059
1060           Format: array of vardict
1061
1062   bridge-port setting
1063       Bridge Port Settings.
1064
1065       Properties:
1066
1067       hairpin-mode
1068           Alias: hairpin
1069
1070           Enables or disables "hairpin mode" for the port, which allows
1071           frames to be sent back out through the port the frame was received
1072           on.
1073
1074           Format: boolean
1075
1076       path-cost
1077           Alias: path-cost
1078
1079           The Spanning Tree Protocol (STP) port cost for destinations via
1080           this port.
1081
1082           Format: uint32
1083
1084       priority
1085           Alias: priority
1086
1087           The Spanning Tree Protocol (STP) priority of this bridge port.
1088
1089           Format: uint32
1090
1091       vlans
1092           Array of bridge VLAN objects. In addition to the VLANs specified
1093           here, the port will also have the default-pvid VLAN configured on
1094           the bridge by the bridge.vlan-default-pvid property. In nmcli the
1095           VLAN list can be specified with the following syntax: $vid [pvid]
1096           [untagged] [, $vid [pvid] [untagged]]... where $vid is either a
1097           single id between 1 and 4094 or a range, represented as a couple of
1098           ids separated by a dash.
1099
1100           Format: array of vardict
1101
1102   cdma setting
1103       CDMA-based Mobile Broadband Settings.
1104
1105       Properties:
1106
1107       mtu
1108           If non-zero, only transmit packets of the specified size or
1109           smaller, breaking larger packets up into multiple frames.
1110
1111           Format: uint32
1112
1113       number
1114           The number to dial to establish the connection to the CDMA-based
1115           mobile broadband network, if any. If not specified, the default
1116           number (#777) is used when required.
1117
1118           Format: string
1119
1120       password
1121           Alias: password
1122
1123           The password used to authenticate with the network, if required.
1124           Many providers do not require a password, or accept any password.
1125           But if a password is required, it is specified here.
1126
1127           Format: string
1128
1129       password-flags
1130           Flags indicating how to handle the "password" property. See the
1131           section called “Secret flag types:” for flag values.
1132
1133           Format: NMSettingSecretFlags (uint32)
1134
1135       username
1136           Alias: user
1137
1138           The username used to authenticate with the network, if required.
1139           Many providers do not require a username, or accept any username.
1140           But if a username is required, it is specified here.
1141
1142           Format: string
1143
1144   dcb setting
1145       Data Center Bridging Settings.
1146
1147       Properties:
1148
1149       app-fcoe-flags
1150           Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1151           may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1152           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1153           NM_SETTING_DCB_FLAG_WILLING (0x4).
1154
1155           Format: NMSettingDcbFlags (uint32)
1156
1157       app-fcoe-mode
1158           The FCoE controller mode; either "fabric" (default) or "vn2vn".
1159
1160           Format: string
1161
1162       app-fcoe-priority
1163           The highest User Priority (0 - 7) which FCoE frames should use, or
1164           -1 for default priority. Only used when the "app-fcoe-flags"
1165           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1166
1167           Format: int32
1168
1169       app-fip-flags
1170           Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1171           may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1172           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1173           NM_SETTING_DCB_FLAG_WILLING (0x4).
1174
1175           Format: NMSettingDcbFlags (uint32)
1176
1177       app-fip-priority
1178           The highest User Priority (0 - 7) which FIP frames should use, or
1179           -1 for default priority. Only used when the "app-fip-flags"
1180           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1181
1182           Format: int32
1183
1184       app-iscsi-flags
1185           Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1186           Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1187           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1188           NM_SETTING_DCB_FLAG_WILLING (0x4).
1189
1190           Format: NMSettingDcbFlags (uint32)
1191
1192       app-iscsi-priority
1193           The highest User Priority (0 - 7) which iSCSI frames should use, or
1194           -1 for default priority. Only used when the "app-iscsi-flags"
1195           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1196
1197           Format: int32
1198
1199       priority-bandwidth
1200           An array of 8 uint values, where the array index corresponds to the
1201           User Priority (0 - 7) and the value indicates the percentage of
1202           bandwidth of the priority's assigned group that the priority may
1203           use. The sum of all percentages for priorities which belong to the
1204           same group must total 100 percents.
1205
1206           Format: array of uint32
1207
1208       priority-flow-control
1209           An array of 8 boolean values, where the array index corresponds to
1210           the User Priority (0 - 7) and the value indicates whether or not
1211           the corresponding priority should transmit priority pause.
1212
1213           Format: array of uint32
1214
1215       priority-flow-control-flags
1216           Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1217           (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1218           (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1219           NM_SETTING_DCB_FLAG_WILLING (0x4).
1220
1221           Format: NMSettingDcbFlags (uint32)
1222
1223       priority-group-bandwidth
1224           An array of 8 uint values, where the array index corresponds to the
1225           Priority Group ID (0 - 7) and the value indicates the percentage of
1226           link bandwidth allocated to that group. Allowed values are 0 - 100,
1227           and the sum of all values must total 100 percents.
1228
1229           Format: array of uint32
1230
1231       priority-group-flags
1232           Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1233           be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1234           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1235           NM_SETTING_DCB_FLAG_WILLING (0x4).
1236
1237           Format: NMSettingDcbFlags (uint32)
1238
1239       priority-group-id
1240           An array of 8 uint values, where the array index corresponds to the
1241           User Priority (0 - 7) and the value indicates the Priority Group
1242           ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1243           unrestricted group.
1244
1245           Format: array of uint32
1246
1247       priority-strict-bandwidth
1248           An array of 8 boolean values, where the array index corresponds to
1249           the User Priority (0 - 7) and the value indicates whether or not
1250           the priority may use all of the bandwidth allocated to its assigned
1251           group.
1252
1253           Format: array of uint32
1254
1255       priority-traffic-class
1256           An array of 8 uint values, where the array index corresponds to the
1257           User Priority (0 - 7) and the value indicates the traffic class (0
1258           - 7) to which the priority is mapped.
1259
1260           Format: array of uint32
1261
1262   ethtool setting
1263       Ethtool Ethernet Settings.
1264
1265       Properties:
1266
1267       coalesce-adaptive-rx
1268
1269       coalesce-adaptive-tx
1270
1271       coalesce-pkt-rate-high
1272
1273       coalesce-pkt-rate-low
1274
1275       coalesce-rx-frames
1276
1277       coalesce-rx-frames-high
1278
1279       coalesce-rx-frames-irq
1280
1281       coalesce-rx-frames-low
1282
1283       coalesce-rx-usecs
1284
1285       coalesce-rx-usecs-high
1286
1287       coalesce-rx-usecs-irq
1288
1289       coalesce-rx-usecs-low
1290
1291       coalesce-sample-interval
1292
1293       coalesce-stats-block-usecs
1294
1295       coalesce-tx-frames
1296
1297       coalesce-tx-frames-high
1298
1299       coalesce-tx-frames-irq
1300
1301       coalesce-tx-frames-low
1302
1303       coalesce-tx-usecs
1304
1305       coalesce-tx-usecs-high
1306
1307       coalesce-tx-usecs-irq
1308
1309       coalesce-tx-usecs-low
1310
1311       feature-esp-hw-offload
1312
1313       feature-esp-tx-csum-hw-offload
1314
1315       feature-fcoe-mtu
1316
1317       feature-gro
1318
1319       feature-gso
1320
1321       feature-highdma
1322
1323       feature-hw-tc-offload
1324
1325       feature-l2-fwd-offload
1326
1327       feature-loopback
1328
1329       feature-lro
1330
1331       feature-ntuple
1332
1333       feature-rx
1334
1335       feature-rx-all
1336
1337       feature-rx-fcs
1338
1339       feature-rx-gro-hw
1340
1341       feature-rx-udp_tunnel-port-offload
1342
1343       feature-rx-vlan-filter
1344
1345       feature-rx-vlan-stag-filter
1346
1347       feature-rx-vlan-stag-hw-parse
1348
1349       feature-rxhash
1350
1351       feature-rxvlan
1352
1353       feature-sg
1354
1355       feature-tls-hw-record
1356
1357       feature-tls-hw-tx-offload
1358
1359       feature-tso
1360
1361       feature-tx
1362
1363       feature-tx-checksum-fcoe-crc
1364
1365       feature-tx-checksum-ip-generic
1366
1367       feature-tx-checksum-ipv4
1368
1369       feature-tx-checksum-ipv6
1370
1371       feature-tx-checksum-sctp
1372
1373       feature-tx-esp-segmentation
1374
1375       feature-tx-fcoe-segmentation
1376
1377       feature-tx-gre-csum-segmentation
1378
1379       feature-tx-gre-segmentation
1380
1381       feature-tx-gso-partial
1382
1383       feature-tx-gso-robust
1384
1385       feature-tx-ipxip4-segmentation
1386
1387       feature-tx-ipxip6-segmentation
1388
1389       feature-tx-nocache-copy
1390
1391       feature-tx-scatter-gather
1392
1393       feature-tx-scatter-gather-fraglist
1394
1395       feature-tx-sctp-segmentation
1396
1397       feature-tx-tcp-ecn-segmentation
1398
1399       feature-tx-tcp-mangleid-segmentation
1400
1401       feature-tx-tcp-segmentation
1402
1403       feature-tx-tcp6-segmentation
1404
1405       feature-tx-udp-segmentation
1406
1407       feature-tx-udp_tnl-csum-segmentation
1408
1409       feature-tx-udp_tnl-segmentation
1410
1411       feature-tx-vlan-stag-hw-insert
1412
1413       feature-txvlan
1414
1415       ring-rx
1416
1417       ring-rx-jumbo
1418
1419       ring-rx-mini
1420
1421       ring-tx
1422
1423   gsm setting
1424       GSM-based Mobile Broadband Settings.
1425
1426       Properties:
1427
1428       apn
1429           Alias: apn
1430
1431           The GPRS Access Point Name specifying the APN used when
1432           establishing a data session with the GSM-based network. The APN
1433           often determines how the user will be billed for their network
1434           usage and whether the user has access to the Internet or just a
1435           provider-specific walled-garden, so it is important to use the
1436           correct APN for the user's mobile broadband plan. The APN may only
1437           be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1438           Section 14.9.
1439
1440           Format: string
1441
1442       auto-config
1443           When TRUE, the settings such as APN, username, or password will
1444           default to values that match the network the modem will register to
1445           in the Mobile Broadband Provider database.
1446
1447           Format: boolean
1448
1449       device-id
1450           The device unique identifier (as given by the WWAN management
1451           service) which this connection applies to. If given, the connection
1452           will only apply to the specified device.
1453
1454           Format: string
1455
1456       home-only
1457           When TRUE, only connections to the home network will be allowed.
1458           Connections to roaming networks will not be made.
1459
1460           Format: boolean
1461
1462       mtu
1463           If non-zero, only transmit packets of the specified size or
1464           smaller, breaking larger packets up into multiple frames.
1465
1466           Format: uint32
1467
1468       network-id
1469           The Network ID (GSM LAI format, ie MCC-MNC) to force specific
1470           network registration. If the Network ID is specified,
1471           NetworkManager will attempt to force the device to register only on
1472           the specified network. This can be used to ensure that the device
1473           does not roam when direct roaming control of the device is not
1474           otherwise possible.
1475
1476           Format: string
1477
1478       number
1479           Legacy setting that used to help establishing PPP data sessions for
1480           GSM-based modems. Deprecated: 1
1481
1482           Format: string
1483
1484       password
1485           Alias: password
1486
1487           The password used to authenticate with the network, if required.
1488           Many providers do not require a password, or accept any password.
1489           But if a password is required, it is specified here.
1490
1491           Format: string
1492
1493       password-flags
1494           Flags indicating how to handle the "password" property. See the
1495           section called “Secret flag types:” for flag values.
1496
1497           Format: NMSettingSecretFlags (uint32)
1498
1499       pin
1500           If the SIM is locked with a PIN it must be unlocked before any
1501           other operations are requested. Specify the PIN here to allow
1502           operation of the device.
1503
1504           Format: string
1505
1506       pin-flags
1507           Flags indicating how to handle the "pin" property. See the section
1508           called “Secret flag types:” for flag values.
1509
1510           Format: NMSettingSecretFlags (uint32)
1511
1512       sim-id
1513           The SIM card unique identifier (as given by the WWAN management
1514           service) which this connection applies to. If given, the connection
1515           will apply to any device also allowed by "device-id" which contains
1516           a SIM card matching the given identifier.
1517
1518           Format: string
1519
1520       sim-operator-id
1521           A MCC/MNC string like "310260" or "21601" identifying the specific
1522           mobile network operator which this connection applies to. If given,
1523           the connection will apply to any device also allowed by "device-id"
1524           and "sim-id" which contains a SIM card provisioned by the given
1525           operator.
1526
1527           Format: string
1528
1529       username
1530           Alias: user
1531
1532           The username used to authenticate with the network, if required.
1533           Many providers do not require a username, or accept any username.
1534           But if a username is required, it is specified here.
1535
1536           Format: string
1537
1538   infiniband setting
1539       Infiniband Settings.
1540
1541       Properties:
1542
1543       mac-address
1544           Alias: mac
1545
1546           If specified, this connection will only apply to the IPoIB device
1547           whose permanent MAC address matches. This property does not change
1548           the MAC address of the device (i.e. MAC spoofing).
1549
1550           Format: byte array
1551
1552       mtu
1553           Alias: mtu
1554
1555           If non-zero, only transmit packets of the specified size or
1556           smaller, breaking larger packets up into multiple frames.
1557
1558           Format: uint32
1559
1560       p-key
1561           Alias: p-key
1562
1563           The InfiniBand P_Key to use for this device. A value of -1 means to
1564           use the default P_Key (aka "the P_Key at index 0"). Otherwise it is
1565           a 16-bit unsigned integer, whose high bit is set if it is a "full
1566           membership" P_Key.
1567
1568           Format: int32
1569
1570       parent
1571           Alias: parent
1572
1573           The interface name of the parent device of this device. Normally
1574           NULL, but if the "p_key" property is set, then you must specify the
1575           base device by setting either this property or "mac-address".
1576
1577           Format: string
1578
1579       transport-mode
1580           Alias: transport-mode
1581
1582           The IP-over-InfiniBand transport mode. Either "datagram" or
1583           "connected".
1584
1585           Format: string
1586
1587   ipv4 setting
1588       IPv4 Settings.
1589
1590       Properties:
1591
1592       addresses
1593           Alias: ip4
1594
1595           Array of IP addresses.
1596
1597           Format: array of array of uint32
1598
1599       dad-timeout
1600           Timeout in milliseconds used to check for the presence of duplicate
1601           IP addresses on the network. If an address conflict is detected,
1602           the activation will fail. A zero value means that no duplicate
1603           address detection is performed, -1 means the default value (either
1604           configuration ipvx.dad-timeout override or zero). A value greater
1605           than zero is a timeout in milliseconds. The property is currently
1606           implemented only for IPv4.
1607
1608           Format: int32
1609
1610       dhcp-client-id
1611           A string sent to the DHCP server to identify the local machine
1612           which the DHCP server may use to customize the DHCP lease and
1613           options. When the property is a hex string ('aa:bb:cc') it is
1614           interpreted as a binary client ID, in which case the first byte is
1615           assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1616           remaining bytes may be an hardware address (e.g.
1617           '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1618           rest is a MAC address). If the property is not a hex string it is
1619           considered as a non-hardware-address client ID and the 'type' field
1620           is set to 0. The special values "mac" and "perm-mac" are supported,
1621           which use the current or permanent MAC address of the device to
1622           generate a client identifier with type ethernet (01). Currently,
1623           these options only work for ethernet type of links. The special
1624           value "duid" generates a RFC4361-compliant client identifier based
1625           on a hash of the interface name as IAID and /etc/machine-id. The
1626           special value "stable" is supported to generate a type 0 client
1627           identifier based on the stable-id (see connection.stable-id) and a
1628           per-host key. If you set the stable-id, you may want to include the
1629           "${DEVICE}" or "${MAC}" specifier to get a per-device key. If
1630           unset, a globally configured default is used. If still unset, the
1631           default depends on the DHCP plugin.
1632
1633           Format: string
1634
1635       dhcp-fqdn
1636           If the "dhcp-send-hostname" property is TRUE, then the specified
1637           FQDN will be sent to the DHCP server when acquiring a lease. This
1638           property and "dhcp-hostname" are mutually exclusive and cannot be
1639           set at the same time.
1640
1641           Format: string
1642
1643       dhcp-hostname
1644           If the "dhcp-send-hostname" property is TRUE, then the specified
1645           name will be sent to the DHCP server when acquiring a lease. This
1646           property and "dhcp-fqdn" are mutually exclusive and cannot be set
1647           at the same time.
1648
1649           Format: string
1650
1651       dhcp-hostname-flags
1652           Flags for the DHCP hostname and FQDN. Currently this property only
1653           includes flags to control the FQDN flags set in the DHCP FQDN
1654           option. Supported FQDN flags are
1655           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1656           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1657           NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1658           set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1659           DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1660           is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1661           the standard FQDN flags are set in the request:
1662           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1663           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1664           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1665           property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1666           (0x0), a global default is looked up in NetworkManager
1667           configuration. If that value is unset or also
1668           NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1669           described above are sent in the DHCP requests.
1670
1671           Format: uint32
1672
1673       dhcp-iaid
1674           A string containing the "Identity Association Identifier" (IAID)
1675           used by the DHCP client. The property is a 32-bit decimal value or
1676           a special value among "mac", "perm-mac", "ifname" and "stable".
1677           When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1678           (or permanent) MAC address are used as IAID. When set to "ifname",
1679           the IAID is computed by hashing the interface name. The special
1680           value "stable" can be used to generate an IAID based on the
1681           stable-id (see connection.stable-id), a per-host key and the
1682           interface name. When the property is unset, the value from global
1683           configuration is used; if no global default is set then the IAID is
1684           assumed to be "ifname". Note that at the moment this property is
1685           ignored for IPv6 by dhclient, which always derives the IAID from
1686           the MAC address.
1687
1688           Format: string
1689
1690       dhcp-send-hostname
1691           If TRUE, a hostname is sent to the DHCP server when acquiring a
1692           lease. Some DHCP servers use this hostname to update DNS databases,
1693           essentially providing a static hostname for the computer. If the
1694           "dhcp-hostname" property is NULL and this property is TRUE, the
1695           current persistent hostname of the computer is sent.
1696
1697           Format: boolean
1698
1699       dhcp-timeout
1700           A timeout for a DHCP transaction in seconds. If zero (the default),
1701           a globally configured default is used. If still unspecified, a
1702           device specific timeout is used (usually 45 seconds). Set to
1703           2147483647 (MAXINT32) for infinity.
1704
1705           Format: int32
1706
1707       dhcp-vendor-class-identifier
1708           The Vendor Class Identifier DHCP option (60). Special characters in
1709           the data string may be escaped using C-style escapes, nevertheless
1710           this property cannot contain nul bytes. If the per-profile value is
1711           unspecified (the default), a global connection default gets
1712           consulted. If still unspecified, the DHCP option is not sent to the
1713           server. Since 1.28, 1.26.4
1714
1715           Format: string
1716
1717       dns
1718           Array of IP addresses of DNS servers.
1719
1720           Format: array of uint32
1721
1722       dns-options
1723           Array of DNS options as described in man 5 resolv.conf. NULL means
1724           that the options are unset and left at the default. In this case
1725           NetworkManager will use default options. This is distinct from an
1726           empty list of properties. The currently supported options are
1727           "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
1728           "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
1729           "no-reload", "no-tld-query", "rotate", "single-request",
1730           "single-request-reopen", "timeout", "trust-ad", "use-vc". The
1731           "trust-ad" setting is only honored if the profile contributes name
1732           servers to resolv.conf, and if all contributing profiles have
1733           "trust-ad" enabled.
1734
1735           Format: array of string
1736
1737       dns-priority
1738           DNS servers priority. The relative priority for DNS servers
1739           specified by this setting. A lower value is better (higher
1740           priority). Zero selects a globally configured default value. If the
1741           latter is missing or zero too, it defaults to 50 for VPNs
1742           (including WireGuard) and 100 for other connections. Note that the
1743           priority is to order DNS settings for multiple active connections.
1744           It does not disambiguate multiple DNS servers within the same
1745           connection profile. When using dns=default, servers with higher
1746           priority will be on top of resolv.conf. To prioritize a given
1747           server over another one within the same connection, just specify
1748           them in the desired order. When multiple devices have
1749           configurations with the same priority, VPNs will be considered
1750           first, then devices with the best (lowest metric) default route and
1751           then all other devices. Negative values have the special effect of
1752           excluding other configurations with a greater priority value; so in
1753           presence of at least one negative priority, only DNS servers from
1754           connections with the lowest priority value will be used. When using
1755           a DNS resolver that supports Conditional Forwarding as dns=dnsmasq
1756           or dns=systemd-resolved, each connection is used to query domains
1757           in its search list. Queries for domains not present in any search
1758           list are routed through connections having the '~.' special
1759           wildcard domain, which is added automatically to connections with
1760           the default route (or can be added manually). When multiple
1761           connections specify the same domain, the one with the highest
1762           priority (lowest numerical value) wins. If a connection specifies a
1763           domain which is subdomain of another domain with a negative DNS
1764           priority value, the subdomain is ignored.
1765
1766           Format: int32
1767
1768       dns-search
1769           Array of DNS search domains. Domains starting with a tilde ('~')
1770           are considered 'routing' domains and are used only to decide the
1771           interface over which a query must be forwarded; they are not used
1772           to complete unqualified host names.
1773
1774           Format: array of string
1775
1776       gateway
1777           Alias: gw4
1778
1779           The gateway associated with this configuration. This is only
1780           meaningful if "addresses" is also set. The gateway's main purpose
1781           is to control the next hop of the standard default route on the
1782           device. Hence, the gateway property conflicts with "never-default"
1783           and will be automatically dropped if the IP configuration is set to
1784           never-default. As an alternative to set the gateway, configure a
1785           static default route with /0 as prefix length.
1786
1787           Format: string
1788
1789       ignore-auto-dns
1790           When "method" is set to "auto" and this property to TRUE,
1791           automatically configured nameservers and search domains are ignored
1792           and only nameservers and search domains specified in the "dns" and
1793           "dns-search" properties, if any, are used.
1794
1795           Format: boolean
1796
1797       ignore-auto-routes
1798           When "method" is set to "auto" and this property to TRUE,
1799           automatically configured routes are ignored and only routes
1800           specified in the "routes" property, if any, are used.
1801
1802           Format: boolean
1803
1804       may-fail
1805           If TRUE, allow overall network configuration to proceed even if the
1806           configuration specified by this property times out. Note that at
1807           least one IP configuration must succeed or overall network
1808           configuration will still fail. For example, in IPv6-only networks,
1809           setting this property to TRUE on the NMSettingIP4Config allows the
1810           overall network configuration to succeed if IPv4 configuration
1811           fails but IPv6 configuration completes successfully.
1812
1813           Format: boolean
1814
1815       method
1816           IP configuration method. NMSettingIP4Config and NMSettingIP6Config
1817           both support "disabled", "auto", "manual", and "link-local". See
1818           the subclass-specific documentation for other values. In general,
1819           for the "auto" method, properties such as "dns" and "routes"
1820           specify information that is added on to the information returned
1821           from automatic configuration. The "ignore-auto-routes" and
1822           "ignore-auto-dns" properties modify this behavior. For methods that
1823           imply no upstream network, such as "shared" or "link-local", these
1824           properties must be empty. For IPv4 method "shared", the IP subnet
1825           can be configured by adding one manual IPv4 address or otherwise
1826           10.42.x.0/24 is chosen. Note that the shared method must be
1827           configured on the interface which shares the internet to a subnet,
1828           not on the uplink which is shared.
1829
1830           Format: string
1831
1832       never-default
1833           If TRUE, this connection will never be the default connection for
1834           this IP type, meaning it will never be assigned the default route
1835           by NetworkManager.
1836
1837           Format: boolean
1838
1839       route-metric
1840           The default metric for routes that don't explicitly specify a
1841           metric. The default value -1 means that the metric is chosen
1842           automatically based on the device type. The metric applies to
1843           dynamic routes, manual (static) routes that don't have an explicit
1844           metric setting, address prefix routes, and the default route. Note
1845           that for IPv6, the kernel accepts zero (0) but coerces it to 1024
1846           (user default). Hence, setting this property to zero effectively
1847           mean setting it to 1024. For IPv4, zero is a regular value for the
1848           metric.
1849
1850           Format: int64
1851
1852       route-table
1853           Enable policy routing (source routing) and set the routing table
1854           used when adding routes. This affects all routes, including
1855           device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
1856           routes. But note that static routes can individually overwrite the
1857           setting by explicitly specifying a non-zero routing table. If the
1858           table setting is left at zero, it is eligible to be overwritten via
1859           global configuration. If the property is zero even after applying
1860           the global configuration value, policy routing is disabled for the
1861           address family of this connection. Policy routing disabled means
1862           that NetworkManager will add all routes to the main table (except
1863           static routes that explicitly configure a different table).
1864           Additionally, NetworkManager will not delete any extraneous routes
1865           from tables except the main table. This is to preserve backward
1866           compatibility for users who manage routing tables outside of
1867           NetworkManager.
1868
1869           Format: uint32
1870
1871       routes
1872           Array of IP routes.
1873
1874           Format: array of array of uint32
1875
1876       routing-rules
1877
1878   ipv6 setting
1879       IPv6 Settings.
1880
1881       Properties:
1882
1883       addr-gen-mode
1884           Configure method for creating the address for use with RFC4862 IPv6
1885           Stateless Address Autoconfiguration. The permitted values are:
1886           NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0) or
1887           NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1). If the
1888           property is set to EUI64, the addresses will be generated using the
1889           interface tokens derived from hardware address. This makes the host
1890           part of the address to stay constant, making it possible to track
1891           host's presence when it changes networks. The address changes when
1892           the interface hardware is replaced. The value of stable-privacy
1893           enables use of cryptographically secure hash of a secret
1894           host-specific key along with the connection's stable-id and the
1895           network address as specified by RFC7217. This makes it impossible
1896           to use the address track host's presence, and makes the address
1897           stable when the network interface hardware is replaced. On D-Bus,
1898           the absence of an addr-gen-mode setting equals enabling
1899           stable-privacy. For keyfile plugin, the absence of the setting on
1900           disk means EUI64 so that the property doesn't change on upgrade
1901           from older versions. Note that this setting is distinct from the
1902           Privacy Extensions as configured by "ip6-privacy" property and it
1903           does not affect the temporary addresses configured with this
1904           option.
1905
1906           Format: int32
1907
1908       addresses
1909           Alias: ip6
1910
1911           Array of IP addresses.
1912
1913           Format: array of legacy IPv6 address struct
1914
1915       dhcp-duid
1916           A string containing the DHCPv6 Unique Identifier (DUID) used by the
1917           dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
1918           DUID is carried in the Client Identifier option. If the property is
1919           a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
1920           filled as an opaque value in the Client Identifier option. The
1921           special value "lease" will retrieve the DUID previously used from
1922           the lease file belonging to the connection. If no DUID is found and
1923           "dhclient" is the configured dhcp client, the DUID is searched in
1924           the system-wide dhclient lease file. If still no DUID is found, or
1925           another dhcp client is used, a global and permanent DUID-UUID (RFC
1926           6355) will be generated based on the machine-id. The special values
1927           "llt" and "ll" will generate a DUID of type LLT or LL (see RFC
1928           3315) based on the current MAC address of the device. In order to
1929           try providing a stable DUID-LLT, the time field will contain a
1930           constant timestamp that is used globally (for all profiles) and
1931           persisted to disk. The special values "stable-llt", "stable-ll" and
1932           "stable-uuid" will generate a DUID of the corresponding type,
1933           derived from the connection's stable-id and a per-host unique key.
1934           You may want to include the "${DEVICE}" or "${MAC}" specifier in
1935           the stable-id, in case this profile gets activated on multiple
1936           devices. So, the link-layer address of "stable-ll" and "stable-llt"
1937           will be a generated address derived from the stable id. The
1938           DUID-LLT time value in the "stable-llt" option will be picked among
1939           a static timespan of three years (the upper bound of the interval
1940           is the same constant timestamp used in "llt"). When the property is
1941           unset, the global value provided for "ipv6.dhcp-duid" is used. If
1942           no global value is provided, the default "lease" value is assumed.
1943
1944           Format: string
1945
1946       dhcp-hostname
1947           If the "dhcp-send-hostname" property is TRUE, then the specified
1948           name will be sent to the DHCP server when acquiring a lease. This
1949           property and "dhcp-fqdn" are mutually exclusive and cannot be set
1950           at the same time.
1951
1952           Format: string
1953
1954       dhcp-hostname-flags
1955           Flags for the DHCP hostname and FQDN. Currently this property only
1956           includes flags to control the FQDN flags set in the DHCP FQDN
1957           option. Supported FQDN flags are
1958           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1959           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1960           NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1961           set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1962           DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1963           is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1964           the standard FQDN flags are set in the request:
1965           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1966           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1967           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1968           property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1969           (0x0), a global default is looked up in NetworkManager
1970           configuration. If that value is unset or also
1971           NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1972           described above are sent in the DHCP requests.
1973
1974           Format: uint32
1975
1976       dhcp-iaid
1977           A string containing the "Identity Association Identifier" (IAID)
1978           used by the DHCP client. The property is a 32-bit decimal value or
1979           a special value among "mac", "perm-mac", "ifname" and "stable".
1980           When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1981           (or permanent) MAC address are used as IAID. When set to "ifname",
1982           the IAID is computed by hashing the interface name. The special
1983           value "stable" can be used to generate an IAID based on the
1984           stable-id (see connection.stable-id), a per-host key and the
1985           interface name. When the property is unset, the value from global
1986           configuration is used; if no global default is set then the IAID is
1987           assumed to be "ifname". Note that at the moment this property is
1988           ignored for IPv6 by dhclient, which always derives the IAID from
1989           the MAC address.
1990
1991           Format: string
1992
1993       dhcp-send-hostname
1994           If TRUE, a hostname is sent to the DHCP server when acquiring a
1995           lease. Some DHCP servers use this hostname to update DNS databases,
1996           essentially providing a static hostname for the computer. If the
1997           "dhcp-hostname" property is NULL and this property is TRUE, the
1998           current persistent hostname of the computer is sent.
1999
2000           Format: boolean
2001
2002       dhcp-timeout
2003           A timeout for a DHCP transaction in seconds. If zero (the default),
2004           a globally configured default is used. If still unspecified, a
2005           device specific timeout is used (usually 45 seconds). Set to
2006           2147483647 (MAXINT32) for infinity.
2007
2008           Format: int32
2009
2010       dns
2011           Array of IP addresses of DNS servers.
2012
2013           Format: array of byte array
2014
2015       dns-options
2016           Array of DNS options as described in man 5 resolv.conf. NULL means
2017           that the options are unset and left at the default. In this case
2018           NetworkManager will use default options. This is distinct from an
2019           empty list of properties. The currently supported options are
2020           "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
2021           "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
2022           "no-reload", "no-tld-query", "rotate", "single-request",
2023           "single-request-reopen", "timeout", "trust-ad", "use-vc". The
2024           "trust-ad" setting is only honored if the profile contributes name
2025           servers to resolv.conf, and if all contributing profiles have
2026           "trust-ad" enabled.
2027
2028           Format: array of string
2029
2030       dns-priority
2031           DNS servers priority. The relative priority for DNS servers
2032           specified by this setting. A lower value is better (higher
2033           priority). Zero selects a globally configured default value. If the
2034           latter is missing or zero too, it defaults to 50 for VPNs
2035           (including WireGuard) and 100 for other connections. Note that the
2036           priority is to order DNS settings for multiple active connections.
2037           It does not disambiguate multiple DNS servers within the same
2038           connection profile. When using dns=default, servers with higher
2039           priority will be on top of resolv.conf. To prioritize a given
2040           server over another one within the same connection, just specify
2041           them in the desired order. When multiple devices have
2042           configurations with the same priority, VPNs will be considered
2043           first, then devices with the best (lowest metric) default route and
2044           then all other devices. Negative values have the special effect of
2045           excluding other configurations with a greater priority value; so in
2046           presence of at least one negative priority, only DNS servers from
2047           connections with the lowest priority value will be used. When using
2048           a DNS resolver that supports Conditional Forwarding as dns=dnsmasq
2049           or dns=systemd-resolved, each connection is used to query domains
2050           in its search list. Queries for domains not present in any search
2051           list are routed through connections having the '~.' special
2052           wildcard domain, which is added automatically to connections with
2053           the default route (or can be added manually). When multiple
2054           connections specify the same domain, the one with the highest
2055           priority (lowest numerical value) wins. If a connection specifies a
2056           domain which is subdomain of another domain with a negative DNS
2057           priority value, the subdomain is ignored.
2058
2059           Format: int32
2060
2061       dns-search
2062           Array of DNS search domains. Domains starting with a tilde ('~')
2063           are considered 'routing' domains and are used only to decide the
2064           interface over which a query must be forwarded; they are not used
2065           to complete unqualified host names.
2066
2067           Format: array of string
2068
2069       gateway
2070           Alias: gw6
2071
2072           The gateway associated with this configuration. This is only
2073           meaningful if "addresses" is also set. The gateway's main purpose
2074           is to control the next hop of the standard default route on the
2075           device. Hence, the gateway property conflicts with "never-default"
2076           and will be automatically dropped if the IP configuration is set to
2077           never-default. As an alternative to set the gateway, configure a
2078           static default route with /0 as prefix length.
2079
2080           Format: string
2081
2082       ignore-auto-dns
2083           When "method" is set to "auto" and this property to TRUE,
2084           automatically configured nameservers and search domains are ignored
2085           and only nameservers and search domains specified in the "dns" and
2086           "dns-search" properties, if any, are used.
2087
2088           Format: boolean
2089
2090       ignore-auto-routes
2091           When "method" is set to "auto" and this property to TRUE,
2092           automatically configured routes are ignored and only routes
2093           specified in the "routes" property, if any, are used.
2094
2095           Format: boolean
2096
2097       ip6-privacy
2098           Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
2099           If enabled, it makes the kernel generate a temporary IPv6 address
2100           in addition to the public one generated from MAC address via
2101           modified EUI-64. This enhances privacy, but could cause problems in
2102           some applications, on the other hand. The permitted values are: -1:
2103           unknown, 0: disabled, 1: enabled (prefer public address), 2:
2104           enabled (prefer temporary addresses). Having a per-connection
2105           setting set to "-1" (unknown) means fallback to global
2106           configuration "ipv6.ip6-privacy". If also global configuration is
2107           unspecified or set to "-1", fallback to read
2108           "/proc/sys/net/ipv6/conf/default/use_tempaddr". Note that this
2109           setting is distinct from the Stable Privacy addresses that can be
2110           enabled with the "addr-gen-mode" property's "stable-privacy"
2111           setting as another way of avoiding host tracking with IPv6
2112           addresses.
2113
2114           Format: NMSettingIP6ConfigPrivacy (int32)
2115
2116       may-fail
2117           If TRUE, allow overall network configuration to proceed even if the
2118           configuration specified by this property times out. Note that at
2119           least one IP configuration must succeed or overall network
2120           configuration will still fail. For example, in IPv6-only networks,
2121           setting this property to TRUE on the NMSettingIP4Config allows the
2122           overall network configuration to succeed if IPv4 configuration
2123           fails but IPv6 configuration completes successfully.
2124
2125           Format: boolean
2126
2127       method
2128           IP configuration method. NMSettingIP4Config and NMSettingIP6Config
2129           both support "disabled", "auto", "manual", and "link-local". See
2130           the subclass-specific documentation for other values. In general,
2131           for the "auto" method, properties such as "dns" and "routes"
2132           specify information that is added on to the information returned
2133           from automatic configuration. The "ignore-auto-routes" and
2134           "ignore-auto-dns" properties modify this behavior. For methods that
2135           imply no upstream network, such as "shared" or "link-local", these
2136           properties must be empty. For IPv4 method "shared", the IP subnet
2137           can be configured by adding one manual IPv4 address or otherwise
2138           10.42.x.0/24 is chosen. Note that the shared method must be
2139           configured on the interface which shares the internet to a subnet,
2140           not on the uplink which is shared.
2141
2142           Format: string
2143
2144       never-default
2145           If TRUE, this connection will never be the default connection for
2146           this IP type, meaning it will never be assigned the default route
2147           by NetworkManager.
2148
2149           Format: boolean
2150
2151       ra-timeout
2152           A timeout for waiting Router Advertisements in seconds. If zero
2153           (the default), a globally configured default is used. If still
2154           unspecified, the timeout depends on the sysctl settings of the
2155           device. Set to 2147483647 (MAXINT32) for infinity.
2156
2157           Format: int32
2158
2159       route-metric
2160           The default metric for routes that don't explicitly specify a
2161           metric. The default value -1 means that the metric is chosen
2162           automatically based on the device type. The metric applies to
2163           dynamic routes, manual (static) routes that don't have an explicit
2164           metric setting, address prefix routes, and the default route. Note
2165           that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2166           (user default). Hence, setting this property to zero effectively
2167           mean setting it to 1024. For IPv4, zero is a regular value for the
2168           metric.
2169
2170           Format: int64
2171
2172       route-table
2173           Enable policy routing (source routing) and set the routing table
2174           used when adding routes. This affects all routes, including
2175           device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
2176           routes. But note that static routes can individually overwrite the
2177           setting by explicitly specifying a non-zero routing table. If the
2178           table setting is left at zero, it is eligible to be overwritten via
2179           global configuration. If the property is zero even after applying
2180           the global configuration value, policy routing is disabled for the
2181           address family of this connection. Policy routing disabled means
2182           that NetworkManager will add all routes to the main table (except
2183           static routes that explicitly configure a different table).
2184           Additionally, NetworkManager will not delete any extraneous routes
2185           from tables except the main table. This is to preserve backward
2186           compatibility for users who manage routing tables outside of
2187           NetworkManager.
2188
2189           Format: uint32
2190
2191       routes
2192           Array of IP routes.
2193
2194           Format: array of legacy IPv6 route struct
2195
2196       routing-rules
2197
2198       token
2199           Configure the token for
2200           draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2201           interface identifiers. Useful with eui64 addr-gen-mode.
2202
2203           Format: string
2204
2205   ip-tunnel setting
2206       IP Tunneling Settings.
2207
2208       Properties:
2209
2210       encapsulation-limit
2211           How many additional levels of encapsulation are permitted to be
2212           prepended to packets. This property applies only to IPv6 tunnels.
2213
2214           Format: uint32
2215
2216       flags
2217           Tunnel flags. Currently the following values are supported:
2218           NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2219           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2220           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2221           NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2222           NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2223           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2224           for IPv6 tunnels.
2225
2226           Format: uint32
2227
2228       flow-label
2229           The flow label to assign to tunnel packets. This property applies
2230           only to IPv6 tunnels.
2231
2232           Format: uint32
2233
2234       input-key
2235           The key used for tunnel input packets; the property is valid only
2236           for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2237
2238           Format: string
2239
2240       local
2241           Alias: local
2242
2243           The local endpoint of the tunnel; the value can be empty, otherwise
2244           it must contain an IPv4 or IPv6 address.
2245
2246           Format: string
2247
2248       mode
2249           Alias: mode
2250
2251           The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2252           NM_IP_TUNNEL_MODE_GRE (2).
2253
2254           Format: uint32
2255
2256       mtu
2257           If non-zero, only transmit packets of the specified size or
2258           smaller, breaking larger packets up into multiple fragments.
2259
2260           Format: uint32
2261
2262       output-key
2263           The key used for tunnel output packets; the property is valid only
2264           for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2265
2266           Format: string
2267
2268       parent
2269           Alias: dev
2270
2271           If given, specifies the parent interface name or parent connection
2272           UUID the new device will be bound to so that tunneled packets will
2273           only be routed via that interface.
2274
2275           Format: string
2276
2277       path-mtu-discovery
2278           Whether to enable Path MTU Discovery on this tunnel.
2279
2280           Format: boolean
2281
2282       remote
2283           Alias: remote
2284
2285           The remote endpoint of the tunnel; the value must contain an IPv4
2286           or IPv6 address.
2287
2288           Format: string
2289
2290       tos
2291           The type of service (IPv4) or traffic class (IPv6) field to be set
2292           on tunneled packets.
2293
2294           Format: uint32
2295
2296       ttl
2297           The TTL to assign to tunneled packets. 0 is a special value meaning
2298           that packets inherit the TTL value.
2299
2300           Format: uint32
2301
2302   macsec setting
2303       MACSec Settings.
2304
2305       Properties:
2306
2307       encrypt
2308           Alias: encrypt
2309
2310           Whether the transmitted traffic must be encrypted.
2311
2312           Format: boolean
2313
2314       mka-cak
2315           Alias: cak
2316
2317           The pre-shared CAK (Connectivity Association Key) for MACsec Key
2318           Agreement.
2319
2320           Format: string
2321
2322       mka-cak-flags
2323           Flags indicating how to handle the "mka-cak" property. See the
2324           section called “Secret flag types:” for flag values.
2325
2326           Format: NMSettingSecretFlags (uint32)
2327
2328       mka-ckn
2329           Alias: ckn
2330
2331           The pre-shared CKN (Connectivity-association Key Name) for MACsec
2332           Key Agreement.
2333
2334           Format: string
2335
2336       mode
2337           Alias: mode
2338
2339           Specifies how the CAK (Connectivity Association Key) for MKA
2340           (MACsec Key Agreement) is obtained.
2341
2342           Format: int32
2343
2344       parent
2345           Alias: dev
2346
2347           If given, specifies the parent interface name or parent connection
2348           UUID from which this MACSEC interface should be created. If this
2349           property is not specified, the connection must contain an
2350           "802-3-ethernet" setting with a "mac-address" property.
2351
2352           Format: string
2353
2354       port
2355           Alias: port
2356
2357           The port component of the SCI (Secure Channel Identifier), between
2358           1 and 65534.
2359
2360           Format: int32
2361
2362       send-sci
2363           Specifies whether the SCI (Secure Channel Identifier) is included
2364           in every packet.
2365
2366           Format: boolean
2367
2368       validation
2369           Specifies the validation mode for incoming frames.
2370
2371           Format: int32
2372
2373   macvlan setting
2374       MAC VLAN Settings.
2375
2376       Properties:
2377
2378       mode
2379           Alias: mode
2380
2381           The macvlan mode, which specifies the communication mechanism
2382           between multiple macvlans on the same lower device.
2383
2384           Format: uint32
2385
2386       parent
2387           Alias: dev
2388
2389           If given, specifies the parent interface name or parent connection
2390           UUID from which this MAC-VLAN interface should be created. If this
2391           property is not specified, the connection must contain an
2392           "802-3-ethernet" setting with a "mac-address" property.
2393
2394           Format: string
2395
2396       promiscuous
2397           Whether the interface should be put in promiscuous mode.
2398
2399           Format: boolean
2400
2401       tap
2402           Alias: tap
2403
2404           Whether the interface should be a MACVTAP.
2405
2406           Format: boolean
2407
2408   match setting
2409       Match settings.
2410
2411       Properties:
2412
2413       driver
2414           A list of driver names to match. Each element is a shell wildcard
2415           pattern. See NMSettingMatch:interface-name for how special
2416           characters '|', '&', '!' and '\' are used for optional and
2417           mandatory matches and inverting the pattern.
2418
2419           Format: array of string
2420
2421       interface-name
2422           A list of interface names to match. Each element is a shell
2423           wildcard pattern. An element can be prefixed with a pipe symbol (|)
2424           or an ampersand (&). The former means that the element is optional
2425           and the latter means that it is mandatory. If there are any
2426           optional elements, than the match evaluates to true if at least one
2427           of the optional element matches (logical OR). If there are any
2428           mandatory elements, then they all must match (logical AND). By
2429           default, an element is optional. This means that an element "foo"
2430           behaves the same as "|foo". An element can also be inverted with
2431           exclamation mark (!) between the pipe symbol (or the ampersand) and
2432           before the pattern. Note that "!foo" is a shortcut for the
2433           mandatory match "&!foo". Finally, a backslash can be used at the
2434           beginning of the element (after the optional special characters) to
2435           escape the start of the pattern. For example, "&\!a" is an
2436           mandatory match for literally "!a".
2437
2438           Format: array of string
2439
2440       kernel-command-line
2441           A list of kernel command line arguments to match. This may be used
2442           to check whether a specific kernel command line option is set (or
2443           if prefixed with the exclamation mark unset). The argument must
2444           either be a single word, or an assignment (i.e. two words,
2445           separated "="). In the former case the kernel command line is
2446           searched for the word appearing as is, or as left hand side of an
2447           assignment. In the latter case, the exact assignment is looked for
2448           with right and left hand side matching. See
2449           NMSettingMatch:interface-name for how special characters '|', '&',
2450           '!' and '\' are used for optional and mandatory matches and
2451           inverting the pattern.
2452
2453           Format: array of string
2454
2455       path
2456           A list of paths to match against the ID_PATH udev property of
2457           devices. ID_PATH represents the topological persistent path of a
2458           device. It typically contains a subsystem string (pci, usb,
2459           platform, etc.) and a subsystem-specific identifier. For PCI
2460           devices the path has the form "pci-$domain:$bus:$device.$function",
2461           where each variable is an hexadecimal value; for example
2462           "pci-0000:0a:00.0". The path of a device can be obtained with
2463           "udevadm info /sys/class/net/$dev | grep ID_PATH=" or by looking at
2464           the "path" property exported by NetworkManager ("nmcli -f
2465           general.path device show $dev"). Each element of the list is a
2466           shell wildcard pattern. See NMSettingMatch:interface-name for how
2467           special characters '|', '&', '!' and '\' are used for optional and
2468           mandatory matches and inverting the pattern.
2469
2470           Format: array of string
2471
2472   802-11-olpc-mesh setting
2473       Alias: olpc-mesh
2474
2475       OLPC Wireless Mesh Settings.
2476
2477       Properties:
2478
2479       channel
2480           Alias: channel
2481
2482           Channel on which the mesh network to join is located.
2483
2484           Format: uint32
2485
2486       dhcp-anycast-address
2487           Alias: dhcp-anycast
2488
2489           Anycast DHCP MAC address used when requesting an IP address via
2490           DHCP. The specific anycast address used determines which DHCP
2491           server class answers the request.
2492
2493           Format: byte array
2494
2495       ssid
2496           Alias: ssid
2497
2498           SSID of the mesh network to join.
2499
2500           Format: byte array
2501
2502   ovs-bridge setting
2503       OvsBridge Link Settings.
2504
2505       Properties:
2506
2507       datapath-type
2508           The data path type. One of "system", "netdev" or empty.
2509
2510           Format: string
2511
2512       fail-mode
2513           The bridge failure mode. One of "secure", "standalone" or empty.
2514
2515           Format: string
2516
2517       mcast-snooping-enable
2518           Enable or disable multicast snooping.
2519
2520           Format: boolean
2521
2522       rstp-enable
2523           Enable or disable RSTP.
2524
2525           Format: boolean
2526
2527       stp-enable
2528           Enable or disable STP.
2529
2530           Format: boolean
2531
2532   ovs-dpdk setting
2533       OvsDpdk Link Settings.
2534
2535       Properties:
2536
2537       devargs
2538           Open vSwitch DPDK device arguments.
2539
2540           Format: string
2541
2542   ovs-interface setting
2543       Open vSwitch Interface Settings.
2544
2545       Properties:
2546
2547       type
2548           The interface type. Either "internal", "system", "patch", "dpdk",
2549           or empty.
2550
2551           Format: string
2552
2553   ovs-patch setting
2554       OvsPatch Link Settings.
2555
2556       Properties:
2557
2558       peer
2559           Specifies the name of the interface for the other side of the
2560           patch. The patch on the other side must also set this interface as
2561           peer.
2562
2563           Format: string
2564
2565   ovs-port setting
2566       OvsPort Link Settings.
2567
2568       Properties:
2569
2570       bond-downdelay
2571           The time port must be inactive in order to be considered down.
2572
2573           Format: uint32
2574
2575       bond-mode
2576           Bonding mode. One of "active-backup", "balance-slb", or
2577           "balance-tcp".
2578
2579           Format: string
2580
2581       bond-updelay
2582           The time port must be active before it starts forwarding traffic.
2583
2584           Format: uint32
2585
2586       lacp
2587           LACP mode. One of "active", "off", or "passive".
2588
2589           Format: string
2590
2591       tag
2592           The VLAN tag in the range 0-4095.
2593
2594           Format: uint32
2595
2596       vlan-mode
2597           The VLAN mode. One of "access", "native-tagged", "native-untagged",
2598           "trunk" or unset.
2599
2600           Format: string
2601
2602   ppp setting
2603       Point-to-Point Protocol Settings.
2604
2605       Properties:
2606
2607       baud
2608           If non-zero, instruct pppd to set the serial port to the specified
2609           baudrate. This value should normally be left as 0 to automatically
2610           choose the speed.
2611
2612           Format: uint32
2613
2614       crtscts
2615           If TRUE, specify that pppd should set the serial port to use
2616           hardware flow control with RTS and CTS signals. This value should
2617           normally be set to FALSE.
2618
2619           Format: boolean
2620
2621       lcp-echo-failure
2622           If non-zero, instruct pppd to presume the connection to the peer
2623           has failed if the specified number of LCP echo-requests go
2624           unanswered by the peer. The "lcp-echo-interval" property must also
2625           be set to a non-zero value if this property is used.
2626
2627           Format: uint32
2628
2629       lcp-echo-interval
2630           If non-zero, instruct pppd to send an LCP echo-request frame to the
2631           peer every n seconds (where n is the specified value). Note that
2632           some PPP peers will respond to echo requests and some will not, and
2633           it is not possible to autodetect this.
2634
2635           Format: uint32
2636
2637       mppe-stateful
2638           If TRUE, stateful MPPE is used. See pppd documentation for more
2639           information on stateful MPPE.
2640
2641           Format: boolean
2642
2643       mru
2644           If non-zero, instruct pppd to request that the peer send packets no
2645           larger than the specified size. If non-zero, the MRU should be
2646           between 128 and 16384.
2647
2648           Format: uint32
2649
2650       mtu
2651           If non-zero, instruct pppd to send packets no larger than the
2652           specified size.
2653
2654           Format: uint32
2655
2656       no-vj-comp
2657           If TRUE, Van Jacobsen TCP header compression will not be requested.
2658
2659           Format: boolean
2660
2661       noauth
2662           If TRUE, do not require the other side (usually the PPP server) to
2663           authenticate itself to the client. If FALSE, require authentication
2664           from the remote side. In almost all cases, this should be TRUE.
2665
2666           Format: boolean
2667
2668       nobsdcomp
2669           If TRUE, BSD compression will not be requested.
2670
2671           Format: boolean
2672
2673       nodeflate
2674           If TRUE, "deflate" compression will not be requested.
2675
2676           Format: boolean
2677
2678       refuse-chap
2679           If TRUE, the CHAP authentication method will not be used.
2680
2681           Format: boolean
2682
2683       refuse-eap
2684           If TRUE, the EAP authentication method will not be used.
2685
2686           Format: boolean
2687
2688       refuse-mschap
2689           If TRUE, the MSCHAP authentication method will not be used.
2690
2691           Format: boolean
2692
2693       refuse-mschapv2
2694           If TRUE, the MSCHAPv2 authentication method will not be used.
2695
2696           Format: boolean
2697
2698       refuse-pap
2699           If TRUE, the PAP authentication method will not be used.
2700
2701           Format: boolean
2702
2703       require-mppe
2704           If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
2705           required for the PPP session. If either 64-bit or 128-bit MPPE is
2706           not available the session will fail. Note that MPPE is not used on
2707           mobile broadband connections.
2708
2709           Format: boolean
2710
2711       require-mppe-128
2712           If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
2713           required for the PPP session, and the "require-mppe" property must
2714           also be set to TRUE. If 128-bit MPPE is not available the session
2715           will fail.
2716
2717           Format: boolean
2718
2719   pppoe setting
2720       PPP-over-Ethernet Settings.
2721
2722       Properties:
2723
2724       parent
2725           Alias: parent
2726
2727           If given, specifies the parent interface name on which this PPPoE
2728           connection should be created. If this property is not specified,
2729           the connection is activated on the interface specified in
2730           "interface-name" of NMSettingConnection.
2731
2732           Format: string
2733
2734       password
2735           Alias: password
2736
2737           Password used to authenticate with the PPPoE service.
2738
2739           Format: string
2740
2741       password-flags
2742           Flags indicating how to handle the "password" property. See the
2743           section called “Secret flag types:” for flag values.
2744
2745           Format: NMSettingSecretFlags (uint32)
2746
2747       service
2748           Alias: service
2749
2750           If specified, instruct PPPoE to only initiate sessions with access
2751           concentrators that provide the specified service. For most
2752           providers, this should be left blank. It is only required if there
2753           are multiple access concentrators or a specific service is known to
2754           be required.
2755
2756           Format: string
2757
2758       username
2759           Alias: username
2760
2761           Username used to authenticate with the PPPoE service.
2762
2763           Format: string
2764
2765   proxy setting
2766       WWW Proxy Settings.
2767
2768       Properties:
2769
2770       browser-only
2771           Alias: browser-only
2772
2773           Whether the proxy configuration is for browser only.
2774
2775           Format: boolean
2776
2777       method
2778           Alias: method
2779
2780           Method for proxy configuration, Default is
2781           NM_SETTING_PROXY_METHOD_NONE (0)
2782
2783           Format: int32
2784
2785       pac-script
2786           Alias: pac-script
2787
2788           PAC script for the connection.
2789
2790           Format: string
2791
2792       pac-url
2793           Alias: pac-url
2794
2795           PAC URL for obtaining PAC file.
2796
2797           Format: string
2798
2799   serial setting
2800       Serial Link Settings.
2801
2802       Properties:
2803
2804       baud
2805           Speed to use for communication over the serial port. Note that this
2806           value usually has no effect for mobile broadband modems as they
2807           generally ignore speed settings and use the highest available
2808           speed.
2809
2810           Format: uint32
2811
2812       bits
2813           Byte-width of the serial communication. The 8 in "8n1" for example.
2814
2815           Format: uint32
2816
2817       parity
2818           Parity setting of the serial port.
2819
2820           Format: NMSettingSerialParity (byte)
2821
2822       send-delay
2823           Time to delay between each byte sent to the modem, in microseconds.
2824
2825           Format: uint64
2826
2827       stopbits
2828           Number of stop bits for communication on the serial port. Either 1
2829           or 2. The 1 in "8n1" for example.
2830
2831           Format: uint32
2832
2833   sriov setting
2834       SR-IOV settings.
2835
2836       Properties:
2837
2838       autoprobe-drivers
2839           Whether to autoprobe virtual functions by a compatible driver. If
2840           set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
2841           compatible driver and if this succeeds a new network interface will
2842           be instantiated for each VF. If set to NM_TERNARY_FALSE (0), VFs
2843           will not be claimed and no network interfaces will be created for
2844           them. When set to NM_TERNARY_DEFAULT (-1), the global default is
2845           used; in case the global default is unspecified it is assumed to be
2846           NM_TERNARY_TRUE (1).
2847
2848           Format: NMTernary (int32)
2849
2850       total-vfs
2851           The total number of virtual functions to create. Note that when the
2852           sriov setting is present NetworkManager enforces the number of
2853           virtual functions on the interface (also when it is zero) during
2854           activation and resets it upon deactivation. To prevent any changes
2855           to SR-IOV parameters don't add a sriov setting to the connection.
2856
2857           Format: uint32
2858
2859       vfs
2860           Array of virtual function descriptors. Each VF descriptor is a
2861           dictionary mapping attribute names to GVariant values. The 'index'
2862           entry is mandatory for each VF. When represented as string a VF is
2863           in the form: "INDEX [ATTR=VALUE[ ATTR=VALUE]...]". for example: "2
2864           mac=00:11:22:33:44:55 spoof-check=true". Multiple VFs can be
2865           specified using a comma as separator. Currently the following
2866           attributes are supported: mac, spoof-check, trust, min-tx-rate,
2867           max-tx-rate, vlans. The "vlans" attribute is represented as a
2868           semicolon-separated list of VLAN descriptors, where each descriptor
2869           has the form "ID[.PRIORITY[.PROTO]]". PROTO can be either 'q' for
2870           802.1Q (the default) or 'ad' for 802.1ad.
2871
2872           Format: array of vardict
2873
2874   tc setting
2875       Linux Traffic Control Settings.
2876
2877       Properties:
2878
2879       qdiscs
2880           Array of TC queueing disciplines.
2881
2882           Format: array of vardict
2883
2884       tfilters
2885           Array of TC traffic filters.
2886
2887           Format: array of vardict
2888
2889   team setting
2890       Teaming Settings.
2891
2892       Properties:
2893
2894       config
2895           Alias: config
2896
2897           The JSON configuration for the team network interface. The property
2898           should contain raw JSON configuration data suitable for teamd,
2899           because the value is passed directly to teamd. If not specified,
2900           the default configuration is used. See man teamd.conf for the
2901           format details.
2902
2903           Format: string
2904
2905       link-watchers
2906           Link watchers configuration for the connection: each link watcher
2907           is defined by a dictionary, whose keys depend upon the selected
2908           link watcher. Available link watchers are 'ethtool', 'nsna_ping'
2909           and 'arp_ping' and it is specified in the dictionary with the key
2910           'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
2911           'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
2912           'target-host'; arp_ping: all the ones in nsna_ping and
2913           'source-host', 'validate-active', 'validate-inactive',
2914           'send-always'. See teamd.conf man for more details.
2915
2916           Format: array of vardict
2917
2918       mcast-rejoin-count
2919           Corresponds to the teamd mcast_rejoin.count.
2920
2921           Format: int32
2922
2923       mcast-rejoin-interval
2924           Corresponds to the teamd mcast_rejoin.interval.
2925
2926           Format: int32
2927
2928       notify-peers-count
2929           Corresponds to the teamd notify_peers.count.
2930
2931           Format: int32
2932
2933       notify-peers-interval
2934           Corresponds to the teamd notify_peers.interval.
2935
2936           Format: int32
2937
2938       runner
2939           Corresponds to the teamd runner.name. Permitted values are:
2940           "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
2941           "random".
2942
2943           Format: string
2944
2945       runner-active
2946           Corresponds to the teamd runner.active.
2947
2948           Format: boolean
2949
2950       runner-agg-select-policy
2951           Corresponds to the teamd runner.agg_select_policy.
2952
2953           Format: string
2954
2955       runner-fast-rate
2956           Corresponds to the teamd runner.fast_rate.
2957
2958           Format: boolean
2959
2960       runner-hwaddr-policy
2961           Corresponds to the teamd runner.hwaddr_policy.
2962
2963           Format: string
2964
2965       runner-min-ports
2966           Corresponds to the teamd runner.min_ports.
2967
2968           Format: int32
2969
2970       runner-sys-prio
2971           Corresponds to the teamd runner.sys_prio.
2972
2973           Format: int32
2974
2975       runner-tx-balancer
2976           Corresponds to the teamd runner.tx_balancer.name.
2977
2978           Format: string
2979
2980       runner-tx-balancer-interval
2981           Corresponds to the teamd runner.tx_balancer.interval.
2982
2983           Format: int32
2984
2985       runner-tx-hash
2986           Corresponds to the teamd runner.tx_hash.
2987
2988           Format: array of string
2989
2990   team-port setting
2991       Team Port Settings.
2992
2993       Properties:
2994
2995       config
2996           Alias: config
2997
2998           The JSON configuration for the team port. The property should
2999           contain raw JSON configuration data suitable for teamd, because the
3000           value is passed directly to teamd. If not specified, the default
3001           configuration is used. See man teamd.conf for the format details.
3002
3003           Format: string
3004
3005       lacp-key
3006           Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3007
3008           Format: int32
3009
3010       lacp-prio
3011           Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3012
3013           Format: int32
3014
3015       link-watchers
3016           Link watchers configuration for the connection: each link watcher
3017           is defined by a dictionary, whose keys depend upon the selected
3018           link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3019           and 'arp_ping' and it is specified in the dictionary with the key
3020           'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3021           'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3022           'target-host'; arp_ping: all the ones in nsna_ping and
3023           'source-host', 'validate-active', 'validate-inactive',
3024           'send-always'. See teamd.conf man for more details.
3025
3026           Format: array of vardict
3027
3028       prio
3029           Corresponds to the teamd ports.PORTIFNAME.prio.
3030
3031           Format: int32
3032
3033       queue-id
3034           Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1
3035           means the parameter is skipped from the json config.
3036
3037           Format: int32
3038
3039       sticky
3040           Corresponds to the teamd ports.PORTIFNAME.sticky.
3041
3042           Format: boolean
3043
3044   tun setting
3045       Tunnel Settings.
3046
3047       Properties:
3048
3049       group
3050           Alias: group
3051
3052           The group ID which will own the device. If set to NULL everyone
3053           will be able to use the device.
3054
3055           Format: string
3056
3057       mode
3058           Alias: mode
3059
3060           The operating mode of the virtual device. Allowed values are
3061           NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3062           NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3063
3064           Format: uint32
3065
3066       multi-queue
3067           Alias: multi-queue
3068
3069           If the property is set to TRUE, the interface will support multiple
3070           file descriptors (queues) to parallelize packet sending or
3071           receiving. Otherwise, the interface will only support a single
3072           queue.
3073
3074           Format: boolean
3075
3076       owner
3077           Alias: owner
3078
3079           The user ID which will own the device. If set to NULL everyone will
3080           be able to use the device.
3081
3082           Format: string
3083
3084       pi
3085           Alias: pi
3086
3087           If TRUE the interface will prepend a 4 byte header describing the
3088           physical interface to the packets.
3089
3090           Format: boolean
3091
3092       vnet-hdr
3093           Alias: vnet-hdr
3094
3095           If TRUE the IFF_VNET_HDR the tunnel packets will include a virtio
3096           network header.
3097
3098           Format: boolean
3099
3100   vlan setting
3101       VLAN Settings.
3102
3103       Properties:
3104
3105       egress-priority-map
3106           Alias: egress
3107
3108           For outgoing packets, a list of mappings from Linux SKB priorities
3109           to 802.1p priorities. The mapping is given in the format "from:to"
3110           where both "from" and "to" are unsigned integers, ie "7:3".
3111
3112           Format: array of string
3113
3114       flags
3115           Alias: flags
3116
3117           One or more flags which control the behavior and features of the
3118           VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
3119           (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
3120           of the GVRP protocol), and NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
3121           binding of the interface to its master device's operating state).
3122           NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol). The default
3123           value of this property is NM_VLAN_FLAG_REORDER_HEADERS, but it used
3124           to be 0. To preserve backward compatibility, the default-value in
3125           the D-Bus API continues to be 0 and a missing property on D-Bus is
3126           still considered as 0.
3127
3128           Format: NMVlanFlags (uint32)
3129
3130       id
3131           Alias: id
3132
3133           The VLAN identifier that the interface created by this connection
3134           should be assigned. The valid range is from 0 to 4094, without the
3135           reserved id 4095.
3136
3137           Format: uint32
3138
3139       ingress-priority-map
3140           Alias: ingress
3141
3142           For incoming packets, a list of mappings from 802.1p priorities to
3143           Linux SKB priorities. The mapping is given in the format "from:to"
3144           where both "from" and "to" are unsigned integers, ie "7:3".
3145
3146           Format: array of string
3147
3148       parent
3149           Alias: dev
3150
3151           If given, specifies the parent interface name or parent connection
3152           UUID from which this VLAN interface should be created. If this
3153           property is not specified, the connection must contain an
3154           "802-3-ethernet" setting with a "mac-address" property.
3155
3156           Format: string
3157
3158   vpn setting
3159       VPN Settings.
3160
3161       Properties:
3162
3163       data
3164           Dictionary of key/value pairs of VPN plugin specific data. Both
3165           keys and values must be strings.
3166
3167           Format: dict of string to string
3168
3169       persistent
3170           If the VPN service supports persistence, and this property is TRUE,
3171           the VPN will attempt to stay connected across link changes and
3172           outages, until explicitly disconnected.
3173
3174           Format: boolean
3175
3176       secrets
3177           Dictionary of key/value pairs of VPN plugin specific secrets like
3178           passwords or private keys. Both keys and values must be strings.
3179
3180           Format: dict of string to string
3181
3182       service-type
3183           Alias: vpn-type
3184
3185           D-Bus service name of the VPN plugin that this setting uses to
3186           connect to its network. i.e. org.freedesktop.NetworkManager.vpnc
3187           for the vpnc plugin.
3188
3189           Format: string
3190
3191       timeout
3192           Timeout for the VPN service to establish the connection. Some
3193           services may take quite a long time to connect. Value of 0 means a
3194           default timeout, which is 60 seconds (unless overridden by
3195           vpn.timeout in configuration file). Values greater than zero mean
3196           timeout in seconds.
3197
3198           Format: uint32
3199
3200       user-name
3201           Alias: user
3202
3203           If the VPN connection requires a user name for authentication, that
3204           name should be provided here. If the connection is available to
3205           more than one user, and the VPN requires each user to supply a
3206           different name, then leave this property empty. If this property is
3207           empty, NetworkManager will automatically supply the username of the
3208           user which requested the VPN connection.
3209
3210           Format: string
3211
3212   vrf setting
3213       VRF settings.
3214
3215       Properties:
3216
3217       table
3218           Alias: table
3219
3220           The routing table for this VRF.
3221
3222           Format: uint32
3223
3224   vxlan setting
3225       VXLAN Settings.
3226
3227       Properties:
3228
3229       ageing
3230           Specifies the lifetime in seconds of FDB entries learnt by the
3231           kernel.
3232
3233           Format: uint32
3234
3235       destination-port
3236           Alias: destination-port
3237
3238           Specifies the UDP destination port to communicate to the remote
3239           VXLAN tunnel endpoint.
3240
3241           Format: uint32
3242
3243       id
3244           Alias: id
3245
3246           Specifies the VXLAN Network Identifier (or VXLAN Segment
3247           Identifier) to use.
3248
3249           Format: uint32
3250
3251       l2-miss
3252           Specifies whether netlink LL ADDR miss notifications are generated.
3253
3254           Format: boolean
3255
3256       l3-miss
3257           Specifies whether netlink IP ADDR miss notifications are generated.
3258
3259           Format: boolean
3260
3261       learning
3262           Specifies whether unknown source link layer addresses and IP
3263           addresses are entered into the VXLAN device forwarding database.
3264
3265           Format: boolean
3266
3267       limit
3268           Specifies the maximum number of FDB entries. A value of zero means
3269           that the kernel will store unlimited entries.
3270
3271           Format: uint32
3272
3273       local
3274           Alias: local
3275
3276           If given, specifies the source IP address to use in outgoing
3277           packets.
3278
3279           Format: string
3280
3281       parent
3282           Alias: dev
3283
3284           If given, specifies the parent interface name or parent connection
3285           UUID.
3286
3287           Format: string
3288
3289       proxy
3290           Specifies whether ARP proxy is turned on.
3291
3292           Format: boolean
3293
3294       remote
3295           Alias: remote
3296
3297           Specifies the unicast destination IP address to use in outgoing
3298           packets when the destination link layer address is not known in the
3299           VXLAN device forwarding database, or the multicast IP address to
3300           join.
3301
3302           Format: string
3303
3304       rsc
3305           Specifies whether route short circuit is turned on.
3306
3307           Format: boolean
3308
3309       source-port-max
3310           Alias: source-port-max
3311
3312           Specifies the maximum UDP source port to communicate to the remote
3313           VXLAN tunnel endpoint.
3314
3315           Format: uint32
3316
3317       source-port-min
3318           Alias: source-port-min
3319
3320           Specifies the minimum UDP source port to communicate to the remote
3321           VXLAN tunnel endpoint.
3322
3323           Format: uint32
3324
3325       tos
3326           Specifies the TOS value to use in outgoing packets.
3327
3328           Format: uint32
3329
3330       ttl
3331           Specifies the time-to-live value to use in outgoing packets.
3332
3333           Format: uint32
3334
3335   wifi-p2p setting
3336       Wi-Fi P2P Settings.
3337
3338       Properties:
3339
3340       peer
3341           Alias: peer
3342
3343           The P2P device that should be connected to. Currently this is the
3344           only way to create or join a group.
3345
3346           Format: string
3347
3348       wfd-ies
3349           The Wi-Fi Display (WFD) Information Elements (IEs) to set. Wi-Fi
3350           Display requires a protocol specific information element to be set
3351           in certain Wi-Fi frames. These can be specified here for the
3352           purpose of establishing a connection. This setting is only useful
3353           when implementing a Wi-Fi Display client.
3354
3355           Format: byte array
3356
3357       wps-method
3358           Flags indicating which mode of WPS is to be used. There's little
3359           point in changing the default setting as NetworkManager will
3360           automatically determine the best method to use.
3361
3362           Format: uint32
3363
3364   wimax setting
3365       WiMax Settings.
3366
3367       Properties:
3368
3369       mac-address
3370           Alias: mac
3371
3372           If specified, this connection will only apply to the WiMAX device
3373           whose MAC address matches. This property does not change the MAC
3374           address of the device (known as MAC spoofing). Deprecated: 1
3375
3376           Format: byte array
3377
3378       network-name
3379           Alias: nsp
3380
3381           Network Service Provider (NSP) name of the WiMAX network this
3382           connection should use. Deprecated: 1
3383
3384           Format: string
3385
3386   802-3-ethernet setting
3387       Alias: ethernet
3388
3389       Wired Ethernet Settings.
3390
3391       Properties:
3392
3393       auto-negotiate
3394           When TRUE, enforce auto-negotiation of speed and duplex mode. If
3395           "speed" and "duplex" properties are both specified, only that
3396           single mode will be advertised and accepted during the link
3397           auto-negotiation process: this works only for BASE-T 802.3
3398           specifications and is useful for enforcing gigabits modes, as in
3399           these cases link negotiation is mandatory. When FALSE, "speed" and
3400           "duplex" properties should be both set or link configuration will
3401           be skipped.
3402
3403           Format: boolean
3404
3405       cloned-mac-address
3406           Alias: cloned-mac
3407
3408           If specified, request that the device use this MAC address instead.
3409           This is known as MAC cloning or spoofing. Beside explicitly
3410           specifying a MAC address, the special values "preserve",
3411           "permanent", "random" and "stable" are supported. "preserve" means
3412           not to touch the MAC address on activation. "permanent" means to
3413           use the permanent hardware address if the device has one (otherwise
3414           this is treated as "preserve"). "random" creates a random MAC
3415           address on each connect. "stable" creates a hashed MAC address
3416           based on connection.stable-id and a machine dependent key. If
3417           unspecified, the value can be overwritten via global defaults, see
3418           manual of NetworkManager.conf. If still unspecified, it defaults to
3419           "preserve" (older versions of NetworkManager may use a different
3420           default value). On D-Bus, this field is expressed as
3421           "assigned-mac-address" or the deprecated "cloned-mac-address".
3422
3423           Format: byte array
3424
3425       duplex
3426           When a value is set, either "half" or "full", configures the device
3427           to use the specified duplex mode. If "auto-negotiate" is "yes" the
3428           specified duplex mode will be the only one advertised during link
3429           negotiation: this works only for BASE-T 802.3 specifications and is
3430           useful for enforcing gigabits modes, as in these cases link
3431           negotiation is mandatory. If the value is unset (the default), the
3432           link configuration will be either skipped (if "auto-negotiate" is
3433           "no", the default) or will be auto-negotiated (if "auto-negotiate"
3434           is "yes") and the local device will advertise all the supported
3435           duplex modes. Must be set together with the "speed" property if
3436           specified. Before specifying a duplex mode be sure your device
3437           supports it.
3438
3439           Format: string
3440
3441       generate-mac-address-mask
3442           With "cloned-mac-address" setting "random" or "stable", by default
3443           all bits of the MAC address are scrambled and a
3444           locally-administered, unicast MAC address is created. This property
3445           allows to specify that certain bits are fixed. Note that the least
3446           significant bit of the first MAC address will always be unset to
3447           create a unicast MAC address. If the property is NULL, it is
3448           eligible to be overwritten by a default connection setting. If the
3449           value is still NULL or an empty string, the default is to create a
3450           locally-administered, unicast MAC address. If the value contains
3451           one MAC address, this address is used as mask. The set bits of the
3452           mask are to be filled with the current MAC address of the device,
3453           while the unset bits are subject to randomization. Setting
3454           "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3455           address and only randomize the lower 3 bytes using the "random" or
3456           "stable" algorithm. If the value contains one additional MAC
3457           address after the mask, this address is used instead of the current
3458           MAC address to fill the bits that shall not be randomized. For
3459           example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3460           the OUI of the MAC address to 68:F7:28, while the lower bits are
3461           randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3462           create a fully scrambled globally-administered, burned-in MAC
3463           address. If the value contains more than one additional MAC
3464           addresses, one of them is chosen randomly. For example,
3465           "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3466           a fully scrambled MAC address, randomly locally or globally
3467           administered.
3468
3469           Format: string
3470
3471       mac-address
3472           Alias: mac
3473
3474           If specified, this connection will only apply to the Ethernet
3475           device whose permanent MAC address matches. This property does not
3476           change the MAC address of the device (i.e. MAC spoofing).
3477
3478           Format: byte array
3479
3480       mac-address-blacklist
3481           If specified, this connection will never apply to the Ethernet
3482           device whose permanent MAC address matches an address in the list.
3483           Each MAC address is in the standard hex-digits-and-colons notation
3484           (00:11:22:33:44:55).
3485
3486           Format: array of string
3487
3488       mtu
3489           Alias: mtu
3490
3491           If non-zero, only transmit packets of the specified size or
3492           smaller, breaking larger packets up into multiple Ethernet frames.
3493
3494           Format: uint32
3495
3496       port
3497           Specific port type to use if the device supports multiple
3498           attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
3499           Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
3500           Interface). If the device supports only one port type, this setting
3501           is ignored.
3502
3503           Format: string
3504
3505       s390-nettype
3506           s390 network device type; one of "qeth", "lcs", or "ctc",
3507           representing the different types of virtual network devices
3508           available on s390 systems.
3509
3510           Format: string
3511
3512       s390-options
3513           Dictionary of key/value pairs of s390-specific device options. Both
3514           keys and values must be strings. Allowed keys include "portno",
3515           "layer2", "portname", "protocol", among others. Key names must
3516           contain only alphanumeric characters (ie, [a-zA-Z0-9]).
3517
3518           Format: dict of string to string
3519
3520       s390-subchannels
3521           Identifies specific subchannels that this network device uses for
3522           communication with z/VM or s390 host. Like the "mac-address"
3523           property for non-z/VM devices, this property can be used to ensure
3524           this connection only applies to the network device that uses these
3525           subchannels. The list should contain exactly 3 strings, and each
3526           string may only be composed of hexadecimal characters and the
3527           period (.) character.
3528
3529           Format: array of string
3530
3531       speed
3532           When a value greater than 0 is set, configures the device to use
3533           the specified speed. If "auto-negotiate" is "yes" the specified
3534           speed will be the only one advertised during link negotiation: this
3535           works only for BASE-T 802.3 specifications and is useful for
3536           enforcing gigabit speeds, as in this case link negotiation is
3537           mandatory. If the value is unset (0, the default), the link
3538           configuration will be either skipped (if "auto-negotiate" is "no",
3539           the default) or will be auto-negotiated (if "auto-negotiate" is
3540           "yes") and the local device will advertise all the supported
3541           speeds. In Mbit/s, ie 100 == 100Mbit/s. Must be set together with
3542           the "duplex" property when non-zero. Before specifying a speed
3543           value be sure your device supports it.
3544
3545           Format: uint32
3546
3547       wake-on-lan
3548           The NMSettingWiredWakeOnLan options to enable. Not all devices
3549           support all options. May be any combination of
3550           NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
3551           NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
3552           NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
3553           NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
3554           NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
3555           NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
3556           NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
3557           and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
3558           management of Wake-on-LAN in NetworkManager).
3559
3560           Format: uint32
3561
3562       wake-on-lan-password
3563           If specified, the password used with magic-packet-based
3564           Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
3565           password will be required.
3566
3567           Format: string
3568
3569   wireguard setting
3570       WireGuard Settings.
3571
3572       Properties:
3573
3574       fwmark
3575           The use of fwmark is optional and is by default off. Setting it to
3576           0 disables it. Otherwise it is a 32-bit fwmark for outgoing
3577           packets. Note that "ip4-auto-default-route" or
3578           "ip6-auto-default-route" enabled, implies to automatically choose a
3579           fwmark.
3580
3581           Format: uint32
3582
3583       ip4-auto-default-route
3584           Whether to enable special handling of the IPv4 default route. If
3585           enabled, the IPv4 default route from wireguard.peer-routes will be
3586           placed to a dedicated routing-table and two policy routing rules
3587           will be added. The fwmark number is also used as routing-table for
3588           the default-route, and if fwmark is zero, an unused fwmark/table is
3589           chosen automatically. This corresponds to what wg-quick does with
3590           Table=auto and what WireGuard calls "Improved Rule-based Routing".
3591           Note that for this automatism to work, you usually don't want to
3592           set ipv4.gateway, because that will result in a conflicting default
3593           route. Leaving this at the default will enable this option
3594           automatically if ipv4.never-default is not set and there are any
3595           peers that use a default-route as allowed-ips.
3596
3597           Format: NMTernary (int32)
3598
3599       ip6-auto-default-route
3600           Like ip4-auto-default-route, but for the IPv6 default route.
3601
3602           Format: NMTernary (int32)
3603
3604       listen-port
3605           The listen-port. If listen-port is not specified, the port will be
3606           chosen randomly when the interface comes up.
3607
3608           Format: uint32
3609
3610       mtu
3611           If non-zero, only transmit packets of the specified size or
3612           smaller, breaking larger packets up into multiple fragments. If
3613           zero a default MTU is used. Note that contrary to wg-quick's MTU
3614           setting, this does not take into account the current routes at the
3615           time of activation.
3616
3617           Format: uint32
3618
3619       peer-routes
3620           Whether to automatically add routes for the AllowedIPs ranges of
3621           the peers. If TRUE (the default), NetworkManager will automatically
3622           add routes in the routing tables according to ipv4.route-table and
3623           ipv6.route-table. Usually you want this automatism enabled. If
3624           FALSE, no such routes are added automatically. In this case, the
3625           user may want to configure static routes in ipv4.routes and
3626           ipv6.routes, respectively. Note that if the peer's AllowedIPs is
3627           "0.0.0.0/0" or "::/0" and the profile's ipv4.never-default or
3628           ipv6.never-default setting is enabled, the peer route for this peer
3629           won't be added automatically.
3630
3631           Format: boolean
3632
3633       private-key
3634           The 256 bit private-key in base64 encoding.
3635
3636           Format: string
3637
3638       private-key-flags
3639           Flags indicating how to handle the "private-key" property. See the
3640           section called “Secret flag types:” for flag values.
3641
3642           Format: NMSettingSecretFlags (uint32)
3643
3644   802-11-wireless setting
3645       Alias: wifi
3646
3647       Wi-Fi Settings.
3648
3649       Properties:
3650
3651       band
3652           802.11 frequency band of the network. One of "a" for 5GHz 802.11a
3653           or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
3654           network to the specific band, i.e. if "a" is specified, the device
3655           will not associate with the same network in the 2.4GHz band even if
3656           the network's settings are compatible. This setting depends on
3657           specific driver capability and may not work with all drivers.
3658
3659           Format: string
3660
3661       bssid
3662           If specified, directs the device to only associate with the given
3663           access point. This capability is highly driver dependent and not
3664           supported by all devices. Note: this property does not control the
3665           BSSID used when creating an Ad-Hoc network and is unlikely to in
3666           the future.
3667
3668           Format: byte array
3669
3670       channel
3671           Wireless channel to use for the Wi-Fi connection. The device will
3672           only join (or create for Ad-Hoc networks) a Wi-Fi network on the
3673           specified channel. Because channel numbers overlap between bands,
3674           this property also requires the "band" property to be set.
3675
3676           Format: uint32
3677
3678       cloned-mac-address
3679           Alias: cloned-mac
3680
3681           If specified, request that the device use this MAC address instead.
3682           This is known as MAC cloning or spoofing. Beside explicitly
3683           specifying a MAC address, the special values "preserve",
3684           "permanent", "random" and "stable" are supported. "preserve" means
3685           not to touch the MAC address on activation. "permanent" means to
3686           use the permanent hardware address of the device. "random" creates
3687           a random MAC address on each connect. "stable" creates a hashed MAC
3688           address based on connection.stable-id and a machine dependent key.
3689           If unspecified, the value can be overwritten via global defaults,
3690           see manual of NetworkManager.conf. If still unspecified, it
3691           defaults to "preserve" (older versions of NetworkManager may use a
3692           different default value). On D-Bus, this field is expressed as
3693           "assigned-mac-address" or the deprecated "cloned-mac-address".
3694
3695           Format: byte array
3696
3697       generate-mac-address-mask
3698           With "cloned-mac-address" setting "random" or "stable", by default
3699           all bits of the MAC address are scrambled and a
3700           locally-administered, unicast MAC address is created. This property
3701           allows to specify that certain bits are fixed. Note that the least
3702           significant bit of the first MAC address will always be unset to
3703           create a unicast MAC address. If the property is NULL, it is
3704           eligible to be overwritten by a default connection setting. If the
3705           value is still NULL or an empty string, the default is to create a
3706           locally-administered, unicast MAC address. If the value contains
3707           one MAC address, this address is used as mask. The set bits of the
3708           mask are to be filled with the current MAC address of the device,
3709           while the unset bits are subject to randomization. Setting
3710           "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3711           address and only randomize the lower 3 bytes using the "random" or
3712           "stable" algorithm. If the value contains one additional MAC
3713           address after the mask, this address is used instead of the current
3714           MAC address to fill the bits that shall not be randomized. For
3715           example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3716           the OUI of the MAC address to 68:F7:28, while the lower bits are
3717           randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3718           create a fully scrambled globally-administered, burned-in MAC
3719           address. If the value contains more than one additional MAC
3720           addresses, one of them is chosen randomly. For example,
3721           "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3722           a fully scrambled MAC address, randomly locally or globally
3723           administered.
3724
3725           Format: string
3726
3727       hidden
3728           If TRUE, indicates that the network is a non-broadcasting network
3729           that hides its SSID. This works both in infrastructure and AP mode.
3730           In infrastructure mode, various workarounds are used for a more
3731           reliable discovery of hidden networks, such as probe-scanning the
3732           SSID. However, these workarounds expose inherent insecurities with
3733           hidden SSID networks, and thus hidden SSID networks should be used
3734           with caution. In AP mode, the created network does not broadcast
3735           its SSID. Note that marking the network as hidden may be a privacy
3736           issue for you (in infrastructure mode) or client stations (in AP
3737           mode), as the explicit probe-scans are distinctly recognizable on
3738           the air.
3739
3740           Format: boolean
3741
3742       mac-address
3743           Alias: mac
3744
3745           If specified, this connection will only apply to the Wi-Fi device
3746           whose permanent MAC address matches. This property does not change
3747           the MAC address of the device (i.e. MAC spoofing).
3748
3749           Format: byte array
3750
3751       mac-address-blacklist
3752           A list of permanent MAC addresses of Wi-Fi devices to which this
3753           connection should never apply. Each MAC address should be given in
3754           the standard hex-digits-and-colons notation (eg
3755           "00:11:22:33:44:55").
3756
3757           Format: array of string
3758
3759       mac-address-randomization
3760           One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
3761           unless the user has set a global default to randomize and the
3762           supplicant supports randomization),
3763           NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
3764           address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
3765           randomize the MAC address). This property is deprecated for
3766           'cloned-mac-address'. Deprecated: 1
3767
3768           Format: uint32
3769
3770       mode
3771           Alias: mode
3772
3773           Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
3774           "ap". If blank, infrastructure is assumed.
3775
3776           Format: string
3777
3778       mtu
3779           Alias: mtu
3780
3781           If non-zero, only transmit packets of the specified size or
3782           smaller, breaking larger packets up into multiple Ethernet frames.
3783
3784           Format: uint32
3785
3786       powersave
3787           One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
3788           power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
3789           Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
3790           (don't touch currently configure setting) or
3791           NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
3792           configured value). All other values are reserved.
3793
3794           Format: uint32
3795
3796       rate
3797           If non-zero, directs the device to only use the specified bitrate
3798           for communication with the access point. Units are in Kb/s, ie 5500
3799           = 5.5 Mbit/s. This property is highly driver dependent and not all
3800           devices support setting a static bitrate.
3801
3802           Format: uint32
3803
3804       seen-bssids
3805           A list of BSSIDs (each BSSID formatted as a MAC address like
3806           "00:11:22:33:44:55") that have been detected as part of the Wi-Fi
3807           network. NetworkManager internally tracks previously seen BSSIDs.
3808           The property is only meant for reading and reflects the BSSID list
3809           of NetworkManager. The changes you make to this property will not
3810           be preserved.
3811
3812           Format: array of string
3813
3814       ssid
3815           Alias: ssid
3816
3817           SSID of the Wi-Fi network. Must be specified.
3818
3819           Format: byte array
3820
3821       tx-power
3822           If non-zero, directs the device to use the specified transmit
3823           power. Units are dBm. This property is highly driver dependent and
3824           not all devices support setting a static transmit power.
3825
3826           Format: uint32
3827
3828       wake-on-wlan
3829           The NMSettingWirelessWakeOnWLan options to enable. Not all devices
3830           support all options. May be any combination of
3831           NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
3832           NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
3833           NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
3834           NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
3835           NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
3836           NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
3837           NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
3838           NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
3839           NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
3840           settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
3841           disable management of Wake-on-LAN in NetworkManager).
3842
3843           Format: uint32
3844
3845   802-11-wireless-security setting
3846       Alias: wifi-sec
3847
3848       Wi-Fi Security Settings.
3849
3850       Properties:
3851
3852       auth-alg
3853           When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate
3854           the 802.11 authentication algorithm required by the AP here. One of
3855           "open" for Open System, "shared" for Shared Key, or "leap" for
3856           Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and
3857           auth-alg = "leap") the "leap-username" and "leap-password"
3858           properties must be specified.
3859
3860           Format: string
3861
3862       fils
3863           Indicates whether Fast Initial Link Setup (802.11ai) must be
3864           enabled for the connection. One of
3865           NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
3866           value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
3867           FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
3868           if the supplicant and the access point support it) or
3869           NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
3870           fail if not supported). When set to
3871           NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
3872           is set, FILS will be optionally enabled.
3873
3874           Format: int32
3875
3876       group
3877           A list of group/broadcast encryption algorithms which prevents
3878           connections to Wi-Fi networks that do not utilize one of the
3879           algorithms in the list. For maximum compatibility leave this
3880           property empty. Each list element may be one of "wep40", "wep104",
3881           "tkip", or "ccmp".
3882
3883           Format: array of string
3884
3885       key-mgmt
3886           Key management used for the connection. One of "none" (WEP),
3887           "ieee8021x" (Dynamic WEP), "wpa-psk" (infrastructure WPA-PSK),
3888           "sae" (SAE), "owe" (Opportunistic Wireless Encryption) or "wpa-eap"
3889           (WPA-Enterprise). This property must be set for any Wi-Fi
3890           connection that uses security.
3891
3892           Format: string
3893
3894       leap-password
3895           The login password for legacy LEAP connections (ie, key-mgmt =
3896           "ieee8021x" and auth-alg = "leap").
3897
3898           Format: string
3899
3900       leap-password-flags
3901           Flags indicating how to handle the "leap-password" property. See
3902           the section called “Secret flag types:” for flag values.
3903
3904           Format: NMSettingSecretFlags (uint32)
3905
3906       leap-username
3907           The login username for legacy LEAP connections (ie, key-mgmt =
3908           "ieee8021x" and auth-alg = "leap").
3909
3910           Format: string
3911
3912       pairwise
3913           A list of pairwise encryption algorithms which prevents connections
3914           to Wi-Fi networks that do not utilize one of the algorithms in the
3915           list. For maximum compatibility leave this property empty. Each
3916           list element may be one of "tkip" or "ccmp".
3917
3918           Format: array of string
3919
3920       pmf
3921           Indicates whether Protected Management Frames (802.11w) must be
3922           enabled for the connection. One of
3923           NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
3924           value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
3925           NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
3926           supplicant and the access point support it) or
3927           NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
3928           if not supported). When set to
3929           NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
3930           is set, PMF will be optionally enabled.
3931
3932           Format: int32
3933
3934       proto
3935           List of strings specifying the allowed WPA protocol versions to
3936           use. Each element may be one "wpa" (allow WPA) or "rsn" (allow
3937           WPA2/RSN). If not specified, both WPA and RSN connections are
3938           allowed.
3939
3940           Format: array of string
3941
3942       psk
3943           Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
3944           passphrase of 8 to 63 characters that is (as specified in the
3945           802.11i standard) hashed to derive the actual key, or the key in
3946           form of 64 hexadecimal character. The WPA3-Personal networks use a
3947           passphrase of any length for SAE authentication.
3948
3949           Format: string
3950
3951       psk-flags
3952           Flags indicating how to handle the "psk" property. See the section
3953           called “Secret flag types:” for flag values.
3954
3955           Format: NMSettingSecretFlags (uint32)
3956
3957       wep-key-flags
3958           Flags indicating how to handle the "wep-key0", "wep-key1",
3959           "wep-key2", and "wep-key3" properties. See the section called
3960           “Secret flag types:” for flag values.
3961
3962           Format: NMSettingSecretFlags (uint32)
3963
3964       wep-key-type
3965           Controls the interpretation of WEP keys. Allowed values are
3966           NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
3967           26-character hexadecimal string, or a 5- or 13-character ASCII
3968           password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
3969           passphrase is provided as a string and will be hashed using the
3970           de-facto MD5 method to derive the actual WEP key.
3971
3972           Format: NMWepKeyType (uint32)
3973
3974       wep-key0
3975           Index 0 WEP key. This is the WEP key used in most networks. See the
3976           "wep-key-type" property for a description of how this key is
3977           interpreted.
3978
3979           Format: string
3980
3981       wep-key1
3982           Index 1 WEP key. This WEP index is not used by most networks. See
3983           the "wep-key-type" property for a description of how this key is
3984           interpreted.
3985
3986           Format: string
3987
3988       wep-key2
3989           Index 2 WEP key. This WEP index is not used by most networks. See
3990           the "wep-key-type" property for a description of how this key is
3991           interpreted.
3992
3993           Format: string
3994
3995       wep-key3
3996           Index 3 WEP key. This WEP index is not used by most networks. See
3997           the "wep-key-type" property for a description of how this key is
3998           interpreted.
3999
4000           Format: string
4001
4002       wep-tx-keyidx
4003           When static WEP is used (ie, key-mgmt = "none") and a non-default
4004           WEP key index is used by the AP, put that WEP key index here. Valid
4005           values are 0 (default key) through 3. Note that some consumer
4006           access points (like the Linksys WRT54G) number the keys 1 - 4.
4007
4008           Format: uint32
4009
4010       wps-method
4011           Flags indicating which mode of WPS is to be used if any. There's
4012           little point in changing the default setting as NetworkManager will
4013           automatically determine whether it's feasible to start WPS
4014           enrollment from the Access Point capabilities. WPS can be disabled
4015           by setting this property to a value of 1.
4016
4017           Format: uint32
4018
4019   wpan setting
4020       IEEE 802.15.4 (WPAN) MAC Settings.
4021
4022       Properties:
4023
4024       channel
4025           Alias: channel
4026
4027           IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
4028           set, use whatever the device is already set to".
4029
4030           Format: int32
4031
4032       mac-address
4033           Alias: mac
4034
4035           If specified, this connection will only apply to the IEEE 802.15.4
4036           (WPAN) MAC layer device whose permanent MAC address matches.
4037
4038           Format: string
4039
4040       page
4041           Alias: page
4042
4043           IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
4044           not set, use whatever the device is already set to".
4045
4046           Format: int32
4047
4048       pan-id
4049           Alias: pan-id
4050
4051           IEEE 802.15.4 Personal Area Network (PAN) identifier.
4052
4053           Format: uint32
4054
4055       short-address
4056           Alias: short-addr
4057
4058           Short IEEE 802.15.4 address to be used within a restricted
4059           environment.
4060
4061           Format: uint32
4062
4063   Secret flag types:
4064       Each password or secret property in a setting has an associated flags
4065       property that describes how to handle that secret. The flags property
4066       is a bitfield that contains zero or more of the following values
4067       logically OR-ed together.
4068
4069       ·   0x0 (none) - the system is responsible for providing and storing
4070           this secret. This may be required so that secrets are already
4071           available before the user logs in. It also commonly means that the
4072           secret will be stored in plain text on disk, accessible to root
4073           only. For example via the keyfile settings plugin as described in
4074           the "PLUGINS" section in NetworkManager.conf(5).
4075
4076       ·   0x1 (agent-owned) - a user-session secret agent is responsible for
4077           providing and storing this secret; when it is required, agents will
4078           be asked to provide it.
4079
4080       ·   0x2 (not-saved) - this secret should not be saved but should be
4081           requested from the user each time it is required. This flag should
4082           be used for One-Time-Pad secrets, PIN codes from hardware tokens,
4083           or if the user simply does not want to save the secret.
4084
4085       ·   0x4 (not-required) - in some situations it cannot be automatically
4086           determined that a secret is required or not. This flag hints that
4087           the secret is not required and should not be requested from the
4088           user.
4089

FILES

4091       /etc/NetworkManager/system-connections or distro plugin-specific
4092       location
4093

SEE ALSO

4095       nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
4096       nm-settings-keyfile(5), NetworkManager.conf(5)
4097
4098
4099
4100NetworkManager 1.26.6                                     NM-SETTINGS-NMCLI(5)
Impressum