1NM-SETTINGS-NMCLI(5) Configuration NM-SETTINGS-NMCLI(5)
2
6 nm-settings-nmcli - Description of settings and properties of
7 NetworkManager connection profiles for nmcli
8
10 NetworkManager is based on a concept of connection profiles, sometimes
11 referred to as connections only. These connection profiles contain a
12 network configuration. When NetworkManager activates a connection
13 profile on a network device the configuration will be applied and an
14 active network connection will be established. Users are free to create
15 as many connection profiles as they see fit. Thus they are flexible in
16 having various network configurations for different networking needs.
17 NetworkManager provides an API for configuring connection profiles, for
19 activating them to configure the network, and inspecting the current
20 network configuration. The command line tool nmcli is a client
21 application to NetworkManager that uses this API. See nmcli(1) for
22 details.
23 With commands like nmcli connection add, nmcli connection modify and
25 nmcli connection show, connection profiles can be created, modified and
26 inspected. A profile consists of properties. On D-Bus this follows the
27 format as described by nm-settings-dbus(5), while this manual page
28 describes the settings format how they are expected by nmcli.
29 The settings and properties shown in tables below list all available
31 connection configuration options. However, note that not all settings
32 are applicable to all connection types. nmcli connection editor has
33 also a built-in describe command that can display description of
34 particular settings and properties of this page.
35 The setting and property can be abbreviated provided they are unique.
37 The list below also shows aliases that can be used unqualified instead
38 of the full name. For example connection.interface-name and ifname
39 refer to the same property.
40 connection setting
42 General Connection Profile Settings.
43 Properties:
45 auth-retries
47 The number of retries for the authentication. Zero means to try
48 indefinitely; -1 means to use a global default. If the global
49 default is not set, the authentication retries for 3 times before
50 failing the connection. Currently this only applies to 802-1x
51 authentication.
52 Format: int32
54 autoconnect
56 Alias: autoconnect
57 Whether or not the connection should be automatically connected by
59 NetworkManager when the resources for the connection are available.
60 TRUE to automatically activate the connection, FALSE to require
61 manual intervention to activate the connection. Note that
62 autoconnect is not implemented for VPN profiles. See "secondaries"
63 as an alternative to automatically connect VPN profiles.
64 Format: boolean
66 autoconnect-priority
68 The autoconnect priority. If the connection is set to autoconnect,
69 connections with higher priority will be preferred. Defaults to 0.
70 The higher number means higher priority.
71 Format: int32
73 autoconnect-retries
75 The number of times a connection should be tried when
76 autoactivating before giving up. Zero means forever, -1 means the
77 global default (4 times if not overridden). Setting this to 1 means
78 to try activation only once before blocking autoconnect. Note that
79 after a timeout, NetworkManager will try to autoconnect again.
80 Format: int32
82 autoconnect-slaves
84 Whether or not slaves of this connection should be automatically
85 brought up when NetworkManager activates this connection. This only
86 has a real effect for master connections. The properties
87 "autoconnect", "autoconnect-priority" and "autoconnect-retries" are
88 unrelated to this setting. The permitted values are: 0: leave slave
89 connections untouched, 1: activate all the slave connections with
90 this connection, -1: default. If -1 (default) is set, global
91 connection.autoconnect-slaves is read to determine the real value.
92 If it is default as well, this fallbacks to 0.
93 Format: NMSettingConnectionAutoconnectSlaves (int32)
95 gateway-ping-timeout
97 If greater than zero, delay success of IP addressing until either
98 the timeout is reached, or an IP gateway replies to a ping.
99 Format: uint32
101 id
103 Alias: con-name
104 A human readable unique identifier for the connection, like "Work
106 Wi-Fi" or "T-Mobile 3G".
107 Format: string
109 interface-name
111 Alias: ifname
112 The name of the network interface this connection is bound to. If
114 not set, then the connection can be attached to any interface of
115 the appropriate type (subject to restrictions imposed by other
116 settings). For software devices this specifies the name of the
117 created device. For connection types where interface names cannot
118 easily be made persistent (e.g. mobile broadband or USB Ethernet),
119 this property should not be used. Setting this property restricts
120 the interfaces a connection can be used with, and if interface
121 names change or are reordered the connection may be applied to the
122 wrong interface.
123 Format: string
125 lldp
127 Whether LLDP is enabled for the connection.
128 Format: int32
130 llmnr
132 Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
133 the connection. LLMNR is a protocol based on the Domain Name System
134 (DNS) packet format that allows both IPv4 and IPv6 hosts to perform
135 name resolution for hosts on the same local link. The permitted
136 values are: "yes" (2) register hostname and resolving for the
137 connection, "no" (0) disable LLMNR for the interface, "resolve" (1)
138 do not register hostname but allow resolving of LLMNR host names If
139 unspecified, "default" ultimately depends on the DNS plugin (which
140 for systemd-resolved currently means "yes"). This feature requires
141 a plugin which supports LLMNR. Otherwise the setting has no effect.
142 One such plugin is dns-systemd-resolved.
143 Format: int32
145 master
147 Alias: master
148 Interface name of the master device or UUID of the master
150 connection.
151 Format: string
153 mdns
155 Whether mDNS is enabled for the connection. The permitted values
156 are: "yes" (2) register hostname and resolving for the connection,
157 "no" (0) disable mDNS for the interface, "resolve" (1) do not
158 register hostname but allow resolving of mDNS host names and
159 "default" (-1) to allow lookup of a global default in
160 NetworkManager.conf. If unspecified, "default" ultimately depends
161 on the DNS plugin (which for systemd-resolved currently means
162 "no"). This feature requires a plugin which supports mDNS.
163 Otherwise the setting has no effect. One such plugin is
164 dns-systemd-resolved.
165 Format: int32
167 metered
169 Whether the connection is metered. When updating this property on a
170 currently activated connection, the change takes effect
171 immediately.
172 Format: NMMetered (int32)
174 mud-url
176 If configured, set to a Manufacturer Usage Description (MUD) URL
177 that points to manufacturer-recommended network policies for IoT
178 devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
179 must be a valid URL starting with "https://". The special value
180 "none" is allowed to indicate that no MUD URL is used. If the
181 per-profile value is unspecified (the default), a global connection
182 default gets consulted. If still unspecified, the ultimate default
183 is "none".
184 Format: string
186 multi-connect
188 Specifies whether the profile can be active multiple times at a
189 particular moment. The value is of type NMConnectionMultiConnect.
190 Format: int32
192 permissions
194 An array of strings defining what access a given user has to this
195 connection. If this is NULL or empty, all users are allowed to
196 access this connection; otherwise users are allowed if and only if
197 they are in this list. When this is not empty, the connection can
198 be active only when one of the specified users is logged into an
199 active session. Each entry is of the form "[type]:[id]:[reserved]";
200 for example, "user:dcbw:blah". At this time only the "user" [type]
201 is allowed. Any other values are ignored and reserved for future
202 use. [id] is the username that this permission refers to, which may
203 not contain the ":" character. Any [reserved] information present
204 must be ignored and is reserved for future use. All of [type],
205 [id], and [reserved] must be valid UTF-8.
206 Format: array of string
208 read-only
210 FALSE if the connection can be modified using the provided settings
211 service's D-Bus interface with the right privileges, or TRUE if the
212 connection is read-only and cannot be modified.
213 Format: boolean
215 secondaries
217 List of connection UUIDs that should be activated when the base
218 connection itself is activated. Currently only VPN connections are
219 supported.
220 Format: array of string
222 slave-type
224 Alias: slave-type
225 Setting name of the device type of this slave's master connection
227 (eg, "bond"), or NULL if this connection is not a slave.
228 Format: string
230 stable-id
232 This represents the identity of the connection used for various
233 purposes. It allows to configure multiple profiles to share the
234 identity. Also, the stable-id can contain placeholders that are
235 substituted dynamically and deterministically depending on the
236 context. The stable-id is used for generating IPv6 stable private
237 addresses with ipv6.addr-gen-mode=stable-privacy. It is also used
238 to seed the generated cloned MAC address for
239 ethernet.cloned-mac-address=stable and
240 wifi.cloned-mac-address=stable. It is also used as DHCP client
241 identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
242 DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid]. Note that depending
243 on the context where it is used, other parameters are also seeded
244 into the generation algorithm. For example, a per-host key is
245 commonly also included, so that different systems end up generating
246 different IDs. Or with ipv6.addr-gen-mode=stable-privacy, also the
247 device's name is included, so that different interfaces yield
248 different addresses. The '$' character is treated special to
249 perform dynamic substitutions at runtime. Currently supported are
250 "${CONNECTION}", "${DEVICE}", "${MAC}", "${BOOT}", "${RANDOM}".
251 These effectively create unique IDs per-connection, per-device,
252 per-boot, or every time. Note that "${DEVICE}" corresponds to the
253 interface name of the device and "${MAC}" is the permanent MAC
254 address of the device. Any unrecognized patterns following '$' are
255 treated verbatim, however are reserved for future use. You are thus
256 advised to avoid '$' or escape it as "$$". For example, set it to
257 "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
258 connection that changes with every reboot and differs depending on
259 the interface where the profile activates. If the value is unset, a
260 global connection default is consulted. If the value is still
261 unset, the default is similar to "${CONNECTION}" and uses a unique,
262 fixed ID for the connection.
263 Format: string
265 timestamp
267 The time, in seconds since the Unix Epoch, that the connection was
268 last _successfully_ fully activated. NetworkManager updates the
269 connection timestamp periodically when the connection is active to
270 ensure that an active connection has the latest timestamp. The
271 property is only meant for reading (changes to this property will
272 not be preserved).
273 Format: uint64
275 type
277 Alias: type
278 Base type of the connection. For hardware-dependent connections,
280 should contain the setting name of the hardware-type specific
281 setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth",
282 etc), and for non-hardware dependent connections like VPN or
283 otherwise, should contain the setting name of that setting type
284 (ie, "vpn" or "bridge", etc).
285 Format: string
287 uuid
289 A universally unique identifier for the connection, for example
290 generated with libuuid. It should be assigned when the connection
291 is created, and never changed as long as the connection still
292 applies to the same network. For example, it should not be changed
293 when the "id" property or NMSettingIP4Config changes, but might
294 need to be re-created when the Wi-Fi SSID, mobile broadband network
295 provider, or "type" property changes. The UUID must be in the
296 format "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only
297 hexadecimal characters and "-").
298 Format: string
300 wait-device-timeout
302 Timeout in milliseconds to wait for device at startup. During boot,
303 devices may take a while to be detected by the driver. This
304 property will cause to delay NetworkManager-wait-online.service and
305 nm-online to give the device a chance to appear. This works by
306 waiting for the given timeout until a compatible device for the
307 profile is available and managed. The value 0 means no wait time.
308 The default value is -1, which currently has the same meaning as no
309 wait time.
310 Format: int32
312 zone
314 The trust level of a the connection. Free form case-insensitive
315 string (for example "Home", "Work", "Public"). NULL or unspecified
316 zone means the connection will be placed in the default zone as
317 defined by the firewall. When updating this property on a currently
318 activated connection, the change takes effect immediately.
319 Format: string
321 6lowpan setting
323 6LoWPAN Settings.
324 Properties:
326 parent
328 Alias: dev
329 If given, specifies the parent interface name or parent connection
331 UUID from which this 6LowPAN interface should be created.
332 Format: string
334 802-1x setting
336 IEEE 802.1x Authentication Settings.
337 Properties:
339 altsubject-matches
341 List of strings to be matched against the altSubjectName of the
342 certificate presented by the authentication server. If the list is
343 empty, no verification of the server certificate's altSubjectName
344 is performed.
345 Format: array of string
347 anonymous-identity
349 Anonymous identity string for EAP authentication methods. Used as
350 the unencrypted identity with EAP types that support different
351 tunneled identity like EAP-TTLS.
352 Format: string
354 auth-timeout
356 A timeout for the authentication. Zero means the global default; if
357 the global default is not set, the authentication timeout is 25
358 seconds.
359 Format: int32
361 ca-cert
363 Contains the CA certificate if used by the EAP method specified in
364 the "eap" property. Certificate data is specified using a "scheme";
365 three are currently supported: blob, path and pkcs#11 URL. When
366 using the blob scheme this property should be set to the
367 certificate's DER encoded data. When using the path scheme, this
368 property should be set to the full UTF-8 encoded path of the
369 certificate, prefixed with the string "file://" and ending with a
370 terminating NUL byte. This property can be unset even if the EAP
371 method supports CA certificates, but this allows man-in-the-middle
372 attacks and is NOT recommended. Note that enabling
373 NMSetting8021x:system-ca-certs will override this setting to use
374 the built-in path, if the built-in path is not a directory.
375 Format: byte array
377 ca-cert-password
379 The password used to access the CA certificate stored in "ca-cert"
380 property. Only makes sense if the certificate is stored on a
381 PKCS#11 token that requires a login.
382 Format: string
384 ca-cert-password-flags
386 Flags indicating how to handle the "ca-cert-password" property. See
387 the section called “Secret flag types:” for flag values.
388 Format: NMSettingSecretFlags (uint32)
390 ca-path
392 UTF-8 encoded path to a directory containing PEM or DER formatted
393 certificates to be added to the verification chain in addition to
394 the certificate specified in the "ca-cert" property. If
395 NMSetting8021x:system-ca-certs is enabled and the built-in CA path
396 is an existing directory, then this setting is ignored.
397 Format: string
399 client-cert
401 Contains the client certificate if used by the EAP method specified
402 in the "eap" property. Certificate data is specified using a
403 "scheme"; two are currently supported: blob and path. When using
404 the blob scheme (which is backwards compatible with NM 0.7.x) this
405 property should be set to the certificate's DER encoded data. When
406 using the path scheme, this property should be set to the full
407 UTF-8 encoded path of the certificate, prefixed with the string
408 "file://" and ending with a terminating NUL byte.
409 Format: byte array
411 client-cert-password
413 The password used to access the client certificate stored in
414 "client-cert" property. Only makes sense if the certificate is
415 stored on a PKCS#11 token that requires a login.
416 Format: string
418 client-cert-password-flags
420 Flags indicating how to handle the "client-cert-password" property.
421 See the section called “Secret flag types:” for flag values.
422 Format: NMSettingSecretFlags (uint32)
424 domain-match
426 Constraint for server domain name. If set, this list of FQDNs is
427 used as a match requirement for dNSName element(s) of the
428 certificate presented by the authentication server. If a matching
429 dNSName is found, this constraint is met. If no dNSName values are
430 present, this constraint is matched against SubjectName CN using
431 the same comparison. Multiple valid FQDNs can be passed as a ";"
432 delimited list.
433 Format: string
435 domain-suffix-match
437 Constraint for server domain name. If set, this FQDN is used as a
438 suffix match requirement for dNSName element(s) of the certificate
439 presented by the authentication server. If a matching dNSName is
440 found, this constraint is met. If no dNSName values are present,
441 this constraint is matched against SubjectName CN using same suffix
442 match comparison. Since version 1.24, multiple valid FQDNs can be
443 passed as a ";" delimited list.
444 Format: string
446 eap
448 The allowed EAP method to be used when authenticating to the
449 network with 802.1x. Valid methods are: "leap", "md5", "tls",
450 "peap", "ttls", "pwd", and "fast". Each method requires different
451 configuration using the properties of this setting; refer to
452 wpa_supplicant documentation for the allowed combinations.
453 Format: array of string
455 identity
457 Identity string for EAP authentication methods. Often the user's
458 user or login name.
459 Format: string
461 optional
463 Whether the 802.1X authentication is optional. If TRUE, the
464 activation will continue even after a timeout or an authentication
465 failure. Setting the property to TRUE is currently allowed only for
466 Ethernet connections. If set to FALSE, the activation can continue
467 only after a successful authentication.
468 Format: boolean
470 pac-file
472 UTF-8 encoded file path containing PAC for EAP-FAST.
473 Format: string
475 password
477 UTF-8 encoded password used for EAP authentication methods. If both
478 the "password" property and the "password-raw" property are
479 specified, "password" is preferred.
480 Format: string
482 password-flags
484 Flags indicating how to handle the "password" property. See the
485 section called “Secret flag types:” for flag values.
486 Format: NMSettingSecretFlags (uint32)
488 password-raw
490 Password used for EAP authentication methods, given as a byte array
491 to allow passwords in other encodings than UTF-8 to be used. If
492 both the "password" property and the "password-raw" property are
493 specified, "password" is preferred.
494 Format: byte array
496 password-raw-flags
498 Flags indicating how to handle the "password-raw" property. See the
499 section called “Secret flag types:” for flag values.
500 Format: NMSettingSecretFlags (uint32)
502 phase1-auth-flags
504 Specifies authentication flags to use in "phase 1" outer
505 authentication using NMSetting8021xAuthFlags options. The
506 individual TLS versions can be explicitly disabled. If a certain
507 TLS disable flag is not set, it is up to the supplicant to allow or
508 forbid it. The TLS options map to tls_disable_tlsv1_x settings. See
509 the wpa_supplicant documentation for more details.
510 Format: uint32
512 phase1-fast-provisioning
514 Enables or disables in-line provisioning of EAP-FAST credentials
515 when FAST is specified as the EAP method in the "eap" property.
516 Recognized values are "0" (disabled), "1" (allow unauthenticated
517 provisioning), "2" (allow authenticated provisioning), and "3"
518 (allow both authenticated and unauthenticated provisioning). See
519 the wpa_supplicant documentation for more details.
520 Format: string
522 phase1-peaplabel
524 Forces use of the new PEAP label during key derivation. Some RADIUS
525 servers may require forcing the new PEAP label to interoperate with
526 PEAPv1. Set to "1" to force use of the new PEAP label. See the
527 wpa_supplicant documentation for more details.
528 Format: string
530 phase1-peapver
532 Forces which PEAP version is used when PEAP is set as the EAP
533 method in the "eap" property. When unset, the version reported by
534 the server will be used. Sometimes when using older RADIUS servers,
535 it is necessary to force the client to use a particular PEAP
536 version. To do so, this property may be set to "0" or "1" to force
537 that specific PEAP version.
538 Format: string
540 phase2-altsubject-matches
542 List of strings to be matched against the altSubjectName of the
543 certificate presented by the authentication server during the inner
544 "phase 2" authentication. If the list is empty, no verification of
545 the server certificate's altSubjectName is performed.
546 Format: array of string
548 phase2-auth
550 Specifies the allowed "phase 2" inner non-EAP authentication method
551 when an EAP method that uses an inner TLS tunnel is specified in
552 the "eap" property. Recognized non-EAP "phase 2" methods are "pap",
553 "chap", "mschap", "mschapv2", "gtc", "otp", "md5", and "tls". Each
554 "phase 2" inner method requires specific parameters for successful
555 authentication; see the wpa_supplicant documentation for more
556 details.
557 Format: string
559 phase2-autheap
561 Specifies the allowed "phase 2" inner EAP-based authentication
562 method when an EAP method that uses an inner TLS tunnel is
563 specified in the "eap" property. Recognized EAP-based "phase 2"
564 methods are "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase
565 2" inner method requires specific parameters for successful
566 authentication; see the wpa_supplicant documentation for more
567 details.
568 Format: string
570 phase2-ca-cert
572 Contains the "phase 2" CA certificate if used by the EAP method
573 specified in the "phase2-auth" or "phase2-autheap" properties.
574 Certificate data is specified using a "scheme"; three are currently
575 supported: blob, path and pkcs#11 URL. When using the blob scheme
576 this property should be set to the certificate's DER encoded data.
577 When using the path scheme, this property should be set to the full
578 UTF-8 encoded path of the certificate, prefixed with the string
579 "file://" and ending with a terminating NUL byte. This property can
580 be unset even if the EAP method supports CA certificates, but this
581 allows man-in-the-middle attacks and is NOT recommended. Note that
582 enabling NMSetting8021x:system-ca-certs will override this setting
583 to use the built-in path, if the built-in path is not a directory.
584 Format: byte array
586 phase2-ca-cert-password
588 The password used to access the "phase2" CA certificate stored in
589 "phase2-ca-cert" property. Only makes sense if the certificate is
590 stored on a PKCS#11 token that requires a login.
591 Format: string
593 phase2-ca-cert-password-flags
595 Flags indicating how to handle the "phase2-ca-cert-password"
596 property. See the section called “Secret flag types:” for flag
597 values.
598 Format: NMSettingSecretFlags (uint32)
600 phase2-ca-path
602 UTF-8 encoded path to a directory containing PEM or DER formatted
603 certificates to be added to the verification chain in addition to
604 the certificate specified in the "phase2-ca-cert" property. If
605 NMSetting8021x:system-ca-certs is enabled and the built-in CA path
606 is an existing directory, then this setting is ignored.
607 Format: string
609 phase2-client-cert
611 Contains the "phase 2" client certificate if used by the EAP method
612 specified in the "phase2-auth" or "phase2-autheap" properties.
613 Certificate data is specified using a "scheme"; two are currently
614 supported: blob and path. When using the blob scheme (which is
615 backwards compatible with NM 0.7.x) this property should be set to
616 the certificate's DER encoded data. When using the path scheme,
617 this property should be set to the full UTF-8 encoded path of the
618 certificate, prefixed with the string "file://" and ending with a
619 terminating NUL byte. This property can be unset even if the EAP
620 method supports CA certificates, but this allows man-in-the-middle
621 attacks and is NOT recommended.
622 Format: byte array
624 phase2-client-cert-password
626 The password used to access the "phase2" client certificate stored
627 in "phase2-client-cert" property. Only makes sense if the
628 certificate is stored on a PKCS#11 token that requires a login.
629 Format: string
631 phase2-client-cert-password-flags
633 Flags indicating how to handle the "phase2-client-cert-password"
634 property. See the section called “Secret flag types:” for flag
635 values.
636 Format: NMSettingSecretFlags (uint32)
638 phase2-domain-match
640 Constraint for server domain name. If set, this list of FQDNs is
641 used as a match requirement for dNSName element(s) of the
642 certificate presented by the authentication server during the inner
643 "phase 2" authentication. If a matching dNSName is found, this
644 constraint is met. If no dNSName values are present, this
645 constraint is matched against SubjectName CN using the same
646 comparison. Multiple valid FQDNs can be passed as a ";" delimited
647 list.
648 Format: string
650 phase2-domain-suffix-match
652 Constraint for server domain name. If set, this FQDN is used as a
653 suffix match requirement for dNSName element(s) of the certificate
654 presented by the authentication server during the inner "phase 2"
655 authentication. If a matching dNSName is found, this constraint is
656 met. If no dNSName values are present, this constraint is matched
657 against SubjectName CN using same suffix match comparison. Since
658 version 1.24, multiple valid FQDNs can be passed as a ";" delimited
659 list.
660 Format: string
662 phase2-private-key
664 Contains the "phase 2" inner private key when the "phase2-auth" or
665 "phase2-autheap" property is set to "tls". Key data is specified
666 using a "scheme"; two are currently supported: blob and path. When
667 using the blob scheme and private keys, this property should be set
668 to the key's encrypted PEM encoded data. When using private keys
669 with the path scheme, this property should be set to the full UTF-8
670 encoded path of the key, prefixed with the string "file://" and
671 ending with a terminating NUL byte. When using PKCS#12 format
672 private keys and the blob scheme, this property should be set to
673 the PKCS#12 data and the "phase2-private-key-password" property
674 must be set to password used to decrypt the PKCS#12 certificate and
675 key. When using PKCS#12 files and the path scheme, this property
676 should be set to the full UTF-8 encoded path of the key, prefixed
677 with the string "file://" and ending with a terminating NUL byte,
678 and as with the blob scheme the "phase2-private-key-password"
679 property must be set to the password used to decode the PKCS#12
680 private key and certificate.
681 Format: byte array
683 phase2-private-key-password
685 The password used to decrypt the "phase 2" private key specified in
686 the "phase2-private-key" property when the private key either uses
687 the path scheme, or is a PKCS#12 format key.
688 Format: string
690 phase2-private-key-password-flags
692 Flags indicating how to handle the "phase2-private-key-password"
693 property. See the section called “Secret flag types:” for flag
694 values.
695 Format: NMSettingSecretFlags (uint32)
697 phase2-subject-match
699 Substring to be matched against the subject of the certificate
700 presented by the authentication server during the inner "phase 2"
701 authentication. When unset, no verification of the authentication
702 server certificate's subject is performed. This property provides
703 little security, if any, and its use is deprecated in favor of
704 NMSetting8021x:phase2-domain-suffix-match.
705 Format: string
707 pin
709 PIN used for EAP authentication methods.
710 Format: string
712 pin-flags
714 Flags indicating how to handle the "pin" property. See the section
715 called “Secret flag types:” for flag values.
716 Format: NMSettingSecretFlags (uint32)
718 private-key
720 Contains the private key when the "eap" property is set to "tls".
721 Key data is specified using a "scheme"; two are currently
722 supported: blob and path. When using the blob scheme and private
723 keys, this property should be set to the key's encrypted PEM
724 encoded data. When using private keys with the path scheme, this
725 property should be set to the full UTF-8 encoded path of the key,
726 prefixed with the string "file://" and ending with a terminating
727 NUL byte. When using PKCS#12 format private keys and the blob
728 scheme, this property should be set to the PKCS#12 data and the
729 "private-key-password" property must be set to password used to
730 decrypt the PKCS#12 certificate and key. When using PKCS#12 files
731 and the path scheme, this property should be set to the full UTF-8
732 encoded path of the key, prefixed with the string "file://" and
733 ending with a terminating NUL byte, and as with the blob scheme the
734 "private-key-password" property must be set to the password used to
735 decode the PKCS#12 private key and certificate. WARNING:
736 "private-key" is not a "secret" property, and thus unencrypted
737 private key data using the BLOB scheme may be readable by
738 unprivileged users. Private keys should always be encrypted with a
739 private key password to prevent unauthorized access to unencrypted
740 private key data.
741 Format: byte array
743 private-key-password
745 The password used to decrypt the private key specified in the
746 "private-key" property when the private key either uses the path
747 scheme, or if the private key is a PKCS#12 format key.
748 Format: string
750 private-key-password-flags
752 Flags indicating how to handle the "private-key-password" property.
753 See the section called “Secret flag types:” for flag values.
754 Format: NMSettingSecretFlags (uint32)
756 subject-match
758 Substring to be matched against the subject of the certificate
759 presented by the authentication server. When unset, no verification
760 of the authentication server certificate's subject is performed.
761 This property provides little security, if any, and its use is
762 deprecated in favor of NMSetting8021x:domain-suffix-match.
763 Format: string
765 system-ca-certs
767 When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
768 using the system CA directory specified at configure time with the
769 --system-ca-path switch. The certificates in this directory are
770 added to the verification chain in addition to any certificates
771 specified by the "ca-cert" and "phase2-ca-cert" properties. If the
772 path provided with --system-ca-path is rather a file name (bundle
773 of trusted CA certificates), it overrides "ca-cert" and
774 "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
775 for wpa_supplicant).
776 Format: boolean
778 adsl setting
780 ADSL Settings.
781 Properties:
783 encapsulation
785 Alias: encapsulation
786 Encapsulation of ADSL connection. Can be "vcmux" or "llc".
788 Format: string
790 password
792 Alias: password
793 Password used to authenticate with the ADSL service.
795 Format: string
797 password-flags
799 Flags indicating how to handle the "password" property. See the
800 section called “Secret flag types:” for flag values.
801 Format: NMSettingSecretFlags (uint32)
803 protocol
805 Alias: protocol
806 ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
808 Format: string
810 username
812 Alias: username
813 Username used to authenticate with the ADSL service.
815 Format: string
817 vci
819 VCI of ADSL connection
820 Format: uint32
822 vpi
824 VPI of ADSL connection
825 Format: uint32
827 bluetooth setting
829 Bluetooth Settings.
830 Properties:
832 bdaddr
834 Alias: addr
835 The Bluetooth address of the device.
837 Format: byte array
839 type
841 Alias: bt-type
842 Either "dun" for Dial-Up Networking connections or "panu" for
844 Personal Area Networking connections to devices supporting the NAP
845 profile.
846 Format: string
848 bond setting
850 Bonding Settings.
851 Properties:
853 options
855 Dictionary of key/value pairs of bonding options. Both keys and
856 values must be strings. Option names must contain only alphanumeric
857 characters (ie, [a-zA-Z0-9]).
858 Format: dict of string to string
860 bridge setting
862 Bridging Settings.
863 Properties:
865 ageing-time
867 Alias: ageing-time
868 The Ethernet MAC address aging time, in seconds.
870 Format: uint32
872 forward-delay
874 Alias: forward-delay
875 The Spanning Tree Protocol (STP) forwarding delay, in seconds.
877 Format: uint32
879 group-address
881 If specified, The MAC address of the multicast group this bridge
882 uses for STP. The address must be a link-local address in standard
883 Ethernet MAC address format, ie an address of the form
884 01:80:C2:00:00:0X, with X in [0, 4..F]. If not specified the
885 default value is 01:80:C2:00:00:00.
886 Format: byte array
888 group-forward-mask
890 Alias: group-forward-mask
891 A mask of group addresses to forward. Usually, group addresses in
893 the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
894 forwarded according to standards. This property is a mask of 16
895 bits, each corresponding to a group address in that range that must
896 be forwarded. The mask can't have bits 0, 1 or 2 set because they
897 are used for STP, MAC pause frames and LACP.
898 Format: uint32
900 hello-time
902 Alias: hello-time
903 The Spanning Tree Protocol (STP) hello time, in seconds.
905 Format: uint32
907 mac-address
909 Alias: mac
910 If specified, the MAC address of bridge. When creating a new
912 bridge, this MAC address will be set. If this field is left
913 unspecified, the "ethernet.cloned-mac-address" is referred instead
914 to generate the initial MAC address. Note that setting
915 "ethernet.cloned-mac-address" anyway overwrites the MAC address of
916 the bridge later while activating the bridge. Hence, this property
917 is deprecated. Deprecated: 1
918 Format: byte array
920 max-age
922 Alias: max-age
923 The Spanning Tree Protocol (STP) maximum message age, in seconds.
925 Format: uint32
927 multicast-hash-max
929 Set maximum size of multicast hash table (value must be a power of
930 2).
931 Format: uint32
933 multicast-last-member-count
935 Set the number of queries the bridge will send before stopping
936 forwarding a multicast group after a "leave" message has been
937 received.
938 Format: uint32
940 multicast-last-member-interval
942 Set interval (in deciseconds) between queries to find remaining
943 members of a group, after a "leave" message is received.
944 Format: uint64
946 multicast-membership-interval
948 Set delay (in deciseconds) after which the bridge will leave a
949 group, if no membership reports for this group are received.
950 Format: uint64
952 multicast-querier
954 Enable or disable sending of multicast queries by the bridge. If
955 not specified the option is disabled.
956 Format: boolean
958 multicast-querier-interval
960 If no queries are seen after this delay (in deciseconds) has
961 passed, the bridge will start to send its own queries.
962 Format: uint64
964 multicast-query-interval
966 Interval (in deciseconds) between queries sent by the bridge after
967 the end of the startup phase.
968 Format: uint64
970 multicast-query-response-interval
972 Set the Max Response Time/Max Response Delay (in deciseconds) for
973 IGMP/MLD queries sent by the bridge.
974 Format: uint64
976 multicast-query-use-ifaddr
978 If enabled the bridge's own IP address is used as the source
979 address for IGMP queries otherwise the default of 0.0.0.0 is used.
980 Format: boolean
982 multicast-router
984 Sets bridge's multicast router. Multicast-snooping must be enabled
985 for this option to work. Supported values are: 'auto', 'disabled',
986 'enabled'. If not specified the default value is 'auto'.
987 Format: string
989 multicast-snooping
991 Alias: multicast-snooping
992 Controls whether IGMP snooping is enabled for this bridge. Note
994 that if snooping was automatically disabled due to hash collisions,
995 the system may refuse to enable the feature until the collisions
996 are resolved.
997 Format: boolean
999 multicast-startup-query-count
1001 Set the number of IGMP queries to send during startup phase.
1002 Format: uint32
1004 multicast-startup-query-interval
1006 Sets the time (in deciseconds) between queries sent out at startup
1007 to determine membership information.
1008 Format: uint64
1010 priority
1012 Alias: priority
1013 Sets the Spanning Tree Protocol (STP) priority for this bridge.
1015 Lower values are "better"; the lowest priority bridge will be
1016 elected the root bridge.
1017 Format: uint32
1019 stp
1021 Alias: stp
1022 Controls whether Spanning Tree Protocol (STP) is enabled for this
1024 bridge.
1025 Format: boolean
1027 vlan-default-pvid
1029 The default PVID for the ports of the bridge, that is the VLAN id
1030 assigned to incoming untagged frames.
1031 Format: uint32
1033 vlan-filtering
1035 Control whether VLAN filtering is enabled on the bridge.
1036 Format: boolean
1038 vlan-protocol
1040 If specified, the protocol used for VLAN filtering. Supported
1041 values are: '802.1Q', '802.1ad'. If not specified the default value
1042 is '802.1Q'.
1043 Format: string
1045 vlan-stats-enabled
1047 Controls whether per-VLAN stats accounting is enabled.
1048 Format: boolean
1050 vlans
1052 Array of bridge VLAN objects. In addition to the VLANs specified
1053 here, the bridge will also have the default-pvid VLAN configured by
1054 the bridge.vlan-default-pvid property. In nmcli the VLAN list can
1055 be specified with the following syntax: $vid [pvid] [untagged] [,
1056 $vid [pvid] [untagged]]... where $vid is either a single id between
1057 1 and 4094 or a range, represented as a couple of ids separated by
1058 a dash.
1059 Format: array of vardict
1061 bridge-port setting
1063 Bridge Port Settings.
1064 Properties:
1066 hairpin-mode
1068 Alias: hairpin
1069 Enables or disables "hairpin mode" for the port, which allows
1071 frames to be sent back out through the port the frame was received
1072 on.
1073 Format: boolean
1075 path-cost
1077 Alias: path-cost
1078 The Spanning Tree Protocol (STP) port cost for destinations via
1080 this port.
1081 Format: uint32
1083 priority
1085 Alias: priority
1086 The Spanning Tree Protocol (STP) priority of this bridge port.
1088 Format: uint32
1090 vlans
1092 Array of bridge VLAN objects. In addition to the VLANs specified
1093 here, the port will also have the default-pvid VLAN configured on
1094 the bridge by the bridge.vlan-default-pvid property. In nmcli the
1095 VLAN list can be specified with the following syntax: $vid [pvid]
1096 [untagged] [, $vid [pvid] [untagged]]... where $vid is either a
1097 single id between 1 and 4094 or a range, represented as a couple of
1098 ids separated by a dash.
1099 Format: array of vardict
1101 cdma setting
1103 CDMA-based Mobile Broadband Settings.
1104 Properties:
1106 mtu
1108 If non-zero, only transmit packets of the specified size or
1109 smaller, breaking larger packets up into multiple frames.
1110 Format: uint32
1112 number
1114 The number to dial to establish the connection to the CDMA-based
1115 mobile broadband network, if any. If not specified, the default
1116 number (#777) is used when required.
1117 Format: string
1119 password
1121 Alias: password
1122 The password used to authenticate with the network, if required.
1124 Many providers do not require a password, or accept any password.
1125 But if a password is required, it is specified here.
1126 Format: string
1128 password-flags
1130 Flags indicating how to handle the "password" property. See the
1131 section called “Secret flag types:” for flag values.
1132 Format: NMSettingSecretFlags (uint32)
1134 username
1136 Alias: user
1137 The username used to authenticate with the network, if required.
1139 Many providers do not require a username, or accept any username.
1140 But if a username is required, it is specified here.
1141 Format: string
1143 dcb setting
1145 Data Center Bridging Settings.
1146 Properties:
1148 app-fcoe-flags
1150 Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1151 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1152 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1153 NM_SETTING_DCB_FLAG_WILLING (0x4).
1154 Format: NMSettingDcbFlags (uint32)
1156 app-fcoe-mode
1158 The FCoE controller mode; either "fabric" (default) or "vn2vn".
1159 Format: string
1161 app-fcoe-priority
1163 The highest User Priority (0 - 7) which FCoE frames should use, or
1164 -1 for default priority. Only used when the "app-fcoe-flags"
1165 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1166 Format: int32
1168 app-fip-flags
1170 Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1171 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1172 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1173 NM_SETTING_DCB_FLAG_WILLING (0x4).
1174 Format: NMSettingDcbFlags (uint32)
1176 app-fip-priority
1178 The highest User Priority (0 - 7) which FIP frames should use, or
1179 -1 for default priority. Only used when the "app-fip-flags"
1180 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1181 Format: int32
1183 app-iscsi-flags
1185 Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1186 Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1187 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1188 NM_SETTING_DCB_FLAG_WILLING (0x4).
1189 Format: NMSettingDcbFlags (uint32)
1191 app-iscsi-priority
1193 The highest User Priority (0 - 7) which iSCSI frames should use, or
1194 -1 for default priority. Only used when the "app-iscsi-flags"
1195 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1196 Format: int32
1198 priority-bandwidth
1200 An array of 8 uint values, where the array index corresponds to the
1201 User Priority (0 - 7) and the value indicates the percentage of
1202 bandwidth of the priority's assigned group that the priority may
1203 use. The sum of all percentages for priorities which belong to the
1204 same group must total 100 percents.
1205 Format: array of uint32
1207 priority-flow-control
1209 An array of 8 boolean values, where the array index corresponds to
1210 the User Priority (0 - 7) and the value indicates whether or not
1211 the corresponding priority should transmit priority pause.
1212 Format: array of uint32
1214 priority-flow-control-flags
1216 Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1217 (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1218 (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1219 NM_SETTING_DCB_FLAG_WILLING (0x4).
1220 Format: NMSettingDcbFlags (uint32)
1222 priority-group-bandwidth
1224 An array of 8 uint values, where the array index corresponds to the
1225 Priority Group ID (0 - 7) and the value indicates the percentage of
1226 link bandwidth allocated to that group. Allowed values are 0 - 100,
1227 and the sum of all values must total 100 percents.
1228 Format: array of uint32
1230 priority-group-flags
1232 Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1233 be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1234 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1235 NM_SETTING_DCB_FLAG_WILLING (0x4).
1236 Format: NMSettingDcbFlags (uint32)
1238 priority-group-id
1240 An array of 8 uint values, where the array index corresponds to the
1241 User Priority (0 - 7) and the value indicates the Priority Group
1242 ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1243 unrestricted group.
1244 Format: array of uint32
1246 priority-strict-bandwidth
1248 An array of 8 boolean values, where the array index corresponds to
1249 the User Priority (0 - 7) and the value indicates whether or not
1250 the priority may use all of the bandwidth allocated to its assigned
1251 group.
1252 Format: array of uint32
1254 priority-traffic-class
1256 An array of 8 uint values, where the array index corresponds to the
1257 User Priority (0 - 7) and the value indicates the traffic class (0
1258 - 7) to which the priority is mapped.
1259 Format: array of uint32
1261 ethtool setting
1263 Ethtool Ethernet Settings.
1264 Properties:
1266 coalesce-adaptive-rx
1268 coalesce-adaptive-tx
1270 coalesce-pkt-rate-high
1272 coalesce-pkt-rate-low
1274 coalesce-rx-frames
1276 coalesce-rx-frames-high
1278 coalesce-rx-frames-irq
1280 coalesce-rx-frames-low
1282 coalesce-rx-usecs
1284 coalesce-rx-usecs-high
1286 coalesce-rx-usecs-irq
1288 coalesce-rx-usecs-low
1290 coalesce-sample-interval
1292 coalesce-stats-block-usecs
1294 coalesce-tx-frames
1296 coalesce-tx-frames-high
1298 coalesce-tx-frames-irq
1300 coalesce-tx-frames-low
1302 coalesce-tx-usecs
1304 coalesce-tx-usecs-high
1306 coalesce-tx-usecs-irq
1308 coalesce-tx-usecs-low
1310 feature-esp-hw-offload
1312 feature-esp-tx-csum-hw-offload
1314 feature-fcoe-mtu
1316 feature-gro
1318 feature-gso
1320 feature-highdma
1322 feature-hw-tc-offload
1324 feature-l2-fwd-offload
1326 feature-loopback
1328 feature-lro
1330 feature-ntuple
1332 feature-rx
1334 feature-rx-all
1336 feature-rx-fcs
1338 feature-rx-gro-hw
1340 feature-rx-udp_tunnel-port-offload
1342 feature-rx-vlan-filter
1344 feature-rx-vlan-stag-filter
1346 feature-rx-vlan-stag-hw-parse
1348 feature-rxhash
1350 feature-rxvlan
1352 feature-sg
1354 feature-tls-hw-record
1356 feature-tls-hw-tx-offload
1358 feature-tso
1360 feature-tx
1362 feature-tx-checksum-fcoe-crc
1364 feature-tx-checksum-ip-generic
1366 feature-tx-checksum-ipv4
1368 feature-tx-checksum-ipv6
1370 feature-tx-checksum-sctp
1372 feature-tx-esp-segmentation
1374 feature-tx-fcoe-segmentation
1376 feature-tx-gre-csum-segmentation
1378 feature-tx-gre-segmentation
1380 feature-tx-gso-partial
1382 feature-tx-gso-robust
1384 feature-tx-ipxip4-segmentation
1386 feature-tx-ipxip6-segmentation
1388 feature-tx-nocache-copy
1390 feature-tx-scatter-gather
1392 feature-tx-scatter-gather-fraglist
1394 feature-tx-sctp-segmentation
1396 feature-tx-tcp-ecn-segmentation
1398 feature-tx-tcp-mangleid-segmentation
1400 feature-tx-tcp-segmentation
1402 feature-tx-tcp6-segmentation
1404 feature-tx-udp-segmentation
1406 feature-tx-udp_tnl-csum-segmentation
1408 feature-tx-udp_tnl-segmentation
1410 feature-tx-vlan-stag-hw-insert
1412 feature-txvlan
1414 ring-rx
1416 ring-rx-jumbo
1418 ring-rx-mini
1420 ring-tx
1422 gsm setting
1424 GSM-based Mobile Broadband Settings.
1425 Properties:
1427 apn
1429 Alias: apn
1430 The GPRS Access Point Name specifying the APN used when
1432 establishing a data session with the GSM-based network. The APN
1433 often determines how the user will be billed for their network
1434 usage and whether the user has access to the Internet or just a
1435 provider-specific walled-garden, so it is important to use the
1436 correct APN for the user's mobile broadband plan. The APN may only
1437 be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1438 Section 14.9.
1439 Format: string
1441 auto-config
1443 When TRUE, the settings such as APN, username, or password will
1444 default to values that match the network the modem will register to
1445 in the Mobile Broadband Provider database.
1446 Format: boolean
1448 device-id
1450 The device unique identifier (as given by the WWAN management
1451 service) which this connection applies to. If given, the connection
1452 will only apply to the specified device.
1453 Format: string
1455 home-only
1457 When TRUE, only connections to the home network will be allowed.
1458 Connections to roaming networks will not be made.
1459 Format: boolean
1461 mtu
1463 If non-zero, only transmit packets of the specified size or
1464 smaller, breaking larger packets up into multiple frames.
1465 Format: uint32
1467 network-id
1469 The Network ID (GSM LAI format, ie MCC-MNC) to force specific
1470 network registration. If the Network ID is specified,
1471 NetworkManager will attempt to force the device to register only on
1472 the specified network. This can be used to ensure that the device
1473 does not roam when direct roaming control of the device is not
1474 otherwise possible.
1475 Format: string
1477 number
1479 Legacy setting that used to help establishing PPP data sessions for
1480 GSM-based modems. Deprecated: 1
1481 Format: string
1483 password
1485 Alias: password
1486 The password used to authenticate with the network, if required.
1488 Many providers do not require a password, or accept any password.
1489 But if a password is required, it is specified here.
1490 Format: string
1492 password-flags
1494 Flags indicating how to handle the "password" property. See the
1495 section called “Secret flag types:” for flag values.
1496 Format: NMSettingSecretFlags (uint32)
1498 pin
1500 If the SIM is locked with a PIN it must be unlocked before any
1501 other operations are requested. Specify the PIN here to allow
1502 operation of the device.
1503 Format: string
1505 pin-flags
1507 Flags indicating how to handle the "pin" property. See the section
1508 called “Secret flag types:” for flag values.
1509 Format: NMSettingSecretFlags (uint32)
1511 sim-id
1513 The SIM card unique identifier (as given by the WWAN management
1514 service) which this connection applies to. If given, the connection
1515 will apply to any device also allowed by "device-id" which contains
1516 a SIM card matching the given identifier.
1517 Format: string
1519 sim-operator-id
1521 A MCC/MNC string like "310260" or "21601" identifying the specific
1522 mobile network operator which this connection applies to. If given,
1523 the connection will apply to any device also allowed by "device-id"
1524 and "sim-id" which contains a SIM card provisioned by the given
1525 operator.
1526 Format: string
1528 username
1530 Alias: user
1531 The username used to authenticate with the network, if required.
1533 Many providers do not require a username, or accept any username.
1534 But if a username is required, it is specified here.
1535 Format: string
1537 infiniband setting
1539 Infiniband Settings.
1540 Properties:
1542 mac-address
1544 Alias: mac
1545 If specified, this connection will only apply to the IPoIB device
1547 whose permanent MAC address matches. This property does not change
1548 the MAC address of the device (i.e. MAC spoofing).
1549 Format: byte array
1551 mtu
1553 Alias: mtu
1554 If non-zero, only transmit packets of the specified size or
1556 smaller, breaking larger packets up into multiple frames.
1557 Format: uint32
1559 p-key
1561 Alias: p-key
1562 The InfiniBand P_Key to use for this device. A value of -1 means to
1564 use the default P_Key (aka "the P_Key at index 0"). Otherwise it is
1565 a 16-bit unsigned integer, whose high bit is set if it is a "full
1566 membership" P_Key.
1567 Format: int32
1569 parent
1571 Alias: parent
1572 The interface name of the parent device of this device. Normally
1574 NULL, but if the "p_key" property is set, then you must specify the
1575 base device by setting either this property or "mac-address".
1576 Format: string
1578 transport-mode
1580 Alias: transport-mode
1581 The IP-over-InfiniBand transport mode. Either "datagram" or
1583 "connected".
1584 Format: string
1586 ipv4 setting
1588 IPv4 Settings.
1589 Properties:
1591 addresses
1593 Alias: ip4
1594 Array of IP addresses.
1596 Format: array of array of uint32
1598 dad-timeout
1600 Timeout in milliseconds used to check for the presence of duplicate
1601 IP addresses on the network. If an address conflict is detected,
1602 the activation will fail. A zero value means that no duplicate
1603 address detection is performed, -1 means the default value (either
1604 configuration ipvx.dad-timeout override or zero). A value greater
1605 than zero is a timeout in milliseconds. The property is currently
1606 implemented only for IPv4.
1607 Format: int32
1609 dhcp-client-id
1611 A string sent to the DHCP server to identify the local machine
1612 which the DHCP server may use to customize the DHCP lease and
1613 options. When the property is a hex string ('aa:bb:cc') it is
1614 interpreted as a binary client ID, in which case the first byte is
1615 assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1616 remaining bytes may be an hardware address (e.g.
1617 '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1618 rest is a MAC address). If the property is not a hex string it is
1619 considered as a non-hardware-address client ID and the 'type' field
1620 is set to 0. The special values "mac" and "perm-mac" are supported,
1621 which use the current or permanent MAC address of the device to
1622 generate a client identifier with type ethernet (01). Currently,
1623 these options only work for ethernet type of links. The special
1624 value "duid" generates a RFC4361-compliant client identifier based
1625 on a hash of the interface name as IAID and /etc/machine-id. The
1626 special value "stable" is supported to generate a type 0 client
1627 identifier based on the stable-id (see connection.stable-id) and a
1628 per-host key. If you set the stable-id, you may want to include the
1629 "${DEVICE}" or "${MAC}" specifier to get a per-device key. If
1630 unset, a globally configured default is used. If still unset, the
1631 default depends on the DHCP plugin.
1632 Format: string
1634 dhcp-fqdn
1636 If the "dhcp-send-hostname" property is TRUE, then the specified
1637 FQDN will be sent to the DHCP server when acquiring a lease. This
1638 property and "dhcp-hostname" are mutually exclusive and cannot be
1639 set at the same time.
1640 Format: string
1642 dhcp-hostname
1644 If the "dhcp-send-hostname" property is TRUE, then the specified
1645 name will be sent to the DHCP server when acquiring a lease. This
1646 property and "dhcp-fqdn" are mutually exclusive and cannot be set
1647 at the same time.
1648 Format: string
1650 dhcp-hostname-flags
1652 Flags for the DHCP hostname and FQDN. Currently this property only
1653 includes flags to control the FQDN flags set in the DHCP FQDN
1654 option. Supported FQDN flags are
1655 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1656 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1657 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1658 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1659 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1660 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1661 the standard FQDN flags are set in the request:
1662 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1663 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1664 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1665 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1666 (0x0), a global default is looked up in NetworkManager
1667 configuration. If that value is unset or also
1668 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1669 described above are sent in the DHCP requests.
1670 Format: uint32
1672 dhcp-iaid
1674 A string containing the "Identity Association Identifier" (IAID)
1675 used by the DHCP client. The property is a 32-bit decimal value or
1676 a special value among "mac", "perm-mac", "ifname" and "stable".
1677 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1678 (or permanent) MAC address are used as IAID. When set to "ifname",
1679 the IAID is computed by hashing the interface name. The special
1680 value "stable" can be used to generate an IAID based on the
1681 stable-id (see connection.stable-id), a per-host key and the
1682 interface name. When the property is unset, the value from global
1683 configuration is used; if no global default is set then the IAID is
1684 assumed to be "ifname". Note that at the moment this property is
1685 ignored for IPv6 by dhclient, which always derives the IAID from
1686 the MAC address.
1687 Format: string
1689 dhcp-send-hostname
1691 If TRUE, a hostname is sent to the DHCP server when acquiring a
1692 lease. Some DHCP servers use this hostname to update DNS databases,
1693 essentially providing a static hostname for the computer. If the
1694 "dhcp-hostname" property is NULL and this property is TRUE, the
1695 current persistent hostname of the computer is sent.
1696 Format: boolean
1698 dhcp-timeout
1700 A timeout for a DHCP transaction in seconds. If zero (the default),
1701 a globally configured default is used. If still unspecified, a
1702 device specific timeout is used (usually 45 seconds). Set to
1703 2147483647 (MAXINT32) for infinity.
1704 Format: int32
1706 dhcp-vendor-class-identifier
1708 The Vendor Class Identifier DHCP option (60). Special characters in
1709 the data string may be escaped using C-style escapes, nevertheless
1710 this property cannot contain nul bytes. If the per-profile value is
1711 unspecified (the default), a global connection default gets
1712 consulted. If still unspecified, the DHCP option is not sent to the
1713 server. Since 1.28, 1.26.4
1714 Format: string
1716 dns
1718 Array of IP addresses of DNS servers.
1719 Format: array of uint32
1721 dns-options
1723 Array of DNS options as described in man 5 resolv.conf. NULL means
1724 that the options are unset and left at the default. In this case
1725 NetworkManager will use default options. This is distinct from an
1726 empty list of properties. The currently supported options are
1727 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
1728 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
1729 "no-reload", "no-tld-query", "rotate", "single-request",
1730 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
1731 "trust-ad" setting is only honored if the profile contributes name
1732 servers to resolv.conf, and if all contributing profiles have
1733 "trust-ad" enabled.
1734 Format: array of string
1736 dns-priority
1738 DNS servers priority. The relative priority for DNS servers
1739 specified by this setting. A lower value is better (higher
1740 priority). Zero selects a globally configured default value. If the
1741 latter is missing or zero too, it defaults to 50 for VPNs
1742 (including WireGuard) and 100 for other connections. Note that the
1743 priority is to order DNS settings for multiple active connections.
1744 It does not disambiguate multiple DNS servers within the same
1745 connection profile. When using dns=default, servers with higher
1746 priority will be on top of resolv.conf. To prioritize a given
1747 server over another one within the same connection, just specify
1748 them in the desired order. When multiple devices have
1749 configurations with the same priority, VPNs will be considered
1750 first, then devices with the best (lowest metric) default route and
1751 then all other devices. Negative values have the special effect of
1752 excluding other configurations with a greater priority value; so in
1753 presence of at least one negative priority, only DNS servers from
1754 connections with the lowest priority value will be used. When using
1755 a DNS resolver that supports Conditional Forwarding as dns=dnsmasq
1756 or dns=systemd-resolved, each connection is used to query domains
1757 in its search list. Queries for domains not present in any search
1758 list are routed through connections having the '~.' special
1759 wildcard domain, which is added automatically to connections with
1760 the default route (or can be added manually). When multiple
1761 connections specify the same domain, the one with the highest
1762 priority (lowest numerical value) wins. If a connection specifies a
1763 domain which is subdomain of another domain with a negative DNS
1764 priority value, the subdomain is ignored.
1765 Format: int32
1767 dns-search
1769 Array of DNS search domains. Domains starting with a tilde ('~')
1770 are considered 'routing' domains and are used only to decide the
1771 interface over which a query must be forwarded; they are not used
1772 to complete unqualified host names.
1773 Format: array of string
1775 gateway
1777 Alias: gw4
1778 The gateway associated with this configuration. This is only
1780 meaningful if "addresses" is also set. The gateway's main purpose
1781 is to control the next hop of the standard default route on the
1782 device. Hence, the gateway property conflicts with "never-default"
1783 and will be automatically dropped if the IP configuration is set to
1784 never-default. As an alternative to set the gateway, configure a
1785 static default route with /0 as prefix length.
1786 Format: string
1788 ignore-auto-dns
1790 When "method" is set to "auto" and this property to TRUE,
1791 automatically configured nameservers and search domains are ignored
1792 and only nameservers and search domains specified in the "dns" and
1793 "dns-search" properties, if any, are used.
1794 Format: boolean
1796 ignore-auto-routes
1798 When "method" is set to "auto" and this property to TRUE,
1799 automatically configured routes are ignored and only routes
1800 specified in the "routes" property, if any, are used.
1801 Format: boolean
1803 may-fail
1805 If TRUE, allow overall network configuration to proceed even if the
1806 configuration specified by this property times out. Note that at
1807 least one IP configuration must succeed or overall network
1808 configuration will still fail. For example, in IPv6-only networks,
1809 setting this property to TRUE on the NMSettingIP4Config allows the
1810 overall network configuration to succeed if IPv4 configuration
1811 fails but IPv6 configuration completes successfully.
1812 Format: boolean
1814 method
1816 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
1817 both support "disabled", "auto", "manual", and "link-local". See
1818 the subclass-specific documentation for other values. In general,
1819 for the "auto" method, properties such as "dns" and "routes"
1820 specify information that is added on to the information returned
1821 from automatic configuration. The "ignore-auto-routes" and
1822 "ignore-auto-dns" properties modify this behavior. For methods that
1823 imply no upstream network, such as "shared" or "link-local", these
1824 properties must be empty. For IPv4 method "shared", the IP subnet
1825 can be configured by adding one manual IPv4 address or otherwise
1826 10.42.x.0/24 is chosen. Note that the shared method must be
1827 configured on the interface which shares the internet to a subnet,
1828 not on the uplink which is shared.
1829 Format: string
1831 never-default
1833 If TRUE, this connection will never be the default connection for
1834 this IP type, meaning it will never be assigned the default route
1835 by NetworkManager.
1836 Format: boolean
1838 route-metric
1840 The default metric for routes that don't explicitly specify a
1841 metric. The default value -1 means that the metric is chosen
1842 automatically based on the device type. The metric applies to
1843 dynamic routes, manual (static) routes that don't have an explicit
1844 metric setting, address prefix routes, and the default route. Note
1845 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
1846 (user default). Hence, setting this property to zero effectively
1847 mean setting it to 1024. For IPv4, zero is a regular value for the
1848 metric.
1849 Format: int64
1851 route-table
1853 Enable policy routing (source routing) and set the routing table
1854 used when adding routes. This affects all routes, including
1855 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
1856 routes. But note that static routes can individually overwrite the
1857 setting by explicitly specifying a non-zero routing table. If the
1858 table setting is left at zero, it is eligible to be overwritten via
1859 global configuration. If the property is zero even after applying
1860 the global configuration value, policy routing is disabled for the
1861 address family of this connection. Policy routing disabled means
1862 that NetworkManager will add all routes to the main table (except
1863 static routes that explicitly configure a different table).
1864 Additionally, NetworkManager will not delete any extraneous routes
1865 from tables except the main table. This is to preserve backward
1866 compatibility for users who manage routing tables outside of
1867 NetworkManager.
1868 Format: uint32
1870 routes
1872 Array of IP routes.
1873 Format: array of array of uint32
1875 routing-rules
1877 ipv6 setting
1879 IPv6 Settings.
1880 Properties:
1882 addr-gen-mode
1884 Configure method for creating the address for use with RFC4862 IPv6
1885 Stateless Address Autoconfiguration. The permitted values are:
1886 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0) or
1887 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1). If the
1888 property is set to EUI64, the addresses will be generated using the
1889 interface tokens derived from hardware address. This makes the host
1890 part of the address to stay constant, making it possible to track
1891 host's presence when it changes networks. The address changes when
1892 the interface hardware is replaced. The value of stable-privacy
1893 enables use of cryptographically secure hash of a secret
1894 host-specific key along with the connection's stable-id and the
1895 network address as specified by RFC7217. This makes it impossible
1896 to use the address track host's presence, and makes the address
1897 stable when the network interface hardware is replaced. On D-Bus,
1898 the absence of an addr-gen-mode setting equals enabling
1899 stable-privacy. For keyfile plugin, the absence of the setting on
1900 disk means EUI64 so that the property doesn't change on upgrade
1901 from older versions. Note that this setting is distinct from the
1902 Privacy Extensions as configured by "ip6-privacy" property and it
1903 does not affect the temporary addresses configured with this
1904 option.
1905 Format: int32
1907 addresses
1909 Alias: ip6
1910 Array of IP addresses.
1912 Format: array of legacy IPv6 address struct
1914 dhcp-duid
1916 A string containing the DHCPv6 Unique Identifier (DUID) used by the
1917 dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
1918 DUID is carried in the Client Identifier option. If the property is
1919 a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
1920 filled as an opaque value in the Client Identifier option. The
1921 special value "lease" will retrieve the DUID previously used from
1922 the lease file belonging to the connection. If no DUID is found and
1923 "dhclient" is the configured dhcp client, the DUID is searched in
1924 the system-wide dhclient lease file. If still no DUID is found, or
1925 another dhcp client is used, a global and permanent DUID-UUID (RFC
1926 6355) will be generated based on the machine-id. The special values
1927 "llt" and "ll" will generate a DUID of type LLT or LL (see RFC
1928 3315) based on the current MAC address of the device. In order to
1929 try providing a stable DUID-LLT, the time field will contain a
1930 constant timestamp that is used globally (for all profiles) and
1931 persisted to disk. The special values "stable-llt", "stable-ll" and
1932 "stable-uuid" will generate a DUID of the corresponding type,
1933 derived from the connection's stable-id and a per-host unique key.
1934 You may want to include the "${DEVICE}" or "${MAC}" specifier in
1935 the stable-id, in case this profile gets activated on multiple
1936 devices. So, the link-layer address of "stable-ll" and "stable-llt"
1937 will be a generated address derived from the stable id. The
1938 DUID-LLT time value in the "stable-llt" option will be picked among
1939 a static timespan of three years (the upper bound of the interval
1940 is the same constant timestamp used in "llt"). When the property is
1941 unset, the global value provided for "ipv6.dhcp-duid" is used. If
1942 no global value is provided, the default "lease" value is assumed.
1943 Format: string
1945 dhcp-hostname
1947 If the "dhcp-send-hostname" property is TRUE, then the specified
1948 name will be sent to the DHCP server when acquiring a lease. This
1949 property and "dhcp-fqdn" are mutually exclusive and cannot be set
1950 at the same time.
1951 Format: string
1953 dhcp-hostname-flags
1955 Flags for the DHCP hostname and FQDN. Currently this property only
1956 includes flags to control the FQDN flags set in the DHCP FQDN
1957 option. Supported FQDN flags are
1958 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1959 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1960 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1961 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1962 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1963 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1964 the standard FQDN flags are set in the request:
1965 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1966 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1967 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1968 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1969 (0x0), a global default is looked up in NetworkManager
1970 configuration. If that value is unset or also
1971 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1972 described above are sent in the DHCP requests.
1973 Format: uint32
1975 dhcp-iaid
1977 A string containing the "Identity Association Identifier" (IAID)
1978 used by the DHCP client. The property is a 32-bit decimal value or
1979 a special value among "mac", "perm-mac", "ifname" and "stable".
1980 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1981 (or permanent) MAC address are used as IAID. When set to "ifname",
1982 the IAID is computed by hashing the interface name. The special
1983 value "stable" can be used to generate an IAID based on the
1984 stable-id (see connection.stable-id), a per-host key and the
1985 interface name. When the property is unset, the value from global
1986 configuration is used; if no global default is set then the IAID is
1987 assumed to be "ifname". Note that at the moment this property is
1988 ignored for IPv6 by dhclient, which always derives the IAID from
1989 the MAC address.
1990 Format: string
1992 dhcp-send-hostname
1994 If TRUE, a hostname is sent to the DHCP server when acquiring a
1995 lease. Some DHCP servers use this hostname to update DNS databases,
1996 essentially providing a static hostname for the computer. If the
1997 "dhcp-hostname" property is NULL and this property is TRUE, the
1998 current persistent hostname of the computer is sent.
1999 Format: boolean
2001 dhcp-timeout
2003 A timeout for a DHCP transaction in seconds. If zero (the default),
2004 a globally configured default is used. If still unspecified, a
2005 device specific timeout is used (usually 45 seconds). Set to
2006 2147483647 (MAXINT32) for infinity.
2007 Format: int32
2009 dns
2011 Array of IP addresses of DNS servers.
2012 Format: array of byte array
2014 dns-options
2016 Array of DNS options as described in man 5 resolv.conf. NULL means
2017 that the options are unset and left at the default. In this case
2018 NetworkManager will use default options. This is distinct from an
2019 empty list of properties. The currently supported options are
2020 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
2021 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
2022 "no-reload", "no-tld-query", "rotate", "single-request",
2023 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
2024 "trust-ad" setting is only honored if the profile contributes name
2025 servers to resolv.conf, and if all contributing profiles have
2026 "trust-ad" enabled.
2027 Format: array of string
2029 dns-priority
2031 DNS servers priority. The relative priority for DNS servers
2032 specified by this setting. A lower value is better (higher
2033 priority). Zero selects a globally configured default value. If the
2034 latter is missing or zero too, it defaults to 50 for VPNs
2035 (including WireGuard) and 100 for other connections. Note that the
2036 priority is to order DNS settings for multiple active connections.
2037 It does not disambiguate multiple DNS servers within the same
2038 connection profile. When using dns=default, servers with higher
2039 priority will be on top of resolv.conf. To prioritize a given
2040 server over another one within the same connection, just specify
2041 them in the desired order. When multiple devices have
2042 configurations with the same priority, VPNs will be considered
2043 first, then devices with the best (lowest metric) default route and
2044 then all other devices. Negative values have the special effect of
2045 excluding other configurations with a greater priority value; so in
2046 presence of at least one negative priority, only DNS servers from
2047 connections with the lowest priority value will be used. When using
2048 a DNS resolver that supports Conditional Forwarding as dns=dnsmasq
2049 or dns=systemd-resolved, each connection is used to query domains
2050 in its search list. Queries for domains not present in any search
2051 list are routed through connections having the '~.' special
2052 wildcard domain, which is added automatically to connections with
2053 the default route (or can be added manually). When multiple
2054 connections specify the same domain, the one with the highest
2055 priority (lowest numerical value) wins. If a connection specifies a
2056 domain which is subdomain of another domain with a negative DNS
2057 priority value, the subdomain is ignored.
2058 Format: int32
2060 dns-search
2062 Array of DNS search domains. Domains starting with a tilde ('~')
2063 are considered 'routing' domains and are used only to decide the
2064 interface over which a query must be forwarded; they are not used
2065 to complete unqualified host names.
2066 Format: array of string
2068 gateway
2070 Alias: gw6
2071 The gateway associated with this configuration. This is only
2073 meaningful if "addresses" is also set. The gateway's main purpose
2074 is to control the next hop of the standard default route on the
2075 device. Hence, the gateway property conflicts with "never-default"
2076 and will be automatically dropped if the IP configuration is set to
2077 never-default. As an alternative to set the gateway, configure a
2078 static default route with /0 as prefix length.
2079 Format: string
2081 ignore-auto-dns
2083 When "method" is set to "auto" and this property to TRUE,
2084 automatically configured nameservers and search domains are ignored
2085 and only nameservers and search domains specified in the "dns" and
2086 "dns-search" properties, if any, are used.
2087 Format: boolean
2089 ignore-auto-routes
2091 When "method" is set to "auto" and this property to TRUE,
2092 automatically configured routes are ignored and only routes
2093 specified in the "routes" property, if any, are used.
2094 Format: boolean
2096 ip6-privacy
2098 Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
2099 If enabled, it makes the kernel generate a temporary IPv6 address
2100 in addition to the public one generated from MAC address via
2101 modified EUI-64. This enhances privacy, but could cause problems in
2102 some applications, on the other hand. The permitted values are: -1:
2103 unknown, 0: disabled, 1: enabled (prefer public address), 2:
2104 enabled (prefer temporary addresses). Having a per-connection
2105 setting set to "-1" (unknown) means fallback to global
2106 configuration "ipv6.ip6-privacy". If also global configuration is
2107 unspecified or set to "-1", fallback to read
2108 "/proc/sys/net/ipv6/conf/default/use_tempaddr". Note that this
2109 setting is distinct from the Stable Privacy addresses that can be
2110 enabled with the "addr-gen-mode" property's "stable-privacy"
2111 setting as another way of avoiding host tracking with IPv6
2112 addresses.
2113 Format: NMSettingIP6ConfigPrivacy (int32)
2115 may-fail
2117 If TRUE, allow overall network configuration to proceed even if the
2118 configuration specified by this property times out. Note that at
2119 least one IP configuration must succeed or overall network
2120 configuration will still fail. For example, in IPv6-only networks,
2121 setting this property to TRUE on the NMSettingIP4Config allows the
2122 overall network configuration to succeed if IPv4 configuration
2123 fails but IPv6 configuration completes successfully.
2124 Format: boolean
2126 method
2128 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
2129 both support "disabled", "auto", "manual", and "link-local". See
2130 the subclass-specific documentation for other values. In general,
2131 for the "auto" method, properties such as "dns" and "routes"
2132 specify information that is added on to the information returned
2133 from automatic configuration. The "ignore-auto-routes" and
2134 "ignore-auto-dns" properties modify this behavior. For methods that
2135 imply no upstream network, such as "shared" or "link-local", these
2136 properties must be empty. For IPv4 method "shared", the IP subnet
2137 can be configured by adding one manual IPv4 address or otherwise
2138 10.42.x.0/24 is chosen. Note that the shared method must be
2139 configured on the interface which shares the internet to a subnet,
2140 not on the uplink which is shared.
2141 Format: string
2143 never-default
2145 If TRUE, this connection will never be the default connection for
2146 this IP type, meaning it will never be assigned the default route
2147 by NetworkManager.
2148 Format: boolean
2150 ra-timeout
2152 A timeout for waiting Router Advertisements in seconds. If zero
2153 (the default), a globally configured default is used. If still
2154 unspecified, the timeout depends on the sysctl settings of the
2155 device. Set to 2147483647 (MAXINT32) for infinity.
2156 Format: int32
2158 route-metric
2160 The default metric for routes that don't explicitly specify a
2161 metric. The default value -1 means that the metric is chosen
2162 automatically based on the device type. The metric applies to
2163 dynamic routes, manual (static) routes that don't have an explicit
2164 metric setting, address prefix routes, and the default route. Note
2165 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2166 (user default). Hence, setting this property to zero effectively
2167 mean setting it to 1024. For IPv4, zero is a regular value for the
2168 metric.
2169 Format: int64
2171 route-table
2173 Enable policy routing (source routing) and set the routing table
2174 used when adding routes. This affects all routes, including
2175 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
2176 routes. But note that static routes can individually overwrite the
2177 setting by explicitly specifying a non-zero routing table. If the
2178 table setting is left at zero, it is eligible to be overwritten via
2179 global configuration. If the property is zero even after applying
2180 the global configuration value, policy routing is disabled for the
2181 address family of this connection. Policy routing disabled means
2182 that NetworkManager will add all routes to the main table (except
2183 static routes that explicitly configure a different table).
2184 Additionally, NetworkManager will not delete any extraneous routes
2185 from tables except the main table. This is to preserve backward
2186 compatibility for users who manage routing tables outside of
2187 NetworkManager.
2188 Format: uint32
2190 routes
2192 Array of IP routes.
2193 Format: array of legacy IPv6 route struct
2195 routing-rules
2197 token
2199 Configure the token for
2200 draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2201 interface identifiers. Useful with eui64 addr-gen-mode.
2202 Format: string
2204 ip-tunnel setting
2206 IP Tunneling Settings.
2207 Properties:
2209 encapsulation-limit
2211 How many additional levels of encapsulation are permitted to be
2212 prepended to packets. This property applies only to IPv6 tunnels.
2213 Format: uint32
2215 flags
2217 Tunnel flags. Currently the following values are supported:
2218 NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2219 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2220 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2221 NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2222 NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2223 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2224 for IPv6 tunnels.
2225 Format: uint32
2227 flow-label
2229 The flow label to assign to tunnel packets. This property applies
2230 only to IPv6 tunnels.
2231 Format: uint32
2233 input-key
2235 The key used for tunnel input packets; the property is valid only
2236 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2237 Format: string
2239 local
2241 Alias: local
2242 The local endpoint of the tunnel; the value can be empty, otherwise
2244 it must contain an IPv4 or IPv6 address.
2245 Format: string
2247 mode
2249 Alias: mode
2250 The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2252 NM_IP_TUNNEL_MODE_GRE (2).
2253 Format: uint32
2255 mtu
2257 If non-zero, only transmit packets of the specified size or
2258 smaller, breaking larger packets up into multiple fragments.
2259 Format: uint32
2261 output-key
2263 The key used for tunnel output packets; the property is valid only
2264 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2265 Format: string
2267 parent
2269 Alias: dev
2270 If given, specifies the parent interface name or parent connection
2272 UUID the new device will be bound to so that tunneled packets will
2273 only be routed via that interface.
2274 Format: string
2276 path-mtu-discovery
2278 Whether to enable Path MTU Discovery on this tunnel.
2279 Format: boolean
2281 remote
2283 Alias: remote
2284 The remote endpoint of the tunnel; the value must contain an IPv4
2286 or IPv6 address.
2287 Format: string
2289 tos
2291 The type of service (IPv4) or traffic class (IPv6) field to be set
2292 on tunneled packets.
2293 Format: uint32
2295 ttl
2297 The TTL to assign to tunneled packets. 0 is a special value meaning
2298 that packets inherit the TTL value.
2299 Format: uint32
2301 macsec setting
2303 MACSec Settings.
2304 Properties:
2306 encrypt
2308 Alias: encrypt
2309 Whether the transmitted traffic must be encrypted.
2311 Format: boolean
2313 mka-cak
2315 Alias: cak
2316 The pre-shared CAK (Connectivity Association Key) for MACsec Key
2318 Agreement.
2319 Format: string
2321 mka-cak-flags
2323 Flags indicating how to handle the "mka-cak" property. See the
2324 section called “Secret flag types:” for flag values.
2325 Format: NMSettingSecretFlags (uint32)
2327 mka-ckn
2329 Alias: ckn
2330 The pre-shared CKN (Connectivity-association Key Name) for MACsec
2332 Key Agreement.
2333 Format: string
2335 mode
2337 Alias: mode
2338 Specifies how the CAK (Connectivity Association Key) for MKA
2340 (MACsec Key Agreement) is obtained.
2341 Format: int32
2343 parent
2345 Alias: dev
2346 If given, specifies the parent interface name or parent connection
2348 UUID from which this MACSEC interface should be created. If this
2349 property is not specified, the connection must contain an
2350 "802-3-ethernet" setting with a "mac-address" property.
2351 Format: string
2353 port
2355 Alias: port
2356 The port component of the SCI (Secure Channel Identifier), between
2358 1 and 65534.
2359 Format: int32
2361 send-sci
2363 Specifies whether the SCI (Secure Channel Identifier) is included
2364 in every packet.
2365 Format: boolean
2367 validation
2369 Specifies the validation mode for incoming frames.
2370 Format: int32
2372 macvlan setting
2374 MAC VLAN Settings.
2375 Properties:
2377 mode
2379 Alias: mode
2380 The macvlan mode, which specifies the communication mechanism
2382 between multiple macvlans on the same lower device.
2383 Format: uint32
2385 parent
2387 Alias: dev
2388 If given, specifies the parent interface name or parent connection
2390 UUID from which this MAC-VLAN interface should be created. If this
2391 property is not specified, the connection must contain an
2392 "802-3-ethernet" setting with a "mac-address" property.
2393 Format: string
2395 promiscuous
2397 Whether the interface should be put in promiscuous mode.
2398 Format: boolean
2400 tap
2402 Alias: tap
2403 Whether the interface should be a MACVTAP.
2405 Format: boolean
2407 match setting
2409 Match settings.
2410 Properties:
2412 driver
2414 A list of driver names to match. Each element is a shell wildcard
2415 pattern. See NMSettingMatch:interface-name for how special
2416 characters '|', '&', '!' and '\' are used for optional and
2417 mandatory matches and inverting the pattern.
2418 Format: array of string
2420 interface-name
2422 A list of interface names to match. Each element is a shell
2423 wildcard pattern. An element can be prefixed with a pipe symbol (|)
2424 or an ampersand (&). The former means that the element is optional
2425 and the latter means that it is mandatory. If there are any
2426 optional elements, than the match evaluates to true if at least one
2427 of the optional element matches (logical OR). If there are any
2428 mandatory elements, then they all must match (logical AND). By
2429 default, an element is optional. This means that an element "foo"
2430 behaves the same as "|foo". An element can also be inverted with
2431 exclamation mark (!) between the pipe symbol (or the ampersand) and
2432 before the pattern. Note that "!foo" is a shortcut for the
2433 mandatory match "&!foo". Finally, a backslash can be used at the
2434 beginning of the element (after the optional special characters) to
2435 escape the start of the pattern. For example, "&\!a" is an
2436 mandatory match for literally "!a".
2437 Format: array of string
2439 kernel-command-line
2441 A list of kernel command line arguments to match. This may be used
2442 to check whether a specific kernel command line option is set (or
2443 if prefixed with the exclamation mark unset). The argument must
2444 either be a single word, or an assignment (i.e. two words,
2445 separated "="). In the former case the kernel command line is
2446 searched for the word appearing as is, or as left hand side of an
2447 assignment. In the latter case, the exact assignment is looked for
2448 with right and left hand side matching. See
2449 NMSettingMatch:interface-name for how special characters '|', '&',
2450 '!' and '\' are used for optional and mandatory matches and
2451 inverting the pattern.
2452 Format: array of string
2454 path
2456 A list of paths to match against the ID_PATH udev property of
2457 devices. ID_PATH represents the topological persistent path of a
2458 device. It typically contains a subsystem string (pci, usb,
2459 platform, etc.) and a subsystem-specific identifier. For PCI
2460 devices the path has the form "pci-$domain:$bus:$device.$function",
2461 where each variable is an hexadecimal value; for example
2462 "pci-0000:0a:00.0". The path of a device can be obtained with
2463 "udevadm info /sys/class/net/$dev | grep ID_PATH=" or by looking at
2464 the "path" property exported by NetworkManager ("nmcli -f
2465 general.path device show $dev"). Each element of the list is a
2466 shell wildcard pattern. See NMSettingMatch:interface-name for how
2467 special characters '|', '&', '!' and '\' are used for optional and
2468 mandatory matches and inverting the pattern.
2469 Format: array of string
2471 802-11-olpc-mesh setting
2473 Alias: olpc-mesh
2474 OLPC Wireless Mesh Settings.
2476 Properties:
2478 channel
2480 Alias: channel
2481 Channel on which the mesh network to join is located.
2483 Format: uint32
2485 dhcp-anycast-address
2487 Alias: dhcp-anycast
2488 Anycast DHCP MAC address used when requesting an IP address via
2490 DHCP. The specific anycast address used determines which DHCP
2491 server class answers the request.
2492 Format: byte array
2494 ssid
2496 Alias: ssid
2497 SSID of the mesh network to join.
2499 Format: byte array
2501 ovs-bridge setting
2503 OvsBridge Link Settings.
2504 Properties:
2506 datapath-type
2508 The data path type. One of "system", "netdev" or empty.
2509 Format: string
2511 fail-mode
2513 The bridge failure mode. One of "secure", "standalone" or empty.
2514 Format: string
2516 mcast-snooping-enable
2518 Enable or disable multicast snooping.
2519 Format: boolean
2521 rstp-enable
2523 Enable or disable RSTP.
2524 Format: boolean
2526 stp-enable
2528 Enable or disable STP.
2529 Format: boolean
2531 ovs-dpdk setting
2533 OvsDpdk Link Settings.
2534 Properties:
2536 devargs
2538 Open vSwitch DPDK device arguments.
2539 Format: string
2541 ovs-interface setting
2543 Open vSwitch Interface Settings.
2544 Properties:
2546 type
2548 The interface type. Either "internal", "system", "patch", "dpdk",
2549 or empty.
2550 Format: string
2552 ovs-patch setting
2554 OvsPatch Link Settings.
2555 Properties:
2557 peer
2559 Specifies the name of the interface for the other side of the
2560 patch. The patch on the other side must also set this interface as
2561 peer.
2562 Format: string
2564 ovs-port setting
2566 OvsPort Link Settings.
2567 Properties:
2569 bond-downdelay
2571 The time port must be inactive in order to be considered down.
2572 Format: uint32
2574 bond-mode
2576 Bonding mode. One of "active-backup", "balance-slb", or
2577 "balance-tcp".
2578 Format: string
2580 bond-updelay
2582 The time port must be active before it starts forwarding traffic.
2583 Format: uint32
2585 lacp
2587 LACP mode. One of "active", "off", or "passive".
2588 Format: string
2590 tag
2592 The VLAN tag in the range 0-4095.
2593 Format: uint32
2595 vlan-mode
2597 The VLAN mode. One of "access", "native-tagged", "native-untagged",
2598 "trunk" or unset.
2599 Format: string
2601 ppp setting
2603 Point-to-Point Protocol Settings.
2604 Properties:
2606 baud
2608 If non-zero, instruct pppd to set the serial port to the specified
2609 baudrate. This value should normally be left as 0 to automatically
2610 choose the speed.
2611 Format: uint32
2613 crtscts
2615 If TRUE, specify that pppd should set the serial port to use
2616 hardware flow control with RTS and CTS signals. This value should
2617 normally be set to FALSE.
2618 Format: boolean
2620 lcp-echo-failure
2622 If non-zero, instruct pppd to presume the connection to the peer
2623 has failed if the specified number of LCP echo-requests go
2624 unanswered by the peer. The "lcp-echo-interval" property must also
2625 be set to a non-zero value if this property is used.
2626 Format: uint32
2628 lcp-echo-interval
2630 If non-zero, instruct pppd to send an LCP echo-request frame to the
2631 peer every n seconds (where n is the specified value). Note that
2632 some PPP peers will respond to echo requests and some will not, and
2633 it is not possible to autodetect this.
2634 Format: uint32
2636 mppe-stateful
2638 If TRUE, stateful MPPE is used. See pppd documentation for more
2639 information on stateful MPPE.
2640 Format: boolean
2642 mru
2644 If non-zero, instruct pppd to request that the peer send packets no
2645 larger than the specified size. If non-zero, the MRU should be
2646 between 128 and 16384.
2647 Format: uint32
2649 mtu
2651 If non-zero, instruct pppd to send packets no larger than the
2652 specified size.
2653 Format: uint32
2655 no-vj-comp
2657 If TRUE, Van Jacobsen TCP header compression will not be requested.
2658 Format: boolean
2660 noauth
2662 If TRUE, do not require the other side (usually the PPP server) to
2663 authenticate itself to the client. If FALSE, require authentication
2664 from the remote side. In almost all cases, this should be TRUE.
2665 Format: boolean
2667 nobsdcomp
2669 If TRUE, BSD compression will not be requested.
2670 Format: boolean
2672 nodeflate
2674 If TRUE, "deflate" compression will not be requested.
2675 Format: boolean
2677 refuse-chap
2679 If TRUE, the CHAP authentication method will not be used.
2680 Format: boolean
2682 refuse-eap
2684 If TRUE, the EAP authentication method will not be used.
2685 Format: boolean
2687 refuse-mschap
2689 If TRUE, the MSCHAP authentication method will not be used.
2690 Format: boolean
2692 refuse-mschapv2
2694 If TRUE, the MSCHAPv2 authentication method will not be used.
2695 Format: boolean
2697 refuse-pap
2699 If TRUE, the PAP authentication method will not be used.
2700 Format: boolean
2702 require-mppe
2704 If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
2705 required for the PPP session. If either 64-bit or 128-bit MPPE is
2706 not available the session will fail. Note that MPPE is not used on
2707 mobile broadband connections.
2708 Format: boolean
2710 require-mppe-128
2712 If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
2713 required for the PPP session, and the "require-mppe" property must
2714 also be set to TRUE. If 128-bit MPPE is not available the session
2715 will fail.
2716 Format: boolean
2718 pppoe setting
2720 PPP-over-Ethernet Settings.
2721 Properties:
2723 parent
2725 Alias: parent
2726 If given, specifies the parent interface name on which this PPPoE
2728 connection should be created. If this property is not specified,
2729 the connection is activated on the interface specified in
2730 "interface-name" of NMSettingConnection.
2731 Format: string
2733 password
2735 Alias: password
2736 Password used to authenticate with the PPPoE service.
2738 Format: string
2740 password-flags
2742 Flags indicating how to handle the "password" property. See the
2743 section called “Secret flag types:” for flag values.
2744 Format: NMSettingSecretFlags (uint32)
2746 service
2748 Alias: service
2749 If specified, instruct PPPoE to only initiate sessions with access
2751 concentrators that provide the specified service. For most
2752 providers, this should be left blank. It is only required if there
2753 are multiple access concentrators or a specific service is known to
2754 be required.
2755 Format: string
2757 username
2759 Alias: username
2760 Username used to authenticate with the PPPoE service.
2762 Format: string
2764 proxy setting
2766 WWW Proxy Settings.
2767 Properties:
2769 browser-only
2771 Alias: browser-only
2772 Whether the proxy configuration is for browser only.
2774 Format: boolean
2776 method
2778 Alias: method
2779 Method for proxy configuration, Default is
2781 NM_SETTING_PROXY_METHOD_NONE (0)
2782 Format: int32
2784 pac-script
2786 Alias: pac-script
2787 PAC script for the connection.
2789 Format: string
2791 pac-url
2793 Alias: pac-url
2794 PAC URL for obtaining PAC file.
2796 Format: string
2798 serial setting
2800 Serial Link Settings.
2801 Properties:
2803 baud
2805 Speed to use for communication over the serial port. Note that this
2806 value usually has no effect for mobile broadband modems as they
2807 generally ignore speed settings and use the highest available
2808 speed.
2809 Format: uint32
2811 bits
2813 Byte-width of the serial communication. The 8 in "8n1" for example.
2814 Format: uint32
2816 parity
2818 Parity setting of the serial port.
2819 Format: NMSettingSerialParity (byte)
2821 send-delay
2823 Time to delay between each byte sent to the modem, in microseconds.
2824 Format: uint64
2826 stopbits
2828 Number of stop bits for communication on the serial port. Either 1
2829 or 2. The 1 in "8n1" for example.
2830 Format: uint32
2832 sriov setting
2834 SR-IOV settings.
2835 Properties:
2837 autoprobe-drivers
2839 Whether to autoprobe virtual functions by a compatible driver. If
2840 set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
2841 compatible driver and if this succeeds a new network interface will
2842 be instantiated for each VF. If set to NM_TERNARY_FALSE (0), VFs
2843 will not be claimed and no network interfaces will be created for
2844 them. When set to NM_TERNARY_DEFAULT (-1), the global default is
2845 used; in case the global default is unspecified it is assumed to be
2846 NM_TERNARY_TRUE (1).
2847 Format: NMTernary (int32)
2849 total-vfs
2851 The total number of virtual functions to create. Note that when the
2852 sriov setting is present NetworkManager enforces the number of
2853 virtual functions on the interface (also when it is zero) during
2854 activation and resets it upon deactivation. To prevent any changes
2855 to SR-IOV parameters don't add a sriov setting to the connection.
2856 Format: uint32
2858 vfs
2860 Array of virtual function descriptors. Each VF descriptor is a
2861 dictionary mapping attribute names to GVariant values. The 'index'
2862 entry is mandatory for each VF. When represented as string a VF is
2863 in the form: "INDEX [ATTR=VALUE[ ATTR=VALUE]...]". for example: "2
2864 mac=00:11:22:33:44:55 spoof-check=true". Multiple VFs can be
2865 specified using a comma as separator. Currently the following
2866 attributes are supported: mac, spoof-check, trust, min-tx-rate,
2867 max-tx-rate, vlans. The "vlans" attribute is represented as a
2868 semicolon-separated list of VLAN descriptors, where each descriptor
2869 has the form "ID[.PRIORITY[.PROTO]]". PROTO can be either 'q' for
2870 802.1Q (the default) or 'ad' for 802.1ad.
2871 Format: array of vardict
2873 tc setting
2875 Linux Traffic Control Settings.
2876 Properties:
2878 qdiscs
2880 Array of TC queueing disciplines.
2881 Format: array of vardict
2883 tfilters
2885 Array of TC traffic filters.
2886 Format: array of vardict
2888 team setting
2890 Teaming Settings.
2891 Properties:
2893 config
2895 Alias: config
2896 The JSON configuration for the team network interface. The property
2898 should contain raw JSON configuration data suitable for teamd,
2899 because the value is passed directly to teamd. If not specified,
2900 the default configuration is used. See man teamd.conf for the
2901 format details.
2902 Format: string
2904 link-watchers
2906 Link watchers configuration for the connection: each link watcher
2907 is defined by a dictionary, whose keys depend upon the selected
2908 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
2909 and 'arp_ping' and it is specified in the dictionary with the key
2910 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
2911 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
2912 'target-host'; arp_ping: all the ones in nsna_ping and
2913 'source-host', 'validate-active', 'validate-inactive',
2914 'send-always'. See teamd.conf man for more details.
2915 Format: array of vardict
2917 mcast-rejoin-count
2919 Corresponds to the teamd mcast_rejoin.count.
2920 Format: int32
2922 mcast-rejoin-interval
2924 Corresponds to the teamd mcast_rejoin.interval.
2925 Format: int32
2927 notify-peers-count
2929 Corresponds to the teamd notify_peers.count.
2930 Format: int32
2932 notify-peers-interval
2934 Corresponds to the teamd notify_peers.interval.
2935 Format: int32
2937 runner
2939 Corresponds to the teamd runner.name. Permitted values are:
2940 "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
2941 "random".
2942 Format: string
2944 runner-active
2946 Corresponds to the teamd runner.active.
2947 Format: boolean
2949 runner-agg-select-policy
2951 Corresponds to the teamd runner.agg_select_policy.
2952 Format: string
2954 runner-fast-rate
2956 Corresponds to the teamd runner.fast_rate.
2957 Format: boolean
2959 runner-hwaddr-policy
2961 Corresponds to the teamd runner.hwaddr_policy.
2962 Format: string
2964 runner-min-ports
2966 Corresponds to the teamd runner.min_ports.
2967 Format: int32
2969 runner-sys-prio
2971 Corresponds to the teamd runner.sys_prio.
2972 Format: int32
2974 runner-tx-balancer
2976 Corresponds to the teamd runner.tx_balancer.name.
2977 Format: string
2979 runner-tx-balancer-interval
2981 Corresponds to the teamd runner.tx_balancer.interval.
2982 Format: int32
2984 runner-tx-hash
2986 Corresponds to the teamd runner.tx_hash.
2987 Format: array of string
2989 team-port setting
2991 Team Port Settings.
2992 Properties:
2994 config
2996 Alias: config
2997 The JSON configuration for the team port. The property should
2999 contain raw JSON configuration data suitable for teamd, because the
3000 value is passed directly to teamd. If not specified, the default
3001 configuration is used. See man teamd.conf for the format details.
3002 Format: string
3004 lacp-key
3006 Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3007 Format: int32
3009 lacp-prio
3011 Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3012 Format: int32
3014 link-watchers
3016 Link watchers configuration for the connection: each link watcher
3017 is defined by a dictionary, whose keys depend upon the selected
3018 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3019 and 'arp_ping' and it is specified in the dictionary with the key
3020 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3021 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3022 'target-host'; arp_ping: all the ones in nsna_ping and
3023 'source-host', 'validate-active', 'validate-inactive',
3024 'send-always'. See teamd.conf man for more details.
3025 Format: array of vardict
3027 prio
3029 Corresponds to the teamd ports.PORTIFNAME.prio.
3030 Format: int32
3032 queue-id
3034 Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1
3035 means the parameter is skipped from the json config.
3036 Format: int32
3038 sticky
3040 Corresponds to the teamd ports.PORTIFNAME.sticky.
3041 Format: boolean
3043 tun setting
3045 Tunnel Settings.
3046 Properties:
3048 group
3050 Alias: group
3051 The group ID which will own the device. If set to NULL everyone
3053 will be able to use the device.
3054 Format: string
3056 mode
3058 Alias: mode
3059 The operating mode of the virtual device. Allowed values are
3061 NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3062 NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3063 Format: uint32
3065 multi-queue
3067 Alias: multi-queue
3068 If the property is set to TRUE, the interface will support multiple
3070 file descriptors (queues) to parallelize packet sending or
3071 receiving. Otherwise, the interface will only support a single
3072 queue.
3073 Format: boolean
3075 owner
3077 Alias: owner
3078 The user ID which will own the device. If set to NULL everyone will
3080 be able to use the device.
3081 Format: string
3083 pi
3085 Alias: pi
3086 If TRUE the interface will prepend a 4 byte header describing the
3088 physical interface to the packets.
3089 Format: boolean
3091 vnet-hdr
3093 Alias: vnet-hdr
3094 If TRUE the IFF_VNET_HDR the tunnel packets will include a virtio
3096 network header.
3097 Format: boolean
3099 vlan setting
3101 VLAN Settings.
3102 Properties:
3104 egress-priority-map
3106 Alias: egress
3107 For outgoing packets, a list of mappings from Linux SKB priorities
3109 to 802.1p priorities. The mapping is given in the format "from:to"
3110 where both "from" and "to" are unsigned integers, ie "7:3".
3111 Format: array of string
3113 flags
3115 Alias: flags
3116 One or more flags which control the behavior and features of the
3118 VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
3119 (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
3120 of the GVRP protocol), and NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
3121 binding of the interface to its master device's operating state).
3122 NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol). The default
3123 value of this property is NM_VLAN_FLAG_REORDER_HEADERS, but it used
3124 to be 0. To preserve backward compatibility, the default-value in
3125 the D-Bus API continues to be 0 and a missing property on D-Bus is
3126 still considered as 0.
3127 Format: NMVlanFlags (uint32)
3129 id
3131 Alias: id
3132 The VLAN identifier that the interface created by this connection
3134 should be assigned. The valid range is from 0 to 4094, without the
3135 reserved id 4095.
3136 Format: uint32
3138 ingress-priority-map
3140 Alias: ingress
3141 For incoming packets, a list of mappings from 802.1p priorities to
3143 Linux SKB priorities. The mapping is given in the format "from:to"
3144 where both "from" and "to" are unsigned integers, ie "7:3".
3145 Format: array of string
3147 parent
3149 Alias: dev
3150 If given, specifies the parent interface name or parent connection
3152 UUID from which this VLAN interface should be created. If this
3153 property is not specified, the connection must contain an
3154 "802-3-ethernet" setting with a "mac-address" property.
3155 Format: string
3157 vpn setting
3159 VPN Settings.
3160 Properties:
3162 data
3164 Dictionary of key/value pairs of VPN plugin specific data. Both
3165 keys and values must be strings.
3166 Format: dict of string to string
3168 persistent
3170 If the VPN service supports persistence, and this property is TRUE,
3171 the VPN will attempt to stay connected across link changes and
3172 outages, until explicitly disconnected.
3173 Format: boolean
3175 secrets
3177 Dictionary of key/value pairs of VPN plugin specific secrets like
3178 passwords or private keys. Both keys and values must be strings.
3179 Format: dict of string to string
3181 service-type
3183 Alias: vpn-type
3184 D-Bus service name of the VPN plugin that this setting uses to
3186 connect to its network. i.e. org.freedesktop.NetworkManager.vpnc
3187 for the vpnc plugin.
3188 Format: string
3190 timeout
3192 Timeout for the VPN service to establish the connection. Some
3193 services may take quite a long time to connect. Value of 0 means a
3194 default timeout, which is 60 seconds (unless overridden by
3195 vpn.timeout in configuration file). Values greater than zero mean
3196 timeout in seconds.
3197 Format: uint32
3199 user-name
3201 Alias: user
3202 If the VPN connection requires a user name for authentication, that
3204 name should be provided here. If the connection is available to
3205 more than one user, and the VPN requires each user to supply a
3206 different name, then leave this property empty. If this property is
3207 empty, NetworkManager will automatically supply the username of the
3208 user which requested the VPN connection.
3209 Format: string
3211 vrf setting
3213 VRF settings.
3214 Properties:
3216 table
3218 Alias: table
3219 The routing table for this VRF.
3221 Format: uint32
3223 vxlan setting
3225 VXLAN Settings.
3226 Properties:
3228 ageing
3230 Specifies the lifetime in seconds of FDB entries learnt by the
3231 kernel.
3232 Format: uint32
3234 destination-port
3236 Alias: destination-port
3237 Specifies the UDP destination port to communicate to the remote
3239 VXLAN tunnel endpoint.
3240 Format: uint32
3242 id
3244 Alias: id
3245 Specifies the VXLAN Network Identifier (or VXLAN Segment
3247 Identifier) to use.
3248 Format: uint32
3250 l2-miss
3252 Specifies whether netlink LL ADDR miss notifications are generated.
3253 Format: boolean
3255 l3-miss
3257 Specifies whether netlink IP ADDR miss notifications are generated.
3258 Format: boolean
3260 learning
3262 Specifies whether unknown source link layer addresses and IP
3263 addresses are entered into the VXLAN device forwarding database.
3264 Format: boolean
3266 limit
3268 Specifies the maximum number of FDB entries. A value of zero means
3269 that the kernel will store unlimited entries.
3270 Format: uint32
3272 local
3274 Alias: local
3275 If given, specifies the source IP address to use in outgoing
3277 packets.
3278 Format: string
3280 parent
3282 Alias: dev
3283 If given, specifies the parent interface name or parent connection
3285 UUID.
3286 Format: string
3288 proxy
3290 Specifies whether ARP proxy is turned on.
3291 Format: boolean
3293 remote
3295 Alias: remote
3296 Specifies the unicast destination IP address to use in outgoing
3298 packets when the destination link layer address is not known in the
3299 VXLAN device forwarding database, or the multicast IP address to
3300 join.
3301 Format: string
3303 rsc
3305 Specifies whether route short circuit is turned on.
3306 Format: boolean
3308 source-port-max
3310 Alias: source-port-max
3311 Specifies the maximum UDP source port to communicate to the remote
3313 VXLAN tunnel endpoint.
3314 Format: uint32
3316 source-port-min
3318 Alias: source-port-min
3319 Specifies the minimum UDP source port to communicate to the remote
3321 VXLAN tunnel endpoint.
3322 Format: uint32
3324 tos
3326 Specifies the TOS value to use in outgoing packets.
3327 Format: uint32
3329 ttl
3331 Specifies the time-to-live value to use in outgoing packets.
3332 Format: uint32
3334 wifi-p2p setting
3336 Wi-Fi P2P Settings.
3337 Properties:
3339 peer
3341 Alias: peer
3342 The P2P device that should be connected to. Currently this is the
3344 only way to create or join a group.
3345 Format: string
3347 wfd-ies
3349 The Wi-Fi Display (WFD) Information Elements (IEs) to set. Wi-Fi
3350 Display requires a protocol specific information element to be set
3351 in certain Wi-Fi frames. These can be specified here for the
3352 purpose of establishing a connection. This setting is only useful
3353 when implementing a Wi-Fi Display client.
3354 Format: byte array
3356 wps-method
3358 Flags indicating which mode of WPS is to be used. There's little
3359 point in changing the default setting as NetworkManager will
3360 automatically determine the best method to use.
3361 Format: uint32
3363 wimax setting
3365 WiMax Settings.
3366 Properties:
3368 mac-address
3370 Alias: mac
3371 If specified, this connection will only apply to the WiMAX device
3373 whose MAC address matches. This property does not change the MAC
3374 address of the device (known as MAC spoofing). Deprecated: 1
3375 Format: byte array
3377 network-name
3379 Alias: nsp
3380 Network Service Provider (NSP) name of the WiMAX network this
3382 connection should use. Deprecated: 1
3383 Format: string
3385 802-3-ethernet setting
3387 Alias: ethernet
3388 Wired Ethernet Settings.
3390 Properties:
3392 auto-negotiate
3394 When TRUE, enforce auto-negotiation of speed and duplex mode. If
3395 "speed" and "duplex" properties are both specified, only that
3396 single mode will be advertised and accepted during the link
3397 auto-negotiation process: this works only for BASE-T 802.3
3398 specifications and is useful for enforcing gigabits modes, as in
3399 these cases link negotiation is mandatory. When FALSE, "speed" and
3400 "duplex" properties should be both set or link configuration will
3401 be skipped.
3402 Format: boolean
3404 cloned-mac-address
3406 Alias: cloned-mac
3407 If specified, request that the device use this MAC address instead.
3409 This is known as MAC cloning or spoofing. Beside explicitly
3410 specifying a MAC address, the special values "preserve",
3411 "permanent", "random" and "stable" are supported. "preserve" means
3412 not to touch the MAC address on activation. "permanent" means to
3413 use the permanent hardware address if the device has one (otherwise
3414 this is treated as "preserve"). "random" creates a random MAC
3415 address on each connect. "stable" creates a hashed MAC address
3416 based on connection.stable-id and a machine dependent key. If
3417 unspecified, the value can be overwritten via global defaults, see
3418 manual of NetworkManager.conf. If still unspecified, it defaults to
3419 "preserve" (older versions of NetworkManager may use a different
3420 default value). On D-Bus, this field is expressed as
3421 "assigned-mac-address" or the deprecated "cloned-mac-address".
3422 Format: byte array
3424 duplex
3426 When a value is set, either "half" or "full", configures the device
3427 to use the specified duplex mode. If "auto-negotiate" is "yes" the
3428 specified duplex mode will be the only one advertised during link
3429 negotiation: this works only for BASE-T 802.3 specifications and is
3430 useful for enforcing gigabits modes, as in these cases link
3431 negotiation is mandatory. If the value is unset (the default), the
3432 link configuration will be either skipped (if "auto-negotiate" is
3433 "no", the default) or will be auto-negotiated (if "auto-negotiate"
3434 is "yes") and the local device will advertise all the supported
3435 duplex modes. Must be set together with the "speed" property if
3436 specified. Before specifying a duplex mode be sure your device
3437 supports it.
3438 Format: string
3440 generate-mac-address-mask
3442 With "cloned-mac-address" setting "random" or "stable", by default
3443 all bits of the MAC address are scrambled and a
3444 locally-administered, unicast MAC address is created. This property
3445 allows to specify that certain bits are fixed. Note that the least
3446 significant bit of the first MAC address will always be unset to
3447 create a unicast MAC address. If the property is NULL, it is
3448 eligible to be overwritten by a default connection setting. If the
3449 value is still NULL or an empty string, the default is to create a
3450 locally-administered, unicast MAC address. If the value contains
3451 one MAC address, this address is used as mask. The set bits of the
3452 mask are to be filled with the current MAC address of the device,
3453 while the unset bits are subject to randomization. Setting
3454 "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3455 address and only randomize the lower 3 bytes using the "random" or
3456 "stable" algorithm. If the value contains one additional MAC
3457 address after the mask, this address is used instead of the current
3458 MAC address to fill the bits that shall not be randomized. For
3459 example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3460 the OUI of the MAC address to 68:F7:28, while the lower bits are
3461 randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3462 create a fully scrambled globally-administered, burned-in MAC
3463 address. If the value contains more than one additional MAC
3464 addresses, one of them is chosen randomly. For example,
3465 "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3466 a fully scrambled MAC address, randomly locally or globally
3467 administered.
3468 Format: string
3470 mac-address
3472 Alias: mac
3473 If specified, this connection will only apply to the Ethernet
3475 device whose permanent MAC address matches. This property does not
3476 change the MAC address of the device (i.e. MAC spoofing).
3477 Format: byte array
3479 mac-address-blacklist
3481 If specified, this connection will never apply to the Ethernet
3482 device whose permanent MAC address matches an address in the list.
3483 Each MAC address is in the standard hex-digits-and-colons notation
3484 (00:11:22:33:44:55).
3485 Format: array of string
3487 mtu
3489 Alias: mtu
3490 If non-zero, only transmit packets of the specified size or
3492 smaller, breaking larger packets up into multiple Ethernet frames.
3493 Format: uint32
3495 port
3497 Specific port type to use if the device supports multiple
3498 attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
3499 Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
3500 Interface). If the device supports only one port type, this setting
3501 is ignored.
3502 Format: string
3504 s390-nettype
3506 s390 network device type; one of "qeth", "lcs", or "ctc",
3507 representing the different types of virtual network devices
3508 available on s390 systems.
3509 Format: string
3511 s390-options
3513 Dictionary of key/value pairs of s390-specific device options. Both
3514 keys and values must be strings. Allowed keys include "portno",
3515 "layer2", "portname", "protocol", among others. Key names must
3516 contain only alphanumeric characters (ie, [a-zA-Z0-9]).
3517 Format: dict of string to string
3519 s390-subchannels
3521 Identifies specific subchannels that this network device uses for
3522 communication with z/VM or s390 host. Like the "mac-address"
3523 property for non-z/VM devices, this property can be used to ensure
3524 this connection only applies to the network device that uses these
3525 subchannels. The list should contain exactly 3 strings, and each
3526 string may only be composed of hexadecimal characters and the
3527 period (.) character.
3528 Format: array of string
3530 speed
3532 When a value greater than 0 is set, configures the device to use
3533 the specified speed. If "auto-negotiate" is "yes" the specified
3534 speed will be the only one advertised during link negotiation: this
3535 works only for BASE-T 802.3 specifications and is useful for
3536 enforcing gigabit speeds, as in this case link negotiation is
3537 mandatory. If the value is unset (0, the default), the link
3538 configuration will be either skipped (if "auto-negotiate" is "no",
3539 the default) or will be auto-negotiated (if "auto-negotiate" is
3540 "yes") and the local device will advertise all the supported
3541 speeds. In Mbit/s, ie 100 == 100Mbit/s. Must be set together with
3542 the "duplex" property when non-zero. Before specifying a speed
3543 value be sure your device supports it.
3544 Format: uint32
3546 wake-on-lan
3548 The NMSettingWiredWakeOnLan options to enable. Not all devices
3549 support all options. May be any combination of
3550 NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
3551 NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
3552 NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
3553 NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
3554 NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
3555 NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
3556 NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
3557 and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
3558 management of Wake-on-LAN in NetworkManager).
3559 Format: uint32
3561 wake-on-lan-password
3563 If specified, the password used with magic-packet-based
3564 Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
3565 password will be required.
3566 Format: string
3568 wireguard setting
3570 WireGuard Settings.
3571 Properties:
3573 fwmark
3575 The use of fwmark is optional and is by default off. Setting it to
3576 0 disables it. Otherwise it is a 32-bit fwmark for outgoing
3577 packets. Note that "ip4-auto-default-route" or
3578 "ip6-auto-default-route" enabled, implies to automatically choose a
3579 fwmark.
3580 Format: uint32
3582 ip4-auto-default-route
3584 Whether to enable special handling of the IPv4 default route. If
3585 enabled, the IPv4 default route from wireguard.peer-routes will be
3586 placed to a dedicated routing-table and two policy routing rules
3587 will be added. The fwmark number is also used as routing-table for
3588 the default-route, and if fwmark is zero, an unused fwmark/table is
3589 chosen automatically. This corresponds to what wg-quick does with
3590 Table=auto and what WireGuard calls "Improved Rule-based Routing".
3591 Note that for this automatism to work, you usually don't want to
3592 set ipv4.gateway, because that will result in a conflicting default
3593 route. Leaving this at the default will enable this option
3594 automatically if ipv4.never-default is not set and there are any
3595 peers that use a default-route as allowed-ips.
3596 Format: NMTernary (int32)
3598 ip6-auto-default-route
3600 Like ip4-auto-default-route, but for the IPv6 default route.
3601 Format: NMTernary (int32)
3603 listen-port
3605 The listen-port. If listen-port is not specified, the port will be
3606 chosen randomly when the interface comes up.
3607 Format: uint32
3609 mtu
3611 If non-zero, only transmit packets of the specified size or
3612 smaller, breaking larger packets up into multiple fragments. If
3613 zero a default MTU is used. Note that contrary to wg-quick's MTU
3614 setting, this does not take into account the current routes at the
3615 time of activation.
3616 Format: uint32
3618 peer-routes
3620 Whether to automatically add routes for the AllowedIPs ranges of
3621 the peers. If TRUE (the default), NetworkManager will automatically
3622 add routes in the routing tables according to ipv4.route-table and
3623 ipv6.route-table. Usually you want this automatism enabled. If
3624 FALSE, no such routes are added automatically. In this case, the
3625 user may want to configure static routes in ipv4.routes and
3626 ipv6.routes, respectively. Note that if the peer's AllowedIPs is
3627 "0.0.0.0/0" or "::/0" and the profile's ipv4.never-default or
3628 ipv6.never-default setting is enabled, the peer route for this peer
3629 won't be added automatically.
3630 Format: boolean
3632 private-key
3634 The 256 bit private-key in base64 encoding.
3635 Format: string
3637 private-key-flags
3639 Flags indicating how to handle the "private-key" property. See the
3640 section called “Secret flag types:” for flag values.
3641 Format: NMSettingSecretFlags (uint32)
3643 802-11-wireless setting
3645 Alias: wifi
3646 Wi-Fi Settings.
3648 Properties:
3650 band
3652 802.11 frequency band of the network. One of "a" for 5GHz 802.11a
3653 or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
3654 network to the specific band, i.e. if "a" is specified, the device
3655 will not associate with the same network in the 2.4GHz band even if
3656 the network's settings are compatible. This setting depends on
3657 specific driver capability and may not work with all drivers.
3658 Format: string
3660 bssid
3662 If specified, directs the device to only associate with the given
3663 access point. This capability is highly driver dependent and not
3664 supported by all devices. Note: this property does not control the
3665 BSSID used when creating an Ad-Hoc network and is unlikely to in
3666 the future.
3667 Format: byte array
3669 channel
3671 Wireless channel to use for the Wi-Fi connection. The device will
3672 only join (or create for Ad-Hoc networks) a Wi-Fi network on the
3673 specified channel. Because channel numbers overlap between bands,
3674 this property also requires the "band" property to be set.
3675 Format: uint32
3677 cloned-mac-address
3679 Alias: cloned-mac
3680 If specified, request that the device use this MAC address instead.
3682 This is known as MAC cloning or spoofing. Beside explicitly
3683 specifying a MAC address, the special values "preserve",
3684 "permanent", "random" and "stable" are supported. "preserve" means
3685 not to touch the MAC address on activation. "permanent" means to
3686 use the permanent hardware address of the device. "random" creates
3687 a random MAC address on each connect. "stable" creates a hashed MAC
3688 address based on connection.stable-id and a machine dependent key.
3689 If unspecified, the value can be overwritten via global defaults,
3690 see manual of NetworkManager.conf. If still unspecified, it
3691 defaults to "preserve" (older versions of NetworkManager may use a
3692 different default value). On D-Bus, this field is expressed as
3693 "assigned-mac-address" or the deprecated "cloned-mac-address".
3694 Format: byte array
3696 generate-mac-address-mask
3698 With "cloned-mac-address" setting "random" or "stable", by default
3699 all bits of the MAC address are scrambled and a
3700 locally-administered, unicast MAC address is created. This property
3701 allows to specify that certain bits are fixed. Note that the least
3702 significant bit of the first MAC address will always be unset to
3703 create a unicast MAC address. If the property is NULL, it is
3704 eligible to be overwritten by a default connection setting. If the
3705 value is still NULL or an empty string, the default is to create a
3706 locally-administered, unicast MAC address. If the value contains
3707 one MAC address, this address is used as mask. The set bits of the
3708 mask are to be filled with the current MAC address of the device,
3709 while the unset bits are subject to randomization. Setting
3710 "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3711 address and only randomize the lower 3 bytes using the "random" or
3712 "stable" algorithm. If the value contains one additional MAC
3713 address after the mask, this address is used instead of the current
3714 MAC address to fill the bits that shall not be randomized. For
3715 example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3716 the OUI of the MAC address to 68:F7:28, while the lower bits are
3717 randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3718 create a fully scrambled globally-administered, burned-in MAC
3719 address. If the value contains more than one additional MAC
3720 addresses, one of them is chosen randomly. For example,
3721 "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3722 a fully scrambled MAC address, randomly locally or globally
3723 administered.
3724 Format: string
3726 hidden
3728 If TRUE, indicates that the network is a non-broadcasting network
3729 that hides its SSID. This works both in infrastructure and AP mode.
3730 In infrastructure mode, various workarounds are used for a more
3731 reliable discovery of hidden networks, such as probe-scanning the
3732 SSID. However, these workarounds expose inherent insecurities with
3733 hidden SSID networks, and thus hidden SSID networks should be used
3734 with caution. In AP mode, the created network does not broadcast
3735 its SSID. Note that marking the network as hidden may be a privacy
3736 issue for you (in infrastructure mode) or client stations (in AP
3737 mode), as the explicit probe-scans are distinctly recognizable on
3738 the air.
3739 Format: boolean
3741 mac-address
3743 Alias: mac
3744 If specified, this connection will only apply to the Wi-Fi device
3746 whose permanent MAC address matches. This property does not change
3747 the MAC address of the device (i.e. MAC spoofing).
3748 Format: byte array
3750 mac-address-blacklist
3752 A list of permanent MAC addresses of Wi-Fi devices to which this
3753 connection should never apply. Each MAC address should be given in
3754 the standard hex-digits-and-colons notation (eg
3755 "00:11:22:33:44:55").
3756 Format: array of string
3758 mac-address-randomization
3760 One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
3761 unless the user has set a global default to randomize and the
3762 supplicant supports randomization),
3763 NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
3764 address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
3765 randomize the MAC address). This property is deprecated for
3766 'cloned-mac-address'. Deprecated: 1
3767 Format: uint32
3769 mode
3771 Alias: mode
3772 Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
3774 "ap". If blank, infrastructure is assumed.
3775 Format: string
3777 mtu
3779 Alias: mtu
3780 If non-zero, only transmit packets of the specified size or
3782 smaller, breaking larger packets up into multiple Ethernet frames.
3783 Format: uint32
3785 powersave
3787 One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
3788 power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
3789 Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
3790 (don't touch currently configure setting) or
3791 NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
3792 configured value). All other values are reserved.
3793 Format: uint32
3795 rate
3797 If non-zero, directs the device to only use the specified bitrate
3798 for communication with the access point. Units are in Kb/s, ie 5500
3799 = 5.5 Mbit/s. This property is highly driver dependent and not all
3800 devices support setting a static bitrate.
3801 Format: uint32
3803 seen-bssids
3805 A list of BSSIDs (each BSSID formatted as a MAC address like
3806 "00:11:22:33:44:55") that have been detected as part of the Wi-Fi
3807 network. NetworkManager internally tracks previously seen BSSIDs.
3808 The property is only meant for reading and reflects the BSSID list
3809 of NetworkManager. The changes you make to this property will not
3810 be preserved.
3811 Format: array of string
3813 ssid
3815 Alias: ssid
3816 SSID of the Wi-Fi network. Must be specified.
3818 Format: byte array
3820 tx-power
3822 If non-zero, directs the device to use the specified transmit
3823 power. Units are dBm. This property is highly driver dependent and
3824 not all devices support setting a static transmit power.
3825 Format: uint32
3827 wake-on-wlan
3829 The NMSettingWirelessWakeOnWLan options to enable. Not all devices
3830 support all options. May be any combination of
3831 NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
3832 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
3833 NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
3834 NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
3835 NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
3836 NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
3837 NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
3838 NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
3839 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
3840 settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
3841 disable management of Wake-on-LAN in NetworkManager).
3842 Format: uint32
3844 802-11-wireless-security setting
3846 Alias: wifi-sec
3847 Wi-Fi Security Settings.
3849 Properties:
3851 auth-alg
3853 When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate
3854 the 802.11 authentication algorithm required by the AP here. One of
3855 "open" for Open System, "shared" for Shared Key, or "leap" for
3856 Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and
3857 auth-alg = "leap") the "leap-username" and "leap-password"
3858 properties must be specified.
3859 Format: string
3861 fils
3863 Indicates whether Fast Initial Link Setup (802.11ai) must be
3864 enabled for the connection. One of
3865 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
3866 value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
3867 FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
3868 if the supplicant and the access point support it) or
3869 NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
3870 fail if not supported). When set to
3871 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
3872 is set, FILS will be optionally enabled.
3873 Format: int32
3875 group
3877 A list of group/broadcast encryption algorithms which prevents
3878 connections to Wi-Fi networks that do not utilize one of the
3879 algorithms in the list. For maximum compatibility leave this
3880 property empty. Each list element may be one of "wep40", "wep104",
3881 "tkip", or "ccmp".
3882 Format: array of string
3884 key-mgmt
3886 Key management used for the connection. One of "none" (WEP),
3887 "ieee8021x" (Dynamic WEP), "wpa-psk" (infrastructure WPA-PSK),
3888 "sae" (SAE), "owe" (Opportunistic Wireless Encryption) or "wpa-eap"
3889 (WPA-Enterprise). This property must be set for any Wi-Fi
3890 connection that uses security.
3891 Format: string
3893 leap-password
3895 The login password for legacy LEAP connections (ie, key-mgmt =
3896 "ieee8021x" and auth-alg = "leap").
3897 Format: string
3899 leap-password-flags
3901 Flags indicating how to handle the "leap-password" property. See
3902 the section called “Secret flag types:” for flag values.
3903 Format: NMSettingSecretFlags (uint32)
3905 leap-username
3907 The login username for legacy LEAP connections (ie, key-mgmt =
3908 "ieee8021x" and auth-alg = "leap").
3909 Format: string
3911 pairwise
3913 A list of pairwise encryption algorithms which prevents connections
3914 to Wi-Fi networks that do not utilize one of the algorithms in the
3915 list. For maximum compatibility leave this property empty. Each
3916 list element may be one of "tkip" or "ccmp".
3917 Format: array of string
3919 pmf
3921 Indicates whether Protected Management Frames (802.11w) must be
3922 enabled for the connection. One of
3923 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
3924 value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
3925 NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
3926 supplicant and the access point support it) or
3927 NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
3928 if not supported). When set to
3929 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
3930 is set, PMF will be optionally enabled.
3931 Format: int32
3933 proto
3935 List of strings specifying the allowed WPA protocol versions to
3936 use. Each element may be one "wpa" (allow WPA) or "rsn" (allow
3937 WPA2/RSN). If not specified, both WPA and RSN connections are
3938 allowed.
3939 Format: array of string
3941 psk
3943 Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
3944 passphrase of 8 to 63 characters that is (as specified in the
3945 802.11i standard) hashed to derive the actual key, or the key in
3946 form of 64 hexadecimal character. The WPA3-Personal networks use a
3947 passphrase of any length for SAE authentication.
3948 Format: string
3950 psk-flags
3952 Flags indicating how to handle the "psk" property. See the section
3953 called “Secret flag types:” for flag values.
3954 Format: NMSettingSecretFlags (uint32)
3956 wep-key-flags
3958 Flags indicating how to handle the "wep-key0", "wep-key1",
3959 "wep-key2", and "wep-key3" properties. See the section called
3960 “Secret flag types:” for flag values.
3961 Format: NMSettingSecretFlags (uint32)
3963 wep-key-type
3965 Controls the interpretation of WEP keys. Allowed values are
3966 NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
3967 26-character hexadecimal string, or a 5- or 13-character ASCII
3968 password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
3969 passphrase is provided as a string and will be hashed using the
3970 de-facto MD5 method to derive the actual WEP key.
3971 Format: NMWepKeyType (uint32)
3973 wep-key0
3975 Index 0 WEP key. This is the WEP key used in most networks. See the
3976 "wep-key-type" property for a description of how this key is
3977 interpreted.
3978 Format: string
3980 wep-key1
3982 Index 1 WEP key. This WEP index is not used by most networks. See
3983 the "wep-key-type" property for a description of how this key is
3984 interpreted.
3985 Format: string
3987 wep-key2
3989 Index 2 WEP key. This WEP index is not used by most networks. See
3990 the "wep-key-type" property for a description of how this key is
3991 interpreted.
3992 Format: string
3994 wep-key3
3996 Index 3 WEP key. This WEP index is not used by most networks. See
3997 the "wep-key-type" property for a description of how this key is
3998 interpreted.
3999 Format: string
4001 wep-tx-keyidx
4003 When static WEP is used (ie, key-mgmt = "none") and a non-default
4004 WEP key index is used by the AP, put that WEP key index here. Valid
4005 values are 0 (default key) through 3. Note that some consumer
4006 access points (like the Linksys WRT54G) number the keys 1 - 4.
4007 Format: uint32
4009 wps-method
4011 Flags indicating which mode of WPS is to be used if any. There's
4012 little point in changing the default setting as NetworkManager will
4013 automatically determine whether it's feasible to start WPS
4014 enrollment from the Access Point capabilities. WPS can be disabled
4015 by setting this property to a value of 1.
4016 Format: uint32
4018 wpan setting
4020 IEEE 802.15.4 (WPAN) MAC Settings.
4021 Properties:
4023 channel
4025 Alias: channel
4026 IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
4028 set, use whatever the device is already set to".
4029 Format: int32
4031 mac-address
4033 Alias: mac
4034 If specified, this connection will only apply to the IEEE 802.15.4
4036 (WPAN) MAC layer device whose permanent MAC address matches.
4037 Format: string
4039 page
4041 Alias: page
4042 IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
4044 not set, use whatever the device is already set to".
4045 Format: int32
4047 pan-id
4049 Alias: pan-id
4050 IEEE 802.15.4 Personal Area Network (PAN) identifier.
4052 Format: uint32
4054 short-address
4056 Alias: short-addr
4057 Short IEEE 802.15.4 address to be used within a restricted
4059 environment.
4060 Format: uint32
4062 Secret flag types:
4064 Each password or secret property in a setting has an associated flags
4065 property that describes how to handle that secret. The flags property
4066 is a bitfield that contains zero or more of the following values
4067 logically OR-ed together.
4068 · 0x0 (none) - the system is responsible for providing and storing
4070 this secret. This may be required so that secrets are already
4071 available before the user logs in. It also commonly means that the
4072 secret will be stored in plain text on disk, accessible to root
4073 only. For example via the keyfile settings plugin as described in
4074 the "PLUGINS" section in NetworkManager.conf(5).
4075 · 0x1 (agent-owned) - a user-session secret agent is responsible for
4077 providing and storing this secret; when it is required, agents will
4078 be asked to provide it.
4079 · 0x2 (not-saved) - this secret should not be saved but should be
4081 requested from the user each time it is required. This flag should
4082 be used for One-Time-Pad secrets, PIN codes from hardware tokens,
4083 or if the user simply does not want to save the secret.
4084 · 0x4 (not-required) - in some situations it cannot be automatically
4086 determined that a secret is required or not. This flag hints that
4087 the secret is not required and should not be requested from the
4088 user.
4089
4091 /etc/NetworkManager/system-connections or distro plugin-specific
4092 location
4093
4095 nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
4096 nm-settings-keyfile(5), NetworkManager.conf(5)
4097NetworkManager 1.26.6 NM-SETTINGS-NMCLI(5)