NM-SETTINGS-NMCLI(5) Configuration NM-SETTINGS-NMCLI(5)

nm-settings-nmcli - Description of settings and properties of
NetworkManager connection profiles for nmcli

NetworkManager is based on a concept of connection profiles, sometimes
referred to as connections only. These connection profiles contain a
network configuration. When NetworkManager activates a connection
profile on a network device the configuration will be applied and an
active network connection will be established. Users are free to create
as many connection profiles as they see fit. Thus they are flexible in
having various network configurations for different networking needs.

NetworkManager provides an API for configuring connection profiles, for
activating them to configure the network, and inspecting the current
network configuration. The command line tool nmcli is a client
application to NetworkManager that uses this API. See nmcli(1) for
details.

With commands like nmcli connection add, nmcli connection modify and
nmcli connection show, connection profiles can be created, modified and
inspected. A profile consists of properties. On D-Bus this follows the
format as described by nm-settings-dbus(5), while this manual page
describes the settings format as expected by nmcli.

The settings and properties shown in the tables below list all available
connection configuration options. However, note that not all settings
are applicable to all connection types. The nmcli connection editor
also has a built-in describe command that can display descriptions of
particular settings and properties of this page.

Setting and property names can be abbreviated provided they are unique.
The list below also shows aliases that can be used unqualified instead
of the full name. For example connection.interface-name and ifname
refer to the same property.

connection setting
General Connection Profile Settings.

Properties:

auth-retries
The number of retries for the authentication. Zero means to try
indefinitely; -1 means to use a global default. If the global
default is not set, authentication is retried 3 times before
failing the connection. Currently, this only applies to 802-1x
authentication.

Format: int32

autoconnect
Alias: autoconnect

Whether or not the connection should be automatically connected by
NetworkManager when the resources for the connection are available.
TRUE to automatically activate the connection, FALSE to require
manual intervention to activate the connection. Note that
autoconnect is not implemented for VPN profiles. See "secondaries"
as an alternative to automatically connect VPN profiles.

Format: boolean

autoconnect-priority
The autoconnect priority. If the connection is set to autoconnect,
connections with higher priority will be preferred. Defaults to 0.
The higher number means higher priority.

Format: int32

autoconnect-retries
The number of times a connection should be tried when
autoactivating before giving up. Zero means forever, -1 means the
global default (4 times if not overridden). Setting this to 1 means
to try activation only once before blocking autoconnect. Note that
after a timeout, NetworkManager will try to autoconnect again.

Format: int32

autoconnect-slaves
Whether or not slaves of this connection should be automatically
brought up when NetworkManager activates this connection. This only
has a real effect for master connections. The properties
"autoconnect", "autoconnect-priority" and "autoconnect-retries" are
unrelated to this setting. The permitted values are: 0: leave slave
connections untouched, 1: activate all the slave connections with
this connection, -1: default. If -1 (default) is set, global
connection.autoconnect-slaves is read to determine the real value.
If it is default as well, this falls back to 0.

Format: NMSettingConnectionAutoconnectSlaves (int32)

gateway-ping-timeout
If greater than zero, delay success of IP addressing until either
the timeout is reached, or an IP gateway replies to a ping.

Format: uint32

id
Alias: con-name

A human readable unique identifier for the connection, like "Work
Wi-Fi" or "T-Mobile 3G".

Format: string

interface-name
Alias: ifname

The name of the network interface this connection is bound to. If
not set, then the connection can be attached to any interface of
the appropriate type (subject to restrictions imposed by other
settings). For software devices this specifies the name of the
created device. For connection types where interface names cannot
easily be made persistent (e.g. mobile broadband or USB Ethernet),
this property should not be used. Setting this property restricts
the interfaces a connection can be used with, and if interface
names change or are reordered the connection may be applied to the
wrong interface.

Format: string

lldp
Whether LLDP is enabled for the connection.

Format: int32

llmnr
Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
the connection. LLMNR is a protocol based on the Domain Name System
(DNS) packet format that allows both IPv4 and IPv6 hosts to perform
name resolution for hosts on the same local link. The permitted
values are: "yes" (2) register hostname and resolving for the
connection, "no" (0) disable LLMNR for the interface, "resolve" (1)
do not register hostname but allow resolving of LLMNR host names. If
unspecified, "default" ultimately depends on the DNS plugin (which
for systemd-resolved currently means "yes"). This feature requires
a plugin which supports LLMNR. Otherwise, the setting has no
effect. One such plugin is dns-systemd-resolved.

Format: int32

master
Alias: master

Interface name of the master device or UUID of the master
connection.

Format: string

mdns
Whether mDNS is enabled for the connection. The permitted values
are: "yes" (2) register hostname and resolving for the connection,
"no" (0) disable mDNS for the interface, "resolve" (1) do not
register hostname but allow resolving of mDNS host names and
"default" (-1) to allow lookup of a global default in
NetworkManager.conf. If unspecified, "default" ultimately depends
on the DNS plugin (which for systemd-resolved currently means
"no"). This feature requires a plugin which supports mDNS.
Otherwise, the setting has no effect. One such plugin is
dns-systemd-resolved.

Format: int32

metered
Whether the connection is metered. When updating this property on a
currently activated connection, the change takes effect
immediately.

Format: NMMetered (int32)

mud-url
If configured, set to a Manufacturer Usage Description (MUD) URL
that points to manufacturer-recommended network policies for IoT
devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
must be a valid URL starting with "https://". The special value
"none" is allowed to indicate that no MUD URL is used. If the
per-profile value is unspecified (the default), a global connection
default gets consulted. If still unspecified, the ultimate default
is "none".

Format: string

multi-connect
Specifies whether the profile can be active multiple times at a
particular moment. The value is of type NMConnectionMultiConnect.

Format: int32

permissions
An array of strings defining what access a given user has to this
connection. If this is NULL or empty, all users are allowed to
access this connection; otherwise users are allowed if and only if
they are in this list. When this is not empty, the connection can
be active only when one of the specified users is logged into an
active session. Each entry is of the form "[type]:[id]:[reserved]";
for example, "user:dcbw:blah". At this time only the "user" [type]
is allowed. Any other values are ignored and reserved for future
use. [id] is the username that this permission refers to, which may
not contain the ":" character. Any [reserved] information present
must be ignored and is reserved for future use. All of [type],
[id], and [reserved] must be valid UTF-8.

Format: array of string
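
Added example (not part of the original manual page and not NetworkManager
code): a shell sketch that interprets "[type]:[id]:[reserved]" entries and
applies the access rule described above. The function names and sample
entries are hypothetical, and the denial of a non-empty list whose entries
are all ignored is this sketch's reading of the text.

```shell
#!/bin/sh
# Added example: interpret connection.permissions entries of the form
# "[type]:[id]:[reserved]". Function names and sample entries are constructed.

# perm_user ENTRY
# Prints the username of a usable "user" entry. Returns 1 and prints
# nothing when the entry has to be ignored.
perm_user() {
    entry=$1
    case $entry in
        *:*) ;;                       # needs at least "[type]:[id]"
        *) return 1 ;;
    esac
    ptype=${entry%%:*}                # text before the first ":"
    rest=${entry#*:}                  # "[id]" or "[id]:[reserved]"
    pid=${rest%%:*}                   # [id] cannot contain ":", stop at the next one
    [ "$ptype" = "user" ] || return 1 # only the "user" type is allowed today
    [ -n "$pid" ] || return 1         # an empty username matches nobody
    printf '%s\n' "$pid"              # [reserved] is deliberately never read
}

# profile_allows USER [ENTRY...]
# Exit status 0 if USER may access a profile carrying these entries.
profile_allows() {
    want=$1
    shift
    [ "$#" -eq 0 ] && return 0        # NULL or empty list: all users allowed
    for e in "$@"; do
        if u=$(perm_user "$e") && [ "$u" = "$want" ]; then
            return 0
        fi
    done
    # Assumption of this sketch: a non-empty list without a usable match
    # denies access, even if every entry in it was ignored.
    return 1
}

# Constructed demonstration.
for who in dcbw alice; do
    if profile_allows "$who" 'user:dcbw:blah' 'group:wheel:'; then
        echo "$who: allowed"
    else
        echo "$who: denied"
    fi
done
```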

read-only
FALSE if the connection can be modified using the provided settings
service's D-Bus interface with the right privileges, or TRUE if the
connection is read-only and cannot be modified.

Format: boolean

secondaries
List of connection UUIDs that should be activated when the base
connection itself is activated. Currently, only VPN connections are
supported.

Format: array of string

slave-type
Alias: slave-type

Setting name of the device type of this slave's master connection
(e.g., "bond"), or NULL if this connection is not a slave.

Format: string

stable-id
This represents the identity of the connection used for various
purposes. It allows multiple profiles to be configured to share the
identity. Also, the stable-id can contain placeholders that are
substituted dynamically and deterministically depending on the
context. The stable-id is used for generating IPv6 stable private
addresses with ipv6.addr-gen-mode=stable-privacy. It is also used
to seed the generated cloned MAC address for
ethernet.cloned-mac-address=stable and
wifi.cloned-mac-address=stable. It is also used as DHCP client
identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid]. Note that depending
on the context where it is used, other parameters are also seeded
into the generation algorithm. For example, a per-host key is
commonly also included, so that different systems end up generating
different IDs. Or with ipv6.addr-gen-mode=stable-privacy, also the
device's name is included, so that different interfaces yield
different addresses. The per-host key is the identity of your
machine and stored in /var/lib/NetworkManager/secret-key. The '$'
character is treated specially to perform dynamic substitutions at
runtime. Currently, supported are "${CONNECTION}", "${DEVICE}",
"${MAC}", "${BOOT}", "${RANDOM}". These effectively create unique
IDs per-connection, per-device, per-boot, or every time. Note that
"${DEVICE}" corresponds to the interface name of the device and
"${MAC}" is the permanent MAC address of the device. Any
unrecognized patterns following '$' are treated verbatim, but
are reserved for future use. You are thus advised to avoid '$' or
escape it as "$$". For example, set it to
"${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
connection that changes with every reboot and differs depending on
the interface where the profile activates. If the value is unset, a
global connection default is consulted. If the value is still
unset, the default is similar to "${CONNECTION}" and uses a unique,
fixed ID for the connection.

Format: string

timestamp
The time, in seconds since the Unix Epoch, that the connection was
last _successfully_ fully activated. NetworkManager updates the
connection timestamp periodically when the connection is active to
ensure that an active connection has the latest timestamp. The
property is only meant for reading (changes to this property will
not be preserved).

Format: uint64

type
Alias: type

Base type of the connection. For hardware-dependent connections,
should contain the setting name of the hardware-type specific
setting (i.e., "802-3-ethernet" or "802-11-wireless" or "bluetooth",
etc), and for non-hardware dependent connections like VPN or
otherwise, should contain the setting name of that setting type
(i.e., "vpn" or "bridge", etc).

Format: string

uuid
A universally unique identifier for the connection, for example
generated with libuuid. It should be assigned when the connection
is created, and never changed as long as the connection still
applies to the same network. For example, it should not be changed
when the "id" property or NMSettingIP4Config changes, but might
need to be re-created when the Wi-Fi SSID, mobile broadband network
provider, or "type" property changes. The UUID must be in the
format "2815492f-7e56-435e-b2e9-246bd7cdc664" (i.e., contains only
hexadecimal characters and "-").

Format: string

wait-device-timeout
Timeout in milliseconds to wait for device at startup. During boot,
devices may take a while to be detected by the driver. This
property delays NetworkManager-wait-online.service and
nm-online to give the device a chance to appear. This works by
waiting for the given timeout until a compatible device for the
profile is available and managed. The value 0 means no wait time.
The default value is -1, which currently has the same meaning as no
wait time.

Format: int32

zone
The trust level of the connection. Free form case-insensitive
string (for example "Home", "Work", "Public"). NULL or unspecified
zone means the connection will be placed in the default zone as
defined by the firewall. When updating this property on a currently
activated connection, the change takes effect immediately.

Format: string

6lowpan setting
6LoWPAN Settings.

Properties:

parent
Alias: dev

If given, specifies the parent interface name or parent connection
UUID from which this 6LoWPAN interface should be created.

Format: string

802-1x setting
IEEE 802.1x Authentication Settings.

Properties:

altsubject-matches
List of strings to be matched against the altSubjectName of the
certificate presented by the authentication server. If the list is
empty, no verification of the server certificate's altSubjectName
is performed.

Format: array of string

anonymous-identity
Anonymous identity string for EAP authentication methods. Used as
the unencrypted identity with EAP types that support different
tunneled identity like EAP-TTLS.

Format: string

auth-timeout
A timeout for the authentication. Zero means the global default; if
the global default is not set, the authentication timeout is 25
seconds.

Format: int32

ca-cert
Contains the CA certificate if used by the EAP method specified in
the "eap" property. Certificate data is specified using a "scheme";
three are currently supported: blob, path and pkcs#11 URL. When
using the blob scheme this property should be set to the
certificate's DER encoded data. When using the path scheme, this
property should be set to the full UTF-8 encoded path of the
certificate, prefixed with the string "file://" and ending with a
terminating NUL byte. This property can be unset even if the EAP
method supports CA certificates, but this allows man-in-the-middle
attacks and is NOT recommended. Note that enabling
NMSetting8021x:system-ca-certs will override this setting to use
the built-in path, if the built-in path is not a directory.

Format: byte array

ca-cert-password
The password used to access the CA certificate stored in "ca-cert"
property. Only makes sense if the certificate is stored on a
PKCS#11 token that requires a login.

Format: string

ca-cert-password-flags
Flags indicating how to handle the "ca-cert-password" property. See
the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

ca-path
UTF-8 encoded path to a directory containing PEM or DER formatted
certificates to be added to the verification chain in addition to
the certificate specified in the "ca-cert" property. If
NMSetting8021x:system-ca-certs is enabled and the built-in CA path
is an existing directory, then this setting is ignored.

Format: string

client-cert
Contains the client certificate if used by the EAP method specified
in the "eap" property. Certificate data is specified using a
"scheme"; two are currently supported: blob and path. When using
the blob scheme (which is backwards compatible with NM 0.7.x) this
property should be set to the certificate's DER encoded data. When
using the path scheme, this property should be set to the full
UTF-8 encoded path of the certificate, prefixed with the string
"file://" and ending with a terminating NUL byte.

Format: byte array

client-cert-password
The password used to access the client certificate stored in
"client-cert" property. Only makes sense if the certificate is
stored on a PKCS#11 token that requires a login.

Format: string

client-cert-password-flags
Flags indicating how to handle the "client-cert-password" property.
See the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

domain-match
Constraint for server domain name. If set, this list of FQDNs is
used as a match requirement for dNSName element(s) of the
certificate presented by the authentication server. If a matching
dNSName is found, this constraint is met. If no dNSName values are
present, this constraint is matched against SubjectName CN using
the same comparison. Multiple valid FQDNs can be passed as a ";"
delimited list.

Format: string

domain-suffix-match
Constraint for server domain name. If set, this FQDN is used as a
suffix match requirement for dNSName element(s) of the certificate
presented by the authentication server. If a matching dNSName is
found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using the same
suffix match comparison. Since version 1.24, multiple valid FQDNs
can be passed as a ";" delimited list.

Format: string
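
Added example (not part of the original manual page, and not NetworkManager
or wpa_supplicant code): a shell sketch of the suffix rule for a ";"
delimited domain-suffix-match list, next to the plain substring comparison
this page describes for the deprecated subject-match property. Matching on
whole DNS labels follows the wpa_supplicant documentation; the
case-insensitive comparison, the function names and all sample names are
assumptions of the sketch.

```shell
#!/bin/sh
# Added example: suffix matching on whole DNS labels compared with substring
# matching. All host names below are constructed sample values.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# suffix_match NAME LIST
# Succeeds if NAME equals one of the ";"-delimited FQDNs in LIST, or ends in
# "." followed by one of them, so a match always starts at a label boundary.
# Names are compared case-insensitively (assumption of this sketch).
suffix_match() (
    name=$(lower "$1")
    list=$(lower "$2")
    IFS=';'
    set -f                            # no globbing while splitting the list
    for fqdn in $list; do
        [ -n "$fqdn" ] || continue    # skip empty items such as a trailing ";"
        case $name in
            "$fqdn"|*."$fqdn") return 0 ;;
        esac
    done
    return 1
)

# substring_match SUBJECT NEEDLE
# Succeeds if NEEDLE occurs anywhere in SUBJECT, which is the kind of
# comparison described for subject-match.
substring_match() {
    case $1 in
        *"$2"*) return 0 ;;
    esac
    return 1
}

# report NAME LIST: print the suffix-match verdict for one dNSName.
report() {
    if suffix_match "$1" "$2"; then
        echo "$1 vs '$2': match"
    else
        echo "$1 vs '$2': no match"
    fi
}

# Constructed demonstration.
report radius.example.com     'example.com'
report test-example.com       'example.com'
report example.com.other.test 'example.com'
report aaa.corp.example.net   'example.com;corp.example.net'

# The substring rule accepts a subject that the suffix rule rejects.
if substring_match 'CN=example.com.other.test' 'example.com'; then
    echo "substring rule: CN=example.com.other.test accepted"
fi
```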

eap
The allowed EAP method to be used when authenticating to the
network with 802.1x. Valid methods are: "leap", "md5", "tls",
"peap", "ttls", "pwd", and "fast". Each method requires different
configuration using the properties of this setting; refer to
wpa_supplicant documentation for the allowed combinations.

Format: array of string

identity
Identity string for EAP authentication methods. Often the user's
user or login name.

Format: string

optional
Whether the 802.1X authentication is optional. If TRUE, the
activation will continue even after a timeout or an authentication
failure. Setting the property to TRUE is currently allowed only for
Ethernet connections. If set to FALSE, the activation can continue
only after a successful authentication.

Format: boolean

pac-file
UTF-8 encoded file path containing PAC for EAP-FAST.

Format: string

password
UTF-8 encoded password used for EAP authentication methods. If both
the "password" property and the "password-raw" property are
specified, "password" is preferred.

Format: string

password-flags
Flags indicating how to handle the "password" property. See the
section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

password-raw
Password used for EAP authentication methods, given as a byte array
to allow passwords in other encodings than UTF-8 to be used. If
both the "password" property and the "password-raw" property are
specified, "password" is preferred.

Format: byte array

password-raw-flags
Flags indicating how to handle the "password-raw" property. See the
section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

phase1-auth-flags
Specifies authentication flags to use in "phase 1" outer
authentication using NMSetting8021xAuthFlags options. The
individual TLS versions can be explicitly disabled. If a certain
TLS disable flag is not set, it is up to the supplicant to allow or
forbid it. The TLS options map to tls_disable_tlsv1_x settings. See
the wpa_supplicant documentation for more details.

Format: uint32

phase1-fast-provisioning
Enables or disables in-line provisioning of EAP-FAST credentials
when FAST is specified as the EAP method in the "eap" property.
Recognized values are "0" (disabled), "1" (allow unauthenticated
provisioning), "2" (allow authenticated provisioning), and "3"
(allow both authenticated and unauthenticated provisioning). See
the wpa_supplicant documentation for more details.

Format: string

phase1-peaplabel
Forces use of the new PEAP label during key derivation. Some RADIUS
servers may require forcing the new PEAP label to interoperate with
PEAPv1. Set to "1" to force use of the new PEAP label. See the
wpa_supplicant documentation for more details.

Format: string

phase1-peapver
Forces which PEAP version is used when PEAP is set as the EAP
method in the "eap" property. When unset, the version reported by
the server will be used. Sometimes when using older RADIUS servers,
it is necessary to force the client to use a particular PEAP
version. To do so, this property may be set to "0" or "1" to force
that specific PEAP version.

Format: string

phase2-altsubject-matches
List of strings to be matched against the altSubjectName of the
certificate presented by the authentication server during the inner
"phase 2" authentication. If the list is empty, no verification of
the server certificate's altSubjectName is performed.

Format: array of string

phase2-auth
Specifies the allowed "phase 2" inner authentication method when an
EAP method that uses an inner TLS tunnel is specified in the "eap"
property. For TTLS this property selects one of the supported
non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while
"phase2-autheap" selects an EAP inner method. For PEAP this selects
an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each
"phase 2" inner method requires specific parameters for successful
authentication; see the wpa_supplicant documentation for more
details. Both "phase2-auth" and "phase2-autheap" cannot be
specified.

Format: string

phase2-autheap
Specifies the allowed "phase 2" inner EAP-based authentication
method when TTLS is specified in the "eap" property. Recognized
EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc",
and "tls". Each "phase 2" inner method requires specific parameters
for successful authentication; see the wpa_supplicant documentation
for more details.

Format: string

phase2-ca-cert
Contains the "phase 2" CA certificate if used by the EAP method
specified in the "phase2-auth" or "phase2-autheap" properties.
Certificate data is specified using a "scheme"; three are currently
supported: blob, path and pkcs#11 URL. When using the blob scheme
this property should be set to the certificate's DER encoded data.
When using the path scheme, this property should be set to the full
UTF-8 encoded path of the certificate, prefixed with the string
"file://" and ending with a terminating NUL byte. This property can
be unset even if the EAP method supports CA certificates, but this
allows man-in-the-middle attacks and is NOT recommended. Note that
enabling NMSetting8021x:system-ca-certs will override this setting
to use the built-in path, if the built-in path is not a directory.

Format: byte array

phase2-ca-cert-password
The password used to access the "phase2" CA certificate stored in
"phase2-ca-cert" property. Only makes sense if the certificate is
stored on a PKCS#11 token that requires a login.

Format: string

phase2-ca-cert-password-flags
Flags indicating how to handle the "phase2-ca-cert-password"
property. See the section called “Secret flag types:” for flag
values.

Format: NMSettingSecretFlags (uint32)

phase2-ca-path
UTF-8 encoded path to a directory containing PEM or DER formatted
certificates to be added to the verification chain in addition to
the certificate specified in the "phase2-ca-cert" property. If
NMSetting8021x:system-ca-certs is enabled and the built-in CA path
is an existing directory, then this setting is ignored.

Format: string

phase2-client-cert
Contains the "phase 2" client certificate if used by the EAP method
specified in the "phase2-auth" or "phase2-autheap" properties.
Certificate data is specified using a "scheme"; two are currently
supported: blob and path. When using the blob scheme (which is
backwards compatible with NM 0.7.x) this property should be set to
the certificate's DER encoded data. When using the path scheme,
this property should be set to the full UTF-8 encoded path of the
certificate, prefixed with the string "file://" and ending with a
terminating NUL byte. This property can be unset even if the EAP
method supports CA certificates, but this allows man-in-the-middle
attacks and is NOT recommended.

Format: byte array

phase2-client-cert-password
The password used to access the "phase2" client certificate stored
in "phase2-client-cert" property. Only makes sense if the
certificate is stored on a PKCS#11 token that requires a login.

Format: string

phase2-client-cert-password-flags
Flags indicating how to handle the "phase2-client-cert-password"
property. See the section called “Secret flag types:” for flag
values.

Format: NMSettingSecretFlags (uint32)

phase2-domain-match
Constraint for server domain name. If set, this list of FQDNs is
used as a match requirement for dNSName element(s) of the
certificate presented by the authentication server during the inner
"phase 2" authentication. If a matching dNSName is found, this
constraint is met. If no dNSName values are present, this
constraint is matched against SubjectName CN using the same
comparison. Multiple valid FQDNs can be passed as a ";" delimited
list.

Format: string

phase2-domain-suffix-match
Constraint for server domain name. If set, this FQDN is used as a
suffix match requirement for dNSName element(s) of the certificate
presented by the authentication server during the inner "phase 2"
authentication. If a matching dNSName is found, this constraint is
met. If no dNSName values are present, this constraint is matched
against SubjectName CN using the same suffix match comparison. Since
version 1.24, multiple valid FQDNs can be passed as a ";" delimited
list.

Format: string

phase2-private-key
Contains the "phase 2" inner private key when the "phase2-auth" or
"phase2-autheap" property is set to "tls". Key data is specified
using a "scheme"; two are currently supported: blob and path. When
using the blob scheme and private keys, this property should be set
to the key's encrypted PEM encoded data. When using private keys
with the path scheme, this property should be set to the full UTF-8
encoded path of the key, prefixed with the string "file://" and
ending with a terminating NUL byte. When using PKCS#12 format
private keys and the blob scheme, this property should be set to
the PKCS#12 data and the "phase2-private-key-password" property
must be set to the password used to decrypt the PKCS#12 certificate
and key. When using PKCS#12 files and the path scheme, this property
should be set to the full UTF-8 encoded path of the key, prefixed
with the string "file://" and ending with a terminating NUL byte,
and as with the blob scheme the "phase2-private-key-password"
property must be set to the password used to decode the PKCS#12
private key and certificate.

Format: byte array

phase2-private-key-password
The password used to decrypt the "phase 2" private key specified in
the "phase2-private-key" property when the private key either uses
the path scheme, or is a PKCS#12 format key.

Format: string

phase2-private-key-password-flags
Flags indicating how to handle the "phase2-private-key-password"
property. See the section called “Secret flag types:” for flag
values.

Format: NMSettingSecretFlags (uint32)

phase2-subject-match
Substring to be matched against the subject of the certificate
presented by the authentication server during the inner "phase 2"
authentication. When unset, no verification of the authentication
server certificate's subject is performed. This property provides
little security, if any, and its use is deprecated in favor of
NMSetting8021x:phase2-domain-suffix-match.

Format: string

pin
PIN used for EAP authentication methods.

Format: string

pin-flags
Flags indicating how to handle the "pin" property. See the section
called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

private-key
Contains the private key when the "eap" property is set to "tls".
Key data is specified using a "scheme"; two are currently
supported: blob and path. When using the blob scheme and private
keys, this property should be set to the key's encrypted PEM
encoded data. When using private keys with the path scheme, this
property should be set to the full UTF-8 encoded path of the key,
prefixed with the string "file://" and ending with a terminating
NUL byte. When using PKCS#12 format private keys and the blob
scheme, this property should be set to the PKCS#12 data and the
"private-key-password" property must be set to the password used to
decrypt the PKCS#12 certificate and key. When using PKCS#12 files
and the path scheme, this property should be set to the full UTF-8
encoded path of the key, prefixed with the string "file://" and
ending with a terminating NUL byte, and as with the blob scheme the
"private-key-password" property must be set to the password used to
decode the PKCS#12 private key and certificate. WARNING:
"private-key" is not a "secret" property, and thus unencrypted
private key data using the BLOB scheme may be readable by
unprivileged users. Private keys should always be encrypted with a
private key password to prevent unauthorized access to unencrypted
private key data.

Format: byte array

private-key-password
The password used to decrypt the private key specified in the
"private-key" property when the private key either uses the path
scheme, or if the private key is a PKCS#12 format key.

Format: string

private-key-password-flags
Flags indicating how to handle the "private-key-password" property.
See the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

subject-match
Substring to be matched against the subject of the certificate
presented by the authentication server. When unset, no verification
of the authentication server certificate's subject is performed.
This property provides little security, if any, and its use is
deprecated in favor of NMSetting8021x:domain-suffix-match.

Format: string
769
770 system-ca-certs
771 When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
772 using the system CA directory specified at configure time with the
773 --system-ca-path switch. The certificates in this directory are
774 added to the verification chain in addition to any certificates
775 specified by the "ca-cert" and "phase2-ca-cert" properties. If the
776 path provided with --system-ca-path is rather a file name (bundle
777 of trusted CA certificates), it overrides "ca-cert" and
778 "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
779 for wpa_supplicant).
780
781 Format: boolean
782
783 adsl setting
784 ADSL Settings.
785
786 Properties:
787
788 encapsulation
789 Alias: encapsulation
790
791 Encapsulation of ADSL connection. Can be "vcmux" or "llc".
792
793 Format: string
794
795 password
796 Alias: password
797
798 Password used to authenticate with the ADSL service.
799
800 Format: string
801
802 password-flags
803 Flags indicating how to handle the "password" property. See the
804 section called “Secret flag types:” for flag values.
805
806 Format: NMSettingSecretFlags (uint32)
807
808 protocol
809 Alias: protocol
810
811 ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
812
813 Format: string
814
815 username
816 Alias: username
817
818 Username used to authenticate with the ADSL service.
819
820 Format: string
821
822 vci
823 VCI of ADSL connection
824
825 Format: uint32
826
827 vpi
828 VPI of ADSL connection
829
830 Format: uint32
831
832 bluetooth setting
833 Bluetooth Settings.
834
835 Properties:
836
837 bdaddr
838 Alias: addr
839
840 The Bluetooth address of the device.
841
842 Format: byte array
843
844 type
845 Alias: bt-type
846
847 Either "dun" for Dial-Up Networking connections or "panu" for
848 Personal Area Networking connections to devices supporting the NAP
849 profile.
850
851 Format: string
852
853 bond setting
854 Bonding Settings.
855
856 Properties:
857
858 options
859 Dictionary of key/value pairs of bonding options. Both keys and
860 values must be strings. Option names must contain only alphanumeric
861 characters (i.e. [a-zA-Z0-9]).
862
863 Format: dict of string to string
864
865 bridge setting
866 Bridging Settings.
867
868 Properties:
869
870 ageing-time
871 Alias: ageing-time
872
873 The Ethernet MAC address aging time, in seconds.
874
875 Format: uint32
876
877 forward-delay
878 Alias: forward-delay
879
880 The Spanning Tree Protocol (STP) forwarding delay, in seconds.
881
882 Format: uint32
883
884 group-address
885 If specified, the MAC address of the multicast group this bridge
886 uses for STP. The address must be a link-local address in standard
887 Ethernet MAC address format, i.e. an address of the form
888 01:80:C2:00:00:0X, with X in [0, 4..F]. If not specified the
889 default value is 01:80:C2:00:00:00.
890
891 Format: byte array
892
893 group-forward-mask
894 Alias: group-forward-mask
895
896 A mask of group addresses to forward. Usually, group addresses in
897 the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
898 forwarded according to standards. This property is a mask of 16
899 bits, each corresponding to a group address in that range that must
900 be forwarded. The mask can't have bits 0, 1 or 2 set because they
901 are used for STP, MAC pause frames and LACP.
902
903 Format: uint32
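The constraints on "group-address" and "group-forward-mask" can be checked before a profile is applied, and a mask can be decoded into the link-local group addresses it opens up. This is an added example, not NetworkManager code; the function names and the dict layout passed to audit_bridge are hypothetical.

```python
import re

GROUP_ADDRESS = re.compile(r"01:80:C2:00:00:0([0-9A-F])", re.IGNORECASE)
# Bits the text says the mask may not set, with the protocol each one serves.
RESERVED_BITS = {0: "STP", 1: "MAC pause frames", 2: "LACP"}


def check_group_address(addr: str) -> str:
    """Accept 01:80:C2:00:00:0X with X in [0, 4..F]; return it upper-cased."""
    match = GROUP_ADDRESS.fullmatch(addr)
    if match is None:
        raise ValueError("%r is not of the form 01:80:C2:00:00:0X" % addr)
    if int(match.group(1), 16) in (1, 2, 3):
        raise ValueError("%r: last digit must be 0 or 4..F" % addr)
    return addr.upper()


def forwarded_group_addresses(mask: int) -> list:
    """Decode a 16-bit group-forward-mask into the addresses it forwards."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("mask 0x%X does not fit in 16 bits" % mask)
    bad = ["bit %d (%s)" % (bit, name)
           for bit, name in RESERVED_BITS.items() if mask & (1 << bit)]
    if bad:
        raise ValueError("mask 0x%X sets reserved %s" % (mask, ", ".join(bad)))
    return ["01:80:C2:00:00:%02X" % bit for bit in range(16) if mask & (1 << bit)]


def audit_bridge(props: dict) -> list:
    """Return a list of problems found in a dict of bridge properties."""
    problems = []
    if "group-address" in props:
        try:
            check_group_address(props["group-address"])
        except ValueError as err:
            problems.append("group-address: %s" % err)
    if "group-forward-mask" in props:
        try:
            forwarded_group_addresses(props["group-forward-mask"])
        except ValueError as err:
            problems.append("group-forward-mask: %s" % err)
    return problems


if __name__ == "__main__":
    # Constructed sample: bits 3 and 14 set.
    print(forwarded_group_addresses(0x4008))
    print(audit_bridge({"group-address": "01:80:C2:00:00:03",
                        "group-forward-mask": 0x1}))
```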
904
905 hello-time
906 Alias: hello-time
907
908 The Spanning Tree Protocol (STP) hello time, in seconds.
909
910 Format: uint32
911
912 mac-address
913 Alias: mac
914
915 If specified, the MAC address of bridge. When creating a new
916 bridge, this MAC address will be set. If this field is left
917 unspecified, "ethernet.cloned-mac-address" is consulted instead
918 to generate the initial MAC address. Note that setting
919 "ethernet.cloned-mac-address" anyway overwrites the MAC address of
920 the bridge later while activating the bridge. Hence, this property
921 is deprecated. Deprecated: 1
922
923 Format: byte array
924
925 max-age
926 Alias: max-age
927
928 The Spanning Tree Protocol (STP) maximum message age, in seconds.
929
930 Format: uint32
931
932 multicast-hash-max
933 Set maximum size of multicast hash table (value must be a power of
934 2).
935
936 Format: uint32
937
938 multicast-last-member-count
939 Set the number of queries the bridge will send before stopping
940 forwarding a multicast group after a "leave" message has been
941 received.
942
943 Format: uint32
944
945 multicast-last-member-interval
946 Set interval (in deciseconds) between queries to find remaining
947 members of a group, after a "leave" message is received.
948
949 Format: uint64
950
951 multicast-membership-interval
952 Set delay (in deciseconds) after which the bridge will leave a
953 group, if no membership reports for this group are received.
954
955 Format: uint64
956
957 multicast-querier
958 Enable or disable sending of multicast queries by the bridge. If
959 not specified the option is disabled.
960
961 Format: boolean
962
963 multicast-querier-interval
964 If no queries are seen after this delay (in deciseconds) has
965 passed, the bridge will start to send its own queries.
966
967 Format: uint64
968
969 multicast-query-interval
970 Interval (in deciseconds) between queries sent by the bridge after
971 the end of the startup phase.
972
973 Format: uint64
974
975 multicast-query-response-interval
976 Set the Max Response Time/Max Response Delay (in deciseconds) for
977 IGMP/MLD queries sent by the bridge.
978
979 Format: uint64
980
981 multicast-query-use-ifaddr
982 If enabled the bridge's own IP address is used as the source
983 address for IGMP queries; otherwise the default of 0.0.0.0 is used.
984
985 Format: boolean
986
987 multicast-router
988 Sets bridge's multicast router. Multicast-snooping must be enabled
989 for this option to work. Supported values are: 'auto', 'disabled',
990 'enabled' to which kernel assigns the numbers 1, 0, and 2,
991 respectively. If not specified the default value is 'auto' (1).
992
993 Format: string
994
995 multicast-snooping
996 Alias: multicast-snooping
997
998 Controls whether IGMP snooping is enabled for this bridge. Note
999 that if snooping was automatically disabled due to hash collisions,
1000 the system may refuse to enable the feature until the collisions
1001 are resolved.
1002
1003 Format: boolean
1004
1005 multicast-startup-query-count
1006 Set the number of IGMP queries to send during startup phase.
1007
1008 Format: uint32
1009
1010 multicast-startup-query-interval
1011 Sets the time (in deciseconds) between queries sent out at startup
1012 to determine membership information.
1013
1014 Format: uint64
1015
1016 priority
1017 Alias: priority
1018
1019 Sets the Spanning Tree Protocol (STP) priority for this bridge.
1020 Lower values are "better"; the lowest priority bridge will be
1021 elected the root bridge.
1022
1023 Format: uint32
1024
1025 stp
1026 Alias: stp
1027
1028 Controls whether Spanning Tree Protocol (STP) is enabled for this
1029 bridge.
1030
1031 Format: boolean
1032
1033 vlan-default-pvid
1034 The default PVID for the ports of the bridge, that is the VLAN id
1035 assigned to incoming untagged frames.
1036
1037 Format: uint32
1038
1039 vlan-filtering
1040 Control whether VLAN filtering is enabled on the bridge.
1041
1042 Format: boolean
1043
1044 vlan-protocol
1045 If specified, the protocol used for VLAN filtering. Supported
1046 values are: '802.1Q', '802.1ad'. If not specified the default value
1047 is '802.1Q'.
1048
1049 Format: string
1050
1051 vlan-stats-enabled
1052 Controls whether per-VLAN stats accounting is enabled.
1053
1054 Format: boolean
1055
1056 vlans
1057 Array of bridge VLAN objects. In addition to the VLANs specified
1058 here, the bridge will also have the default-pvid VLAN configured by
1059 the bridge.vlan-default-pvid property. In nmcli the VLAN list can
1060 be specified with the following syntax: $vid [pvid] [untagged] [,
1061 $vid [pvid] [untagged]]... where $vid is either a single id between
1062 1 and 4094 or a range, represented as a couple of ids separated by
1063 a dash.
1064
1065 Format: array of vardict
1066
1067 bridge-port setting
1068 Bridge Port Settings.
1069
1070 Properties:
1071
1072 hairpin-mode
1073 Alias: hairpin
1074
1075 Enables or disables "hairpin mode" for the port, which allows
1076 frames to be sent back out through the port the frame was received
1077 on.
1078
1079 Format: boolean
1080
1081 path-cost
1082 Alias: path-cost
1083
1084 The Spanning Tree Protocol (STP) port cost for destinations via
1085 this port.
1086
1087 Format: uint32
1088
1089 priority
1090 Alias: priority
1091
1092 The Spanning Tree Protocol (STP) priority of this bridge port.
1093
1094 Format: uint32
1095
1096 vlans
1097 Array of bridge VLAN objects. In addition to the VLANs specified
1098 here, the port will also have the default-pvid VLAN configured on
1099 the bridge by the bridge.vlan-default-pvid property. In nmcli the
1100 VLAN list can be specified with the following syntax: $vid [pvid]
1101 [untagged] [, $vid [pvid] [untagged]]... where $vid is either a
1102 single id between 1 and 4094 or a range, represented as a couple of
1103 ids separated by a dash.
1104
1105 Format: array of vardict
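The VLAN list syntax shared by bridge.vlans and bridge-port.vlans above, as a parser. This is an added example, not nmcli's own parser: the names BridgeVlan, parse_bridge_vlans, check_consistency and lookup are hypothetical, flag order is not enforced, and the consistency checks (a single PVID, no PVID on a range, no overlapping entries) are assumptions of this example rather than rules stated in the text.

```python
import re
from dataclasses import dataclass

VID = re.compile(r"([0-9]{1,4})(?:-([0-9]{1,4}))?")
FLAGS = ("pvid", "untagged")


@dataclass(frozen=True)
class BridgeVlan:
    vid_start: int
    vid_end: int
    pvid: bool = False
    untagged: bool = False


def check_consistency(vlans):
    """Sanity checks added by this example (assumptions, not from the text)."""
    pvids = [v for v in vlans if v.pvid]
    if len(pvids) > 1:
        raise ValueError("more than one entry is marked pvid")
    if pvids and pvids[0].vid_start != pvids[0].vid_end:
        raise ValueError("a range cannot be the pvid")
    ordered = sorted(vlans, key=lambda v: v.vid_start)
    for left, right in zip(ordered, ordered[1:]):
        if right.vid_start <= left.vid_end:
            raise ValueError("entries overlap at VLAN %d" % right.vid_start)


def parse_bridge_vlans(text):
    """Parse '$vid [pvid] [untagged] [, $vid [pvid] [untagged]]...'."""
    vlans = []
    for chunk in text.split(","):
        tokens = chunk.split()
        if not tokens:
            raise ValueError("empty VLAN entry in %r" % text)
        match = VID.fullmatch(tokens[0])
        if match is None:
            raise ValueError("bad VLAN id %r" % tokens[0])
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) else start
        # $vid is a single id between 1 and 4094, or a range of such ids.
        if not 1 <= start <= end <= 4094:
            raise ValueError("VLAN id %r outside 1..4094 or reversed" % tokens[0])
        flags = tokens[1:]
        if any(f not in FLAGS for f in flags) or len(set(flags)) != len(flags):
            raise ValueError("bad flags %r" % flags)
        vlans.append(BridgeVlan(start, end, "pvid" in flags, "untagged" in flags))
    check_consistency(vlans)
    return vlans


def lookup(vlans, vid):
    """Return the entry that admits VLAN id vid, or None if it is filtered."""
    for vlan in vlans:
        if vlan.vid_start <= vid <= vlan.vid_end:
            return vlan
    return None


if __name__ == "__main__":
    # Constructed sample value for bridge-port.vlans.
    table = parse_bridge_vlans("10 pvid untagged, 20-30")
    print(table)
    print(lookup(table, 25), lookup(table, 40))
```

The default-pvid VLAN from bridge.vlan-default-pvid is configured in addition to the parsed entries, so a review of what a port admits has to include it.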
1106
1107 cdma setting
1108 CDMA-based Mobile Broadband Settings.
1109
1110 Properties:
1111
1112 mtu
1113 If non-zero, only transmit packets of the specified size or
1114 smaller, breaking larger packets up into multiple frames.
1115
1116 Format: uint32
1117
1118 number
1119 The number to dial to establish the connection to the CDMA-based
1120 mobile broadband network, if any. If not specified, the default
1121 number (#777) is used when required.
1122
1123 Format: string
1124
1125 password
1126 Alias: password
1127
1128 The password used to authenticate with the network, if required.
1129 Many providers do not require a password, or accept any password.
1130 But if a password is required, it is specified here.
1131
1132 Format: string
1133
1134 password-flags
1135 Flags indicating how to handle the "password" property. See the
1136 section called “Secret flag types:” for flag values.
1137
1138 Format: NMSettingSecretFlags (uint32)
1139
1140 username
1141 Alias: user
1142
1143 The username used to authenticate with the network, if required.
1144 Many providers do not require a username, or accept any username.
1145 But if a username is required, it is specified here.
1146
1147 Format: string
1148
1149 dcb setting
1150 Data Center Bridging Settings.
1151
1152 Properties:
1153
1154 app-fcoe-flags
1155 Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1156 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1157 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1158 NM_SETTING_DCB_FLAG_WILLING (0x4).
1159
1160 Format: NMSettingDcbFlags (uint32)
1161
1162 app-fcoe-mode
1163 The FCoE controller mode; either "fabric" (default) or "vn2vn".
1164
1165 Format: string
1166
1167 app-fcoe-priority
1168 The highest User Priority (0 - 7) which FCoE frames should use, or
1169 -1 for default priority. Only used when the "app-fcoe-flags"
1170 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1171
1172 Format: int32
1173
1174 app-fip-flags
1175 Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1176 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1177 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1178 NM_SETTING_DCB_FLAG_WILLING (0x4).
1179
1180 Format: NMSettingDcbFlags (uint32)
1181
1182 app-fip-priority
1183 The highest User Priority (0 - 7) which FIP frames should use, or
1184 -1 for default priority. Only used when the "app-fip-flags"
1185 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1186
1187 Format: int32
1188
1189 app-iscsi-flags
1190 Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1191 Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1192 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1193 NM_SETTING_DCB_FLAG_WILLING (0x4).
1194
1195 Format: NMSettingDcbFlags (uint32)
1196
1197 app-iscsi-priority
1198 The highest User Priority (0 - 7) which iSCSI frames should use, or
1199 -1 for default priority. Only used when the "app-iscsi-flags"
1200 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1201
1202 Format: int32
1203
1204 priority-bandwidth
1205 An array of 8 uint values, where the array index corresponds to the
1206 User Priority (0 - 7) and the value indicates the percentage of
1207 bandwidth of the priority's assigned group that the priority may
1208 use. The sum of all percentages for priorities which belong to the
1209 same group must total 100 percent.
1210
1211 Format: array of uint32
1212
1213 priority-flow-control
1214 An array of 8 boolean values, where the array index corresponds to
1215 the User Priority (0 - 7) and the value indicates whether or not
1216 the corresponding priority should transmit priority pause.
1217
1218 Format: array of uint32
1219
1220 priority-flow-control-flags
1221 Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1222 (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1223 (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1224 NM_SETTING_DCB_FLAG_WILLING (0x4).
1225
1226 Format: NMSettingDcbFlags (uint32)
1227
1228 priority-group-bandwidth
1229 An array of 8 uint values, where the array index corresponds to the
1230 Priority Group ID (0 - 7) and the value indicates the percentage of
1231 link bandwidth allocated to that group. Allowed values are 0 - 100,
1232 and the sum of all values must total 100 percent.
1233
1234 Format: array of uint32
1235
1236 priority-group-flags
1237 Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1238 be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1239 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1240 NM_SETTING_DCB_FLAG_WILLING (0x4).
1241
1242 Format: NMSettingDcbFlags (uint32)
1243
1244 priority-group-id
1245 An array of 8 uint values, where the array index corresponds to the
1246 User Priority (0 - 7) and the value indicates the Priority Group
1247 ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1248 unrestricted group.
1249
1250 Format: array of uint32
1251
1252 priority-strict-bandwidth
1253 An array of 8 boolean values, where the array index corresponds to
1254 the User Priority (0 - 7) and the value indicates whether or not
1255 the priority may use all of the bandwidth allocated to its assigned
1256 group.
1257
1258 Format: array of uint32
1259
1260 priority-traffic-class
1261 An array of 8 uint values, where the array index corresponds to the
1262 User Priority (0 - 7) and the value indicates the traffic class (0
1263 - 7) to which the priority is mapped.
1264
1265 Format: array of uint32
1266
1267 ethtool setting
1268 Ethtool Ethernet Settings.
1269
1270 Properties:
1271
1272 coalesce-adaptive-rx
1273
1274 coalesce-adaptive-tx
1275
1276 coalesce-pkt-rate-high
1277
1278 coalesce-pkt-rate-low
1279
1280 coalesce-rx-frames
1281
1282 coalesce-rx-frames-high
1283
1284 coalesce-rx-frames-irq
1285
1286 coalesce-rx-frames-low
1287
1288 coalesce-rx-usecs
1289
1290 coalesce-rx-usecs-high
1291
1292 coalesce-rx-usecs-irq
1293
1294 coalesce-rx-usecs-low
1295
1296 coalesce-sample-interval
1297
1298 coalesce-stats-block-usecs
1299
1300 coalesce-tx-frames
1301
1302 coalesce-tx-frames-high
1303
1304 coalesce-tx-frames-irq
1305
1306 coalesce-tx-frames-low
1307
1308 coalesce-tx-usecs
1309
1310 coalesce-tx-usecs-high
1311
1312 coalesce-tx-usecs-irq
1313
1314 coalesce-tx-usecs-low
1315
1316 feature-esp-hw-offload
1317
1318 feature-esp-tx-csum-hw-offload
1319
1320 feature-fcoe-mtu
1321
1322 feature-gro
1323
1324 feature-gso
1325
1326 feature-highdma
1327
1328 feature-hw-tc-offload
1329
1330 feature-l2-fwd-offload
1331
1332 feature-loopback
1333
1334 feature-lro
1335
1336 feature-macsec-hw-offload
1337
1338 feature-ntuple
1339
1340 feature-rx
1341
1342 feature-rx-all
1343
1344 feature-rx-fcs
1345
1346 feature-rx-gro-hw
1347
1348 feature-rx-gro-list
1349
1350 feature-rx-udp-gro-forwarding
1351
1352 feature-rx-udp_tunnel-port-offload
1353
1354 feature-rx-vlan-filter
1355
1356 feature-rx-vlan-stag-filter
1357
1358 feature-rx-vlan-stag-hw-parse
1359
1360 feature-rxhash
1361
1362 feature-rxvlan
1363
1364 feature-sg
1365
1366 feature-tls-hw-record
1367
1368 feature-tls-hw-rx-offload
1369
1370 feature-tls-hw-tx-offload
1371
1372 feature-tso
1373
1374 feature-tx
1375
1376 feature-tx-checksum-fcoe-crc
1377
1378 feature-tx-checksum-ip-generic
1379
1380 feature-tx-checksum-ipv4
1381
1382 feature-tx-checksum-ipv6
1383
1384 feature-tx-checksum-sctp
1385
1386 feature-tx-esp-segmentation
1387
1388 feature-tx-fcoe-segmentation
1389
1390 feature-tx-gre-csum-segmentation
1391
1392 feature-tx-gre-segmentation
1393
1394 feature-tx-gso-list
1395
1396 feature-tx-gso-partial
1397
1398 feature-tx-gso-robust
1399
1400 feature-tx-ipxip4-segmentation
1401
1402 feature-tx-ipxip6-segmentation
1403
1404 feature-tx-nocache-copy
1405
1406 feature-tx-scatter-gather
1407
1408 feature-tx-scatter-gather-fraglist
1409
1410 feature-tx-sctp-segmentation
1411
1412 feature-tx-tcp-ecn-segmentation
1413
1414 feature-tx-tcp-mangleid-segmentation
1415
1416 feature-tx-tcp-segmentation
1417
1418 feature-tx-tcp6-segmentation
1419
1420 feature-tx-tunnel-remcsum-segmentation
1421
1422 feature-tx-udp-segmentation
1423
1424 feature-tx-udp_tnl-csum-segmentation
1425
1426 feature-tx-udp_tnl-segmentation
1427
1428 feature-tx-vlan-stag-hw-insert
1429
1430 feature-txvlan
1431
1432 ring-rx
1433
1434 ring-rx-jumbo
1435
1436 ring-rx-mini
1437
1438 ring-tx
1439
1440 gsm setting
1441 GSM-based Mobile Broadband Settings.
1442
1443 Properties:
1444
1445 apn
1446 Alias: apn
1447
1448 The GPRS Access Point Name specifying the APN used when
1449 establishing a data session with the GSM-based network. The APN
1450 often determines how the user will be billed for their network
1451 usage and whether the user has access to the Internet or just a
1452 provider-specific walled-garden, so it is important to use the
1453 correct APN for the user's mobile broadband plan. The APN may only
1454 be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1455 Section 14.9.
1456
1457 Format: string
1458
1459 auto-config
1460 When TRUE, the settings such as APN, username, or password will
1461 default to values that match the network the modem will register to
1462 in the Mobile Broadband Provider database.
1463
1464 Format: boolean
1465
1466 device-id
1467 The device unique identifier (as given by the WWAN management
1468 service) which this connection applies to. If given, the connection
1469 will only apply to the specified device.
1470
1471 Format: string
1472
1473 home-only
1474 When TRUE, only connections to the home network will be allowed.
1475 Connections to roaming networks will not be made.
1476
1477 Format: boolean
1478
1479 mtu
1480 If non-zero, only transmit packets of the specified size or
1481 smaller, breaking larger packets up into multiple frames.
1482
1483 Format: uint32
1484
1485 network-id
1486 The Network ID (GSM LAI format, i.e. MCC-MNC) to force specific
1487 network registration. If the Network ID is specified,
1488 NetworkManager will attempt to force the device to register only on
1489 the specified network. This can be used to ensure that the device
1490 does not roam when direct roaming control of the device is not
1491 otherwise possible.
1492
1493 Format: string
1494
1495 number
1496 Legacy setting that used to help establish PPP data sessions for
1497 GSM-based modems. Deprecated: 1
1498
1499 Format: string
1500
1501 password
1502 Alias: password
1503
1504 The password used to authenticate with the network, if required.
1505 Many providers do not require a password, or accept any password.
1506 But if a password is required, it is specified here.
1507
1508 Format: string
1509
1510 password-flags
1511 Flags indicating how to handle the "password" property. See the
1512 section called “Secret flag types:” for flag values.
1513
1514 Format: NMSettingSecretFlags (uint32)
1515
1516 pin
1517 If the SIM is locked with a PIN it must be unlocked before any
1518 other operations are requested. Specify the PIN here to allow
1519 operation of the device.
1520
1521 Format: string
1522
1523 pin-flags
1524 Flags indicating how to handle the "pin" property. See the section
1525 called “Secret flag types:” for flag values.
1526
1527 Format: NMSettingSecretFlags (uint32)
1528
1529 sim-id
1530 The SIM card unique identifier (as given by the WWAN management
1531 service) which this connection applies to. If given, the connection
1532 will apply to any device also allowed by "device-id" which contains
1533 a SIM card matching the given identifier.
1534
1535 Format: string
1536
1537 sim-operator-id
1538 A MCC/MNC string like "310260" or "21601" identifying the specific
1539 mobile network operator which this connection applies to. If given,
1540 the connection will apply to any device also allowed by "device-id"
1541 and "sim-id" which contains a SIM card provisioned by the given
1542 operator.
1543
1544 Format: string
1545
1546 username
1547 Alias: user
1548
1549 The username used to authenticate with the network, if required.
1550 Many providers do not require a username, or accept any username.
1551 But if a username is required, it is specified here.
1552
1553 Format: string
1554
1555 infiniband setting
1556 Infiniband Settings.
1557
1558 Properties:
1559
1560 mac-address
1561 Alias: mac
1562
1563 If specified, this connection will only apply to the IPoIB device
1564 whose permanent MAC address matches. This property does not change
1565 the MAC address of the device (i.e. MAC spoofing).
1566
1567 Format: byte array
1568
1569 mtu
1570 Alias: mtu
1571
1572 If non-zero, only transmit packets of the specified size or
1573 smaller, breaking larger packets up into multiple frames.
1574
1575 Format: uint32
1576
1577 p-key
1578 Alias: p-key
1579
1580 The InfiniBand P_Key to use for this device. A value of -1 means to
1581 use the default P_Key (aka "the P_Key at index 0"). Otherwise, it
1582 is a 16-bit unsigned integer, whose high bit is set if it is a
1583 "full membership" P_Key.
1584
1585 Format: int32
1586
1587 parent
1588 Alias: parent
1589
1590 The interface name of the parent device of this device. Normally
1591 NULL, but if the "p_key" property is set, then you must specify the
1592 base device by setting either this property or "mac-address".
1593
1594 Format: string
1595
1596 transport-mode
1597 Alias: transport-mode
1598
1599 The IP-over-InfiniBand transport mode. Either "datagram" or
1600 "connected".
1601
1602 Format: string
1603
1604 ipv4 setting
1605 IPv4 Settings.
1606
1607 Properties:
1608
1609 addresses
1610 Alias: ip4
1611
1612 Array of IP addresses.
1613
1614 Format: array of array of uint32
1615
1616 dad-timeout
1617 Timeout in milliseconds used to check for the presence of duplicate
1618 IP addresses on the network. If an address conflict is detected,
1619 the activation will fail. A zero value means that no duplicate
1620 address detection is performed, -1 means the default value (either
1621 configuration ipvx.dad-timeout override or zero). A value greater
1622 than zero is a timeout in milliseconds. The property is currently
1623 implemented only for IPv4.
1624
1625 Format: int32
1626
1627 dhcp-client-id
1628 A string sent to the DHCP server to identify the local machine
1629 which the DHCP server may use to customize the DHCP lease and
1630 options. When the property is a hex string ('aa:bb:cc') it is
1631 interpreted as a binary client ID, in which case the first byte is
1632 assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1633 remaining bytes may be a hardware address (e.g.
1634 '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1635 rest is a MAC address). If the property is not a hex string it is
1636 considered as a non-hardware-address client ID and the 'type' field
1637 is set to 0. The special values "mac" and "perm-mac" are supported,
1638 which use the current or permanent MAC address of the device to
1639 generate a client identifier with type ethernet (01). Currently,
1640 these options only work for ethernet type of links. The special
1641 value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid" property as
1642 an RFC4361-compliant client identifier. As IAID it uses
1643 "ipv4.dhcp-iaid" and falls back to "ipv6.dhcp-iaid" if unset. The
1644 special value "duid" generates a RFC4361-compliant client
1645 identifier based on "ipv4.dhcp-iaid" and uses a DUID generated by
1646 hashing /etc/machine-id. The special value "stable" is supported to
1647 generate a type 0 client identifier based on the stable-id (see
1648 connection.stable-id) and a per-host key. If you set the stable-id,
1649 you may want to include the "${DEVICE}" or "${MAC}" specifier to
1650 get a per-device key. If unset, a globally configured default is
1651 used. If still unset, the default depends on the DHCP plugin.
1652
1653 Format: string
1654
1655 dhcp-fqdn
1656 If the "dhcp-send-hostname" property is TRUE, then the specified
1657 FQDN will be sent to the DHCP server when acquiring a lease. This
1658 property and "dhcp-hostname" are mutually exclusive and cannot be
1659 set at the same time.
1660
1661 Format: string
1662
1663 dhcp-hostname
1664 If the "dhcp-send-hostname" property is TRUE, then the specified
1665 name will be sent to the DHCP server when acquiring a lease. This
1666 property and "dhcp-fqdn" are mutually exclusive and cannot be set
1667 at the same time.
1668
1669 Format: string
1670
1671 dhcp-hostname-flags
1672 Flags for the DHCP hostname and FQDN. Currently, this property only
1673 includes flags to control the FQDN flags set in the DHCP FQDN
1674 option. Supported FQDN flags are
1675 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1676 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1677 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1678 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1679 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1680 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1681 the standard FQDN flags are set in the request:
1682 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1683 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1684 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1685 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1686 (0x0), a global default is looked up in NetworkManager
1687 configuration. If that value is unset or also
1688 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1689 described above are sent in the DHCP requests.
1690
1691 Format: uint32
1692
1693 dhcp-iaid
1694 A string containing the "Identity Association Identifier" (IAID)
1695 used by the DHCP client. The property is a 32-bit decimal value or
1696 a special value among "mac", "perm-mac", "ifname" and "stable".
1697 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1698 (or permanent) MAC address are used as IAID. When set to "ifname",
1699 the IAID is computed by hashing the interface name. The special
1700 value "stable" can be used to generate an IAID based on the
1701 stable-id (see connection.stable-id), a per-host key and the
1702 interface name. When the property is unset, the value from global
1703 configuration is used; if no global default is set then the IAID is
1704 assumed to be "ifname". Note that at the moment this property is
1705 ignored for IPv6 by dhclient, which always derives the IAID from
1706 the MAC address.
1707
1708 Format: string
1709
1710 dhcp-reject-servers
1711 Array of servers from which DHCP offers must be rejected. This
1712 property is useful to avoid getting a lease from misconfigured or
1713 rogue servers. For DHCPv4, each element must be an IPv4 address,
1714 optionally followed by a slash and a prefix length (e.g.
1715 "192.168.122.0/24"). This property is currently not implemented for
1716 DHCPv6.
1717
1718 Format: array of string
1719
1720 dhcp-send-hostname
1721 If TRUE, a hostname is sent to the DHCP server when acquiring a
1722 lease. Some DHCP servers use this hostname to update DNS databases,
1723 essentially providing a static hostname for the computer. If the
1724 "dhcp-hostname" property is NULL and this property is TRUE, the
1725 current persistent hostname of the computer is sent.
1726
1727 Format: boolean
1728
1729 dhcp-timeout
1730 A timeout for a DHCP transaction in seconds. If zero (the default),
1731 a globally configured default is used. If still unspecified, a
1732 device specific timeout is used (usually 45 seconds). Set to
1733 2147483647 (MAXINT32) for infinity.
1734
1735 Format: int32
1736
1737 dhcp-vendor-class-identifier
1738 The Vendor Class Identifier DHCP option (60). Special characters in
1739 the data string may be escaped using C-style escapes, nevertheless
1740 this property cannot contain nul bytes. If the per-profile value is
1741 unspecified (the default), a global connection default gets
1742 consulted. If still unspecified, the DHCP option is not sent to the
1743 server. Since 1.28
1744
1745 Format: string
1746
1747 dns
1748 Array of IP addresses of DNS servers.
1749
1750 Format: array of uint32
1751
1752 dns-options
1753 Array of DNS options as described in man 5 resolv.conf. NULL means
1754 that the options are unset and left at the default. In this case
1755 NetworkManager will use default options. This is distinct from an
1756 empty list of properties. The currently supported options are
1757 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
1758 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
1759 "no-reload", "no-tld-query", "rotate", "single-request",
1760 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
1761 "trust-ad" setting is only honored if the profile contributes name
1762 servers to resolv.conf, and if all contributing profiles have
1763 "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
1764 systemd-resolved in NetworkManager.conf) then "edns0" and
1765 "trust-ad" are automatically added.
1766
1767 Format: array of string
1768
1769 dns-priority
1770 DNS servers priority. The relative priority for DNS servers
1771 specified by this setting. A lower numerical value is better
1772 (higher priority). Negative values have the special effect of
1773 excluding other configurations with a greater numerical priority
1774 value; so in presence of at least one negative priority, only DNS
1775 servers from connections with the lowest priority value will be
1776 used. To avoid all DNS leaks, set the priority of the profile that
1777 should be used to the most negative value of all active connection
1778 profiles. Zero selects a globally configured default value. If the
1779 latter is missing or zero too, it defaults to 50 for VPNs
1780 (including WireGuard) and 100 for other connections. Note that the
1781 priority is to order DNS settings for multiple active connections.
1782 It does not disambiguate multiple DNS servers within the same
1783 connection profile. When multiple devices have configurations with
1784 the same priority, VPNs will be considered first, then devices with
1785 the best (lowest metric) default route and then all other devices.
1786 When using dns=default, servers with higher priority will be on top
1787 of resolv.conf. To prioritize a given server over another one
1788 within the same connection, just specify them in the desired order.
1789 Note that commonly the resolver tries name servers in
1790 /etc/resolv.conf in the order listed, proceeding with the next
1791 server in the list on failure. See for example the "rotate" option
1792 of the dns-options setting. If there are any negative DNS
1793 priorities, then only name servers from the devices with that
1794 lowest priority will be considered. When using a DNS resolver that
1795 supports Conditional Forwarding or Split DNS (with dns=dnsmasq or
1796 dns=systemd-resolved settings), each connection is used to query
1797 domains in its search list. The search domains determine which name
1798 servers to ask, and the DNS priority is used to prioritize name
1799 servers based on the domain. Queries for domains not present in any
1800 search list are routed through connections having the '~.' special
1801 wildcard domain, which is added automatically to connections with
1802 the default route (or can be added manually). When multiple
1803 connections specify the same domain, the one with the best priority
1804 (lowest numerical value) wins. If a sub domain is configured on
1805 another interface it will be accepted regardless of the priority,
1806 unless the parent domain on the other interface has a negative
1807 priority, which causes the sub domain to be shadowed. With Split
1808 DNS one can avoid undesired DNS leaks by properly configuring DNS
1809 priorities and the search domains, so that only name servers of the
1810 desired interface are configured.
1811
1812 Format: int32
1813
1814 dns-search
1815 Array of DNS search domains. Domains starting with a tilde ('~')
1816 are considered 'routing' domains and are used only to decide the
1817 interface over which a query must be forwarded; they are not used
1818 to complete unqualified host names. When using a DNS plugin that
1819 supports Conditional Forwarding or Split DNS, then the search
1820 domains specify which name servers to query. This makes the
1821 behavior different from running with plain /etc/resolv.conf. For
1822 more information see also the dns-priority setting.
1823
1824 Format: array of string
1825
1826 gateway
1827 Alias: gw4
1828
1829 The gateway associated with this configuration. This is only
1830 meaningful if "addresses" is also set. The gateway's main purpose
1831 is to control the next hop of the standard default route on the
1832 device. Hence, the gateway property conflicts with "never-default"
1833 and will be automatically dropped if the IP configuration is set to
1834 never-default. As an alternative to setting the gateway, configure a
1835 static default route with /0 as prefix length.
1836
1837 Format: string
1838
1839 ignore-auto-dns
1840 When "method" is set to "auto" and this property to TRUE,
1841 automatically configured name servers and search domains are
1842 ignored and only name servers and search domains specified in the
1843 "dns" and "dns-search" properties, if any, are used.
1844
1845 Format: boolean
1846
1847 ignore-auto-routes
1848 When "method" is set to "auto" and this property to TRUE,
1849 automatically configured routes are ignored and only routes
1850 specified in the "routes" property, if any, are used.
1851
1852 Format: boolean
1853
1854 may-fail
1855 If TRUE, allow overall network configuration to proceed even if the
1856 configuration specified by this property times out. Note that at
1857 least one IP configuration must succeed or overall network
1858 configuration will still fail. For example, in IPv6-only networks,
1859 setting this property to TRUE on the NMSettingIP4Config allows the
1860 overall network configuration to succeed if IPv4 configuration
1861 fails but IPv6 configuration completes successfully.
1862
1863 Format: boolean
1864
1865 method
1866 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
1867 both support "disabled", "auto", "manual", and "link-local". See
1868 the subclass-specific documentation for other values. In general,
1869 for the "auto" method, properties such as "dns" and "routes"
1870 specify information that is added on to the information returned
1871 from automatic configuration. The "ignore-auto-routes" and
1872 "ignore-auto-dns" properties modify this behavior. For methods that
1873 imply no upstream network, such as "shared" or "link-local", these
1874 properties must be empty. For IPv4 method "shared", the IP subnet
1875 can be configured by adding one manual IPv4 address or otherwise
1876 10.42.x.0/24 is chosen. Note that the shared method must be
1877 configured on the interface which shares the internet to a subnet,
1878 not on the uplink which is shared.
1879
1880 Format: string
1881
1882 never-default
1883 If TRUE, this connection will never be the default connection for
1884 this IP type, meaning it will never be assigned the default route
1885 by NetworkManager.
1886
1887 Format: boolean
1888
1889 route-metric
1890 The default metric for routes that don't explicitly specify a
1891 metric. The default value -1 means that the metric is chosen
1892 automatically based on the device type. The metric applies to
1893 dynamic routes, manual (static) routes that don't have an explicit
1894 metric setting, address prefix routes, and the default route. Note
1895 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
1896 (user default). Hence, setting this property to zero effectively
1897 means setting it to 1024. For IPv4, zero is a regular value for the
1898 metric.
1899
1900 Format: int64
1901
1902 route-table
1903 Enable policy routing (source routing) and set the routing table
1904 used when adding routes. This affects all routes, including
1905 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
1906 routes. But note that static routes can individually overwrite the
1907 setting by explicitly specifying a non-zero routing table. If the
1908 table setting is left at zero, it is eligible to be overwritten via
1909 global configuration. If the property is zero even after applying
1910 the global configuration value, policy routing is disabled for the
1911 address family of this connection. Policy routing disabled means
1912 that NetworkManager will add all routes to the main table (except
1913 static routes that explicitly configure a different table).
1914 Additionally, NetworkManager will not delete any extraneous routes
1915 from tables except the main table. This is to preserve backward
1916 compatibility for users who manage routing tables outside of
1917 NetworkManager.
1918
1919 Format: uint32
1920
1921 routes
1922 Array of IP routes.
1923
1924 Format: array of array of uint32
1925
1926 routing-rules
1927
1928 ipv6 setting
1929 IPv6 Settings.
1930
1931 Properties:
1932
1933 addr-gen-mode
1934 Configure method for creating the address for use with RFC4862 IPv6
1935 Stateless Address Autoconfiguration. The permitted values are:
1936 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0) or
1937 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1). If the
1938 property is set to EUI64, the addresses will be generated using the
1939 interface tokens derived from the hardware address. This makes the host
1940 part of the address stay constant, making it possible to track the
1941 host's presence when it changes networks. The address changes when
1942 the interface hardware is replaced. The value of stable-privacy
1943 enables use of a cryptographically secure hash of a secret
1944 host-specific key along with the connection's stable-id and the
1945 network address as specified by RFC7217. This makes it impossible
1946 to use the address to track the host's presence, and makes the address
1947 stable when the network interface hardware is replaced. On D-Bus,
1948 the absence of an addr-gen-mode setting equals enabling
1949 stable-privacy. For keyfile plugin, the absence of the setting on
1950 disk means EUI64 so that the property doesn't change on upgrade
1951 from older versions. Note that this setting is distinct from the
1952 Privacy Extensions as configured by "ip6-privacy" property and it
1953 does not affect the temporary addresses configured with this
1954 option.
1955
1956 Format: int32
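
The tracking difference between the two addr-gen-mode values, as an added example (not NetworkManager's code). The stable-privacy function below is a simplified RFC 7217 style derivation using HMAC-SHA256; the key, stable-id, MAC address and prefixes are constructed sample values, and NetworkManager's exact hash inputs are not reproduced here.

```python
import hashlib
import hmac
import ipaddress

IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier derived from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02  # flip the universal/local bit
    raw = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(raw, "big")


def stable_privacy_iid(secret_key: bytes, stable_id: str,
                       prefix: ipaddress.IPv6Network) -> int:
    """Illustrative RFC 7217 style identifier: keyed hash of the stable-id
    and the network prefix. The MAC address is deliberately not an input.
    Assumption: HMAC-SHA256 and this message layout are chosen for the
    example only."""
    msg = stable_id.encode() + b"\x00" + prefix.network_address.packed[:8]
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def slaac_address(prefix: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC example expects a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | (iid & IID_MASK))


def interface_identifier(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits of an address: the part an observer can correlate."""
    return int(addr) & IID_MASK


# Constructed sample values (documentation prefixes, made-up MAC and key).
MAC = "00:11:22:33:44:55"
KEY = b"constructed-host-secret"
STABLE_ID = "constructed-stable-id"
HOME = ipaddress.IPv6Network("2001:db8:1::/64")
CAFE = ipaddress.IPv6Network("2001:db8:2::/64")

if __name__ == "__main__":
    for label, net in (("home", HOME), ("cafe", CAFE)):
        eui = slaac_address(net, eui64_iid(MAC))
        stable = slaac_address(net, stable_privacy_iid(KEY, STABLE_ID, net))
        print(f"{label}: eui64={eui} stable-privacy={stable}")
```

With EUI64 the low 64 bits are identical on both networks, so the host can be correlated across them; with the keyed derivation they differ per prefix yet stay the same each time the host returns to a given network.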
1957
1958 addresses
1959 Alias: ip6
1960
1961 Array of IP addresses.
1962
1963 Format: array of legacy IPv6 address struct
1964
1965 dhcp-duid
1966 A string containing the DHCPv6 Unique Identifier (DUID) used by the
1967 dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
1968 DUID is carried in the Client Identifier option. If the property is
1969 a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
1970 filled as an opaque value in the Client Identifier option. The
1971 special value "lease" will retrieve the DUID previously used from
1972 the lease file belonging to the connection. If no DUID is found and
1973 "dhclient" is the configured dhcp client, the DUID is searched in
1974 the system-wide dhclient lease file. If still no DUID is found, or
1975 another dhcp client is used, a global and permanent DUID-UUID (RFC
1976 6355) will be generated based on the machine-id. The special values
1977 "llt" and "ll" will generate a DUID of type LLT or LL (see RFC
1978 3315) based on the current MAC address of the device. In order to
1979 try providing a stable DUID-LLT, the time field will contain a
1980 constant timestamp that is used globally (for all profiles) and
1981 persisted to disk. The special values "stable-llt", "stable-ll" and
1982 "stable-uuid" will generate a DUID of the corresponding type,
1983 derived from the connection's stable-id and a per-host unique key.
1984 You may want to include the "${DEVICE}" or "${MAC}" specifier in
1985 the stable-id, in case this profile gets activated on multiple
1986 devices. So, the link-layer address of "stable-ll" and "stable-llt"
1987 will be a generated address derived from the stable id. The
1988 DUID-LLT time value in the "stable-llt" option will be picked among
1989 a static timespan of three years (the upper bound of the interval
1990 is the same constant timestamp used in "llt"). When the property is
1991 unset, the global value provided for "ipv6.dhcp-duid" is used. If
1992 no global value is provided, the default "lease" value is assumed.
1993
1994 Format: string
1995
1996 dhcp-hostname
1997 If the "dhcp-send-hostname" property is TRUE, then the specified
1998 name will be sent to the DHCP server when acquiring a lease. This
1999 property and "dhcp-fqdn" are mutually exclusive and cannot be set
2000 at the same time.
2001
2002 Format: string
2003
2004 dhcp-hostname-flags
2005 Flags for the DHCP hostname and FQDN. Currently, this property only
2006 includes flags to control the FQDN flags set in the DHCP FQDN
2007 option. Supported FQDN flags are
2008 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2009 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
2010 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
2011 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
2012 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
2013 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
2014 the standard FQDN flags are set in the request:
2015 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2016 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
2017 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
2018 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
2019 (0x0), a global default is looked up in NetworkManager
2020 configuration. If that value is unset or also
2021 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
2022 described above are sent in the DHCP requests.
2023
2024 Format: uint32
2025
2026 dhcp-iaid
2027 A string containing the "Identity Association Identifier" (IAID)
2028 used by the DHCP client. The property is a 32-bit decimal value or
2029 a special value among "mac", "perm-mac", "ifname" and "stable".
2030 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
2031 (or permanent) MAC address are used as IAID. When set to "ifname",
2032 the IAID is computed by hashing the interface name. The special
2033 value "stable" can be used to generate an IAID based on the
2034 stable-id (see connection.stable-id), a per-host key and the
2035 interface name. When the property is unset, the value from global
2036 configuration is used; if no global default is set then the IAID is
2037 assumed to be "ifname". Note that at the moment this property is
2038 ignored for IPv6 by dhclient, which always derives the IAID from
2039 the MAC address.
2040
2041 Format: string
2042
2043 dhcp-send-hostname
2044 If TRUE, a hostname is sent to the DHCP server when acquiring a
2045 lease. Some DHCP servers use this hostname to update DNS databases,
2046 essentially providing a static hostname for the computer. If the
2047 "dhcp-hostname" property is NULL and this property is TRUE, the
2048 current persistent hostname of the computer is sent.
2049
2050 Format: boolean
2051
2052 dhcp-timeout
2053 A timeout for a DHCP transaction in seconds. If zero (the default),
2054 a globally configured default is used. If still unspecified, a
2055 device specific timeout is used (usually 45 seconds). Set to
2056 2147483647 (MAXINT32) for infinity.
2057
2058 Format: int32
2059
2060 dns
2061 Array of IP addresses of DNS servers.
2062
2063 Format: array of byte array
2064
2065 dns-options
2066 Array of DNS options as described in man 5 resolv.conf. NULL means
2067 that the options are unset and left at the default. In this case
2068 NetworkManager will use default options. This is distinct from an
2069 empty list of properties. The currently supported options are
2070 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
2071 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
2072 "no-reload", "no-tld-query", "rotate", "single-request",
2073 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
2074 "trust-ad" setting is only honored if the profile contributes name
2075 servers to resolv.conf, and if all contributing profiles have
2076 "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
2077 systemd-resolved in NetworkManager.conf) then "edns0" and
2078 "trust-ad" are automatically added.
2079
2080 Format: array of string
2081
2082 dns-priority
2083 DNS servers priority. The relative priority for DNS servers
2084 specified by this setting. A lower numerical value is better
2085 (higher priority). Negative values have the special effect of
2086 excluding other configurations with a greater numerical priority
2087 value; so in presence of at least one negative priority, only DNS
2088 servers from connections with the lowest priority value will be
2089 used. To avoid all DNS leaks, set the priority of the profile that
2090 should be used to the most negative value of all active connection
2091 profiles. Zero selects a globally configured default value. If the
2092 latter is missing or zero too, it defaults to 50 for VPNs
2093 (including WireGuard) and 100 for other connections. Note that the
2094 priority is to order DNS settings for multiple active connections.
2095 It does not disambiguate multiple DNS servers within the same
2096 connection profile. When multiple devices have configurations with
2097 the same priority, VPNs will be considered first, then devices with
2098 the best (lowest metric) default route and then all other devices.
2099 When using dns=default, servers with higher priority will be on top
2100 of resolv.conf. To prioritize a given server over another one
2101 within the same connection, just specify them in the desired order.
2102 Note that commonly the resolver tries name servers in
2103 /etc/resolv.conf in the order listed, proceeding with the next
2104 server in the list on failure. See for example the "rotate" option
2105 of the dns-options setting. If there are any negative DNS
2106 priorities, then only name servers from the devices with that
2107 lowest priority will be considered. When using a DNS resolver that
2108 supports Conditional Forwarding or Split DNS (with dns=dnsmasq or
2109 dns=systemd-resolved settings), each connection is used to query
2110 domains in its search list. The search domains determine which name
2111 servers to ask, and the DNS priority is used to prioritize name
2112 servers based on the domain. Queries for domains not present in any
2113 search list are routed through connections having the '~.' special
2114 wildcard domain, which is added automatically to connections with
2115 the default route (or can be added manually). When multiple
2116 connections specify the same domain, the one with the best priority
2117 (lowest numerical value) wins. If a sub domain is configured on
2118 another interface it will be accepted regardless of the priority,
2119 unless the parent domain on the other interface has a negative
2120 priority, which causes the sub domain to be shadowed. With Split
2121 DNS one can avoid undesired DNS leaks by properly configuring DNS
2122 priorities and the search domains, so that only name servers of the
2123 desired interface are configured.
2124
2125 Format: int32
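
The dns-priority rules above (they are the same for the ipv4 and ipv6 settings) can be modelled to check a set of active profiles for DNS leaks. This is an added example, not NetworkManager's code: it covers only the plain resolv.conf case (dns=default), treats the global default as a single integer, and uses constructed profiles with documentation addresses.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

VPN_DEFAULT_PRIORITY = 50     # documented fallback for VPNs (incl. WireGuard)
OTHER_DEFAULT_PRIORITY = 100  # documented fallback for other connections


@dataclass(frozen=True)
class ActiveProfile:
    """Constructed stand-in for an active connection profile."""
    name: str
    is_vpn: bool
    dns_priority: int                           # 0 selects the default
    servers: Tuple[str, ...]
    default_route_metric: Optional[int] = None  # None: no default route


def effective_priority(p: ActiveProfile, global_default: int = 0) -> int:
    """Zero falls back to the global default, then to 50 (VPN) or 100."""
    if p.dns_priority != 0:
        return p.dns_priority
    if global_default != 0:
        return global_default
    return VPN_DEFAULT_PRIORITY if p.is_vpn else OTHER_DEFAULT_PRIORITY


def _tie_break(p: ActiveProfile) -> Tuple[int, int]:
    """Same priority: VPNs first, then best default route, then the rest."""
    if p.is_vpn:
        return (0, 0)
    if p.default_route_metric is not None:
        return (1, p.default_route_metric)
    return (2, 0)


def contributing_profiles(profiles, global_default: int = 0) -> List[ActiveProfile]:
    """Profiles whose name servers are used, best priority first."""
    ranked = [(effective_priority(p, global_default), p) for p in profiles]
    if not ranked:
        return []
    lowest = min(prio for prio, _ in ranked)
    if lowest < 0:
        # A negative priority excludes everything with a greater value.
        ranked = [(prio, p) for prio, p in ranked if prio == lowest]
    ranked.sort(key=lambda item: (item[0], _tie_break(item[1])))
    return [p for _, p in ranked]


def resolv_conf_servers(profiles, global_default: int = 0) -> List[str]:
    """Name server order as it would appear with dns=default."""
    servers: List[str] = []
    for p in contributing_profiles(profiles, global_default):
        for s in p.servers:
            if s not in servers:
                servers.append(s)
    return servers


def leaking_profiles(profiles, protected: str, global_default: int = 0) -> List[str]:
    """Names of profiles, other than the protected one, that still
    contribute name servers."""
    return [p.name for p in contributing_profiles(profiles, global_default)
            if p.name != protected]


# Constructed scenarios.
DEFAULTS = (
    ActiveProfile("vpn0", True, 0, ("192.0.2.53",)),
    ActiveProfile("wired", False, 0, ("198.51.100.1",), 100),
    ActiveProfile("wifi", False, 0, ("203.0.113.1",), 600),
)
HARDENED = (ActiveProfile("vpn0", True, -50, ("192.0.2.53",)),) + DEFAULTS[1:]
SHADOWED = (
    ActiveProfile("vpn0", True, -10, ("192.0.2.53",)),
    ActiveProfile("wired", False, -20, ("198.51.100.1",), 100),
    DEFAULTS[2],
)

if __name__ == "__main__":
    for label, scenario in (("defaults", DEFAULTS), ("hardened", HARDENED),
                            ("shadowed", SHADOWED)):
        print(label, resolv_conf_servers(scenario),
              "leaks via:", leaking_profiles(scenario, "vpn0"))
```

The third scenario shows why the text says "the most negative value of all active connection profiles": a VPN at -10 is excluded entirely once another profile uses -20.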
2126
2127 dns-search
2128 Array of DNS search domains. Domains starting with a tilde ('~')
2129 are considered 'routing' domains and are used only to decide the
2130 interface over which a query must be forwarded; they are not used
2131 to complete unqualified host names. When using a DNS plugin that
2132 supports Conditional Forwarding or Split DNS, then the search
2133 domains specify which name servers to query. This makes the
2134 behavior different from running with plain /etc/resolv.conf. For
2135 more information see also the dns-priority setting.
2136
2137 Format: array of string
2138
2139 gateway
2140 Alias: gw6
2141
2142 The gateway associated with this configuration. This is only
2143 meaningful if "addresses" is also set. The gateway's main purpose
2144 is to control the next hop of the standard default route on the
2145 device. Hence, the gateway property conflicts with "never-default"
2146 and will be automatically dropped if the IP configuration is set to
2147 never-default. As an alternative to setting the gateway, configure a
2148 static default route with /0 as prefix length.
2149
2150 Format: string
2151
2152 ignore-auto-dns
2153 When "method" is set to "auto" and this property to TRUE,
2154 automatically configured name servers and search domains are
2155 ignored and only name servers and search domains specified in the
2156 "dns" and "dns-search" properties, if any, are used.
2157
2158 Format: boolean
2159
2160 ignore-auto-routes
2161 When "method" is set to "auto" and this property to TRUE,
2162 automatically configured routes are ignored and only routes
2163 specified in the "routes" property, if any, are used.
2164
2165 Format: boolean
2166
2167 ip6-privacy
2168 Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
2169 If enabled, it makes the kernel generate a temporary IPv6 address
2170 in addition to the public one generated from the MAC address via
2171 modified EUI-64. This enhances privacy, but on the other hand could
2172 cause problems in some applications. The permitted values are: -1:
2173 unknown, 0: disabled, 1: enabled (prefer public address), 2:
2174 enabled (prefer temporary addresses). Having a per-connection
2175 setting set to "-1" (unknown) means falling back to the global
2176 configuration "ipv6.ip6-privacy". If the global configuration is also
2177 unspecified or set to "-1", NetworkManager falls back to reading
2178 "/proc/sys/net/ipv6/conf/default/use_tempaddr". Note that this
2179 setting is distinct from the Stable Privacy addresses that can be
2180 enabled with the "addr-gen-mode" property's "stable-privacy"
2181 setting as another way of avoiding host tracking with IPv6
2182 addresses.
2183
2184 Format: NMSettingIP6ConfigPrivacy (int32)
2185
2186 may-fail
2187 If TRUE, allow overall network configuration to proceed even if the
2188 configuration specified by this property times out. Note that at
2189 least one IP configuration must succeed or overall network
2190 configuration will still fail. For example, in IPv6-only networks,
2191 setting this property to TRUE on the NMSettingIP4Config allows the
2192 overall network configuration to succeed if IPv4 configuration
2193 fails but IPv6 configuration completes successfully.
2194
2195 Format: boolean
2196
2197 method
2198 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
2199 both support "disabled", "auto", "manual", and "link-local". See
2200 the subclass-specific documentation for other values. In general,
2201 for the "auto" method, properties such as "dns" and "routes"
2202 specify information that is added on to the information returned
2203 from automatic configuration. The "ignore-auto-routes" and
2204 "ignore-auto-dns" properties modify this behavior. For methods that
2205 imply no upstream network, such as "shared" or "link-local", these
2206 properties must be empty. For IPv4 method "shared", the IP subnet
2207 can be configured by adding one manual IPv4 address or otherwise
2208 10.42.x.0/24 is chosen. Note that the shared method must be
2209 configured on the interface which shares the internet to a subnet,
2210 not on the uplink which is shared.
2211
2212 Format: string
2213
2214 never-default
2215 If TRUE, this connection will never be the default connection for
2216 this IP type, meaning it will never be assigned the default route
2217 by NetworkManager.
2218
2219 Format: boolean
2220
2221 ra-timeout
2222 A timeout for waiting for Router Advertisements, in seconds. If zero
2223 (the default), a globally configured default is used. If still
2224 unspecified, the timeout depends on the sysctl settings of the
2225 device. Set to 2147483647 (MAXINT32) for infinity.
2226
2227 Format: int32
2228
2229 route-metric
2230 The default metric for routes that don't explicitly specify a
2231 metric. The default value -1 means that the metric is chosen
2232 automatically based on the device type. The metric applies to
2233 dynamic routes, manual (static) routes that don't have an explicit
2234 metric setting, address prefix routes, and the default route. Note
2235 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2236 (user default). Hence, setting this property to zero effectively
2237 means setting it to 1024. For IPv4, zero is a regular value for the
2238 metric.
2239
2240 Format: int64
2241
2242 route-table
2243 Enable policy routing (source routing) and set the routing table
2244 used when adding routes. This affects all routes, including
2245 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
2246 routes. But note that static routes can individually overwrite the
2247 setting by explicitly specifying a non-zero routing table. If the
2248 table setting is left at zero, it is eligible to be overwritten via
2249 global configuration. If the property is zero even after applying
2250 the global configuration value, policy routing is disabled for the
2251 address family of this connection. Policy routing disabled means
2252 that NetworkManager will add all routes to the main table (except
2253 static routes that explicitly configure a different table).
2254 Additionally, NetworkManager will not delete any extraneous routes
2255 from tables except the main table. This is to preserve backward
2256 compatibility for users who manage routing tables outside of
2257 NetworkManager.
2258
2259 Format: uint32
2260
2261 routes
2262 Array of IP routes.
2263
2264 Format: array of legacy IPv6 route struct
2265
2266 routing-rules
2267
2268 token
2269 Configure the token for
2270 draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2271 interface identifiers. Useful with eui64 addr-gen-mode.
2272
2273 Format: string
2274
2275 ip-tunnel setting
2276 IP Tunneling Settings.
2277
2278 Properties:
2279
2280 encapsulation-limit
2281 How many additional levels of encapsulation are permitted to be
2282 prepended to packets. This property applies only to IPv6 tunnels.
2283
2284 Format: uint32
2285
2286 flags
2287 Tunnel flags. Currently, the following values are supported:
2288 NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2289 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2290 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2291 NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2292 NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2293 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2294 for IPv6 tunnels.
2295
2296 Format: uint32
2297
2298 flow-label
2299 The flow label to assign to tunnel packets. This property applies
2300 only to IPv6 tunnels.
2301
2302 Format: uint32
2303
2304 input-key
2305 The key used for tunnel input packets; the property is valid only
2306 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2307
2308 Format: string
2309
2310 local
2311 Alias: local
2312
2313 The local endpoint of the tunnel; the value can be empty, otherwise
2314 it must contain an IPv4 or IPv6 address.
2315
2316 Format: string
2317
2318 mode
2319 Alias: mode
2320
2321 The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2322 NM_IP_TUNNEL_MODE_GRE (2).
2323
2324 Format: uint32
2325
2326 mtu
2327 If non-zero, only transmit packets of the specified size or
2328 smaller, breaking larger packets up into multiple fragments.
2329
2330 Format: uint32
2331
2332 output-key
2333 The key used for tunnel output packets; the property is valid only
2334 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2335
2336 Format: string
2337
2338 parent
2339 Alias: dev
2340
2341 If given, specifies the parent interface name or parent connection
2342 UUID the new device will be bound to so that tunneled packets will
2343 only be routed via that interface.
2344
2345 Format: string
2346
2347 path-mtu-discovery
2348 Whether to enable Path MTU Discovery on this tunnel.
2349
2350 Format: boolean
2351
2352 remote
2353 Alias: remote
2354
2355 The remote endpoint of the tunnel; the value must contain an IPv4
2356 or IPv6 address.
2357
2358 Format: string
2359
2360 tos
2361 The type of service (IPv4) or traffic class (IPv6) field to be set
2362 on tunneled packets.
2363
2364 Format: uint32
2365
2366 ttl
2367 The TTL to assign to tunneled packets. 0 is a special value meaning
2368 that packets inherit the TTL value.
2369
2370 Format: uint32
2371
2372 macsec setting
2373 MACSec Settings.
2374
2375 Properties:
2376
2377 encrypt
2378 Alias: encrypt
2379
2380 Whether the transmitted traffic must be encrypted.
2381
2382 Format: boolean
2383
2384 mka-cak
2385 Alias: cak
2386
2387 The pre-shared CAK (Connectivity Association Key) for MACsec Key
2388 Agreement.
2389
2390 Format: string
2391
2392 mka-cak-flags
2393 Flags indicating how to handle the "mka-cak" property. See the
2394 section called “Secret flag types:” for flag values.
2395
2396 Format: NMSettingSecretFlags (uint32)
2397
2398 mka-ckn
2399 Alias: ckn
2400
2401 The pre-shared CKN (Connectivity-association Key Name) for MACsec
2402 Key Agreement.
2403
2404 Format: string
2405
2406 mode
2407 Alias: mode
2408
2409 Specifies how the CAK (Connectivity Association Key) for MKA
2410 (MACsec Key Agreement) is obtained.
2411
2412 Format: int32
2413
2414 parent
2415 Alias: dev
2416
2417 If given, specifies the parent interface name or parent connection
2418 UUID from which this MACSEC interface should be created. If this
2419 property is not specified, the connection must contain an
2420 "802-3-ethernet" setting with a "mac-address" property.
2421
2422 Format: string
2423
2424 port
2425 Alias: port
2426
2427 The port component of the SCI (Secure Channel Identifier), between
2428 1 and 65534.
2429
2430 Format: int32
2431
2432 send-sci
2433 Specifies whether the SCI (Secure Channel Identifier) is included
2434 in every packet.
2435
2436 Format: boolean
2437
2438 validation
2439 Specifies the validation mode for incoming frames.
2440
2441 Format: int32
2442
2443 macvlan setting
2444 MAC VLAN Settings.
2445
2446 Properties:
2447
2448 mode
2449 Alias: mode
2450
2451 The macvlan mode, which specifies the communication mechanism
2452 between multiple macvlans on the same lower device.
2453
2454 Format: uint32
2455
2456 parent
2457 Alias: dev
2458
2459 If given, specifies the parent interface name or parent connection
2460 UUID from which this MAC-VLAN interface should be created. If this
2461 property is not specified, the connection must contain an
2462 "802-3-ethernet" setting with a "mac-address" property.
2463
2464 Format: string
2465
2466 promiscuous
2467 Whether the interface should be put in promiscuous mode.
2468
2469 Format: boolean
2470
2471 tap
2472 Alias: tap
2473
2474 Whether the interface should be a MACVTAP.
2475
2476 Format: boolean
2477
2478 match setting
2479 Match settings.
2480
2481 Properties:
2482
2483 driver
2484 A list of driver names to match. Each element is a shell wildcard
2485 pattern. See NMSettingMatch:interface-name for how special
2486 characters '|', '&', '!' and '\' are used for optional and
2487 mandatory matches and inverting the pattern.
2488
2489 Format: array of string
2490
2491 interface-name
2492 A list of interface names to match. Each element is a shell
2493 wildcard pattern. An element can be prefixed with a pipe symbol (|)
2494 or an ampersand (&). The former means that the element is optional
2495 and the latter means that it is mandatory. If there are any
2496 optional elements, then the match evaluates to true if at least one
2497 of the optional elements matches (logical OR). If there are any
2498 mandatory elements, then they all must match (logical AND). By
2499 default, an element is optional. This means that an element "foo"
2500 behaves the same as "|foo". An element can also be inverted with an
2501 exclamation mark (!) placed after the pipe symbol (or the ampersand)
2502 and before the pattern. Note that "!foo" is a shortcut for the
2503 mandatory match "&!foo". Finally, a backslash can be used at the
2504 beginning of the element (after the optional special characters) to
2505 escape the start of the pattern. For example, "&\!a" is a
2506 mandatory match for literally "!a".
2507
2508 Format: array of string
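
The optional/mandatory/inverted rules above, written out as an evaluator that can be used to check which device names a match list would accept. This is an added example, not NetworkManager's code: Python's fnmatch stands in for the shell wildcard matching, an empty list is assumed to match every device, and the device names are constructed.

```python
from fnmatch import fnmatchcase
from typing import Iterable, List, NamedTuple


class Element(NamedTuple):
    mandatory: bool
    inverted: bool
    pattern: str


def parse_element(raw: str) -> Element:
    """Split one list element into its flags and wildcard pattern."""
    mandatory = False
    explicit = False
    rest = raw
    if rest[:1] == "&":
        mandatory, explicit, rest = True, True, rest[1:]
    elif rest[:1] == "|":
        explicit, rest = True, rest[1:]
    inverted = rest[:1] == "!"
    if inverted:
        rest = rest[1:]
        if not explicit:
            mandatory = True  # "!foo" is a shortcut for "&!foo"
    if rest[:1] == "\\":
        rest = rest[1:]       # backslash escapes the start of the pattern
    return Element(mandatory, inverted, rest)


def match_list(elements: Iterable[str], value: str) -> bool:
    """True if `value` satisfies the list: every mandatory element must
    match, and if optional elements exist at least one of them must."""
    parsed = [parse_element(e) for e in elements]
    if not parsed:
        return True  # assumption: an empty list places no restriction
    optional_hits: List[bool] = []
    for el in parsed:
        hit = fnmatchcase(value, el.pattern) != el.inverted
        if el.mandatory:
            if not hit:
                return False
        else:
            optional_hits.append(hit)
    return any(optional_hits) if optional_hits else True


def accepted_devices(elements: Iterable[str], devices: Iterable[str]) -> List[str]:
    """Audit helper: which of the given device names the list accepts."""
    elements = list(elements)
    return [d for d in devices if match_list(elements, d)]


# Constructed device names for the audit.
DEVICES = ["enp3s0", "wlp2s0", "enp3s0.100", "veth1a2b", "!a"]

if __name__ == "__main__":
    for rule in (["|en*", "|wl*", "&!*.100"], ["!veth*"], ["&\\!a"]):
        print(rule, "->", accepted_devices(rule, DEVICES))
```

Running the audit against the interface names actually present on a host shows whether a profile carrying secrets or trust settings would also apply to virtual or unexpected devices.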
2509
2510 kernel-command-line
2511 A list of kernel command line arguments to match. This may be used
2512 to check whether a specific kernel command line option is set (or,
2513 if prefixed with an exclamation mark, unset). The argument must
2514 either be a single word, or an assignment (i.e. two words,
2515 separated by "="). In the former case the kernel command line is
2516 searched for the word appearing as is, or as left hand side of an
2517 assignment. In the latter case, the exact assignment is looked for
2518 with right and left hand side matching. See
2519 NMSettingMatch:interface-name for how special characters '|', '&',
2520 '!' and '\' are used for optional and mandatory matches and
2521 inverting the pattern.
2522
2523 Format: array of string
2524
2525 path
2526 A list of paths to match against the ID_PATH udev property of
2527 devices. ID_PATH represents the topological persistent path of a
2528 device. It typically contains a subsystem string (pci, usb,
2529 platform, etc.) and a subsystem-specific identifier. For PCI
2530 devices the path has the form "pci-$domain:$bus:$device.$function",
2531 where each variable is a hexadecimal value; for example
2532 "pci-0000:0a:00.0". The path of a device can be obtained with
2533 "udevadm info /sys/class/net/$dev | grep ID_PATH=" or by looking at
2534 the "path" property exported by NetworkManager ("nmcli -f
2535 general.path device show $dev"). Each element of the list is a
2536 shell wildcard pattern. See NMSettingMatch:interface-name for how
2537 special characters '|', '&', '!' and '\' are used for optional and
2538 mandatory matches and inverting the pattern.
2539
2540 Format: array of string
2541
2542 802-11-olpc-mesh setting
2543 Alias: olpc-mesh
2544
2545 OLPC Wireless Mesh Settings.
2546
2547 Properties:
2548
2549 channel
2550 Alias: channel
2551
2552 Channel on which the mesh network to join is located.
2553
2554 Format: uint32
2555
2556 dhcp-anycast-address
2557 Alias: dhcp-anycast
2558
2559 Anycast DHCP MAC address used when requesting an IP address via
2560 DHCP. The specific anycast address used determines which DHCP
2561 server class answers the request.
2562
2563 Format: byte array
2564
2565 ssid
2566 Alias: ssid
2567
2568 SSID of the mesh network to join.
2569
2570 Format: byte array
2571
2572 ovs-bridge setting
2573 OvsBridge Link Settings.
2574
2575 Properties:
2576
2577 datapath-type
2578 The data path type. One of "system", "netdev" or empty.
2579
2580 Format: string
2581
2582 fail-mode
2583 The bridge failure mode. One of "secure", "standalone" or empty.
2584
2585 Format: string
2586
2587 mcast-snooping-enable
2588 Enable or disable multicast snooping.
2589
2590 Format: boolean
2591
2592 rstp-enable
2593 Enable or disable RSTP.
2594
2595 Format: boolean
2596
2597 stp-enable
2598 Enable or disable STP.
2599
2600 Format: boolean
2601
2602 ovs-dpdk setting
2603 OvsDpdk Link Settings.
2604
2605 Properties:
2606
2607 devargs
2608 Open vSwitch DPDK device arguments.
2609
2610 Format: string
2611
2612 ovs-interface setting
2613 Open vSwitch Interface Settings.
2614
2615 Properties:
2616
2617 type
2618 The interface type. Either "internal", "system", "patch", "dpdk",
2619 or empty.
2620
2621 Format: string
2622
2623 ovs-patch setting
2624 OvsPatch Link Settings.
2625
2626 Properties:
2627
2628 peer
2629 Specifies the name of the interface for the other side of the
2630 patch. The patch on the other side must also set this interface as
2631 peer.
2632
2633 Format: string
2634
2635 ovs-port setting
2636 OvsPort Link Settings.
2637
2638 Properties:
2639
2640 bond-downdelay
2641 The time the port must be inactive in order to be considered down.
2642
2643 Format: uint32
2644
2645 bond-mode
2646 Bonding mode. One of "active-backup", "balance-slb", or
2647 "balance-tcp".
2648
2649 Format: string
2650
2651 bond-updelay
2652 The time the port must be active before it starts forwarding traffic.
2653
2654 Format: uint32
2655
2656 lacp
2657 LACP mode. One of "active", "off", or "passive".
2658
2659 Format: string
2660
2661 tag
2662 The VLAN tag in the range 0-4095.
2663
2664 Format: uint32
2665
2666 vlan-mode
2667 The VLAN mode. One of "access", "native-tagged", "native-untagged",
2668 "trunk" or unset.
2669
2670 Format: string
2671
2672 ppp setting
2673 Point-to-Point Protocol Settings.
2674
2675 Properties:
2676
2677 baud
2678 If non-zero, instruct pppd to set the serial port to the specified
2679 baudrate. This value should normally be left as 0 to automatically
2680 choose the speed.
2681
2682 Format: uint32
2683
2684 crtscts
2685 If TRUE, specify that pppd should set the serial port to use
2686 hardware flow control with RTS and CTS signals. This value should
2687 normally be set to FALSE.
2688
2689 Format: boolean
2690
2691 lcp-echo-failure
2692 If non-zero, instruct pppd to presume the connection to the peer
2693 has failed if the specified number of LCP echo-requests go
2694 unanswered by the peer. The "lcp-echo-interval" property must also
2695 be set to a non-zero value if this property is used.
2696
2697 Format: uint32
2698
2699 lcp-echo-interval
2700 If non-zero, instruct pppd to send an LCP echo-request frame to the
2701 peer every n seconds (where n is the specified value). Note that
2702 some PPP peers will respond to echo requests and some will not, and
2703 it is not possible to autodetect this.
2704
2705 Format: uint32
2706
2707 mppe-stateful
2708 If TRUE, stateful MPPE is used. See pppd documentation for more
2709 information on stateful MPPE.
2710
2711 Format: boolean
2712
2713 mru
2714 If non-zero, instruct pppd to request that the peer send packets no
2715 larger than the specified size. If non-zero, the MRU should be
2716 between 128 and 16384.
2717
2718 Format: uint32
2719
2720 mtu
2721 If non-zero, instruct pppd to send packets no larger than the
2722 specified size.
2723
2724 Format: uint32
2725
2726 no-vj-comp
2727 If TRUE, Van Jacobson TCP header compression will not be requested.
2728
2729 Format: boolean
2730
2731 noauth
2732 If TRUE, do not require the other side (usually the PPP server) to
2733 authenticate itself to the client. If FALSE, require authentication
2734 from the remote side. In almost all cases, this should be TRUE.
2735
2736 Format: boolean
2737
2738 nobsdcomp
2739 If TRUE, BSD compression will not be requested.
2740
2741 Format: boolean
2742
2743 nodeflate
2744 If TRUE, "deflate" compression will not be requested.
2745
2746 Format: boolean
2747
2748 refuse-chap
2749 If TRUE, the CHAP authentication method will not be used.
2750
2751 Format: boolean
2752
2753 refuse-eap
2754 If TRUE, the EAP authentication method will not be used.
2755
2756 Format: boolean
2757
2758 refuse-mschap
2759 If TRUE, the MSCHAP authentication method will not be used.
2760
2761 Format: boolean
2762
2763 refuse-mschapv2
2764 If TRUE, the MSCHAPv2 authentication method will not be used.
2765
2766 Format: boolean
2767
2768 refuse-pap
2769 If TRUE, the PAP authentication method will not be used.
2770
2771 Format: boolean
2772
2773 require-mppe
2774 If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
2775 required for the PPP session. If either 64-bit or 128-bit MPPE is
2776 not available the session will fail. Note that MPPE is not used on
2777 mobile broadband connections.
2778
2779 Format: boolean
2780
2781 require-mppe-128
2782 If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
2783 required for the PPP session, and the "require-mppe" property must
2784 also be set to TRUE. If 128-bit MPPE is not available the session
2785 will fail.
2786
2787 Format: boolean
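
The ppp properties above carry a few cross-property rules (lcp-echo-failure needs lcp-echo-interval, the MRU range, require-mppe-128 needs require-mppe). The following added example, which is not part of NetworkManager, checks a profile against them; the "ppp.KEY:VALUE" input format, the sample profile and the forbidden_auth policy parameter are assumptions made for the illustration.

```python
"""Consistency check for the ppp setting of a connection profile."""

# Constructed sample in "ppp.KEY:VALUE" form (assumed to resemble terse
# nmcli output; values containing ':' are not handled here).
SAMPLE_TERSE = """\
ppp.noauth:yes
ppp.refuse-eap:no
ppp.refuse-pap:no
ppp.refuse-chap:yes
ppp.refuse-mschap:yes
ppp.refuse-mschapv2:no
ppp.require-mppe:no
ppp.require-mppe-128:yes
ppp.mru:64
ppp.lcp-echo-failure:5
ppp.lcp-echo-interval:0
"""

# One entry per refuse-* property documented above.
AUTH_METHODS = ("pap", "chap", "mschap", "mschapv2", "eap")


def parse_terse(text):
    """Return {property: value} for every 'ppp.' line in text."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("ppp."):
            settings[key[len("ppp."):]] = value.strip()
    return settings


def _flag(settings, name):
    # A missing boolean is treated as FALSE (assumption of this example).
    return settings.get(name, "no").lower() in ("yes", "true")


def _num(settings, name):
    # A missing or empty number is treated as 0 (assumption of this example).
    return int(settings.get(name) or 0)


def allowed_auth_methods(settings):
    """Authentication methods the profile does not refuse."""
    return [m for m in AUTH_METHODS if not _flag(settings, "refuse-" + m)]


def check_ppp(settings, forbidden_auth=()):
    """Return a list of human-readable problems found in the ppp setting.

    forbidden_auth is a local policy (hypothetical parameter): methods
    that must be refused, for example ("pap",) because PAP sends the
    password to the peer in clear text.
    """
    issues = []
    if _num(settings, "lcp-echo-failure") and not _num(settings, "lcp-echo-interval"):
        issues.append("lcp-echo-failure is set but lcp-echo-interval is 0")
    mru = _num(settings, "mru")
    if mru and not 128 <= mru <= 16384:
        issues.append("mru %d is outside 128..16384" % mru)
    if _flag(settings, "require-mppe-128") and not _flag(settings, "require-mppe"):
        issues.append("require-mppe-128 is TRUE but require-mppe is not")
    for method in allowed_auth_methods(settings):
        if method in forbidden_auth:
            issues.append("%s is allowed by the profile but forbidden by policy" % method)
    return issues


if __name__ == "__main__":
    for issue in check_ppp(parse_terse(SAMPLE_TERSE), forbidden_auth=("pap",)):
        print(issue)
```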
2788
2789 pppoe setting
2790 PPP-over-Ethernet Settings.
2791
2792 Properties:
2793
2794 parent
2795 Alias: parent
2796
2797 If given, specifies the parent interface name on which this PPPoE
2798 connection should be created. If this property is not specified,
2799 the connection is activated on the interface specified in
2800 "interface-name" of NMSettingConnection.
2801
2802 Format: string
2803
2804 password
2805 Alias: password
2806
2807 Password used to authenticate with the PPPoE service.
2808
2809 Format: string
2810
2811 password-flags
2812 Flags indicating how to handle the "password" property. See the
2813 section called “Secret flag types:” for flag values.
2814
2815 Format: NMSettingSecretFlags (uint32)
2816
2817 service
2818 Alias: service
2819
2820 If specified, instruct PPPoE to only initiate sessions with access
2821 concentrators that provide the specified service. For most
2822 providers, this should be left blank. It is only required if there
2823 are multiple access concentrators or a specific service is known to
2824 be required.
2825
2826 Format: string
2827
2828 username
2829 Alias: username
2830
2831 Username used to authenticate with the PPPoE service.
2832
2833 Format: string
2834
2835 proxy setting
2836 WWW Proxy Settings.
2837
2838 Properties:
2839
2840 browser-only
2841 Alias: browser-only
2842
2843 Whether the proxy configuration is for browser only.
2844
2845 Format: boolean
2846
2847 method
2848 Alias: method
2849
2850 Method for proxy configuration. Default is
2851 NM_SETTING_PROXY_METHOD_NONE (0).
2852
2853 Format: int32
2854
2855 pac-script
2856 Alias: pac-script
2857
2858 PAC script for the connection.
2859
2860 Format: string
2861
2862 pac-url
2863 Alias: pac-url
2864
2865 PAC URL for obtaining PAC file.
2866
2867 Format: string
2868
2869 serial setting
2870 Serial Link Settings.
2871
2872 Properties:
2873
2874 baud
2875 Speed to use for communication over the serial port. Note that this
2876 value usually has no effect for mobile broadband modems as they
2877 generally ignore speed settings and use the highest available
2878 speed.
2879
2880 Format: uint32
2881
2882 bits
2883 Byte-width of the serial communication. The 8 in "8n1" for example.
2884
2885 Format: uint32
2886
2887 parity
2888 Parity setting of the serial port.
2889
2890 Format: NMSettingSerialParity (byte)
2891
2892 send-delay
2893 Time to delay between each byte sent to the modem, in microseconds.
2894
2895 Format: uint64
2896
2897 stopbits
2898 Number of stop bits for communication on the serial port. Either 1
2899 or 2. The 1 in "8n1" for example.
2900
2901 Format: uint32
2902
2903 sriov setting
2904 SR-IOV settings.
2905
2906 Properties:
2907
2908 autoprobe-drivers
2909 Whether to autoprobe virtual functions by a compatible driver. If
2910 set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
2911 compatible driver and if this succeeds a new network interface will
2912 be instantiated for each VF. If set to NM_TERNARY_FALSE (0), VFs
2913 will not be claimed and no network interfaces will be created for
2914 them. When set to NM_TERNARY_DEFAULT (-1), the global default is
2915 used; in case the global default is unspecified it is assumed to be
2916 NM_TERNARY_TRUE (1).
2917
2918 Format: NMTernary (int32)
2919
2920 total-vfs
2921 The total number of virtual functions to create. Note that when the
2922 sriov setting is present NetworkManager enforces the number of
2923 virtual functions on the interface (also when it is zero) during
2924 activation and resets it upon deactivation. To prevent any changes
2925 to SR-IOV parameters don't add a sriov setting to the connection.
2926
2927 Format: uint32
2928
2929 vfs
2930 Array of virtual function descriptors. Each VF descriptor is a
2931 dictionary mapping attribute names to GVariant values. The 'index'
2932 entry is mandatory for each VF. When represented as string a VF is
2933 in the form: "INDEX [ATTR=VALUE[ ATTR=VALUE]...]". For example: "2
2934 mac=00:11:22:33:44:55 spoof-check=true". Multiple VFs can be
2935 specified using a comma as separator. Currently, the following
2936 attributes are supported: mac, spoof-check, trust, min-tx-rate,
2937 max-tx-rate, vlans. The "vlans" attribute is represented as a
2938 semicolon-separated list of VLAN descriptors, where each descriptor
2939 has the form "ID[.PRIORITY[.PROTO]]". PROTO can be either 'q' for
2940 802.1Q (the default) or 'ad' for 802.1ad.
2941
2942 Format: array of vardict
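
The string form of sriov.vfs described above can be parsed mechanically, which is useful when reviewing profiles for VFs whose MAC spoof checking is off or that are marked trusted. The following is an added example, not NetworkManager code; it assumes booleans are written "true"/"false" as in the example above, and the sample value is constructed.

```python
"""Parse the string form of sriov.vfs and list VFs with relaxed protections."""

KNOWN_ATTRS = {"mac", "spoof-check", "trust", "min-tx-rate", "max-tx-rate", "vlans"}
BOOL_ATTRS = {"spoof-check", "trust"}
INT_ATTRS = {"min-tx-rate", "max-tx-rate"}

# Constructed sample: three VFs separated by commas.
SAMPLE = ("0 spoof-check=false trust=true vlans=10.3.ad;20, "
          "1 max-tx-rate=1000, "
          "2 mac=00:11:22:33:44:55 spoof-check=true")


def parse_vlan(desc):
    """Parse one "ID[.PRIORITY[.PROTO]]" descriptor; PROTO defaults to 'q'."""
    parts = desc.split(".")
    if not 1 <= len(parts) <= 3 or not all(parts):
        raise ValueError("bad VLAN descriptor: %r" % desc)
    vlan = {"id": int(parts[0]), "priority": None, "proto": "q"}
    if len(parts) >= 2:
        vlan["priority"] = int(parts[1])
    if len(parts) == 3:
        if parts[2] not in ("q", "ad"):
            raise ValueError("bad VLAN protocol: %r" % parts[2])
        vlan["proto"] = parts[2]
    return vlan


def parse_vfs(value):
    """Parse "INDEX [ATTR=VALUE ...], INDEX ..." into a list of dicts."""
    vfs, seen = [], set()
    for chunk in value.split(","):
        tokens = chunk.split()
        if not tokens:
            raise ValueError("empty VF descriptor")
        index = int(tokens[0])          # 'index' is mandatory for each VF
        if index < 0 or index in seen:
            raise ValueError("bad or duplicate VF index: %d" % index)
        seen.add(index)
        vf = {"index": index}
        for token in tokens[1:]:
            name, sep, raw = token.partition("=")
            if not sep or name not in KNOWN_ATTRS or name in vf:
                raise ValueError("bad attribute: %r" % token)
            if name in BOOL_ATTRS:
                if raw not in ("true", "false"):
                    raise ValueError("bad boolean: %r" % token)
                vf[name] = raw == "true"
            elif name in INT_ATTRS:
                vf[name] = int(raw)
            elif name == "vlans":
                vf[name] = [parse_vlan(d) for d in raw.split(";")]
            else:                       # mac is kept as written
                vf[name] = raw
        vfs.append(vf)
    return vfs


def relaxed_vfs(vfs):
    """Return (index, reason) for VFs that explicitly disable MAC spoof
    checking or are marked trusted; both widen what a guest can do."""
    findings = []
    for vf in vfs:
        if vf.get("spoof-check") is False:
            findings.append((vf["index"], "spoof-check=false"))
        if vf.get("trust") is True:
            findings.append((vf["index"], "trust=true"))
    return findings


if __name__ == "__main__":
    for index, reason in relaxed_vfs(parse_vfs(SAMPLE)):
        print("VF %d: %s" % (index, reason))
```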
2943
2944 tc setting
2945 Linux Traffic Control Settings.
2946
2947 Properties:
2948
2949 qdiscs
2950 Array of TC queueing disciplines.
2951
2952 Format: array of vardict
2953
2954 tfilters
2955 Array of TC traffic filters.
2956
2957 Format: array of vardict
2958
2959 team setting
2960 Teaming Settings.
2961
2962 Properties:
2963
2964 config
2965 Alias: config
2966
2967 The JSON configuration for the team network interface. The property
2968 should contain raw JSON configuration data suitable for teamd,
2969 because the value is passed directly to teamd. If not specified,
2970 the default configuration is used. See man teamd.conf for the
2971 format details.
2972
2973 Format: string
2974
2975 link-watchers
2976 Link watchers configuration for the connection: each link watcher
2977 is defined by a dictionary, whose keys depend upon the selected
2978 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
2979 and 'arp_ping' and it is specified in the dictionary with the key
2980 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
2981 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
2982 'target-host'; arp_ping: all the ones in nsna_ping and
2983 'source-host', 'validate-active', 'validate-inactive',
2984 'send-always'. See teamd.conf man for more details.
2985
2986 Format: array of vardict
2987
2988 mcast-rejoin-count
2989 Corresponds to the teamd mcast_rejoin.count.
2990
2991 Format: int32
2992
2993 mcast-rejoin-interval
2994 Corresponds to the teamd mcast_rejoin.interval.
2995
2996 Format: int32
2997
2998 notify-peers-count
2999 Corresponds to the teamd notify_peers.count.
3000
3001 Format: int32
3002
3003 notify-peers-interval
3004 Corresponds to the teamd notify_peers.interval.
3005
3006 Format: int32
3007
3008 runner
3009 Corresponds to the teamd runner.name. Permitted values are:
3010 "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
3011 "random".
3012
3013 Format: string
3014
3015 runner-active
3016 Corresponds to the teamd runner.active.
3017
3018 Format: boolean
3019
3020 runner-agg-select-policy
3021 Corresponds to the teamd runner.agg_select_policy.
3022
3023 Format: string
3024
3025 runner-fast-rate
3026 Corresponds to the teamd runner.fast_rate.
3027
3028 Format: boolean
3029
3030 runner-hwaddr-policy
3031 Corresponds to the teamd runner.hwaddr_policy.
3032
3033 Format: string
3034
3035 runner-min-ports
3036 Corresponds to the teamd runner.min_ports.
3037
3038 Format: int32
3039
3040 runner-sys-prio
3041 Corresponds to the teamd runner.sys_prio.
3042
3043 Format: int32
3044
3045 runner-tx-balancer
3046 Corresponds to the teamd runner.tx_balancer.name.
3047
3048 Format: string
3049
3050 runner-tx-balancer-interval
3051 Corresponds to the teamd runner.tx_balancer.interval.
3052
3053 Format: int32
3054
3055 runner-tx-hash
3056 Corresponds to the teamd runner.tx_hash.
3057
3058 Format: array of string
3059
3060 team-port setting
3061 Team Port Settings.
3062
3063 Properties:
3064
3065 config
3066 Alias: config
3067
3068 The JSON configuration for the team port. The property should
3069 contain raw JSON configuration data suitable for teamd, because the
3070 value is passed directly to teamd. If not specified, the default
3071 configuration is used. See man teamd.conf for the format details.
3072
3073 Format: string
3074
3075 lacp-key
3076 Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3077
3078 Format: int32
3079
3080 lacp-prio
3081 Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3082
3083 Format: int32
3084
3085 link-watchers
3086 Link watchers configuration for the connection: each link watcher
3087 is defined by a dictionary, whose keys depend upon the selected
3088 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3089 and 'arp_ping' and it is specified in the dictionary with the key
3090 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3091 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3092 'target-host'; arp_ping: all the ones in nsna_ping and
3093 'source-host', 'validate-active', 'validate-inactive',
3094 'send-always'. See teamd.conf man for more details.
3095
3096 Format: array of vardict
3097
3098 prio
3099 Corresponds to the teamd ports.PORTIFNAME.prio.
3100
3101 Format: int32
3102
3103 queue-id
3104 Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to
3105 -1, the parameter is omitted from the JSON config.
3106
3107 Format: int32
3108
3109 sticky
3110 Corresponds to the teamd ports.PORTIFNAME.sticky.
3111
3112 Format: boolean
3113
3114 tun setting
3115 Tunnel Settings.
3116
3117 Properties:
3118
3119 group
3120 Alias: group
3121
3122 The group ID which will own the device. If set to NULL everyone
3123 will be able to use the device.
3124
3125 Format: string
3126
3127 mode
3128 Alias: mode
3129
3130 The operating mode of the virtual device. Allowed values are
3131 NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3132 NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3133
3134 Format: uint32
3135
3136 multi-queue
3137 Alias: multi-queue
3138
3139 If the property is set to TRUE, the interface will support multiple
3140 file descriptors (queues) to parallelize packet sending or
3141 receiving. Otherwise, the interface will only support a single
3142 queue.
3143
3144 Format: boolean
3145
3146 owner
3147 Alias: owner
3148
3149 The user ID which will own the device. If set to NULL everyone will
3150 be able to use the device.
3151
3152 Format: string
3153
3154 pi
3155 Alias: pi
3156
3157 If TRUE the interface will prepend a 4 byte header describing the
3158 physical interface to the packets.
3159
3160 Format: boolean
3161
3162 vnet-hdr
3163 Alias: vnet-hdr
3164
3165 If TRUE, the tunnel packets will include a virtio network header
3166 (IFF_VNET_HDR).
3167
3168 Format: boolean
3169
3170 vlan setting
3171 VLAN Settings.
3172
3173 Properties:
3174
3175 egress-priority-map
3176 Alias: egress
3177
3178 For outgoing packets, a list of mappings from Linux SKB priorities
3179 to 802.1p priorities. The mapping is given in the format "from:to"
3180 where both "from" and "to" are unsigned integers, e.g. "7:3".
3181
3182 Format: array of string
3183
3184 flags
3185 Alias: flags
3186
3187 One or more flags which control the behavior and features of the
3188 VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
3189 (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
3190 of the GVRP protocol), and NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
3191 binding of the interface to its master device's operating state).
3192 NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol). The default
3193 value of this property is NM_VLAN_FLAG_REORDER_HEADERS, but it used
3194 to be 0. To preserve backward compatibility, the default-value in
3195 the D-Bus API continues to be 0 and a missing property on D-Bus is
3196 still considered as 0.
3197
3198 Format: NMVlanFlags (uint32)
3199
3200 id
3201 Alias: id
3202
3203 The VLAN identifier that the interface created by this connection
3204 should be assigned. The valid range is from 0 to 4094, without the
3205 reserved id 4095.
3206
3207 Format: uint32
3208
3209 ingress-priority-map
3210 Alias: ingress
3211
3212 For incoming packets, a list of mappings from 802.1p priorities to
3213 Linux SKB priorities. The mapping is given in the format "from:to"
3214 where both "from" and "to" are unsigned integers, e.g. "7:3".
3215
3216 Format: array of string
3217
3218 parent
3219 Alias: dev
3220
3221 If given, specifies the parent interface name or parent connection
3222 UUID from which this VLAN interface should be created. If this
3223 property is not specified, the connection must contain an
3224 "802-3-ethernet" setting with a "mac-address" property.
3225
3226 Format: string
3227
3228 vpn setting
3229 VPN Settings.
3230
3231 Properties:
3232
3233 data
3234 Dictionary of key/value pairs of VPN plugin specific data. Both
3235 keys and values must be strings.
3236
3237 Format: dict of string to string
3238
3239 persistent
3240 If the VPN service supports persistence, and this property is TRUE,
3241 the VPN will attempt to stay connected across link changes and
3242 outages, until explicitly disconnected.
3243
3244 Format: boolean
3245
3246 secrets
3247 Dictionary of key/value pairs of VPN plugin specific secrets like
3248 passwords or private keys. Both keys and values must be strings.
3249
3250 Format: dict of string to string
3251
3252 service-type
3253 Alias: vpn-type
3254
3255 D-Bus service name of the VPN plugin that this setting uses to
3256 connect to its network, e.g. org.freedesktop.NetworkManager.vpnc
3257 for the vpnc plugin.
3258
3259 Format: string
3260
3261 timeout
3262 Timeout for the VPN service to establish the connection. Some
3263 services may take quite a long time to connect. Value of 0 means a
3264 default timeout, which is 60 seconds (unless overridden by
3265 vpn.timeout in configuration file). Values greater than zero mean
3266 timeout in seconds.
3267
3268 Format: uint32
3269
3270 user-name
3271 Alias: user
3272
3273 If the VPN connection requires a user name for authentication, that
3274 name should be provided here. If the connection is available to
3275 more than one user, and the VPN requires each user to supply a
3276 different name, then leave this property empty. If this property is
3277 empty, NetworkManager will automatically supply the username of the
3278 user which requested the VPN connection.
3279
3280 Format: string
3281
3282 vrf setting
3283 VRF settings.
3284
3285 Properties:
3286
3287 table
3288 Alias: table
3289
3290 The routing table for this VRF.
3291
3292 Format: uint32
3293
3294 vxlan setting
3295 VXLAN Settings.
3296
3297 Properties:
3298
3299 ageing
3300 Specifies the lifetime in seconds of FDB entries learnt by the
3301 kernel.
3302
3303 Format: uint32
3304
3305 destination-port
3306 Alias: destination-port
3307
3308 Specifies the UDP destination port to communicate to the remote
3309 VXLAN tunnel endpoint.
3310
3311 Format: uint32
3312
3313 id
3314 Alias: id
3315
3316 Specifies the VXLAN Network Identifier (or VXLAN Segment
3317 Identifier) to use.
3318
3319 Format: uint32
3320
3321 l2-miss
3322 Specifies whether netlink LL ADDR miss notifications are generated.
3323
3324 Format: boolean
3325
3326 l3-miss
3327 Specifies whether netlink IP ADDR miss notifications are generated.
3328
3329 Format: boolean
3330
3331 learning
3332 Specifies whether unknown source link layer addresses and IP
3333 addresses are entered into the VXLAN device forwarding database.
3334
3335 Format: boolean
3336
3337 limit
3338 Specifies the maximum number of FDB entries. A value of zero means
3339 that the kernel will store unlimited entries.
3340
3341 Format: uint32
3342
3343 local
3344 Alias: local
3345
3346 If given, specifies the source IP address to use in outgoing
3347 packets.
3348
3349 Format: string
3350
3351 parent
3352 Alias: dev
3353
3354 If given, specifies the parent interface name or parent connection
3355 UUID.
3356
3357 Format: string
3358
3359 proxy
3360 Specifies whether ARP proxy is turned on.
3361
3362 Format: boolean
3363
3364 remote
3365 Alias: remote
3366
3367 Specifies the unicast destination IP address to use in outgoing
3368 packets when the destination link layer address is not known in the
3369 VXLAN device forwarding database, or the multicast IP address to
3370 join.
3371
3372 Format: string
3373
3374 rsc
3375 Specifies whether route short circuit is turned on.
3376
3377 Format: boolean
3378
3379 source-port-max
3380 Alias: source-port-max
3381
3382 Specifies the maximum UDP source port to communicate to the remote
3383 VXLAN tunnel endpoint.
3384
3385 Format: uint32
3386
3387 source-port-min
3388 Alias: source-port-min
3389
3390 Specifies the minimum UDP source port to communicate to the remote
3391 VXLAN tunnel endpoint.
3392
3393 Format: uint32
3394
3395 tos
3396 Specifies the TOS value to use in outgoing packets.
3397
3398 Format: uint32
3399
3400 ttl
3401 Specifies the time-to-live value to use in outgoing packets.
3402
3403 Format: uint32
3404
3405 wifi-p2p setting
3406 Wi-Fi P2P Settings.
3407
3408 Properties:
3409
3410 peer
3411 Alias: peer
3412
3413 The P2P device that should be connected to. Currently, this is the
3414 only way to create or join a group.
3415
3416 Format: string
3417
3418 wfd-ies
3419 The Wi-Fi Display (WFD) Information Elements (IEs) to set. Wi-Fi
3420 Display requires a protocol specific information element to be set
3421 in certain Wi-Fi frames. These can be specified here for the
3422 purpose of establishing a connection. This setting is only useful
3423 when implementing a Wi-Fi Display client.
3424
3425 Format: byte array
3426
3427 wps-method
3428 Flags indicating which mode of WPS is to be used. There's little
3429 point in changing the default setting as NetworkManager will
3430 automatically determine the best method to use.
3431
3432 Format: uint32
3433
3434 wimax setting
3435 WiMax Settings.
3436
3437 Properties:
3438
3439 mac-address
3440 Alias: mac
3441
3442 If specified, this connection will only apply to the WiMAX device
3443 whose MAC address matches. This property does not change the MAC
3444 address of the device (known as MAC spoofing). Deprecated: 1
3445
3446 Format: byte array
3447
3448 network-name
3449 Alias: nsp
3450
3451 Network Service Provider (NSP) name of the WiMAX network this
3452 connection should use. Deprecated: 1
3453
3454 Format: string
3455
3456 802-3-ethernet setting
3457 Alias: ethernet
3458
3459 Wired Ethernet Settings.
3460
3461 Properties:
3462
3463 auto-negotiate
3464 When TRUE, enforce auto-negotiation of speed and duplex mode. If
3465 "speed" and "duplex" properties are both specified, only that
3466 single mode will be advertised and accepted during the link
3467 auto-negotiation process: this works only for BASE-T 802.3
3468 specifications and is useful for enforcing gigabit modes, as in
3469 these cases link negotiation is mandatory. When FALSE, "speed" and
3470 "duplex" properties should be both set or link configuration will
3471 be skipped.
3472
3473 Format: boolean
3474
3475 cloned-mac-address
3476 Alias: cloned-mac
3477
3478 If specified, request that the device use this MAC address instead.
3479 This is known as MAC cloning or spoofing. Besides explicitly
3480 specifying a MAC address, the special values "preserve",
3481 "permanent", "random" and "stable" are supported. "preserve" means
3482 not to touch the MAC address on activation. "permanent" means to
3483 use the permanent hardware address if the device has one (otherwise
3484 this is treated as "preserve"). "random" creates a random MAC
3485 address on each connect. "stable" creates a hashed MAC address
3486 based on connection.stable-id and a machine dependent key. If
3487 unspecified, the value can be overwritten via global defaults, see
3488 manual of NetworkManager.conf. If still unspecified, it defaults to
3489 "preserve" (older versions of NetworkManager may use a different
3490 default value). On D-Bus, this field is expressed as
3491 "assigned-mac-address" or the deprecated "cloned-mac-address".
3492
3493 Format: byte array
3494
3495 duplex
3496 When a value is set, either "half" or "full", configures the device
3497 to use the specified duplex mode. If "auto-negotiate" is "yes" the
3498 specified duplex mode will be the only one advertised during link
3499 negotiation: this works only for BASE-T 802.3 specifications and is
3500 useful for enforcing gigabit modes, as in these cases link
3501 negotiation is mandatory. If the value is unset (the default), the
3502 link configuration will be either skipped (if "auto-negotiate" is
3503 "no", the default) or will be auto-negotiated (if "auto-negotiate"
3504 is "yes") and the local device will advertise all the supported
3505 duplex modes. Must be set together with the "speed" property if
3506 specified. Before specifying a duplex mode be sure your device
3507 supports it.
3508
3509 Format: string
3510
3511 generate-mac-address-mask
3512 With "cloned-mac-address" setting "random" or "stable", by default
3513 all bits of the MAC address are scrambled and a
3514 locally-administered, unicast MAC address is created. This property
3515 allows specifying that certain bits are fixed. Note that the least
3516 significant bit of the first octet of the MAC address will always be
3517 unset to create a unicast MAC address. If the property is NULL, it is
3518 eligible to be overwritten by a default connection setting. If the
3519 value is still NULL or an empty string, the default is to create a
3520 locally-administered, unicast MAC address. If the value contains
3521 one MAC address, this address is used as mask. The set bits of the
3522 mask are to be filled with the current MAC address of the device,
3523 while the unset bits are subject to randomization. Setting
3524 "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3525 address and only randomize the lower 3 bytes using the "random" or
3526 "stable" algorithm. If the value contains one additional MAC
3527 address after the mask, this address is used instead of the current
3528 MAC address to fill the bits that shall not be randomized. For
3529 example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3530 the OUI of the MAC address to 68:F7:28, while the lower bits are
3531 randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3532 create a fully scrambled globally-administered, burned-in MAC
3533 address. If the value contains more than one additional MAC
3534 address, one of them is chosen randomly. For example,
3535 "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3536 a fully scrambled MAC address, randomly locally or globally
3537 administered.
3538
3539 Format: string
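
The mask rules described above for generate-mac-address-mask can be followed bit by bit in the sketch below. It is an added example written from this description, not NetworkManager's own code; the function names and the rand/pick parameters (stand-ins for the "random" or "stable" byte source and for the random choice between several additional addresses) are assumptions of the example.

```python
"""Model of how a generate-mac-address-mask value shapes a generated MAC."""
import os
import secrets


def _parse_mac(text):
    """Turn "AA:BB:CC:DD:EE:FF" into 6 bytes, rejecting anything else."""
    parts = text.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("bad MAC address: %r" % text)
    return bytes(int(p, 16) for p in parts)


def _format_mac(octets):
    return ":".join("%02X" % b for b in octets)


def generate_mac(mask_value, current_mac, rand=os.urandom, pick=secrets.choice):
    """Return the MAC produced for one activation.

    mask_value  -- the property value: "" / None, "MASK", or "MASK MAC [MAC...]"
    current_mac -- the device's current MAC, used when no extra MAC is given
    rand, pick  -- injectable so the result can be checked deterministically
    """
    addr = bytearray(rand(6))           # every bit starts out scrambled
    fields = (mask_value or "").split()
    if not fields:
        # Default: locally-administered (bit 0x02 set), unicast (bit 0x01 clear).
        addr[0] = (addr[0] & 0xFE) | 0x02
        return _format_mac(addr)

    mask = _parse_mac(fields[0])
    extra = [_parse_mac(f) for f in fields[1:]]
    # Set mask bits are filled from an additional MAC if present (one picked
    # at random when several are listed), otherwise from the current MAC.
    source = pick(extra) if extra else _parse_mac(current_mac)
    for i in range(6):
        addr[i] = (addr[i] & ~mask[i] & 0xFF) | (source[i] & mask[i])
    addr[0] &= 0xFE                     # multicast bit is always cleared
    return _format_mac(addr)


def is_locally_administered(mac):
    """True if the locally-administered bit (0x02 of the first octet) is set."""
    return bool(_parse_mac(mac)[0] & 0x02)


if __name__ == "__main__":
    current = "00:11:22:33:44:55"       # constructed sample address
    for value in ("", "FE:FF:FF:00:00:00",
                  "FE:FF:FF:00:00:00 68:F7:28:00:00:00",
                  "02:00:00:00:00:00 00:00:00:00:00:00"):
        print("%-40r -> %s" % (value, generate_mac(value, current)))
```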
3540
3541 mac-address
3542 Alias: mac
3543
3544 If specified, this connection will only apply to the Ethernet
3545 device whose permanent MAC address matches. This property does not
3546 change the MAC address of the device (i.e. MAC spoofing).
3547
3548 Format: byte array
3549
3550 mac-address-blacklist
3551 If specified, this connection will never apply to the Ethernet
3552 device whose permanent MAC address matches an address in the list.
3553 Each MAC address is in the standard hex-digits-and-colons notation
3554 (00:11:22:33:44:55).
3555
3556 Format: array of string
3557
3558 mtu
3559 Alias: mtu
3560
3561 If non-zero, only transmit packets of the specified size or
3562 smaller, breaking larger packets up into multiple Ethernet frames.
3563
3564 Format: uint32
3565
3566 port
3567 Specific port type to use if the device supports multiple
3568 attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
3569 Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
3570 Interface). If the device supports only one port type, this setting
3571 is ignored.
3572
3573 Format: string
3574
3575 s390-nettype
3576 s390 network device type; one of "qeth", "lcs", or "ctc",
3577 representing the different types of virtual network devices
3578 available on s390 systems.
3579
3580 Format: string
3581
3582 s390-options
3583 Dictionary of key/value pairs of s390-specific device options. Both
3584 keys and values must be strings. Allowed keys include "portno",
3585 "layer2", "portname", "protocol", among others. Key names must
3586 contain only alphanumeric characters (i.e. [a-zA-Z0-9]).
3587
3588 Format: dict of string to string
3589
3590 s390-subchannels
3591 Identifies specific subchannels that this network device uses for
3592 communication with z/VM or s390 host. Like the "mac-address"
3593 property for non-z/VM devices, this property can be used to ensure
3594 this connection only applies to the network device that uses these
3595 subchannels. The list should contain exactly 3 strings, and each
3596 string may only be composed of hexadecimal characters and the
3597 period (.) character.
3598
3599 Format: array of string
3600
3601 speed
3602 When a value greater than 0 is set, configures the device to use
3603 the specified speed. If "auto-negotiate" is "yes" the specified
3604 speed will be the only one advertised during link negotiation: this
3605 works only for BASE-T 802.3 specifications and is useful for
3606 enforcing gigabit speeds, as in this case link negotiation is
3607 mandatory. If the value is unset (0, the default), the link
3608 configuration will be either skipped (if "auto-negotiate" is "no",
3609 the default) or will be auto-negotiated (if "auto-negotiate" is
3610 "yes") and the local device will advertise all the supported
3611 speeds. In Mbit/s, i.e. 100 == 100 Mbit/s. Must be set together with
3612 the "duplex" property when non-zero. Before specifying a speed
3613 value be sure your device supports it.
3614
3615 Format: uint32
3616
3617 wake-on-lan
3618 The NMSettingWiredWakeOnLan options to enable. Not all devices
3619 support all options. May be any combination of
3620 NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
3621 NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
3622 NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
3623 NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
3624 NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
3625 NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
3626 NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
3627 and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
3628 management of Wake-on-LAN in NetworkManager).
3629
3630 Format: uint32
3631
3632 wake-on-lan-password
3633 If specified, the password used with magic-packet-based
3634 Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
3635 password will be required.
3636
3637 Format: string
3638
3639 wireguard setting
3640 WireGuard Settings.
3641
3642 Properties:
3643
3644 fwmark
3645 The use of fwmark is optional and is by default off. Setting it to
3646 0 disables it. Otherwise, it is a 32-bit fwmark for outgoing
3647 packets. Note that enabling "ip4-auto-default-route" or
3648 "ip6-auto-default-route" implies that a fwmark is chosen
3649 automatically.
3650
3651 Format: uint32
3652
3653 ip4-auto-default-route
3654 Whether to enable special handling of the IPv4 default route. If
3655 enabled, the IPv4 default route from wireguard.peer-routes will be
3656 placed in a dedicated routing-table and two policy routing rules
3657 will be added. The fwmark number is also used as routing-table for
3658 the default-route, and if fwmark is zero, an unused fwmark/table is
3659 chosen automatically. This corresponds to what wg-quick does with
3660 Table=auto and what WireGuard calls "Improved Rule-based Routing".
3661 Note that for this automatism to work, you usually don't want to
3662 set ipv4.gateway, because that will result in a conflicting default
3663 route. Leaving this at the default will enable this option
3664 automatically if ipv4.never-default is not set and there are any
3665 peers that use a default-route as allowed-ips.
3666
3667 Format: NMTernary (int32)
3668
3669 ip6-auto-default-route
3670 Like ip4-auto-default-route, but for the IPv6 default route.
3671
3672 Format: NMTernary (int32)
3673
3674 listen-port
3675 The listen-port. If listen-port is not specified, the port will be
3676 chosen randomly when the interface comes up.
3677
3678 Format: uint32
3679
3680 mtu
3681 If non-zero, only transmit packets of the specified size or
3682 smaller, breaking larger packets up into multiple fragments. If
3683 zero a default MTU is used. Note that contrary to wg-quick's MTU
3684 setting, this does not take into account the current routes at the
3685 time of activation.
3686
3687 Format: uint32
3688
3689 peer-routes
3690 Whether to automatically add routes for the AllowedIPs ranges of
3691 the peers. If TRUE (the default), NetworkManager will automatically
3692 add routes in the routing tables according to ipv4.route-table and
3693 ipv6.route-table. Usually you want this automatism enabled. If
3694 FALSE, no such routes are added automatically. In this case, the
3695 user may want to configure static routes in ipv4.routes and
3696 ipv6.routes, respectively. Note that if the peer's AllowedIPs is
3697 "0.0.0.0/0" or "::/0" and the profile's ipv4.never-default or
3698 ipv6.never-default setting is enabled, the peer route for this peer
3699 won't be added automatically.
3700
3701 Format: boolean
3702
3703 private-key
3704 The 256 bit private-key in base64 encoding.
3705
3706 Format: string
3707
3708 private-key-flags
3709 Flags indicating how to handle the "private-key" property. See the
3710 section called “Secret flag types:” for flag values.
3711
3712 Format: NMSettingSecretFlags (uint32)
3713
3714 802-11-wireless setting
3715 Alias: wifi
3716
3717 Wi-Fi Settings.
3718
3719 Properties:
3720
3721 ap-isolation
3722 Configures AP isolation, which prevents communication between
3723 wireless devices connected to this AP. This property can be set to
3724 a value different from NM_TERNARY_DEFAULT (-1) only when the
3725 interface is configured in AP mode. If set to NM_TERNARY_TRUE (1),
3726 devices are not able to communicate with each other. This increases
3727 security because it protects devices against attacks from other
3728 clients in the network. At the same time, it prevents devices from
3729 accessing resources on the same wireless network, such as file
3730 shares, printers, etc. If set to NM_TERNARY_FALSE (0), devices can talk to
3731 each other. When set to NM_TERNARY_DEFAULT (-1), the global default
3732 is used; in case the global default is unspecified it is assumed to
3733 be NM_TERNARY_FALSE (0).
3734
3735 Format: NMTernary (int32)
3736
3737 band
3738 802.11 frequency band of the network. One of "a" for 5GHz 802.11a
3739 or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
3740 network to the specific band, i.e. if "a" is specified, the device
3741 will not associate with the same network in the 2.4GHz band even if
3742 the network's settings are compatible. This setting depends on
3743 specific driver capability and may not work with all drivers.
3744
3745 Format: string
3746
3747 bssid
3748 If specified, directs the device to only associate with the given
3749 access point. This capability is highly driver dependent and not
3750 supported by all devices. Note: this property does not control the
3751 BSSID used when creating an Ad-Hoc network and is unlikely to in
3752 the future.
3753
3754 Format: byte array
3755
3756 channel
3757 Wireless channel to use for the Wi-Fi connection. The device will
3758 only join (or create for Ad-Hoc networks) a Wi-Fi network on the
3759 specified channel. Because channel numbers overlap between bands,
3760 this property also requires the "band" property to be set.
3761
3762 Format: uint32
3763
3764 cloned-mac-address
3765 Alias: cloned-mac
3766
3767 If specified, request that the device use this MAC address instead.
3768 This is known as MAC cloning or spoofing. Beside explicitly
3769 specifying a MAC address, the special values "preserve",
3770 "permanent", "random" and "stable" are supported. "preserve" means
3771 not to touch the MAC address on activation. "permanent" means to
3772 use the permanent hardware address of the device. "random" creates
3773 a random MAC address on each connect. "stable" creates a hashed MAC
3774 address based on connection.stable-id and a machine dependent key.
3775 If unspecified, the value can be overwritten via global defaults,
3776 see manual of NetworkManager.conf. If still unspecified, it
3777 defaults to "preserve" (older versions of NetworkManager may use a
3778 different default value). On D-Bus, this field is expressed as
3779 "assigned-mac-address" or the deprecated "cloned-mac-address".
3780
3781 Format: byte array
3782
3783 generate-mac-address-mask
3784 With "cloned-mac-address" setting "random" or "stable", by default
3785 all bits of the MAC address are scrambled and a
3786 locally-administered, unicast MAC address is created. This property
3787 allows specifying that certain bits are fixed. Note that the least
3788 significant bit of the first octet of the MAC address will always be unset to
3789 create a unicast MAC address. If the property is NULL, it is
3790 eligible to be overwritten by a default connection setting. If the
3791 value is still NULL or an empty string, the default is to create a
3792 locally-administered, unicast MAC address. If the value contains
3793 one MAC address, this address is used as mask. The set bits of the
3794 mask are to be filled with the current MAC address of the device,
3795 while the unset bits are subject to randomization. Setting
3796 "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3797 address and only randomize the lower 3 bytes using the "random" or
3798 "stable" algorithm. If the value contains one additional MAC
3799 address after the mask, this address is used instead of the current
3800 MAC address to fill the bits that shall not be randomized. For
3801 example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3802 the OUI of the MAC address to 68:F7:28, while the lower bits are
3803 randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3804 create a fully scrambled globally-administered, burned-in MAC
3805 address. If the value contains more than one additional MAC
3806 address, one of them is chosen randomly. For example,
3807 "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3808 a fully scrambled MAC address, randomly locally or globally
3809 administered.
3810
3811 Format: string
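
The mask rules above, modelled as an added example (not NetworkManager's own code). The function names, the sample device address and the fixed "random" bytes are assumptions of this example; the bytes stand in for whichever bit source "random" or "stable" provides.

```python
import secrets

def parse_mac(text):
    """Parse 'AA:BB:CC:DD:EE:FF' into 6 raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def generate_mac(mask_setting, current_mac, rand=None, choose=secrets.choice):
    """Model of the documented generate-mac-address-mask rules.

    mask_setting: property value ("MASK [ADDR ...]"), or None/"" for the default
    current_mac:  the device's current MAC address
    rand:         6 bytes standing in for the "random"/"stable" bit source
    choose:       picks one ADDR when several are listed
    """
    words = (mask_setting or "").split()
    if not words:
        # Default: every bit scrambled, result locally administered.
        mask = fixed = parse_mac("02:00:00:00:00:00")
    else:
        mask = parse_mac(words[0])
        extra = words[1:]
        fixed = parse_mac(choose(extra) if extra else current_mac)
    rand = secrets.token_bytes(6) if rand is None else rand
    # Set mask bits come from `fixed`; unset mask bits come from `rand`.
    out = bytearray((f & m) | (r & ~m & 0xFF)
                    for f, m, r in zip(fixed, mask, rand))
    out[0] &= 0xFE  # least significant bit of the first octet cleared: unicast
    return format_mac(out)

def describe(mac):
    """Return (is_unicast, is_locally_administered) for a MAC address."""
    first = parse_mac(mac)[0]
    return ((first & 0x01) == 0, (first & 0x02) != 0)

# Constructed inputs: a made-up device address and fixed "random" bytes so
# the results are reproducible.
CURRENT = "00:11:22:33:44:55"
RAND = bytes.fromhex("a1b2c3d4e5f6")

if __name__ == "__main__":
    for setting in (None,
                    "FE:FF:FF:00:00:00",
                    "FE:FF:FF:00:00:00 68:F7:28:00:00:00",
                    "02:00:00:00:00:00 00:00:00:00:00:00"):
        mac = generate_mac(setting, CURRENT, RAND)
        print(f"{setting!s:40} -> {mac}  unicast/local={describe(mac)}")
```

Running it shows which octets survive each mask: a mask that preserves the OUI keeps the device vendor identifiable, while the default only fixes the locally-administered bit.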
3812
3813 hidden
3814 If TRUE, indicates that the network is a non-broadcasting network
3815 that hides its SSID. This works both in infrastructure and AP mode.
3816 In infrastructure mode, various workarounds are used for a more
3817 reliable discovery of hidden networks, such as probe-scanning the
3818 SSID. However, these workarounds expose inherent insecurities with
3819 hidden SSID networks, and thus hidden SSID networks should be used
3820 with caution. In AP mode, the created network does not broadcast
3821 its SSID. Note that marking the network as hidden may be a privacy
3822 issue for you (in infrastructure mode) or client stations (in AP
3823 mode), as the explicit probe-scans are distinctly recognizable on
3824 the air.
3825
3826 Format: boolean
3827
3828 mac-address
3829 Alias: mac
3830
3831 If specified, this connection will only apply to the Wi-Fi device
3832 whose permanent MAC address matches. This property does not change
3833 the MAC address of the device (i.e. MAC spoofing).
3834
3835 Format: byte array
3836
3837 mac-address-blacklist
3838 A list of permanent MAC addresses of Wi-Fi devices to which this
3839 connection should never apply. Each MAC address should be given in
3840 the standard hex-digits-and-colons notation (eg
3841 "00:11:22:33:44:55").
3842
3843 Format: array of string
3844
3845 mac-address-randomization
3846 One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
3847 unless the user has set a global default to randomize and the
3848 supplicant supports randomization),
3849 NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
3850 address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
3851 randomize the MAC address). This property is deprecated in favor of
3852 'cloned-mac-address'.
3853
3854 Format: uint32
3855
3856 mode
3857 Alias: mode
3858
3859 Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
3860 "ap". If blank, infrastructure is assumed.
3861
3862 Format: string
3863
3864 mtu
3865 Alias: mtu
3866
3867 If non-zero, only transmit packets of the specified size or
3868 smaller, breaking larger packets up into multiple Ethernet frames.
3869
3870 Format: uint32
3871
3872 powersave
3873 One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
3874 power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
3875 Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
3876 (don't touch the currently configured setting) or
3877 NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
3878 configured value). All other values are reserved.
3879
3880 Format: uint32
3881
3882 rate
3883 If non-zero, directs the device to only use the specified bitrate
3884 for communication with the access point. Units are in Kb/s, ie 5500
3885 = 5.5 Mbit/s. This property is highly driver dependent and not all
3886 devices support setting a static bitrate.
3887
3888 Format: uint32
3889
3890 seen-bssids
3891 A list of BSSIDs (each BSSID formatted as a MAC address like
3892 "00:11:22:33:44:55") that have been detected as part of the Wi-Fi
3893 network. NetworkManager internally tracks previously seen BSSIDs.
3894 The property is only meant for reading and reflects the BSSID list
3895 of NetworkManager. The changes you make to this property will not
3896 be preserved.
3897
3898 Format: array of string
3899
3900 ssid
3901 Alias: ssid
3902
3903 SSID of the Wi-Fi network. Must be specified.
3904
3905 Format: byte array
3906
3907 tx-power
3908 If non-zero, directs the device to use the specified transmit
3909 power. Units are dBm. This property is highly driver dependent and
3910 not all devices support setting a static transmit power.
3911
3912 Format: uint32
3913
3914 wake-on-wlan
3915 The NMSettingWirelessWakeOnWLan options to enable. Not all devices
3916 support all options. May be any combination of
3917 NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
3918 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
3919 NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
3920 NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
3921 NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
3922 NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
3923 NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
3924 NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
3925 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
3926 settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
3927 disable management of Wake-on-LAN in NetworkManager).
3928
3929 Format: uint32
3930
3931 802-11-wireless-security setting
3932 Alias: wifi-sec
3933
3934 Wi-Fi Security Settings.
3935
3936 Properties:
3937
3938 auth-alg
3939 When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate
3940 the 802.11 authentication algorithm required by the AP here. One of
3941 "open" for Open System, "shared" for Shared Key, or "leap" for
3942 Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and
3943 auth-alg = "leap") the "leap-username" and "leap-password"
3944 properties must be specified.
3945
3946 Format: string
3947
3948 fils
3949 Indicates whether Fast Initial Link Setup (802.11ai) must be
3950 enabled for the connection. One of
3951 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
3952 value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
3953 FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
3954 if the supplicant and the access point support it) or
3955 NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
3956 fail if not supported). When set to
3957 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
3958 is set, FILS will be optionally enabled.
3959
3960 Format: int32
3961
3962 group
3963 A list of group/broadcast encryption algorithms which prevents
3964 connections to Wi-Fi networks that do not utilize one of the
3965 algorithms in the list. For maximum compatibility leave this
3966 property empty. Each list element may be one of "wep40", "wep104",
3967 "tkip", or "ccmp".
3968
3969 Format: array of string
3970
3971 key-mgmt
3972 Key management used for the connection. One of "none" (WEP),
3973 "ieee8021x" (Dynamic WEP), "wpa-psk" (infrastructure WPA-PSK),
3974 "sae" (SAE), "owe" (Opportunistic Wireless Encryption), "wpa-eap"
3975 (WPA-Enterprise) or "wpa-eap-suite-b-192" (WPA3-Enterprise Suite
3976 B). This property must be set for any Wi-Fi connection that uses
3977 security.
3978
3979 Format: string
3980
3981 leap-password
3982 The login password for legacy LEAP connections (ie, key-mgmt =
3983 "ieee8021x" and auth-alg = "leap").
3984
3985 Format: string
3986
3987 leap-password-flags
3988 Flags indicating how to handle the "leap-password" property. See
3989 the section called “Secret flag types:” for flag values.
3990
3991 Format: NMSettingSecretFlags (uint32)
3992
3993 leap-username
3994 The login username for legacy LEAP connections (ie, key-mgmt =
3995 "ieee8021x" and auth-alg = "leap").
3996
3997 Format: string
3998
3999 pairwise
4000 A list of pairwise encryption algorithms which prevents connections
4001 to Wi-Fi networks that do not utilize one of the algorithms in the
4002 list. For maximum compatibility leave this property empty. Each
4003 list element may be one of "tkip" or "ccmp".
4004
4005 Format: array of string
4006
4007 pmf
4008 Indicates whether Protected Management Frames (802.11w) must be
4009 enabled for the connection. One of
4010 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
4011 value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
4012 NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
4013 supplicant and the access point support it) or
4014 NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
4015 if not supported). When set to
4016 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
4017 is set, PMF will be optionally enabled.
4018
4019 Format: int32
4020
4021 proto
4022 List of strings specifying the allowed WPA protocol versions to
4023 use. Each element may be one of "wpa" (allow WPA) or "rsn" (allow
4024 WPA2/RSN). If not specified, both WPA and RSN connections are
4025 allowed.
4026
4027 Format: array of string
4028
4029 psk
4030 Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
4031 passphrase of 8 to 63 characters that is (as specified in the
4032 802.11i standard) hashed to derive the actual key, or the key in the
4033 form of 64 hexadecimal characters. WPA3-Personal networks use a
4034 passphrase of any length for SAE authentication.
4035
4036 Format: string
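
The two WPA-PSK forms of "psk" described above, as an added example (not NetworkManager's own code). The function names are assumptions of this example, as is reading "ASCII" as the printable range 0x20-0x7E; the passphrase and SSID are the published 802.11i test vector.

```python
import hashlib
import string

def classify_psk(key_mgmt, psk):
    """Say how a psk value is interpreted for the given key-mgmt."""
    if key_mgmt == "sae":
        # WPA3-Personal: a passphrase of any length.
        return "sae-passphrase" if psk else "invalid"
    if key_mgmt != "wpa-psk":
        return "not-applicable"
    if len(psk) == 64 and all(c in string.hexdigits for c in psk):
        return "raw-key"
    # Assumption: "ASCII" means the printable range 0x20-0x7E.
    if 8 <= len(psk) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in psk):
        return "passphrase"
    return "invalid"

def derive_wpa_key(passphrase, ssid):
    """802.11i passphrase-to-key mapping: PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid, 4096, 32)

def effective_key(key_mgmt, psk, ssid):
    """Return the 32-byte WPA-PSK key a profile resolves to, or None."""
    kind = classify_psk(key_mgmt, psk)
    if kind == "raw-key":
        return bytes.fromhex(psk)      # already the key; the SSID plays no part
    if kind == "passphrase":
        return derive_wpa_key(psk, ssid)
    return None                        # SAE or invalid: no PBKDF2 key

# 802.11i test vector: passphrase "password", SSID "IEEE".
VECTOR_SSID = b"IEEE"
VECTOR_PASSPHRASE = "password"
VECTOR_KEY = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

if __name__ == "__main__":
    key = effective_key("wpa-psk", VECTOR_PASSPHRASE, VECTOR_SSID)
    print("passphrase form ->", key.hex())
    print("hex form        ->", effective_key("wpa-psk", VECTOR_KEY, VECTOR_SSID).hex())
    print("same passphrase, other SSID ->",
          effective_key("wpa-psk", VECTOR_PASSPHRASE, b"IEEE-guest").hex())
```

The 64-character form is the output of the hash for one specific SSID, so a profile that stores it holds a secret equivalent to the passphrase for that network.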
4037
4038 psk-flags
4039 Flags indicating how to handle the "psk" property. See the section
4040 called “Secret flag types:” for flag values.
4041
4042 Format: NMSettingSecretFlags (uint32)
4043
4044 wep-key-flags
4045 Flags indicating how to handle the "wep-key0", "wep-key1",
4046 "wep-key2", and "wep-key3" properties. See the section called
4047 “Secret flag types:” for flag values.
4048
4049 Format: NMSettingSecretFlags (uint32)
4050
4051 wep-key-type
4052 Controls the interpretation of WEP keys. Allowed values are
4053 NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
4054 26-character hexadecimal string, or a 5- or 13-character ASCII
4055 password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
4056 passphrase is provided as a string and will be hashed using the
4057 de-facto MD5 method to derive the actual WEP key.
4058
4059 Format: NMWepKeyType (uint32)
4060
4061 wep-key0
4062 Index 0 WEP key. This is the WEP key used in most networks. See the
4063 "wep-key-type" property for a description of how this key is
4064 interpreted.
4065
4066 Format: string
4067
4068 wep-key1
4069 Index 1 WEP key. This WEP index is not used by most networks. See
4070 the "wep-key-type" property for a description of how this key is
4071 interpreted.
4072
4073 Format: string
4074
4075 wep-key2
4076 Index 2 WEP key. This WEP index is not used by most networks. See
4077 the "wep-key-type" property for a description of how this key is
4078 interpreted.
4079
4080 Format: string
4081
4082 wep-key3
4083 Index 3 WEP key. This WEP index is not used by most networks. See
4084 the "wep-key-type" property for a description of how this key is
4085 interpreted.
4086
4087 Format: string
4088
4089 wep-tx-keyidx
4090 When static WEP is used (ie, key-mgmt = "none") and a non-default
4091 WEP key index is used by the AP, put that WEP key index here. Valid
4092 values are 0 (default key) through 3. Note that some consumer
4093 access points (like the Linksys WRT54G) number the keys 1 - 4.
4094
4095 Format: uint32
4096
4097 wps-method
4098 Flags indicating which mode of WPS is to be used if any. There's
4099 little point in changing the default setting as NetworkManager will
4100 automatically determine whether it's feasible to start WPS
4101 enrollment from the Access Point capabilities. WPS can be disabled
4102 by setting this property to a value of 1.
4103
4104 Format: uint32
4105
4106 wpan setting
4107 IEEE 802.15.4 (WPAN) MAC Settings.
4108
4109 Properties:
4110
4111 channel
4112 Alias: channel
4113
4114 IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
4115 set, use whatever the device is already set to".
4116
4117 Format: int32
4118
4119 mac-address
4120 Alias: mac
4121
4122 If specified, this connection will only apply to the IEEE 802.15.4
4123 (WPAN) MAC layer device whose permanent MAC address matches.
4124
4125 Format: string
4126
4127 page
4128 Alias: page
4129
4130 IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
4131 not set, use whatever the device is already set to".
4132
4133 Format: int32
4134
4135 pan-id
4136 Alias: pan-id
4137
4138 IEEE 802.15.4 Personal Area Network (PAN) identifier.
4139
4140 Format: uint32
4141
4142 short-address
4143 Alias: short-addr
4144
4145 Short IEEE 802.15.4 address to be used within a restricted
4146 environment.
4147
4148 Format: uint32
4149
4150 hostname setting
4151 Hostname settings.
4152
4153 Properties:
4154
4155 from-dhcp
4156 Whether the system hostname can be determined from DHCP on this
4157 connection. When set to NM_TERNARY_DEFAULT (-1), the value from
4158 global configuration is used. If the property doesn't have a value
4159 in the global configuration, NetworkManager assumes the value to be
4160 NM_TERNARY_TRUE (1).
4161
4162 Format: NMTernary (int32)
4163
4164 from-dns-lookup
4165 Whether the system hostname can be determined from reverse DNS
4166 lookup of addresses on this device. When set to NM_TERNARY_DEFAULT
4167 (-1), the value from global configuration is used. If the property
4168 doesn't have a value in the global configuration, NetworkManager
4169 assumes the value to be NM_TERNARY_TRUE (1).
4170
4171 Format: NMTernary (int32)
4172
4173 only-from-default
4174 If set to NM_TERNARY_TRUE (1), NetworkManager attempts to get the
4175 hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this device
4176 only when the device has the default route for the given address
4177 family (IPv4/IPv6). If set to NM_TERNARY_FALSE (0), the hostname
4178 can be set from this device even if it doesn't have the default
4179 route. When set to NM_TERNARY_DEFAULT (-1), the value from global
4180 configuration is used. If the property doesn't have a value in the
4181 global configuration, NetworkManager assumes the value to be
4182 NM_TERNARY_FALSE (0).
4183
4184 Format: NMTernary (int32)
4185
4186 priority
4187 The relative priority of this connection to determine the system
4188 hostname. A lower numerical value is better (higher priority). A
4189 connection with higher priority is considered before connections
4190 with lower priority. If the value is zero, it can be overridden by
4191 a global value from NetworkManager configuration. If the property
4192 doesn't have a value in the global configuration, the value is
4193 assumed to be 100. Negative values have the special effect of
4194 excluding other connections with a greater numerical priority
4195 value; so in presence of at least one negative priority, only
4196 connections with the lowest priority value will be used to
4197 determine the hostname.
4198
4199 Format: int32
4200
4201 veth setting
4202 Veth Settings.
4203
4204 Properties:
4205
4206 peer
4207 Alias: peer
4208
4209 This property specifies the peer interface name of the veth. This
4210 property is mandatory.
4211
4212 Format: string
4213
4214 Secret flag types:
4215 Each password or secret property in a setting has an associated flags
4216 property that describes how to handle that secret. The flags property
4217 is a bitfield that contains zero or more of the following values
4218 logically OR-ed together.
4219
4220 • 0x0 (none) - the system is responsible for providing and storing
4221 this secret. This may be required so that secrets are already
4222 available before the user logs in. It also commonly means that the
4223 secret will be stored in plain text on disk, accessible to root
4224 only. For example via the keyfile settings plugin as described in
4225 the "PLUGINS" section in NetworkManager.conf(5).
4226
4227 • 0x1 (agent-owned) - a user-session secret agent is responsible for
4228 providing and storing this secret; when it is required, agents will
4229 be asked to provide it.
4230
4231 • 0x2 (not-saved) - this secret should not be saved but should be
4232 requested from the user each time it is required. This flag should
4233 be used for One-Time-Pad secrets, PIN codes from hardware tokens,
4234 or if the user simply does not want to save the secret.
4235
4236 • 0x4 (not-required) - in some situations it cannot be automatically
4237 determined whether a secret is required or not. This flag hints that
4238 the secret is not required and should not be requested from the
4239 user.
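
A review helper for the 802-11-wireless-security properties and the secret flags listed above, as an added example (not part of NetworkManager). The function names and both sample profiles are constructed, and the choice of which values to report is this example's own review policy.

```python
SECRET_FLAGS = {0x1: "agent-owned", 0x2: "not-saved", 0x4: "not-required"}
LEGACY_KEY_MGMT = {"none": "WEP", "ieee8021x": "Dynamic WEP"}
LEGACY_CIPHERS = {"wep40", "wep104", "tkip"}
SEC = "802-11-wireless-security."

def decode_secret_flags(value):
    """Turn a flags value (int or string such as "0x3") into flag names."""
    value = int(str(value), 0)
    if value & ~0x7:
        raise ValueError(f"undocumented secret flag bits: {value:#x}")
    return [name for bit, name in SECRET_FLAGS.items() if value & bit] or ["none"]

def audit_profile(profile):
    """Return review findings for one profile (dict of property -> value)."""
    def get(prop):
        return str(profile.get(SEC + prop, "")).strip()

    findings = []
    key_mgmt = get("key-mgmt")
    if not key_mgmt:
        findings.append("key-mgmt unset: profile uses no Wi-Fi security")
    elif key_mgmt in LEGACY_KEY_MGMT:
        findings.append(f"key-mgmt={key_mgmt}: {LEGACY_KEY_MGMT[key_mgmt]}")
    if get("auth-alg") == "leap":
        findings.append("auth-alg=leap: legacy LEAP authentication")
    if get("pmf") == "1":
        findings.append("pmf=1: Protected Management Frames disabled")
    for prop in ("group", "pairwise"):
        listed = set(get(prop).replace(",", " ").split())
        legacy = sorted(listed & LEGACY_CIPHERS)
        if legacy:
            findings.append(f"{prop} allows {', '.join(legacy)}")
    # Each secret property and the flags property that governs it.
    secrets_and_flags = {"psk": "psk-flags",
                         "leap-password": "leap-password-flags"}
    secrets_and_flags.update({f"wep-key{i}": "wep-key-flags" for i in range(4)})
    for secret, flags_prop in secrets_and_flags.items():
        if get(secret) and decode_secret_flags(get(flags_prop) or "0") == ["none"]:
            findings.append(f"{secret}: flags 0x0, stored by the system "
                            "(commonly plain text on disk, root only)")
    return findings

# Constructed sample profiles; the key value is a placeholder, not a real key.
LEGACY_PROFILE = {
    SEC + "key-mgmt": "none",
    SEC + "group": "wep40,wep104",
    SEC + "pmf": "1",
    SEC + "wep-key0": "0123456789",
    SEC + "wep-key-flags": "0",
}
STRICT_PROFILE = {
    SEC + "key-mgmt": "sae",
    SEC + "pmf": "3",
    SEC + "pairwise": "ccmp",
    SEC + "psk-flags": "1",   # agent-owned: no psk stored in the profile
}

if __name__ == "__main__":
    for name, prof in (("legacy", LEGACY_PROFILE), ("strict", STRICT_PROFILE)):
        print(name, audit_profile(prof) or "no findings")
```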
4240
4242 /etc/NetworkManager/system-connections or distro plugin-specific
4243 location
4244
4246 nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
4247 nm-settings-keyfile(5), NetworkManager.conf(5)
4248
4249
4250
4251NetworkManager 1.30.4 NM-SETTINGS-NMCLI(5)