1 NM-SETTINGS-NMCLI(5) Configuration NM-SETTINGS-NMCLI(5)
2
3
4
6 nm-settings-nmcli - Description of settings and properties of
7 NetworkManager connection profiles for nmcli
8
10 NetworkManager is based on a concept of connection profiles, sometimes
11 referred to as connections only. These connection profiles contain a
12 network configuration. When NetworkManager activates a connection
13 profile on a network device the configuration will be applied and an
14 active network connection will be established. Users are free to create
15 as many connection profiles as they see fit. Thus they are flexible in
16 having various network configurations for different networking needs.
17
18 NetworkManager provides an API for configuring connection profiles, for
19 activating them to configure the network, and inspecting the current
20 network configuration. The command line tool nmcli is a client
21 application to NetworkManager that uses this API. See nmcli(1) for
22 details.
23
24 With commands like nmcli connection add, nmcli connection modify and
25 nmcli connection show, connection profiles can be created, modified and
26 inspected. A profile consists of properties. On D-Bus this follows the
27 format described by nm-settings-dbus(5), while this manual page
28 describes the settings in the format expected by nmcli.
29
30 The settings and properties shown in tables below list all available
31 connection configuration options. However, note that not all settings
32 are applicable to all connection types. The nmcli connection editor
33 also has a built-in describe command that can display the description of
34 particular settings and properties listed on this page.
35
36 Setting and property names can be abbreviated provided they are unique.
37 The list below also shows aliases that can be used unqualified instead
38 of the full name. For example connection.interface-name and ifname
39 refer to the same property.
40
41 connection setting
42 General Connection Profile Settings.
43
44 Properties:
45
46 auth-retries
47 The number of retries for the authentication. Zero means to try
48 indefinitely; -1 means to use a global default. If the global
49 default is not set, authentication is retried 3 times before
50 failing the connection. Currently, this only applies to 802-1x
51 authentication.
52
53 Format: int32
54
55 autoconnect
56 Alias: autoconnect
57
58 Whether or not the connection should be automatically connected by
59 NetworkManager when the resources for the connection are available.
60 TRUE to automatically activate the connection, FALSE to require
61 manual intervention to activate the connection. Note that
62 autoconnect is not implemented for VPN profiles. See "secondaries"
63 as an alternative to automatically connect VPN profiles.
64
65 Format: boolean
66
67 autoconnect-priority
68 The autoconnect priority. If the connection is set to autoconnect,
69 connections with higher priority will be preferred. Defaults to 0.
70 The higher number means higher priority.
71
72 Format: int32
73
74 autoconnect-retries
75 The number of times a connection should be tried when
76 autoactivating before giving up. Zero means forever, -1 means the
77 global default (4 times if not overridden). Setting this to 1 means
78 to try activation only once before blocking autoconnect. Note that
79 after a timeout, NetworkManager will try to autoconnect again.
80
81 Format: int32
82
83 autoconnect-slaves
84 Whether or not slaves of this connection should be automatically
85 brought up when NetworkManager activates this connection. This only
86 has a real effect for master connections. The properties
87 "autoconnect", "autoconnect-priority" and "autoconnect-retries" are
88 unrelated to this setting. The permitted values are: 0: leave slave
89 connections untouched, 1: activate all the slave connections with
90 this connection, -1: default. If -1 (default) is set, global
91 connection.autoconnect-slaves is read to determine the real value.
92 If it is default as well, this falls back to 0.
93
94 Format: NMSettingConnectionAutoconnectSlaves (int32)
95
96 gateway-ping-timeout
97 If greater than zero, delay success of IP addressing until either
98 the timeout is reached, or an IP gateway replies to a ping.
99
100 Format: uint32
101
102 id
103 Alias: con-name
104
105 A human readable unique identifier for the connection, like "Work
106 Wi-Fi" or "T-Mobile 3G".
107
108 Format: string
109
110 interface-name
111 Alias: ifname
112
113 The name of the network interface this connection is bound to. If
114 not set, then the connection can be attached to any interface of
115 the appropriate type (subject to restrictions imposed by other
116 settings). For software devices this specifies the name of the
117 created device. For connection types where interface names cannot
118 easily be made persistent (e.g. mobile broadband or USB Ethernet),
119 this property should not be used. Setting this property restricts
120 the interfaces a connection can be used with, and if interface
121 names change or are reordered the connection may be applied to the
122 wrong interface.
123
124 Format: string
125
126 lldp
127 Whether LLDP is enabled for the connection.
128
129 Format: int32
130
131 llmnr
132 Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
133 the connection. LLMNR is a protocol based on the Domain Name System
134 (DNS) packet format that allows both IPv4 and IPv6 hosts to perform
135 name resolution for hosts on the same local link. The permitted
136 values are: "yes" (2) register hostname and resolving for the
137 connection, "no" (0) disable LLMNR for the interface, "resolve" (1)
138 do not register hostname but allow resolving of LLMNR host names. If
139 unspecified, "default" ultimately depends on the DNS plugin (which
140 for systemd-resolved currently means "yes"). This feature requires
141 a plugin which supports LLMNR. Otherwise, the setting has no
142 effect. One such plugin is dns-systemd-resolved.
143
144 Format: int32
145
146 master
147 Alias: master
148
149 Interface name of the master device or UUID of the master
150 connection.
151
152 Format: string
153
154 mdns
155 Whether mDNS is enabled for the connection. The permitted values
156 are: "yes" (2) register hostname and resolving for the connection,
157 "no" (0) disable mDNS for the interface, "resolve" (1) do not
158 register hostname but allow resolving of mDNS host names and
159 "default" (-1) to allow lookup of a global default in
160 NetworkManager.conf. If unspecified, "default" ultimately depends
161 on the DNS plugin (which for systemd-resolved currently means
162 "no"). This feature requires a plugin which supports mDNS.
163 Otherwise, the setting has no effect. One such plugin is
164 dns-systemd-resolved.
165
166 Format: int32
167
168 metered
169 Whether the connection is metered. When updating this property on a
170 currently activated connection, the change takes effect
171 immediately.
172
173 Format: NMMetered (int32)
174
175 mud-url
176 If configured, set to a Manufacturer Usage Description (MUD) URL
177 that points to manufacturer-recommended network policies for IoT
178 devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
179 must be a valid URL starting with "https://". The special value
180 "none" is allowed to indicate that no MUD URL is used. If the
181 per-profile value is unspecified (the default), a global connection
182 default gets consulted. If still unspecified, the ultimate default
183 is "none".
184
185 Format: string
186
187 multi-connect
188 Specifies whether the profile can be active multiple times at a
189 particular moment. The value is of type NMConnectionMultiConnect.
190
191 Format: int32
192
193 permissions
194 An array of strings defining what access a given user has to this
195 connection. If this is NULL or empty, all users are allowed to
196 access this connection; otherwise users are allowed if and only if
197 they are in this list. When this is not empty, the connection can
198 be active only when one of the specified users is logged into an
199 active session. Each entry is of the form "[type]:[id]:[reserved]";
200 for example, "user:dcbw:blah". At this time only the "user" [type]
201 is allowed. Any other values are ignored and reserved for future
202 use. [id] is the username that this permission refers to, which may
203 not contain the ":" character. Any [reserved] information present
204 must be ignored and is reserved for future use. All of [type],
205 [id], and [reserved] must be valid UTF-8.
206
207 Format: array of string
208
209 read-only
210 FALSE if the connection can be modified using the provided settings
211 service's D-Bus interface with the right privileges, or TRUE if the
212 connection is read-only and cannot be modified.
213
214 Format: boolean
215
216 secondaries
217 List of connection UUIDs that should be activated when the base
218 connection itself is activated. Currently, only VPN connections are
219 supported.
220
221 Format: array of string
222
223 slave-type
224 Alias: slave-type
225
226 Setting name of the device type of this slave's master connection
227 (eg, "bond"), or NULL if this connection is not a slave.
228
229 Format: string
230
231 stable-id
232 This represents the identity of the connection used for various
233 purposes. It allows configuring multiple profiles to share the
234 identity. Also, the stable-id can contain placeholders that are
235 substituted dynamically and deterministically depending on the
236 context. The stable-id is used for generating IPv6 stable private
237 addresses with ipv6.addr-gen-mode=stable-privacy. It is also used
238 to seed the generated cloned MAC address for
239 ethernet.cloned-mac-address=stable and
240 wifi.cloned-mac-address=stable. It is also used as DHCP client
241 identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
242 DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid]. Note that depending
243 on the context where it is used, other parameters are also seeded
244 into the generation algorithm. For example, a per-host key is
245 commonly also included, so that different systems end up generating
246 different IDs. Or with ipv6.addr-gen-mode=stable-privacy, also the
247 device's name is included, so that different interfaces yield
248 different addresses. The per-host key is the identity of your
249 machine and is stored in /var/lib/NetworkManager/secret-key. The '$'
250 character is treated specially to perform dynamic substitutions at
251 runtime. Currently supported are "${CONNECTION}", "${DEVICE}",
252 "${MAC}", "${BOOT}", "${RANDOM}". These effectively create unique
253 IDs per-connection, per-device, per-boot, or every time. Note that
254 "${DEVICE}" corresponds to the interface name of the device and
255 "${MAC}" is the permanent MAC address of the device. Any
256 unrecognized patterns following '$' are treated verbatim, but
257 are reserved for future use. You are thus advised to avoid '$' or
258 escape it as "$$". For example, set it to
259 "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
260 connection that changes with every reboot and differs depending on
261 the interface where the profile activates. If the value is unset, a
262 global connection default is consulted. If the value is still
263 unset, the default is similar to "${CONNECTION}" and uses a unique,
264 fixed ID for the connection.
265
266 Format: string
267
268 timestamp
269 The time, in seconds since the Unix Epoch, that the connection was
270 last _successfully_ fully activated. NetworkManager updates the
271 connection timestamp periodically when the connection is active to
272 ensure that an active connection has the latest timestamp. The
273 property is only meant for reading (changes to this property will
274 not be preserved).
275
276 Format: uint64
277
278 type
279 Alias: type
280
281 Base type of the connection. For hardware-dependent connections,
282 should contain the setting name of the hardware-type specific
283 setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth",
284 etc), and for non-hardware dependent connections like VPN or
285 otherwise, should contain the setting name of that setting type
286 (ie, "vpn" or "bridge", etc).
287
288 Format: string
289
290 uuid
291 A universally unique identifier for the connection, for example
292 generated with libuuid. It should be assigned when the connection
293 is created, and never changed as long as the connection still
294 applies to the same network. For example, it should not be changed
295 when the "id" property or NMSettingIP4Config changes, but might
296 need to be re-created when the Wi-Fi SSID, mobile broadband network
297 provider, or "type" property changes. The UUID must be in the
298 format "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only
299 hexadecimal characters and "-").
300
301 Format: string
302
303 wait-device-timeout
304 Timeout in milliseconds to wait for device at startup. During boot,
305 devices may take a while to be detected by the driver. This
306 property delays NetworkManager-wait-online.service and
307 nm-online to give the device a chance to appear. This works by
308 waiting for the given timeout until a compatible device for the
309 profile is available and managed. The value 0 means no wait time.
310 The default value is -1, which currently has the same meaning as no
311 wait time.
312
313 Format: int32
314
315 zone
316 The trust level of the connection. Free form case-insensitive
317 string (for example "Home", "Work", "Public"). NULL or unspecified
318 zone means the connection will be placed in the default zone as
319 defined by the firewall. When updating this property on a currently
320 activated connection, the change takes effect immediately.
321
322 Format: string
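
The stable-id placeholder rules described above, as an added example (not NetworkManager code): a Python tokenizer that reports which placeholders a stable-id uses and how the derived identifiers (stable-privacy IPv6 address, stable cloned MAC, stable DHCP client ID) will therefore vary. Function names and the warning codes are assumptions made for illustration; the hashing NetworkManager performs on the expanded value is not reproduced.

```python
import re

# Placeholders listed on the page, mapped to how the derived ID varies.
AXES = (
    ("CONNECTION", "per-connection"),
    ("DEVICE", "per-device"),
    ("MAC", "per-device"),
    ("BOOT", "per-boot"),
    ("RANDOM", "every time"),
)
# "$$" is the escape, "${NAME}" a known placeholder, any other "$" is
# kept verbatim but reserved for future use.
TOKEN = re.compile(r"\$\$|\$\{(" + "|".join(n for n, _ in AXES) + r")\}|\$")


def analyze_stable_id(value):
    """Split a stable-id into placeholders, literal text and reserved '$'."""
    placeholders, reserved, literal, pos = [], [], [], 0
    for m in TOKEN.finditer(value):
        literal.append(value[pos:m.start()])
        if m.group(1):                      # recognised ${NAME}
            if m.group(1) not in placeholders:
                placeholders.append(m.group(1))
        else:                               # "$$" escape or a bare "$"
            literal.append("$")
            if m.group(0) == "$":
                reserved.append(m.start())  # offset of the unescaped '$'
        pos = m.end()
    literal.append(value[pos:])
    return {
        "placeholders": placeholders,
        "literal": "".join(literal),
        "reserved_offsets": reserved,
    }


def variation(value):
    """Return the axes along which IDs derived from this stable-id change."""
    if not value:
        # Unset: the page says the default is similar to "${CONNECTION}".
        return ["per-connection"]
    used = analyze_stable_id(value)["placeholders"]
    result = []
    for name, axis in AXES:
        if name in used and axis not in result:
            result.append(axis)
    return result


def warnings(value):
    """Flag values a privacy or configuration review should look at."""
    found = []
    info = analyze_stable_id(value)
    if info["reserved_offsets"]:
        found.append("reserved-dollar")   # unescaped '$', escape it as "$$"
    if value and not info["placeholders"]:
        found.append("shared-fixed-id")   # same identity for every profile using it
    return found


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("", "${CONNECTION}-${BOOT}-${DEVICE}", "office-lan", "cost$$5-${FOO}"):
        print(repr(sample), variation(sample), warnings(sample))
```
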
323
324 6lowpan setting
325 6LoWPAN Settings.
326
327 Properties:
328
329 parent
330 Alias: dev
331
332 If given, specifies the parent interface name or parent connection
333 UUID from which this 6LowPAN interface should be created.
334
335 Format: string
336
337 802-1x setting
338 IEEE 802.1x Authentication Settings.
339
340 Properties:
341
342 altsubject-matches
343 List of strings to be matched against the altSubjectName of the
344 certificate presented by the authentication server. If the list is
345 empty, no verification of the server certificate's altSubjectName
346 is performed.
347
348 Format: array of string
349
350 anonymous-identity
351 Anonymous identity string for EAP authentication methods. Used as
352 the unencrypted identity with EAP types that support different
353 tunneled identity like EAP-TTLS.
354
355 Format: string
356
357 auth-timeout
358 A timeout for the authentication. Zero means the global default; if
359 the global default is not set, the authentication timeout is 25
360 seconds.
361
362 Format: int32
363
364 ca-cert
365 Contains the CA certificate if used by the EAP method specified in
366 the "eap" property. Certificate data is specified using a "scheme";
367 three are currently supported: blob, path and pkcs#11 URL. When
368 using the blob scheme this property should be set to the
369 certificate's DER encoded data. When using the path scheme, this
370 property should be set to the full UTF-8 encoded path of the
371 certificate, prefixed with the string "file://" and ending with a
372 terminating NUL byte. This property can be unset even if the EAP
373 method supports CA certificates, but this allows man-in-the-middle
374 attacks and is NOT recommended. Note that enabling
375 NMSetting8021x:system-ca-certs will override this setting to use
376 the built-in path, if the built-in path is not a directory.
377
378 Format: byte array
379
380 ca-cert-password
381 The password used to access the CA certificate stored in "ca-cert"
382 property. Only makes sense if the certificate is stored on a
383 PKCS#11 token that requires a login.
384
385 Format: string
386
387 ca-cert-password-flags
388 Flags indicating how to handle the "ca-cert-password" property. See
389 the section called “Secret flag types:” for flag values.
390
391 Format: NMSettingSecretFlags (uint32)
392
393 ca-path
394 UTF-8 encoded path to a directory containing PEM or DER formatted
395 certificates to be added to the verification chain in addition to
396 the certificate specified in the "ca-cert" property. If
397 NMSetting8021x:system-ca-certs is enabled and the built-in CA path
398 is an existing directory, then this setting is ignored.
399
400 Format: string
401
402 client-cert
403 Contains the client certificate if used by the EAP method specified
404 in the "eap" property. Certificate data is specified using a
405 "scheme"; two are currently supported: blob and path. When using
406 the blob scheme (which is backwards compatible with NM 0.7.x) this
407 property should be set to the certificate's DER encoded data. When
408 using the path scheme, this property should be set to the full
409 UTF-8 encoded path of the certificate, prefixed with the string
410 "file://" and ending with a terminating NUL byte.
411
412 Format: byte array
413
414 client-cert-password
415 The password used to access the client certificate stored in
416 "client-cert" property. Only makes sense if the certificate is
417 stored on a PKCS#11 token that requires a login.
418
419 Format: string
420
421 client-cert-password-flags
422 Flags indicating how to handle the "client-cert-password" property.
423 See the section called “Secret flag types:” for flag values.
424
425 Format: NMSettingSecretFlags (uint32)
426
427 domain-match
428 Constraint for server domain name. If set, this list of FQDNs is
429 used as a match requirement for dNSName element(s) of the
430 certificate presented by the authentication server. If a matching
431 dNSName is found, this constraint is met. If no dNSName values are
432 present, this constraint is matched against SubjectName CN using
433 the same comparison. Multiple valid FQDNs can be passed as a ";"
434 delimited list.
435
436 Format: string
437
438 domain-suffix-match
439 Constraint for server domain name. If set, this FQDN is used as a
440 suffix match requirement for dNSName element(s) of the certificate
441 presented by the authentication server. If a matching dNSName is
442 found, this constraint is met. If no dNSName values are present,
443 this constraint is matched against SubjectName CN using the same suffix
444 match comparison. Since version 1.24, multiple valid FQDNs can be
445 passed as a ";" delimited list.
446
447 Format: string
448
449 eap
450 The allowed EAP method to be used when authenticating to the
451 network with 802.1x. Valid methods are: "leap", "md5", "tls",
452 "peap", "ttls", "pwd", and "fast". Each method requires different
453 configuration using the properties of this setting; refer to
454 wpa_supplicant documentation for the allowed combinations.
455
456 Format: array of string
457
458 identity
459 Identity string for EAP authentication methods. Often the user's
460 user or login name.
461
462 Format: string
463
464 optional
465 Whether the 802.1X authentication is optional. If TRUE, the
466 activation will continue even after a timeout or an authentication
467 failure. Setting the property to TRUE is currently allowed only for
468 Ethernet connections. If set to FALSE, the activation can continue
469 only after a successful authentication.
470
471 Format: boolean
472
473 pac-file
474 UTF-8 encoded file path containing PAC for EAP-FAST.
475
476 Format: string
477
478 password
479 UTF-8 encoded password used for EAP authentication methods. If both
480 the "password" property and the "password-raw" property are
481 specified, "password" is preferred.
482
483 Format: string
484
485 password-flags
486 Flags indicating how to handle the "password" property. See the
487 section called “Secret flag types:” for flag values.
488
489 Format: NMSettingSecretFlags (uint32)
490
491 password-raw
492 Password used for EAP authentication methods, given as a byte array
493 to allow passwords in other encodings than UTF-8 to be used. If
494 both the "password" property and the "password-raw" property are
495 specified, "password" is preferred.
496
497 Format: byte array
498
499 password-raw-flags
500 Flags indicating how to handle the "password-raw" property. See the
501 section called “Secret flag types:” for flag values.
502
503 Format: NMSettingSecretFlags (uint32)
504
505 phase1-auth-flags
506 Specifies authentication flags to use in "phase 1" outer
507 authentication using NMSetting8021xAuthFlags options. The
508 individual TLS versions can be explicitly disabled. If a certain
509 TLS disable flag is not set, it is up to the supplicant to allow or
510 forbid it. The TLS options map to tls_disable_tlsv1_x settings. See
511 the wpa_supplicant documentation for more details.
512
513 Format: uint32
514
515 phase1-fast-provisioning
516 Enables or disables in-line provisioning of EAP-FAST credentials
517 when FAST is specified as the EAP method in the "eap" property.
518 Recognized values are "0" (disabled), "1" (allow unauthenticated
519 provisioning), "2" (allow authenticated provisioning), and "3"
520 (allow both authenticated and unauthenticated provisioning). See
521 the wpa_supplicant documentation for more details.
522
523 Format: string
524
525 phase1-peaplabel
526 Forces use of the new PEAP label during key derivation. Some RADIUS
527 servers may require forcing the new PEAP label to interoperate with
528 PEAPv1. Set to "1" to force use of the new PEAP label. See the
529 wpa_supplicant documentation for more details.
530
531 Format: string
532
533 phase1-peapver
534 Forces which PEAP version is used when PEAP is set as the EAP
535 method in the "eap" property. When unset, the version reported by
536 the server will be used. Sometimes when using older RADIUS servers,
537 it is necessary to force the client to use a particular PEAP
538 version. To do so, this property may be set to "0" or "1" to force
539 that specific PEAP version.
540
541 Format: string
542
543 phase2-altsubject-matches
544 List of strings to be matched against the altSubjectName of the
545 certificate presented by the authentication server during the inner
546 "phase 2" authentication. If the list is empty, no verification of
547 the server certificate's altSubjectName is performed.
548
549 Format: array of string
550
551 phase2-auth
552 Specifies the allowed "phase 2" inner authentication method when an
553 EAP method that uses an inner TLS tunnel is specified in the "eap"
554 property. For TTLS this property selects one of the supported
555 non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while
556 "phase2-autheap" selects an EAP inner method. For PEAP this selects
557 an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each
558 "phase 2" inner method requires specific parameters for successful
559 authentication; see the wpa_supplicant documentation for more
560 details. Both "phase2-auth" and "phase2-autheap" cannot be
561 specified.
562
563 Format: string
564
565 phase2-autheap
566 Specifies the allowed "phase 2" inner EAP-based authentication
567 method when TTLS is specified in the "eap" property. Recognized
568 EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc",
569 and "tls". Each "phase 2" inner method requires specific parameters
570 for successful authentication; see the wpa_supplicant documentation
571 for more details.
572
573 Format: string
574
575 phase2-ca-cert
576 Contains the "phase 2" CA certificate if used by the EAP method
577 specified in the "phase2-auth" or "phase2-autheap" properties.
578 Certificate data is specified using a "scheme"; three are currently
579 supported: blob, path and pkcs#11 URL. When using the blob scheme
580 this property should be set to the certificate's DER encoded data.
581 When using the path scheme, this property should be set to the full
582 UTF-8 encoded path of the certificate, prefixed with the string
583 "file://" and ending with a terminating NUL byte. This property can
584 be unset even if the EAP method supports CA certificates, but this
585 allows man-in-the-middle attacks and is NOT recommended. Note that
586 enabling NMSetting8021x:system-ca-certs will override this setting
587 to use the built-in path, if the built-in path is not a directory.
588
589 Format: byte array
590
591 phase2-ca-cert-password
592 The password used to access the "phase2" CA certificate stored in
593 "phase2-ca-cert" property. Only makes sense if the certificate is
594 stored on a PKCS#11 token that requires a login.
595
596 Format: string
597
598 phase2-ca-cert-password-flags
599 Flags indicating how to handle the "phase2-ca-cert-password"
600 property. See the section called “Secret flag types:” for flag
601 values.
602
603 Format: NMSettingSecretFlags (uint32)
604
605 phase2-ca-path
606 UTF-8 encoded path to a directory containing PEM or DER formatted
607 certificates to be added to the verification chain in addition to
608 the certificate specified in the "phase2-ca-cert" property. If
609 NMSetting8021x:system-ca-certs is enabled and the built-in CA path
610 is an existing directory, then this setting is ignored.
611
612 Format: string
613
614 phase2-client-cert
615 Contains the "phase 2" client certificate if used by the EAP method
616 specified in the "phase2-auth" or "phase2-autheap" properties.
617 Certificate data is specified using a "scheme"; two are currently
618 supported: blob and path. When using the blob scheme (which is
619 backwards compatible with NM 0.7.x) this property should be set to
620 the certificate's DER encoded data. When using the path scheme,
621 this property should be set to the full UTF-8 encoded path of the
622 certificate, prefixed with the string "file://" and ending with a
623 terminating NUL byte. This property can be unset even if the EAP
624 method supports CA certificates, but this allows man-in-the-middle
625 attacks and is NOT recommended.
626
627 Format: byte array
628
629 phase2-client-cert-password
630 The password used to access the "phase2" client certificate stored
631 in "phase2-client-cert" property. Only makes sense if the
632 certificate is stored on a PKCS#11 token that requires a login.
633
634 Format: string
635
636 phase2-client-cert-password-flags
637 Flags indicating how to handle the "phase2-client-cert-password"
638 property. See the section called “Secret flag types:” for flag
639 values.
640
641 Format: NMSettingSecretFlags (uint32)
642
643 phase2-domain-match
644 Constraint for server domain name. If set, this list of FQDNs is
645 used as a match requirement for dNSName element(s) of the
646 certificate presented by the authentication server during the inner
647 "phase 2" authentication. If a matching dNSName is found, this
648 constraint is met. If no dNSName values are present, this
649 constraint is matched against SubjectName CN using the same
650 comparison. Multiple valid FQDNs can be passed as a ";" delimited
651 list.
652
653 Format: string
654
655 phase2-domain-suffix-match
656 Constraint for server domain name. If set, this FQDN is used as a
657 suffix match requirement for dNSName element(s) of the certificate
658 presented by the authentication server during the inner "phase 2"
659 authentication. If a matching dNSName is found, this constraint is
660 met. If no dNSName values are present, this constraint is matched
661 against SubjectName CN using the same suffix match comparison. Since
662 version 1.24, multiple valid FQDNs can be passed as a ";" delimited
663 list.
664
665 Format: string
666
667 phase2-private-key
668 Contains the "phase 2" inner private key when the "phase2-auth" or
669 "phase2-autheap" property is set to "tls". Key data is specified
670 using a "scheme"; two are currently supported: blob and path. When
671 using the blob scheme and private keys, this property should be set
672 to the key's encrypted PEM encoded data. When using private keys
673 with the path scheme, this property should be set to the full UTF-8
674 encoded path of the key, prefixed with the string "file://" and
675 ending with a terminating NUL byte. When using PKCS#12 format
676 private keys and the blob scheme, this property should be set to
677 the PKCS#12 data and the "phase2-private-key-password" property
678 must be set to the password used to decrypt the PKCS#12 certificate and
679 key. When using PKCS#12 files and the path scheme, this property
680 should be set to the full UTF-8 encoded path of the key, prefixed
681 with the string "file://" and ending with a terminating NUL byte,
682 and as with the blob scheme the "phase2-private-key-password"
683 property must be set to the password used to decode the PKCS#12
684 private key and certificate.
685
686 Format: byte array
687
688 phase2-private-key-password
689 The password used to decrypt the "phase 2" private key specified in
690 the "phase2-private-key" property when the private key either uses
691 the path scheme, or is a PKCS#12 format key.
692
693 Format: string
694
695 phase2-private-key-password-flags
696 Flags indicating how to handle the "phase2-private-key-password"
697 property. See the section called “Secret flag types:” for flag
698 values.
699
700 Format: NMSettingSecretFlags (uint32)
701
702 phase2-subject-match
703 Substring to be matched against the subject of the certificate
704 presented by the authentication server during the inner "phase 2"
705 authentication. When unset, no verification of the authentication
706 server certificate's subject is performed. This property provides
707 little security, if any, and its use is deprecated in favor of
708 NMSetting8021x:phase2-domain-suffix-match.
709
710 Format: string
711
712 pin
713 PIN used for EAP authentication methods.
714
715 Format: string
716
717 pin-flags
718 Flags indicating how to handle the "pin" property. See the section
719 called “Secret flag types:” for flag values.
720
721 Format: NMSettingSecretFlags (uint32)
722
723 private-key
724 Contains the private key when the "eap" property is set to "tls".
725 Key data is specified using a "scheme"; two are currently
726 supported: blob and path. When using the blob scheme and private
727 keys, this property should be set to the key's encrypted PEM
728 encoded data. When using private keys with the path scheme, this
729 property should be set to the full UTF-8 encoded path of the key,
730 prefixed with the string "file://" and ending with a terminating
731 NUL byte. When using PKCS#12 format private keys and the blob
732 scheme, this property should be set to the PKCS#12 data and the
733 "private-key-password" property must be set to the password used to
734 decrypt the PKCS#12 certificate and key. When using PKCS#12 files
735 and the path scheme, this property should be set to the full UTF-8
736 encoded path of the key, prefixed with the string "file://" and
737 ending with a terminating NUL byte, and as with the blob scheme the
738 "private-key-password" property must be set to the password used to
739 decode the PKCS#12 private key and certificate. WARNING:
740 "private-key" is not a "secret" property, and thus unencrypted
741 private key data using the BLOB scheme may be readable by
742 unprivileged users. Private keys should always be encrypted with a
743 private key password to prevent unauthorized access to unencrypted
744 private key data.
745
746 Format: byte array
747
748 private-key-password
749 The password used to decrypt the private key specified in the
750 "private-key" property when the private key either uses the path
751 scheme, or if the private key is a PKCS#12 format key.
752
753 Format: string
754
755 private-key-password-flags
756 Flags indicating how to handle the "private-key-password" property.
757 See the section called “Secret flag types:” for flag values.
758
759 Format: NMSettingSecretFlags (uint32)
760
761 subject-match
762 Substring to be matched against the subject of the certificate
763 presented by the authentication server. When unset, no verification
764 of the authentication server certificate's subject is performed.
765 This property provides little security, if any, and its use is
766 deprecated in favor of NMSetting8021x:domain-suffix-match.
767
768 Format: string
769
770 system-ca-certs
771 When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
772 using the system CA directory specified at configure time with the
773 --system-ca-path switch. The certificates in this directory are
774 added to the verification chain in addition to any certificates
775 specified by the "ca-cert" and "phase2-ca-cert" properties. If the
776 path provided with --system-ca-path is rather a file name (bundle
777 of trusted CA certificates), it overrides "ca-cert" and
778 "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
779 for wpa_supplicant).
780
781 Format: boolean
782
783 adsl setting
784 ADSL Settings.
785
786 Properties:
787
788 encapsulation
789 Alias: encapsulation
790
791 Encapsulation of ADSL connection. Can be "vcmux" or "llc".
792
793 Format: string
794
795 password
796 Alias: password
797
798 Password used to authenticate with the ADSL service.
799
800 Format: string
801
802 password-flags
803 Flags indicating how to handle the "password" property. See the
804 section called “Secret flag types:” for flag values.
805
806 Format: NMSettingSecretFlags (uint32)
807
808 protocol
809 Alias: protocol
810
811 ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
812
813 Format: string
814
815 username
816 Alias: username
817
818 Username used to authenticate with the ADSL service.
819
820 Format: string
821
822 vci
823 VCI of ADSL connection.
824
825 Format: uint32
826
827 vpi
828 VPI of ADSL connection.
829
830 Format: uint32
831
832 bluetooth setting
833 Bluetooth Settings.
834
835 Properties:
836
837 bdaddr
838 Alias: addr
839
840 The Bluetooth address of the device.
841
842 Format: byte array
843
844 type
845 Alias: bt-type
846
847 Either "dun" for Dial-Up Networking connections or "panu" for
848 Personal Area Networking connections to devices supporting the NAP
849 profile.
850
851 Format: string
852
853 bond setting
854 Bonding Settings.
855
856 Properties:
857
858 options
859 Dictionary of key/value pairs of bonding options. Both keys and
860 values must be strings. Option names must contain only alphanumeric
861 characters (i.e., [a-zA-Z0-9]).
862
863 Format: dict of string to string
864
865 bridge setting
866 Bridging Settings.
867
868 Properties:
869
870 ageing-time
871 Alias: ageing-time
872
873 The Ethernet MAC address aging time, in seconds.
874
875 Format: uint32
876
877 forward-delay
878 Alias: forward-delay
879
880 The Spanning Tree Protocol (STP) forwarding delay, in seconds.
881
882 Format: uint32
883
884 group-address
885 If specified, the MAC address of the multicast group this bridge
886 uses for STP. The address must be a link-local address in standard
887 Ethernet MAC address format, i.e. an address of the form
888 01:80:C2:00:00:0X, with X in [0, 4..F]. If not specified the
889 default value is 01:80:C2:00:00:00.
890
891 Format: byte array
892
893 group-forward-mask
894 Alias: group-forward-mask
895
896 A mask of group addresses to forward. Usually, group addresses in
897 the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
898 forwarded according to standards. This property is a mask of 16
899 bits, each corresponding to a group address in that range that must
900 be forwarded. The mask can't have bits 0, 1 or 2 set because they
901 are used for STP, MAC pause frames and LACP.
902
903 Format: uint32
904
905 hello-time
906 Alias: hello-time
907
908 The Spanning Tree Protocol (STP) hello time, in seconds.
909
910 Format: uint32
911
912 mac-address
913 Alias: mac
914
915 If specified, the MAC address of bridge. When creating a new
916 bridge, this MAC address will be set. If this field is left
917 unspecified, the "ethernet.cloned-mac-address" is referred instead
918 to generate the initial MAC address. Note that setting
919 "ethernet.cloned-mac-address" anyway overwrites the MAC address of
920 the bridge later while activating the bridge. Hence, this property
921 is deprecated. Deprecated: 1
922
923 Format: byte array
924
925 max-age
926 Alias: max-age
927
928 The Spanning Tree Protocol (STP) maximum message age, in seconds.
929
930 Format: uint32
931
932 multicast-hash-max
933 Set maximum size of multicast hash table (value must be a power of
934 2).
935
936 Format: uint32
937
938 multicast-last-member-count
939 Set the number of queries the bridge will send before stopping
940 forwarding a multicast group after a "leave" message has been
941 received.
942
943 Format: uint32
944
945 multicast-last-member-interval
946 Set interval (in deciseconds) between queries to find remaining
947 members of a group, after a "leave" message is received.
948
949 Format: uint64
950
951 multicast-membership-interval
952 Set delay (in deciseconds) after which the bridge will leave a
953 group, if no membership reports for this group are received.
954
955 Format: uint64
956
957 multicast-querier
958 Enable or disable sending of multicast queries by the bridge. If
959 not specified the option is disabled.
960
961 Format: boolean
962
963 multicast-querier-interval
964 If no queries are seen after this delay (in deciseconds) has
965 passed, the bridge will start to send its own queries.
966
967 Format: uint64
968
969 multicast-query-interval
970 Interval (in deciseconds) between queries sent by the bridge after
971 the end of the startup phase.
972
973 Format: uint64
974
975 multicast-query-response-interval
976 Set the Max Response Time/Max Response Delay (in deciseconds) for
977 IGMP/MLD queries sent by the bridge.
978
979 Format: uint64
980
981 multicast-query-use-ifaddr
982 If enabled, the bridge's own IP address is used as the source
983 address for IGMP queries; otherwise the default of 0.0.0.0 is used.
984
985 Format: boolean
986
987 multicast-router
988 Sets bridge's multicast router. Multicast-snooping must be enabled
989 for this option to work. Supported values are: 'auto', 'disabled',
990 'enabled' to which kernel assigns the numbers 1, 0, and 2,
991 respectively. If not specified the default value is 'auto' (1).
992
993 Format: string
994
995 multicast-snooping
996 Alias: multicast-snooping
997
998 Controls whether IGMP snooping is enabled for this bridge. Note
999 that if snooping was automatically disabled due to hash collisions,
1000 the system may refuse to enable the feature until the collisions
1001 are resolved.
1002
1003 Format: boolean
1004
1005 multicast-startup-query-count
1006 Set the number of IGMP queries to send during startup phase.
1007
1008 Format: uint32
1009
1010 multicast-startup-query-interval
1011 Sets the time (in deciseconds) between queries sent out at startup
1012 to determine membership information.
1013
1014 Format: uint64
1015
1016 priority
1017 Alias: priority
1018
1019 Sets the Spanning Tree Protocol (STP) priority for this bridge.
1020 Lower values are "better"; the lowest priority bridge will be
1021 elected the root bridge.
1022
1023 Format: uint32
1024
1025 stp
1026 Alias: stp
1027
1028 Controls whether Spanning Tree Protocol (STP) is enabled for this
1029 bridge.
1030
1031 Format: boolean
1032
1033 vlan-default-pvid
1034 The default PVID for the ports of the bridge, that is the VLAN id
1035 assigned to incoming untagged frames.
1036
1037 Format: uint32
1038
1039 vlan-filtering
1040 Control whether VLAN filtering is enabled on the bridge.
1041
1042 Format: boolean
1043
1044 vlan-protocol
1045 If specified, the protocol used for VLAN filtering. Supported
1046 values are: '802.1Q', '802.1ad'. If not specified the default value
1047 is '802.1Q'.
1048
1049 Format: string
1050
1051 vlan-stats-enabled
1052 Controls whether per-VLAN stats accounting is enabled.
1053
1054 Format: boolean
1055
1056 vlans
1057 Array of bridge VLAN objects. In addition to the VLANs specified
1058 here, the bridge will also have the default-pvid VLAN configured by
1059 the bridge.vlan-default-pvid property. In nmcli the VLAN list can
1060 be specified with the following syntax: $vid [pvid] [untagged] [,
1061 $vid [pvid] [untagged]]... where $vid is either a single id between
1062 1 and 4094 or a range, represented as a couple of ids separated by
1063 a dash.
1064
1065 Format: array of vardict
1066
1067 bridge-port setting
1068 Bridge Port Settings.
1069
1070 Properties:
1071
1072 hairpin-mode
1073 Alias: hairpin
1074
1075 Enables or disables "hairpin mode" for the port, which allows
1076 frames to be sent back out through the port the frame was received
1077 on.
1078
1079 Format: boolean
1080
1081 path-cost
1082 Alias: path-cost
1083
1084 The Spanning Tree Protocol (STP) port cost for destinations via
1085 this port.
1086
1087 Format: uint32
1088
1089 priority
1090 Alias: priority
1091
1092 The Spanning Tree Protocol (STP) priority of this bridge port.
1093
1094 Format: uint32
1095
1096 vlans
1097 Array of bridge VLAN objects. In addition to the VLANs specified
1098 here, the port will also have the default-pvid VLAN configured on
1099 the bridge by the bridge.vlan-default-pvid property. In nmcli the
1100 VLAN list can be specified with the following syntax: $vid [pvid]
1101 [untagged] [, $vid [pvid] [untagged]]... where $vid is either a
1102 single id between 1 and 4094 or a range, represented as a couple of
1103 ids separated by a dash.
1104
1105 Format: array of vardict
1106
1107 cdma setting
1108 CDMA-based Mobile Broadband Settings.
1109
1110 Properties:
1111
1112 mtu
1113 If non-zero, only transmit packets of the specified size or
1114 smaller, breaking larger packets up into multiple frames.
1115
1116 Format: uint32
1117
1118 number
1119 The number to dial to establish the connection to the CDMA-based
1120 mobile broadband network, if any. If not specified, the default
1121 number (#777) is used when required.
1122
1123 Format: string
1124
1125 password
1126 Alias: password
1127
1128 The password used to authenticate with the network, if required.
1129 Many providers do not require a password, or accept any password.
1130 But if a password is required, it is specified here.
1131
1132 Format: string
1133
1134 password-flags
1135 Flags indicating how to handle the "password" property. See the
1136 section called “Secret flag types:” for flag values.
1137
1138 Format: NMSettingSecretFlags (uint32)
1139
1140 username
1141 Alias: user
1142
1143 The username used to authenticate with the network, if required.
1144 Many providers do not require a username, or accept any username.
1145 But if a username is required, it is specified here.
1146
1147 Format: string
1148
1149 dcb setting
1150 Data Center Bridging Settings.
1151
1152 Properties:
1153
1154 app-fcoe-flags
1155 Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1156 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1157 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1158 NM_SETTING_DCB_FLAG_WILLING (0x4).
1159
1160 Format: NMSettingDcbFlags (uint32)
1161
1162 app-fcoe-mode
1163 The FCoE controller mode; either "fabric" (default) or "vn2vn".
1164
1165 Format: string
1166
1167 app-fcoe-priority
1168 The highest User Priority (0 - 7) which FCoE frames should use, or
1169 -1 for default priority. Only used when the "app-fcoe-flags"
1170 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1171
1172 Format: int32
1173
1174 app-fip-flags
1175 Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1176 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1177 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1178 NM_SETTING_DCB_FLAG_WILLING (0x4).
1179
1180 Format: NMSettingDcbFlags (uint32)
1181
1182 app-fip-priority
1183 The highest User Priority (0 - 7) which FIP frames should use, or
1184 -1 for default priority. Only used when the "app-fip-flags"
1185 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1186
1187 Format: int32
1188
1189 app-iscsi-flags
1190 Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1191 Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1192 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1193 NM_SETTING_DCB_FLAG_WILLING (0x4).
1194
1195 Format: NMSettingDcbFlags (uint32)
1196
1197 app-iscsi-priority
1198 The highest User Priority (0 - 7) which iSCSI frames should use, or
1199 -1 for default priority. Only used when the "app-iscsi-flags"
1200 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1201
1202 Format: int32
1203
1204 priority-bandwidth
1205 An array of 8 uint values, where the array index corresponds to the
1206 User Priority (0 - 7) and the value indicates the percentage of
1207 bandwidth of the priority's assigned group that the priority may
1208 use. The sum of all percentages for priorities which belong to the
1209 same group must total 100 percent.
1210
1211 Format: array of uint32
1212
1213 priority-flow-control
1214 An array of 8 boolean values, where the array index corresponds to
1215 the User Priority (0 - 7) and the value indicates whether or not
1216 the corresponding priority should transmit priority pause.
1217
1218 Format: array of uint32
1219
1220 priority-flow-control-flags
1221 Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1222 (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1223 (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1224 NM_SETTING_DCB_FLAG_WILLING (0x4).
1225
1226 Format: NMSettingDcbFlags (uint32)
1227
1228 priority-group-bandwidth
1229 An array of 8 uint values, where the array index corresponds to the
1230 Priority Group ID (0 - 7) and the value indicates the percentage of
1231 link bandwidth allocated to that group. Allowed values are 0 - 100,
1232 and the sum of all values must total 100 percent.
1233
1234 Format: array of uint32
1235
1236 priority-group-flags
1237 Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1238 be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1239 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1240 NM_SETTING_DCB_FLAG_WILLING (0x4).
1241
1242 Format: NMSettingDcbFlags (uint32)
1243
1244 priority-group-id
1245 An array of 8 uint values, where the array index corresponds to the
1246 User Priority (0 - 7) and the value indicates the Priority Group
1247 ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1248 unrestricted group.
1249
1250 Format: array of uint32
1251
1252 priority-strict-bandwidth
1253 An array of 8 boolean values, where the array index corresponds to
1254 the User Priority (0 - 7) and the value indicates whether or not
1255 the priority may use all of the bandwidth allocated to its assigned
1256 group.
1257
1258 Format: array of uint32
1259
1260 priority-traffic-class
1261 An array of 8 uint values, where the array index corresponds to the
1262 User Priority (0 - 7) and the value indicates the traffic class (0
1263 - 7) to which the priority is mapped.
1264
1265 Format: array of uint32
1266
1267 ethtool setting
1268 Ethtool Ethernet Settings.
1269
1270 Properties:
1271
1272 coalesce-adaptive-rx
1273
1274 coalesce-adaptive-tx
1275
1276 coalesce-pkt-rate-high
1277
1278 coalesce-pkt-rate-low
1279
1280 coalesce-rx-frames
1281
1282 coalesce-rx-frames-high
1283
1284 coalesce-rx-frames-irq
1285
1286 coalesce-rx-frames-low
1287
1288 coalesce-rx-usecs
1289
1290 coalesce-rx-usecs-high
1291
1292 coalesce-rx-usecs-irq
1293
1294 coalesce-rx-usecs-low
1295
1296 coalesce-sample-interval
1297
1298 coalesce-stats-block-usecs
1299
1300 coalesce-tx-frames
1301
1302 coalesce-tx-frames-high
1303
1304 coalesce-tx-frames-irq
1305
1306 coalesce-tx-frames-low
1307
1308 coalesce-tx-usecs
1309
1310 coalesce-tx-usecs-high
1311
1312 coalesce-tx-usecs-irq
1313
1314 coalesce-tx-usecs-low
1315
1316 feature-esp-hw-offload
1317
1318 feature-esp-tx-csum-hw-offload
1319
1320 feature-fcoe-mtu
1321
1322 feature-gro
1323
1324 feature-gso
1325
1326 feature-highdma
1327
1328 feature-hw-tc-offload
1329
1330 feature-l2-fwd-offload
1331
1332 feature-loopback
1333
1334 feature-lro
1335
1336 feature-macsec-hw-offload
1337
1338 feature-ntuple
1339
1340 feature-rx
1341
1342 feature-rx-all
1343
1344 feature-rx-fcs
1345
1346 feature-rx-gro-hw
1347
1348 feature-rx-gro-list
1349
1350 feature-rx-udp-gro-forwarding
1351
1352 feature-rx-udp_tunnel-port-offload
1353
1354 feature-rx-vlan-filter
1355
1356 feature-rx-vlan-stag-filter
1357
1358 feature-rx-vlan-stag-hw-parse
1359
1360 feature-rxhash
1361
1362 feature-rxvlan
1363
1364 feature-sg
1365
1366 feature-tls-hw-record
1367
1368 feature-tls-hw-rx-offload
1369
1370 feature-tls-hw-tx-offload
1371
1372 feature-tso
1373
1374 feature-tx
1375
1376 feature-tx-checksum-fcoe-crc
1377
1378 feature-tx-checksum-ip-generic
1379
1380 feature-tx-checksum-ipv4
1381
1382 feature-tx-checksum-ipv6
1383
1384 feature-tx-checksum-sctp
1385
1386 feature-tx-esp-segmentation
1387
1388 feature-tx-fcoe-segmentation
1389
1390 feature-tx-gre-csum-segmentation
1391
1392 feature-tx-gre-segmentation
1393
1394 feature-tx-gso-list
1395
1396 feature-tx-gso-partial
1397
1398 feature-tx-gso-robust
1399
1400 feature-tx-ipxip4-segmentation
1401
1402 feature-tx-ipxip6-segmentation
1403
1404 feature-tx-nocache-copy
1405
1406 feature-tx-scatter-gather
1407
1408 feature-tx-scatter-gather-fraglist
1409
1410 feature-tx-sctp-segmentation
1411
1412 feature-tx-tcp-ecn-segmentation
1413
1414 feature-tx-tcp-mangleid-segmentation
1415
1416 feature-tx-tcp-segmentation
1417
1418 feature-tx-tcp6-segmentation
1419
1420 feature-tx-tunnel-remcsum-segmentation
1421
1422 feature-tx-udp-segmentation
1423
1424 feature-tx-udp_tnl-csum-segmentation
1425
1426 feature-tx-udp_tnl-segmentation
1427
1428 feature-tx-vlan-stag-hw-insert
1429
1430 feature-txvlan
1431
1432 pause-autoneg
1433 Whether to automatically negotiate on pause frame of flow control
1434 mechanism defined by IEEE 802.3x standard.
1435
1436 pause-rx
1437 Whether RX pause should be enabled. Only valid when automatic
1438 negotiation is disabled.
1439
1440 pause-tx
1441 Whether TX pause should be enabled. Only valid when automatic
1442 negotiation is disabled.
1443
1444 ring-rx
1445
1446 ring-rx-jumbo
1447
1448 ring-rx-mini
1449
1450 ring-tx
1451
1452 gsm setting
1453 GSM-based Mobile Broadband Settings.
1454
1455 Properties:
1456
1457 apn
1458 Alias: apn
1459
1460 The GPRS Access Point Name specifying the APN used when
1461 establishing a data session with the GSM-based network. The APN
1462 often determines how the user will be billed for their network
1463 usage and whether the user has access to the Internet or just a
1464 provider-specific walled-garden, so it is important to use the
1465 correct APN for the user's mobile broadband plan. The APN may only
1466 be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1467 Section 14.9.
1468
1469 Format: string
1470
1471 auto-config
1472 When TRUE, the settings such as APN, username, or password will
1473 default to values that match the network the modem will register to
1474 in the Mobile Broadband Provider database.
1475
1476 Format: boolean
1477
1478 device-id
1479 The device unique identifier (as given by the WWAN management
1480 service) which this connection applies to. If given, the connection
1481 will only apply to the specified device.
1482
1483 Format: string
1484
1485 home-only
1486 When TRUE, only connections to the home network will be allowed.
1487 Connections to roaming networks will not be made.
1488
1489 Format: boolean
1490
1491 mtu
1492 If non-zero, only transmit packets of the specified size or
1493 smaller, breaking larger packets up into multiple frames.
1494
1495 Format: uint32
1496
1497 network-id
1498 The Network ID (GSM LAI format, i.e. MCC-MNC) to force specific
1499 network registration. If the Network ID is specified,
1500 NetworkManager will attempt to force the device to register only on
1501 the specified network. This can be used to ensure that the device
1502 does not roam when direct roaming control of the device is not
1503 otherwise possible.
1504
1505 Format: string
1506
1507 number
1508 Legacy setting that used to help establishing PPP data sessions for
1509 GSM-based modems. Deprecated: 1
1510
1511 Format: string
1512
1513 password
1514 Alias: password
1515
1516 The password used to authenticate with the network, if required.
1517 Many providers do not require a password, or accept any password.
1518 But if a password is required, it is specified here.
1519
1520 Format: string
1521
1522 password-flags
1523 Flags indicating how to handle the "password" property. See the
1524 section called “Secret flag types:” for flag values.
1525
1526 Format: NMSettingSecretFlags (uint32)
1527
1528 pin
1529 If the SIM is locked with a PIN it must be unlocked before any
1530 other operations are requested. Specify the PIN here to allow
1531 operation of the device.
1532
1533 Format: string
1534
1535 pin-flags
1536 Flags indicating how to handle the "pin" property. See the section
1537 called “Secret flag types:” for flag values.
1538
1539 Format: NMSettingSecretFlags (uint32)
1540
1541 sim-id
1542 The SIM card unique identifier (as given by the WWAN management
1543 service) which this connection applies to. If given, the connection
1544 will apply to any device also allowed by "device-id" which contains
1545 a SIM card matching the given identifier.
1546
1547 Format: string
1548
1549 sim-operator-id
1550 A MCC/MNC string like "310260" or "21601" identifying the specific
1551 mobile network operator which this connection applies to. If given,
1552 the connection will apply to any device also allowed by "device-id"
1553 and "sim-id" which contains a SIM card provisioned by the given
1554 operator.
1555
1556 Format: string
1557
1558 username
1559 Alias: user
1560
1561 The username used to authenticate with the network, if required.
1562 Many providers do not require a username, or accept any username.
1563 But if a username is required, it is specified here.
1564
1565 Format: string
1566
1567 infiniband setting
1568 Infiniband Settings.
1569
1570 Properties:
1571
1572 mac-address
1573 Alias: mac
1574
1575 If specified, this connection will only apply to the IPoIB device
1576 whose permanent MAC address matches. This property does not change
1577 the MAC address of the device (i.e. MAC spoofing).
1578
1579 Format: byte array
1580
1581 mtu
1582 Alias: mtu
1583
1584 If non-zero, only transmit packets of the specified size or
1585 smaller, breaking larger packets up into multiple frames.
1586
1587 Format: uint32
1588
1589 p-key
1590 Alias: p-key
1591
1592 The InfiniBand P_Key to use for this device. A value of -1 means to
1593 use the default P_Key (aka "the P_Key at index 0"). Otherwise, it
1594 is a 16-bit unsigned integer, whose high bit is set if it is a
1595 "full membership" P_Key.
1596
1597 Format: int32
1598
1599 parent
1600 Alias: parent
1601
1602 The interface name of the parent device of this device. Normally
1603 NULL, but if the "p_key" property is set, then you must specify the
1604 base device by setting either this property or "mac-address".
1605
1606 Format: string
1607
1608 transport-mode
1609 Alias: transport-mode
1610
1611 The IP-over-InfiniBand transport mode. Either "datagram" or
1612 "connected".
1613
1614 Format: string
1615
1616 ipv4 setting
1617 IPv4 Settings.
1618
1619 Properties:
1620
1621 addresses
1622 Alias: ip4
1623
1624 A list of IPv4 addresses and their prefix length. Multiple
1625 addresses can be separated by comma. For example "192.168.1.5/24,
1626 10.1.0.5/24". The addresses are listed in decreasing priority,
1627 meaning the first address will be the primary address.
1628
1629 Format: a comma separated list of addresses
1630
1631 dad-timeout
1632 Timeout in milliseconds used to check for the presence of duplicate
1633 IP addresses on the network. If an address conflict is detected,
1634 the activation will fail. A zero value means that no duplicate
1635 address detection is performed, -1 means the default value (either
1636 configuration ipvx.dad-timeout override or zero). A value greater
1637 than zero is a timeout in milliseconds. The property is currently
1638 implemented only for IPv4.
1639
1640 Format: int32
1641
1642 dhcp-client-id
1643 A string sent to the DHCP server to identify the local machine
1644 which the DHCP server may use to customize the DHCP lease and
1645 options. When the property is a hex string ('aa:bb:cc') it is
1646 interpreted as a binary client ID, in which case the first byte is
1647 assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1648 remaining bytes may be a hardware address (e.g.
1649 '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1650 rest is a MAC address). If the property is not a hex string it is
1651 considered as a non-hardware-address client ID and the 'type' field
1652 is set to 0. The special values "mac" and "perm-mac" are supported,
1653 which use the current or permanent MAC address of the device to
1654 generate a client identifier with type ethernet (01). Currently,
1655 these options only work for ethernet type of links. The special
1656 value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid" property as
1657 an RFC4361-compliant client identifier. As IAID it uses
1658 "ipv4.dhcp-iaid" and falls back to "ipv6.dhcp-iaid" if unset. The
1659 special value "duid" generates an RFC4361-compliant client
1660 identifier based on "ipv4.dhcp-iaid" and uses a DUID generated by
1661 hashing /etc/machine-id. The special value "stable" is supported to
1662 generate a type 0 client identifier based on the stable-id (see
1663 connection.stable-id) and a per-host key. If you set the stable-id,
1664 you may want to include the "${DEVICE}" or "${MAC}" specifier to
1665 get a per-device key. If unset, a globally configured default is
1666 used. If still unset, the default depends on the DHCP plugin.
1667
1668 Format: string
1669
1670 dhcp-fqdn
1671 If the "dhcp-send-hostname" property is TRUE, then the specified
1672 FQDN will be sent to the DHCP server when acquiring a lease. This
1673 property and "dhcp-hostname" are mutually exclusive and cannot be
1674 set at the same time.
1675
1676 Format: string
1677
1678 dhcp-hostname
1679 If the "dhcp-send-hostname" property is TRUE, then the specified
1680 name will be sent to the DHCP server when acquiring a lease. This
1681 property and "dhcp-fqdn" are mutually exclusive and cannot be set
1682 at the same time.
1683
1684 Format: string
1685
1686 dhcp-hostname-flags
1687 Flags for the DHCP hostname and FQDN. Currently, this property only
1688 includes flags to control the FQDN flags set in the DHCP FQDN
1689 option. Supported FQDN flags are
1690 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1691 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1692 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1693 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1694 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1695 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1696 the standard FQDN flags are set in the request:
1697 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1698 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1699 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1700 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1701 (0x0), a global default is looked up in NetworkManager
1702 configuration. If that value is unset or also
1703 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1704 described above are sent in the DHCP requests.
1705
1706 Format: uint32
1707
1708 dhcp-iaid
1709 A string containing the "Identity Association Identifier" (IAID)
1710 used by the DHCP client. The property is a 32-bit decimal value or
1711 a special value among "mac", "perm-mac", "ifname" and "stable".
1712 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1713 (or permanent) MAC address are used as IAID. When set to "ifname",
1714 the IAID is computed by hashing the interface name. The special
1715 value "stable" can be used to generate an IAID based on the
1716 stable-id (see connection.stable-id), a per-host key and the
1717 interface name. When the property is unset, the value from global
1718 configuration is used; if no global default is set then the IAID is
1719 assumed to be "ifname". Note that at the moment this property is
1720 ignored for IPv6 by dhclient, which always derives the IAID from
1721 the MAC address.
1722
1723 Format: string
1724
1725 dhcp-reject-servers
1726 Array of servers from which DHCP offers must be rejected. This
1727 property is useful to avoid getting a lease from misconfigured or
1728 rogue servers. For DHCPv4, each element must be an IPv4 address,
1729 optionally followed by a slash and a prefix length (e.g.
1730 "192.168.122.0/24"). This property is currently not implemented for
1731 DHCPv6.
1732
1733 Format: array of string
1734
1735 dhcp-send-hostname
1736 If TRUE, a hostname is sent to the DHCP server when acquiring a
1737 lease. Some DHCP servers use this hostname to update DNS databases,
1738 essentially providing a static hostname for the computer. If the
1739 "dhcp-hostname" property is NULL and this property is TRUE, the
1740 current persistent hostname of the computer is sent.
1741
1742 Format: boolean
1743
1744 dhcp-timeout
1745 A timeout for a DHCP transaction in seconds. If zero (the default),
1746 a globally configured default is used. If still unspecified, a
1747 device specific timeout is used (usually 45 seconds). Set to
1748 2147483647 (MAXINT32) for infinity.
1749
1750 Format: int32
1751
1752 dhcp-vendor-class-identifier
1753 The Vendor Class Identifier DHCP option (60). Special characters in
1754 the data string may be escaped using C-style escapes, nevertheless
1755 this property cannot contain nul bytes. If the per-profile value is
1756 unspecified (the default), a global connection default gets
1757 consulted. If still unspecified, the DHCP option is not sent to the
1758 server. Since 1.28
1759
1760 Format: string
1761
1762 dns
1763 Array of IP addresses of DNS servers.
1764
1765 Format: array of uint32
1766
1767 dns-options
1768 Array of DNS options as described in man 5 resolv.conf. NULL means
1769 that the options are unset and left at the default. In this case
1770 NetworkManager will use default options. This is distinct from an
1771 empty list of properties. The currently supported options are
1772 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
1773 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
1774 "no-reload", "no-tld-query", "rotate", "single-request",
1775 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
1776 "trust-ad" setting is only honored if the profile contributes name
1777 servers to resolv.conf, and if all contributing profiles have
1778 "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
1779 systemd-resolved in NetworkManager.conf) then "edns0" and
1780 "trust-ad" are automatically added.
1781
1782 Format: array of string
1783
1784 dns-priority
1785 DNS servers priority. The relative priority for DNS servers
1786 specified by this setting. A lower numerical value is better
1787 (higher priority). Negative values have the special effect of
1788 excluding other configurations with a greater numerical priority
1789 value; so in presence of at least one negative priority, only DNS
1790 servers from connections with the lowest priority value will be
1791 used. To avoid all DNS leaks, set the priority of the profile that
1792 should be used to the most negative value of all active connection
1793 profiles. Zero selects a globally configured default value. If the
1794 latter is missing or zero too, it defaults to 50 for VPNs
1795 (including WireGuard) and 100 for other connections. Note that the
1796 priority is to order DNS settings for multiple active connections.
1797 It does not disambiguate multiple DNS servers within the same
1798 connection profile. When multiple devices have configurations with
1799 the same priority, VPNs will be considered first, then devices with
1800 the best (lowest metric) default route and then all other devices.
1801 When using dns=default, servers with higher priority will be on top
1802 of resolv.conf. To prioritize a given server over another one
1803 within the same connection, just specify them in the desired order.
1804 Note that commonly the resolver tries name servers in
1805 /etc/resolv.conf in the order listed, proceeding with the next
1806 server in the list on failure. See for example the "rotate" option
1807 of the dns-options setting. If there are any negative DNS
1808 priorities, then only name servers from the devices with that
1809 lowest priority will be considered. When using a DNS resolver that
1810 supports Conditional Forwarding or Split DNS (with dns=dnsmasq or
1811 dns=systemd-resolved settings), each connection is used to query
1812 domains in its search list. The search domains determine which name
1813 servers to ask, and the DNS priority is used to prioritize name
1814 servers based on the domain. Queries for domains not present in any
1815 search list are routed through connections having the '~.' special
1816 wildcard domain, which is added automatically to connections with
1817 the default route (or can be added manually). When multiple
1818 connections specify the same domain, the one with the best priority
1819 (lowest numerical value) wins. If a sub domain is configured on
1820 another interface it will be accepted regardless of the priority,
1821 unless the parent domain on the other interface has a negative
1822 priority, which causes the sub domain to be shadowed. With Split
1823 DNS one can avoid undesired DNS leaks by properly configuring DNS
1824 priorities and the search domains, so that only name servers of the
1825 desired interface are configured.
1826
1827 Format: int32
1828
1829 dns-search
1830 Array of DNS search domains. Domains starting with a tilde ('~')
1831 are considered 'routing' domains and are used only to decide the
1832 interface over which a query must be forwarded; they are not used
1833 to complete unqualified host names. When using a DNS plugin that
1834 supports Conditional Forwarding or Split DNS, then the search
1835 domains specify which name servers to query. This makes the
1836 behavior different from running with plain /etc/resolv.conf. For
1837 more information see also the dns-priority setting.
1838
1839 Format: array of string
1840
1841 gateway
1842 Alias: gw4
1843
1844 The gateway associated with this configuration. This is only
1845 meaningful if "addresses" is also set. The gateway's main purpose
1846 is to control the next hop of the standard default route on the
1847 device. Hence, the gateway property conflicts with "never-default"
1848 and will be automatically dropped if the IP configuration is set to
1849 never-default. As an alternative to setting the gateway, configure a
1850 static default route with /0 as prefix length.
1851
1852 Format: string
1853
1854 ignore-auto-dns
1855 When "method" is set to "auto" and this property to TRUE,
1856 automatically configured name servers and search domains are
1857 ignored and only name servers and search domains specified in the
1858 "dns" and "dns-search" properties, if any, are used.
1859
1860 Format: boolean
1861
1862 ignore-auto-routes
1863 When "method" is set to "auto" and this property to TRUE,
1864 automatically configured routes are ignored and only routes
1865 specified in the "routes" property, if any, are used.
1866
1867 Format: boolean
1868
1869 may-fail
1870 If TRUE, allow overall network configuration to proceed even if the
1871 configuration specified by this property times out. Note that at
1872 least one IP configuration must succeed or overall network
1873 configuration will still fail. For example, in IPv6-only networks,
1874 setting this property to TRUE on the NMSettingIP4Config allows the
1875 overall network configuration to succeed if IPv4 configuration
1876 fails but IPv6 configuration completes successfully.
1877
1878 Format: boolean
1879
1880 method
1881 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
1882 both support "disabled", "auto", "manual", and "link-local". See
1883 the subclass-specific documentation for other values. In general,
1884 for the "auto" method, properties such as "dns" and "routes"
1885 specify information that is added on to the information returned
1886 from automatic configuration. The "ignore-auto-routes" and
1887 "ignore-auto-dns" properties modify this behavior. For methods that
1888 imply no upstream network, such as "shared" or "link-local", these
1889 properties must be empty. For IPv4 method "shared", the IP subnet
1890 can be configured by adding one manual IPv4 address or otherwise
1891 10.42.x.0/24 is chosen. Note that the shared method must be
1892 configured on the interface which shares the internet to a subnet,
1893 not on the uplink which is shared.
1894
1895 Format: string
1896
1897 never-default
1898 If TRUE, this connection will never be the default connection for
1899 this IP type, meaning it will never be assigned the default route
1900 by NetworkManager.
1901
1902 Format: boolean
1903
1904 required-timeout
1905 The minimum time interval in milliseconds for which dynamic IP
1906 configuration should be tried before the connection succeeds. This
1907 property is useful for example if both IPv4 and IPv6 are enabled
1908 and are allowed to fail. Normally the connection succeeds as soon
1909 as one of the two address families completes; by setting a required
1910 timeout for e.g. IPv4, one can ensure that even if IP6 succeeds
1911 earlier than IPv4, NetworkManager waits some time for IPv4 before
1912 the connection becomes active. Note that if "may-fail" is FALSE for
1913 the same address family, this property has no effect as
1914 NetworkManager needs to wait for the full DHCP timeout. A zero
1915 value means that no required timeout is present, -1 means the
1916 default value (either configuration ipvx.required-timeout override
1917 or zero).
1918
1919 Format: int32
1920
1921 route-metric
1922 The default metric for routes that don't explicitly specify a
1923 metric. The default value -1 means that the metric is chosen
1924 automatically based on the device type. The metric applies to
1925 dynamic routes, manual (static) routes that don't have an explicit
1926 metric setting, address prefix routes, and the default route. Note
1927 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
1928 (user default). Hence, setting this property to zero effectively
1929 means setting it to 1024. For IPv4, zero is a regular value for the
1930 metric.
1931
1932 Format: int64
1933
1934 route-table
1935 Enable policy routing (source routing) and set the routing table
1936 used when adding routes. This affects all routes, including
1937 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
1938 routes. But note that static routes can individually overwrite the
1939 setting by explicitly specifying a non-zero routing table. If the
1940 table setting is left at zero, it is eligible to be overwritten via
1941 global configuration. If the property is zero even after applying
1942 the global configuration value, policy routing is disabled for the
1943 address family of this connection. Policy routing disabled means
1944 that NetworkManager will add all routes to the main table (except
1945 static routes that explicitly configure a different table).
1946 Additionally, NetworkManager will not delete any extraneous routes
1947 from tables except the main table. This is to preserve backward
1948 compatibility for users who manage routing tables outside of
1949 NetworkManager.
1950
1951 Format: uint32
1952
1953 routes
1954 A list of IPv4 destination addresses, prefix length, optional IPv4
1955 next hop addresses, optional route metric, optional attribute. The
1956 valid syntax is: "ip[/prefix] [next-hop] [metric]
1957 [attribute=val]...[,ip[/prefix]...]". For example "192.0.2.0/24
1958 10.1.1.1 77, 198.51.100.0/24".
1959
1960 Format: a comma separated list of routes
1961
1962 routing-rules
1963
1964 ipv6 setting
1965 IPv6 Settings.
1966
1967 Properties:
1968
1969 addr-gen-mode
1970 Configure method for creating the address for use with RFC4862 IPv6
1971 Stateless Address Autoconfiguration. The permitted values are:
1972 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0) or
1973 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1). If the
1974 property is set to EUI64, the addresses will be generated using the
1975 interface tokens derived from the hardware address. This keeps the host
1976 part of the address constant, making it possible to track the
1977 host's presence when it changes networks. The address changes when
1978 the interface hardware is replaced. The value of stable-privacy
1979 enables use of a cryptographically secure hash of a secret
1980 host-specific key along with the connection's stable-id and the
1981 network address as specified by RFC7217. This makes it impossible
1982 to use the address to track the host's presence, and makes the address
1983 stable when the network interface hardware is replaced. On D-Bus,
1984 the absence of an addr-gen-mode setting equals enabling
1985 stable-privacy. For keyfile plugin, the absence of the setting on
1986 disk means EUI64 so that the property doesn't change on upgrade
1987 from older versions. Note that this setting is distinct from the
1988 Privacy Extensions as configured by "ip6-privacy" property and it
1989 does not affect the temporary addresses configured with this
1990 option.
1991
1992 Format: int32
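To make the tracking difference between the two addr-gen-mode values concrete, this added Python example (not NetworkManager code) derives a modified EUI-64 interface identifier from a MAC address and compares it with an RFC 7217-style hashed identifier. The SHA-256 input layout, the function names, and the sample MAC, key and prefixes are assumptions made for illustration; NetworkManager's exact hash inputs are not reproduced here.

```python
import hashlib
import ipaddress


def _combine(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Join a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return _combine(prefix, int.from_bytes(iid, "big"))


def stable_privacy_address(prefix: str, stable_id: str,
                           secret_key: bytes) -> ipaddress.IPv6Address:
    """RFC 7217-style identifier: hash of secret key, stable-id and prefix.

    Illustrative layout (assumption): each field is length-prefixed and fed
    to SHA-256; the first 64 bits of the digest become the identifier.
    """
    net = ipaddress.IPv6Network(prefix)
    digest = hashlib.sha256()
    for field in (secret_key, stable_id.encode(), net.network_address.packed[:8]):
        digest.update(len(field).to_bytes(4, "big"))
        digest.update(field)
    return _combine(prefix, int.from_bytes(digest.digest()[:8], "big"))


def interface_id(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits of the address: the part an observer can correlate."""
    return int(addr) & ((1 << 64) - 1)


# Constructed sample values (documentation prefixes, made-up MAC and key).
HOME = "2001:db8:1::/64"
CAFE = "2001:db8:2::/64"
MAC = "00:11:22:33:44:55"
KEY = b"constructed-per-host-secret"

if __name__ == "__main__":
    for label, net in (("home", HOME), ("cafe", CAFE)):
        print(label, "eui64         ", eui64_address(net, MAC))
        print(label, "stable-privacy", stable_privacy_address(net, "profile-uuid", KEY))
```

With EUI64 the low 64 bits are identical on both networks, so the host can be correlated across them; with the hashed identifier they differ per prefix yet stay the same on every return to the same network.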
1993
1994 addresses
1995 Alias: ip6
1996
1997 A list of IPv6 addresses and their prefix length. Multiple
1998 addresses can be separated by comma. For example
1999 "2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64". The
2000 addresses are listed in increasing priority, meaning the last
2001 address will be the primary address.
2002
2003 Format: a comma separated list of addresses
2004
2005 dhcp-duid
2006 A string containing the DHCPv6 Unique Identifier (DUID) used by the
2007 dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
2008 DUID is carried in the Client Identifier option. If the property is
2009 a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
2010 filled as an opaque value in the Client Identifier option. The
2011 special value "lease" will retrieve the DUID previously used from
2012 the lease file belonging to the connection. If no DUID is found and
2013 "dhclient" is the configured dhcp client, the DUID is searched in
2014 the system-wide dhclient lease file. If still no DUID is found, or
2015 another dhcp client is used, a global and permanent DUID-UUID (RFC
2016 6355) will be generated based on the machine-id. The special values
2017 "llt" and "ll" will generate a DUID of type LLT or LL (see RFC
2018 3315) based on the current MAC address of the device. In order to
2019 try providing a stable DUID-LLT, the time field will contain a
2020 constant timestamp that is used globally (for all profiles) and
2021 persisted to disk. The special values "stable-llt", "stable-ll" and
2022 "stable-uuid" will generate a DUID of the corresponding type,
2023 derived from the connection's stable-id and a per-host unique key.
2024 You may want to include the "${DEVICE}" or "${MAC}" specifier in
2025 the stable-id, in case this profile gets activated on multiple
2026 devices. So, the link-layer address of "stable-ll" and "stable-llt"
2027 will be a generated address derived from the stable id. The
2028 DUID-LLT time value in the "stable-llt" option will be picked among
2029 a static timespan of three years (the upper bound of the interval
2030 is the same constant timestamp used in "llt"). When the property is
2031 unset, the global value provided for "ipv6.dhcp-duid" is used. If
2032 no global value is provided, the default "lease" value is assumed.
2033
2034 Format: string
2035
2036 dhcp-hostname
2037 If the "dhcp-send-hostname" property is TRUE, then the specified
2038 name will be sent to the DHCP server when acquiring a lease. This
2039 property and "dhcp-fqdn" are mutually exclusive and cannot be set
2040 at the same time.
2041
2042 Format: string
2043
2044 dhcp-hostname-flags
2045 Flags for the DHCP hostname and FQDN. Currently, this property only
2046 includes flags to control the FQDN flags set in the DHCP FQDN
2047 option. Supported FQDN flags are
2048 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2049 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
2050 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
2051 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
2052 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
2053 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
2054 the standard FQDN flags are set in the request:
2055 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2056 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
2057 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
2058 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
2059 (0x0), a global default is looked up in NetworkManager
2060 configuration. If that value is unset or also
2061 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
2062 described above are sent in the DHCP requests.
2063
2064 Format: uint32
2065
2066 dhcp-iaid
2067 A string containing the "Identity Association Identifier" (IAID)
2068 used by the DHCP client. The property is a 32-bit decimal value or
2069 a special value among "mac", "perm-mac", "ifname" and "stable".
2070 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
2071 (or permanent) MAC address are used as IAID. When set to "ifname",
2072 the IAID is computed by hashing the interface name. The special
2073 value "stable" can be used to generate an IAID based on the
2074 stable-id (see connection.stable-id), a per-host key and the
2075 interface name. When the property is unset, the value from global
2076 configuration is used; if no global default is set then the IAID is
2077 assumed to be "ifname". Note that at the moment this property is
2078 ignored for IPv6 by dhclient, which always derives the IAID from
2079 the MAC address.
2080
2081 Format: string
2082
2083 dhcp-send-hostname
2084 If TRUE, a hostname is sent to the DHCP server when acquiring a
2085 lease. Some DHCP servers use this hostname to update DNS databases,
2086 essentially providing a static hostname for the computer. If the
2087 "dhcp-hostname" property is NULL and this property is TRUE, the
2088 current persistent hostname of the computer is sent.
2089
2090 Format: boolean
2091
2092 dhcp-timeout
2093 A timeout for a DHCP transaction in seconds. If zero (the default),
2094 a globally configured default is used. If still unspecified, a
2095 device specific timeout is used (usually 45 seconds). Set to
2096 2147483647 (MAXINT32) for infinity.
2097
2098 Format: int32
2099
2100 dns
2101 Array of IP addresses of DNS servers.
2102
2103 Format: array of byte array
2104
2105 dns-options
2106 Array of DNS options as described in man 5 resolv.conf. NULL means
2107 that the options are unset and left at the default. In this case
2108 NetworkManager will use default options. This is distinct from an
2109 empty list of properties. The currently supported options are
2110 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
2111 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
2112 "no-reload", "no-tld-query", "rotate", "single-request",
2113 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
2114 "trust-ad" setting is only honored if the profile contributes name
2115 servers to resolv.conf, and if all contributing profiles have
2116 "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
2117 systemd-resolved in NetworkManager.conf) then "edns0" and
2118 "trust-ad" are automatically added.
2119
2120 Format: array of string
2121
2122 dns-priority
2123 DNS servers priority. The relative priority for DNS servers
2124 specified by this setting. A lower numerical value is better
2125 (higher priority). Negative values have the special effect of
2126 excluding other configurations with a greater numerical priority
2127 value; so in presence of at least one negative priority, only DNS
2128 servers from connections with the lowest priority value will be
2129 used. To avoid all DNS leaks, set the priority of the profile that
2130 should be used to the most negative value of all active connection
2131 profiles. Zero selects a globally configured default value. If the
2132 latter is missing or zero too, it defaults to 50 for VPNs
2133 (including WireGuard) and 100 for other connections. Note that the
2134 priority is to order DNS settings for multiple active connections.
2135 It does not disambiguate multiple DNS servers within the same
2136 connection profile. When multiple devices have configurations with
2137 the same priority, VPNs will be considered first, then devices with
2138 the best (lowest metric) default route and then all other devices.
2139 When using dns=default, servers with higher priority will be on top
2140 of resolv.conf. To prioritize a given server over another one
2141 within the same connection, just specify them in the desired order.
2142 Note that commonly the resolver tries name servers in
2143 /etc/resolv.conf in the order listed, proceeding with the next
2144 server in the list on failure. See for example the "rotate" option
2145 of the dns-options setting. If there are any negative DNS
2146 priorities, then only name servers from the devices with that
2147 lowest priority will be considered. When using a DNS resolver that
2148 supports Conditional Forwarding or Split DNS (with dns=dnsmasq or
2149 dns=systemd-resolved settings), each connection is used to query
2150 domains in its search list. The search domains determine which name
2151 servers to ask, and the DNS priority is used to prioritize name
2152 servers based on the domain. Queries for domains not present in any
2153 search list are routed through connections having the '~.' special
2154 wildcard domain, which is added automatically to connections with
2155 the default route (or can be added manually). When multiple
2156 connections specify the same domain, the one with the best priority
2157 (lowest numerical value) wins. If a sub domain is configured on
2158 another interface it will be accepted regardless of the priority,
2159 unless the parent domain on the other interface has a negative
2160 priority, which causes the sub domain to be shadowed. With Split
2161 DNS one can avoid undesired DNS leaks by properly configuring DNS
2162 priorities and the search domains, so that only name servers of the
2163 desired interface are configured.
2164
2165 Format: int32
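The dns-priority rules above (identical for the ipv4 and ipv6 settings) can be checked against a set of active profiles before deployment. The following Python model is an added example, not NetworkManager code; it covers only the dns=default (plain resolv.conf) case, and the ActiveProfile class, its field names and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ActiveProfile:
    """Constructed stand-in for one active connection profile."""
    name: str
    dns: List[str]
    dns_priority: int = 0                        # value of dns-priority in the profile
    is_vpn: bool = False                         # VPN profiles (including WireGuard)
    default_route_metric: Optional[int] = None   # None: device has no default route


def effective_priority(p: ActiveProfile, global_default: int = 0) -> int:
    """Zero selects the global default; if that is zero too, 50 (VPN) or 100."""
    if p.dns_priority != 0:
        return p.dns_priority
    if global_default != 0:
        return global_default
    return 50 if p.is_vpn else 100


def _tie_break(p: ActiveProfile) -> Tuple[int, int]:
    """Same priority: VPNs first, then best default route, then the rest."""
    if p.is_vpn:
        return (0, 0)
    if p.default_route_metric is not None:
        return (1, p.default_route_metric)
    return (2, 0)


def nameserver_order(profiles: List[ActiveProfile],
                     global_default: int = 0) -> List[Tuple[str, str]]:
    """Return (profile name, server) pairs in the order they would be listed."""
    ranked = [(effective_priority(p, global_default), p) for p in profiles if p.dns]
    if not ranked:
        return []
    lowest = min(prio for prio, _ in ranked)
    if lowest < 0:
        # Any negative priority: only the lowest priority value contributes.
        ranked = [(prio, p) for prio, p in ranked if prio == lowest]
    ranked.sort(key=lambda item: (item[0], _tie_break(item[1])))
    # Order of servers inside one profile is kept as configured.
    return [(p.name, server) for _, p in ranked for server in p.dns]


def leaking_servers(profiles: List[ActiveProfile], intended: str,
                    global_default: int = 0) -> List[str]:
    """Servers that remain configured but do not belong to the intended profile."""
    return [server for name, server in nameserver_order(profiles, global_default)
            if name != intended]


# Constructed sample: three active profiles using documentation addresses.
WIFI = ActiveProfile("wifi", ["192.0.2.53"], default_route_metric=600)
ETH = ActiveProfile("eth", ["198.51.100.53", "198.51.100.54"], default_route_metric=100)
VPN = ActiveProfile("vpn", ["203.0.113.53"], is_vpn=True)
VPN_EXCLUSIVE = ActiveProfile("vpn", ["203.0.113.53"], dns_priority=-50, is_vpn=True)

if __name__ == "__main__":
    print("defaults :", leaking_servers([WIFI, ETH, VPN], "vpn"))
    print("vpn = -50:", leaking_servers([WIFI, ETH, VPN_EXCLUSIVE], "vpn"))
```

With default priorities the VPN server is only listed first, so the resolver still falls back to the other servers on failure; a negative priority on the VPN profile removes them.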
2166
2167 dns-search
2168 Array of DNS search domains. Domains starting with a tilde ('~')
2169 are considered 'routing' domains and are used only to decide the
2170 interface over which a query must be forwarded; they are not used
2171 to complete unqualified host names. When using a DNS plugin that
2172 supports Conditional Forwarding or Split DNS, then the search
2173 domains specify which name servers to query. This makes the
2174 behavior different from running with plain /etc/resolv.conf. For
2175 more information see also the dns-priority setting.
2176
2177 Format: array of string
2178
2179 gateway
2180 Alias: gw6
2181
2182 The gateway associated with this configuration. This is only
2183 meaningful if "addresses" is also set. The gateway's main purpose
2184 is to control the next hop of the standard default route on the
2185 device. Hence, the gateway property conflicts with "never-default"
2186 and will be automatically dropped if the IP configuration is set to
2187 never-default. As an alternative to setting the gateway, configure a
2188 static default route with /0 as prefix length.
2189
2190 Format: string
2191
2192 ignore-auto-dns
2193 When "method" is set to "auto" and this property to TRUE,
2194 automatically configured name servers and search domains are
2195 ignored and only name servers and search domains specified in the
2196 "dns" and "dns-search" properties, if any, are used.
2197
2198 Format: boolean
2199
2200 ignore-auto-routes
2201 When "method" is set to "auto" and this property to TRUE,
2202 automatically configured routes are ignored and only routes
2203 specified in the "routes" property, if any, are used.
2204
2205 Format: boolean
2206
2207 ip6-privacy
2208 Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
2209 If enabled, it makes the kernel generate a temporary IPv6 address
2210 in addition to the public one generated from MAC address via
2211 modified EUI-64. This enhances privacy, but could cause problems in
2212 some applications. The permitted values are: -1:
2213 unknown, 0: disabled, 1: enabled (prefer public address), 2:
2214 enabled (prefer temporary addresses). Having a per-connection
2215 setting set to "-1" (unknown) means falling back to the global
2216 configuration "ipv6.ip6-privacy". If the global configuration is also
2217 unspecified or set to "-1", the fallback is to read
2218 "/proc/sys/net/ipv6/conf/default/use_tempaddr". Note that this
2219 setting is distinct from the Stable Privacy addresses that can be
2220 enabled with the "addr-gen-mode" property's "stable-privacy"
2221 setting as another way of avoiding host tracking with IPv6
2222 addresses.
2223
2224 Format: NMSettingIP6ConfigPrivacy (int32)
2225
2226 may-fail
2227 If TRUE, allow overall network configuration to proceed even if the
2228 configuration specified by this property times out. Note that at
2229 least one IP configuration must succeed or overall network
2230 configuration will still fail. For example, in IPv6-only networks,
2231 setting this property to TRUE on the NMSettingIP4Config allows the
2232 overall network configuration to succeed if IPv4 configuration
2233 fails but IPv6 configuration completes successfully.
2234
2235 Format: boolean
2236
2237 method
2238 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
2239 both support "disabled", "auto", "manual", and "link-local". See
2240 the subclass-specific documentation for other values. In general,
2241 for the "auto" method, properties such as "dns" and "routes"
2242 specify information that is added on to the information returned
2243 from automatic configuration. The "ignore-auto-routes" and
2244 "ignore-auto-dns" properties modify this behavior. For methods that
2245 imply no upstream network, such as "shared" or "link-local", these
2246 properties must be empty. For IPv4 method "shared", the IP subnet
2247 can be configured by adding one manual IPv4 address or otherwise
2248 10.42.x.0/24 is chosen. Note that the shared method must be
2249 configured on the interface which shares the internet to a subnet,
2250 not on the uplink which is shared.
2251
2252 Format: string
2253
2254 never-default
2255 If TRUE, this connection will never be the default connection for
2256 this IP type, meaning it will never be assigned the default route
2257 by NetworkManager.
2258
2259 Format: boolean
2260
2261 ra-timeout
2262 A timeout for waiting for Router Advertisements, in seconds. If zero
2263 (the default), a globally configured default is used. If still
2264 unspecified, the timeout depends on the sysctl settings of the
2265 device. Set to 2147483647 (MAXINT32) for infinity.
2266
2267 Format: int32
2268
2269 required-timeout
2270 The minimum time interval in milliseconds for which dynamic IP
2271 configuration should be tried before the connection succeeds. This
2272 property is useful for example if both IPv4 and IPv6 are enabled
2273 and are allowed to fail. Normally the connection succeeds as soon
2274 as one of the two address families completes; by setting a required
2275 timeout for e.g. IPv4, one can ensure that even if IP6 succeeds
2276 earlier than IPv4, NetworkManager waits some time for IPv4 before
2277 the connection becomes active. Note that if "may-fail" is FALSE for
2278 the same address family, this property has no effect as
2279 NetworkManager needs to wait for the full DHCP timeout. A zero
2280 value means that no required timeout is present, -1 means the
2281 default value (either configuration ipvx.required-timeout override
2282 or zero).
2283
2284 Format: int32
2285
2286 route-metric
2287 The default metric for routes that don't explicitly specify a
2288 metric. The default value -1 means that the metric is chosen
2289 automatically based on the device type. The metric applies to
2290 dynamic routes, manual (static) routes that don't have an explicit
2291 metric setting, address prefix routes, and the default route. Note
2292 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2293 (user default). Hence, setting this property to zero effectively
2294 means setting it to 1024. For IPv4, zero is a regular value for the
2295 metric.
2296
2297 Format: int64
2298
2299 route-table
2300 Enable policy routing (source routing) and set the routing table
2301 used when adding routes. This affects all routes, including
2302 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
2303 routes. But note that static routes can individually overwrite the
2304 setting by explicitly specifying a non-zero routing table. If the
2305 table setting is left at zero, it is eligible to be overwritten via
2306 global configuration. If the property is zero even after applying
2307 the global configuration value, policy routing is disabled for the
2308 address family of this connection. Policy routing disabled means
2309 that NetworkManager will add all routes to the main table (except
2310 static routes that explicitly configure a different table).
2311 Additionally, NetworkManager will not delete any extraneous routes
2312 from tables except the main table. This is to preserve backward
2313 compatibility for users who manage routing tables outside of
2314 NetworkManager.
2315
2316 Format: uint32
2317
2318 routes
2319 Array of IP routes.
2320
2321 Format: array of legacy IPv6 route struct
2322
2323 routing-rules
2324
2325 token
2326 Configure the token for
2327 draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2328 interface identifiers. Useful with eui64 addr-gen-mode.
2329
2330 Format: string
2331
2332 ip-tunnel setting
2333 IP Tunneling Settings.
2334
2335 Properties:
2336
2337 encapsulation-limit
2338 How many additional levels of encapsulation are permitted to be
2339 prepended to packets. This property applies only to IPv6 tunnels.
2340
2341 Format: uint32
2342
2343 flags
2344 Tunnel flags. Currently, the following values are supported:
2345 NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2346 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2347 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2348 NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2349 NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2350 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2351 for IPv6 tunnels.
2352
2353 Format: uint32
2354
2355 flow-label
2356 The flow label to assign to tunnel packets. This property applies
2357 only to IPv6 tunnels.
2358
2359 Format: uint32
2360
2361 input-key
2362 The key used for tunnel input packets; the property is valid only
2363 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2364
2365 Format: string
2366
2367 local
2368 Alias: local
2369
2370 The local endpoint of the tunnel; the value can be empty, otherwise
2371 it must contain an IPv4 or IPv6 address.
2372
2373 Format: string
2374
2375 mode
2376 Alias: mode
2377
2378 The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2379 NM_IP_TUNNEL_MODE_GRE (2).
2380
2381 Format: uint32
2382
2383 mtu
2384 If non-zero, only transmit packets of the specified size or
2385 smaller, breaking larger packets up into multiple fragments.
2386
2387 Format: uint32
2388
2389 output-key
2390 The key used for tunnel output packets; the property is valid only
2391 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2392
2393 Format: string
2394
2395 parent
2396 Alias: dev
2397
2398 If given, specifies the parent interface name or parent connection
2399 UUID the new device will be bound to so that tunneled packets will
2400 only be routed via that interface.
2401
2402 Format: string
2403
2404 path-mtu-discovery
2405 Whether to enable Path MTU Discovery on this tunnel.
2406
2407 Format: boolean
2408
2409 remote
2410 Alias: remote
2411
2412 The remote endpoint of the tunnel; the value must contain an IPv4
2413 or IPv6 address.
2414
2415 Format: string
2416
2417 tos
2418 The type of service (IPv4) or traffic class (IPv6) field to be set
2419 on tunneled packets.
2420
2421 Format: uint32
2422
2423 ttl
2424 The TTL to assign to tunneled packets. 0 is a special value meaning
2425 that packets inherit the TTL value.
2426
2427 Format: uint32
2428
2429 macsec setting
2430 MACSec Settings.
2431
2432 Properties:
2433
2434 encrypt
2435 Alias: encrypt
2436
2437 Whether the transmitted traffic must be encrypted.
2438
2439 Format: boolean
2440
2441 mka-cak
2442 Alias: cak
2443
2444 The pre-shared CAK (Connectivity Association Key) for MACsec Key
2445 Agreement.
2446
2447 Format: string
2448
2449 mka-cak-flags
2450 Flags indicating how to handle the "mka-cak" property. See the
2451 section called “Secret flag types:” for flag values.
2452
2453 Format: NMSettingSecretFlags (uint32)
2454
2455 mka-ckn
2456 Alias: ckn
2457
2458 The pre-shared CKN (Connectivity-association Key Name) for MACsec
2459 Key Agreement.
2460
2461 Format: string
2462
2463 mode
2464 Alias: mode
2465
2466 Specifies how the CAK (Connectivity Association Key) for MKA
2467 (MACsec Key Agreement) is obtained.
2468
2469 Format: int32
2470
2471 parent
2472 Alias: dev
2473
2474 If given, specifies the parent interface name or parent connection
2475 UUID from which this MACSEC interface should be created. If this
2476 property is not specified, the connection must contain an
2477 "802-3-ethernet" setting with a "mac-address" property.
2478
2479 Format: string
2480
2481 port
2482 Alias: port
2483
2484 The port component of the SCI (Secure Channel Identifier), between
2485 1 and 65534.
2486
2487 Format: int32
2488
2489 send-sci
2490 Specifies whether the SCI (Secure Channel Identifier) is included
2491 in every packet.
2492
2493 Format: boolean
2494
2495 validation
2496 Specifies the validation mode for incoming frames.
2497
2498 Format: int32
2499
2500 macvlan setting
2501 MAC VLAN Settings.
2502
2503 Properties:
2504
2505 mode
2506 Alias: mode
2507
2508 The macvlan mode, which specifies the communication mechanism
2509 between multiple macvlans on the same lower device.
2510
2511 Format: uint32
2512
2513 parent
2514 Alias: dev
2515
2516 If given, specifies the parent interface name or parent connection
2517 UUID from which this MAC-VLAN interface should be created. If this
2518 property is not specified, the connection must contain an
2519 "802-3-ethernet" setting with a "mac-address" property.
2520
2521 Format: string
2522
2523 promiscuous
2524 Whether the interface should be put in promiscuous mode.
2525
2526 Format: boolean
2527
2528 tap
2529 Alias: tap
2530
2531 Whether the interface should be a MACVTAP.
2532
2533 Format: boolean
2534
2535 match setting
2536 Match settings.
2537
2538 Properties:
2539
2540 driver
2541 A list of driver names to match. Each element is a shell wildcard
2542 pattern. See NMSettingMatch:interface-name for how special
2543 characters '|', '&', '!' and '\' are used for optional and
2544 mandatory matches and inverting the pattern.
2545
2546 Format: array of string
2547
2548 interface-name
2549 A list of interface names to match. Each element is a shell
2550 wildcard pattern. An element can be prefixed with a pipe symbol (|)
2551 or an ampersand (&). The former means that the element is optional
2552 and the latter means that it is mandatory. If there are any
2553 optional elements, then the match evaluates to true if at least one
2554 of the optional elements matches (logical OR). If there are any
2555 mandatory elements, then they all must match (logical AND). By
2556 default, an element is optional. This means that an element "foo"
2557 behaves the same as "|foo". An element can also be inverted with
2558 exclamation mark (!) between the pipe symbol (or the ampersand) and
2559 before the pattern. Note that "!foo" is a shortcut for the
2560 mandatory match "&!foo". Finally, a backslash can be used at the
2561 beginning of the element (after the optional special characters) to
2562 escape the start of the pattern. For example, "&\!a" is a
2563 mandatory match for literally "!a".
2564
2565 Format: array of string
2566
2567 kernel-command-line
2568 A list of kernel command line arguments to match. This may be used
2569 to check whether a specific kernel command line option is set (or
2570 unset, if prefixed with the exclamation mark). The argument must
2571 either be a single word, or an assignment (i.e. two words, joined
2572 by "="). In the former case the kernel command line is searched for
2573 the word appearing as is, or as left hand side of an assignment. In
2574 the latter case, the exact assignment is looked for with right and
2575 left hand side matching. Wildcard patterns are not supported. See
2576 NMSettingMatch:interface-name for how special characters '|', '&',
2577 '!' and '\' are used for optional and mandatory matches and
2578 inverting the match.
2579
2580 Format: array of string
2581
2582 path
2583 A list of paths to match against the ID_PATH udev property of
2584 devices. ID_PATH represents the topological persistent path of a
2585 device. It typically contains a subsystem string (pci, usb,
2586 platform, etc.) and a subsystem-specific identifier. For PCI
2587 devices the path has the form "pci-$domain:$bus:$device.$function",
2588 where each variable is a hexadecimal value; for example
2589 "pci-0000:0a:00.0". The path of a device can be obtained with
2590 "udevadm info /sys/class/net/$dev | grep ID_PATH=" or by looking at
2591 the "path" property exported by NetworkManager ("nmcli -f
2592 general.path device show $dev"). Each element of the list is a
2593 shell wildcard pattern. See NMSettingMatch:interface-name for how
2594 special characters '|', '&', '!' and '\' are used for optional and
2595 mandatory matches and inverting the pattern.
2596
2597 Format: array of string
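
The optional/mandatory/inverted element rules described for interface-name (and reused by driver and path), together with the word-or-assignment rule for kernel-command-line, can be checked offline with the added example below. It is not NetworkManager's code: the function names are hypothetical, Python's fnmatchcase stands in for the shell wildcard matcher, an empty list is assumed to match anything, and the kernel command line is split on whitespace only.

```python
from fnmatch import fnmatchcase


def parse_element(element):
    """Split one match element into (mandatory, inverted, body)."""
    mandatory = inverted = False
    rest = element
    if rest.startswith("&"):
        mandatory, rest = True, rest[1:]
        if rest.startswith("!"):
            inverted, rest = True, rest[1:]
    elif rest.startswith("|"):
        rest = rest[1:]
        if rest.startswith("!"):
            inverted, rest = True, rest[1:]
    elif rest.startswith("!"):
        # "!foo" is a shortcut for the mandatory match "&!foo".
        mandatory, inverted, rest = True, True, rest[1:]
    if rest.startswith("\\"):
        # A backslash after the special characters escapes the pattern start.
        rest = rest[1:]
    return mandatory, inverted, rest


def evaluate(elements, hit):
    """Combine elements: every mandatory one must match (AND); if any
    optional ones exist, at least one of them must match (OR).
    hit(body) -> bool tests a single element body."""
    any_optional = optional_hit = False
    for element in elements:
        mandatory, inverted, body = parse_element(element)
        matched = hit(body) != inverted
        if mandatory:
            if not matched:
                return False
        else:
            any_optional = True
            optional_hit = optional_hit or matched
    # Assumption: a list without optional elements (including an empty
    # list) places no OR constraint on the device.
    return optional_hit or not any_optional


def match_wildcard(elements, value):
    """interface-name, driver and path: each body is a shell wildcard."""
    return evaluate(elements, lambda pattern: fnmatchcase(value, pattern))


def match_kernel_cmdline(elements, cmdline):
    """kernel-command-line: no wildcards. A single word matches a bare
    word or the left hand side of an assignment; "a=b" must match exactly."""
    words = cmdline.split()  # simplification: quoting is not handled

    def hit(argument):
        if "=" in argument:
            return argument in words
        return any(w == argument or w.startswith(argument + "=") for w in words)

    return evaluate(elements, hit)


if __name__ == "__main__":
    # Constructed sample input.
    cmdline = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet ip=dhcp"
    print(match_wildcard(["eth*", "en*"], "enp3s0"))
    print(match_wildcard(["&en*", "!*s0"], "enp3s0"))
    print(match_kernel_cmdline(["ip", "!debug"], cmdline))
```

Note that mixing optional and mandatory elements requires both conditions: `["|eth*", "&*0"]` rejects `wlan0` because the only optional element does not match.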
2598
2599 802-11-olpc-mesh setting
2600 Alias: olpc-mesh
2601
2602 OLPC Wireless Mesh Settings.
2603
2604 Properties:
2605
2606 channel
2607 Alias: channel
2608
2609 Channel on which the mesh network to join is located.
2610
2611 Format: uint32
2612
2613 dhcp-anycast-address
2614 Alias: dhcp-anycast
2615
2616 Anycast DHCP MAC address used when requesting an IP address via
2617 DHCP. The specific anycast address used determines which DHCP
2618 server class answers the request. This is currently only
2619 implemented by the dhclient DHCP plugin.
2620
2621 Format: byte array
2622
2623 ssid
2624 Alias: ssid
2625
2626 SSID of the mesh network to join.
2627
2628 Format: byte array
2629
2630 ovs-bridge setting
2631 OvsBridge Link Settings.
2632
2633 Properties:
2634
2635 datapath-type
2636 The data path type. One of "system", "netdev" or empty.
2637
2638 Format: string
2639
2640 fail-mode
2641 The bridge failure mode. One of "secure", "standalone" or empty.
2642
2643 Format: string
2644
2645 mcast-snooping-enable
2646 Enable or disable multicast snooping.
2647
2648 Format: boolean
2649
2650 rstp-enable
2651 Enable or disable RSTP.
2652
2653 Format: boolean
2654
2655 stp-enable
2656 Enable or disable STP.
2657
2658 Format: boolean
2659
2660 ovs-dpdk setting
2661 OvsDpdk Link Settings.
2662
2663 Properties:
2664
2665 devargs
2666 Open vSwitch DPDK device arguments.
2667
2668 Format: string
2669
2670 ovs-interface setting
2671 Open vSwitch Interface Settings.
2672
2673 Properties:
2674
2675 type
2676 The interface type. Either "internal", "system", "patch", "dpdk",
2677 or empty.
2678
2679 Format: string
2680
2681 ovs-patch setting
2682 OvsPatch Link Settings.
2683
2684 Properties:
2685
2686 peer
2687 Specifies the name of the interface for the other side of the
2688 patch. The patch on the other side must also set this interface as
2689 peer.
2690
2691 Format: string
2692
2693 ovs-port setting
2694 OvsPort Link Settings.
2695
2696 Properties:
2697
2698 bond-downdelay
2699 The time the port must be inactive in order to be considered down.
2700
2701 Format: uint32
2702
2703 bond-mode
2704 Bonding mode. One of "active-backup", "balance-slb", or
2705 "balance-tcp".
2706
2707 Format: string
2708
2709 bond-updelay
2710 The time the port must be active before it starts forwarding traffic.
2711
2712 Format: uint32
2713
2714 lacp
2715 LACP mode. One of "active", "off", or "passive".
2716
2717 Format: string
2718
2719 tag
2720 The VLAN tag in the range 0-4095.
2721
2722 Format: uint32
2723
2724 vlan-mode
2725 The VLAN mode. One of "access", "native-tagged", "native-untagged",
2726 "trunk" or unset.
2727
2728 Format: string
2729
2730 ppp setting
2731 Point-to-Point Protocol Settings.
2732
2733 Properties:
2734
2735 baud
2736 If non-zero, instruct pppd to set the serial port to the specified
2737 baudrate. This value should normally be left as 0 to automatically
2738 choose the speed.
2739
2740 Format: uint32
2741
2742 crtscts
2743 If TRUE, specify that pppd should set the serial port to use
2744 hardware flow control with RTS and CTS signals. This value should
2745 normally be set to FALSE.
2746
2747 Format: boolean
2748
2749 lcp-echo-failure
2750 If non-zero, instruct pppd to presume the connection to the peer
2751 has failed if the specified number of LCP echo-requests go
2752 unanswered by the peer. The "lcp-echo-interval" property must also
2753 be set to a non-zero value if this property is used.
2754
2755 Format: uint32
2756
2757 lcp-echo-interval
2758 If non-zero, instruct pppd to send an LCP echo-request frame to the
2759 peer every n seconds (where n is the specified value). Note that
2760 some PPP peers will respond to echo requests and some will not, and
2761 it is not possible to autodetect this.
2762
2763 Format: uint32
2764
2765 mppe-stateful
2766 If TRUE, stateful MPPE is used. See pppd documentation for more
2767 information on stateful MPPE.
2768
2769 Format: boolean
2770
2771 mru
2772 If non-zero, instruct pppd to request that the peer send packets no
2773 larger than the specified size. If non-zero, the MRU should be
2774 between 128 and 16384.
2775
2776 Format: uint32
2777
2778 mtu
2779 If non-zero, instruct pppd to send packets no larger than the
2780 specified size.
2781
2782 Format: uint32
2783
2784 no-vj-comp
2785 If TRUE, Van Jacobson TCP header compression will not be requested.
2786
2787 Format: boolean
2788
2789 noauth
2790 If TRUE, do not require the other side (usually the PPP server) to
2791 authenticate itself to the client. If FALSE, require authentication
2792 from the remote side. In almost all cases, this should be TRUE.
2793
2794 Format: boolean
2795
2796 nobsdcomp
2797 If TRUE, BSD compression will not be requested.
2798
2799 Format: boolean
2800
2801 nodeflate
2802 If TRUE, "deflate" compression will not be requested.
2803
2804 Format: boolean
2805
2806 refuse-chap
2807 If TRUE, the CHAP authentication method will not be used.
2808
2809 Format: boolean
2810
2811 refuse-eap
2812 If TRUE, the EAP authentication method will not be used.
2813
2814 Format: boolean
2815
2816 refuse-mschap
2817 If TRUE, the MSCHAP authentication method will not be used.
2818
2819 Format: boolean
2820
2821 refuse-mschapv2
2822 If TRUE, the MSCHAPv2 authentication method will not be used.
2823
2824 Format: boolean
2825
2826 refuse-pap
2827 If TRUE, the PAP authentication method will not be used.
2828
2829 Format: boolean
2830
2831 require-mppe
2832 If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
2833 required for the PPP session. If either 64-bit or 128-bit MPPE is
2834 not available the session will fail. Note that MPPE is not used on
2835 mobile broadband connections.
2836
2837 Format: boolean
2838
2839 require-mppe-128
2840 If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
2841 required for the PPP session, and the "require-mppe" property must
2842 also be set to TRUE. If 128-bit MPPE is not available the session
2843 will fail.
2844
2845 Format: boolean
2846
2847 pppoe setting
2848 PPP-over-Ethernet Settings.
2849
2850 Properties:
2851
2852 parent
2853 Alias: parent
2854
2855 If given, specifies the parent interface name on which this PPPoE
2856 connection should be created. If this property is not specified,
2857 the connection is activated on the interface specified in
2858 "interface-name" of NMSettingConnection.
2859
2860 Format: string
2861
2862 password
2863 Alias: password
2864
2865 Password used to authenticate with the PPPoE service.
2866
2867 Format: string
2868
2869 password-flags
2870 Flags indicating how to handle the "password" property. See the
2871 section called “Secret flag types:” for flag values.
2872
2873 Format: NMSettingSecretFlags (uint32)
2874
2875 service
2876 Alias: service
2877
2878 If specified, instruct PPPoE to only initiate sessions with access
2879 concentrators that provide the specified service. For most
2880 providers, this should be left blank. It is only required if there
2881 are multiple access concentrators or a specific service is known to
2882 be required.
2883
2884 Format: string
2885
2886 username
2887 Alias: username
2888
2889 Username used to authenticate with the PPPoE service.
2890
2891 Format: string
2892
2893 proxy setting
2894 WWW Proxy Settings.
2895
2896 Properties:
2897
2898 browser-only
2899 Alias: browser-only
2900
2901 Whether the proxy configuration is for browser only.
2902
2903 Format: boolean
2904
2905 method
2906 Alias: method
2907
2908 Method for proxy configuration. The default is
2909 NM_SETTING_PROXY_METHOD_NONE (0).
2910
2911 Format: int32
2912
2913 pac-script
2914 Alias: pac-script
2915
2916 PAC script for the connection.
2917
2918 Format: string
2919
2920 pac-url
2921 Alias: pac-url
2922
2923 PAC URL for obtaining PAC file.
2924
2925 Format: string
2926
2927 serial setting
2928 Serial Link Settings.
2929
2930 Properties:
2931
2932 baud
2933 Speed to use for communication over the serial port. Note that this
2934 value usually has no effect for mobile broadband modems as they
2935 generally ignore speed settings and use the highest available
2936 speed.
2937
2938 Format: uint32
2939
2940 bits
2941 Byte-width of the serial communication. The 8 in "8n1" for example.
2942
2943 Format: uint32
2944
2945 parity
2946 Parity setting of the serial port.
2947
2948 Format: NMSettingSerialParity (byte)
2949
2950 send-delay
2951 Time to delay between each byte sent to the modem, in microseconds.
2952
2953 Format: uint64
2954
2955 stopbits
2956 Number of stop bits for communication on the serial port. Either 1
2957 or 2. The 1 in "8n1" for example.
2958
2959 Format: uint32
2960
2961 sriov setting
2962 SR-IOV settings.
2963
2964 Properties:
2965
2966 autoprobe-drivers
2967 Whether to autoprobe virtual functions by a compatible driver. If
2968 set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
2969 compatible driver and if this succeeds a new network interface will
2970 be instantiated for each VF. If set to NM_TERNARY_FALSE (0), VFs
2971 will not be claimed and no network interfaces will be created for
2972 them. When set to NM_TERNARY_DEFAULT (-1), the global default is
2973 used; in case the global default is unspecified it is assumed to be
2974 NM_TERNARY_TRUE (1).
2975
2976 Format: NMTernary (int32)
2977
2978 total-vfs
2979 The total number of virtual functions to create. Note that when the
2980 sriov setting is present NetworkManager enforces the number of
2981 virtual functions on the interface (also when it is zero) during
2982 activation and resets it upon deactivation. To prevent any changes
2983 to SR-IOV parameters don't add a sriov setting to the connection.
2984
2985 Format: uint32
2986
2987 vfs
2988 Array of virtual function descriptors. Each VF descriptor is a
2989 dictionary mapping attribute names to GVariant values. The 'index'
2990 entry is mandatory for each VF. When represented as string a VF is
2991 in the form: "INDEX [ATTR=VALUE[ ATTR=VALUE]...]". For example: "2
2992 mac=00:11:22:33:44:55 spoof-check=true". Multiple VFs can be
2993 specified using a comma as separator. Currently, the following
2994 attributes are supported: mac, spoof-check, trust, min-tx-rate,
2995 max-tx-rate, vlans. The "vlans" attribute is represented as a
2996 semicolon-separated list of VLAN descriptors, where each descriptor
2997 has the form "ID[.PRIORITY[.PROTO]]". PROTO can be either 'q' for
2998 802.1Q (the default) or 'ad' for 802.1ad.
2999
3000 Format: array of vardict
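
The string form of the vfs property described above can be parsed as in the following added example, which is not NetworkManager's parser. The function names are hypothetical, boolean attributes are assumed to be written as "true" or "false" as in the example on this page, and a missing VLAN priority is reported as None.

```python
VF_ATTRS = {"mac", "spoof-check", "trust", "min-tx-rate", "max-tx-rate", "vlans"}


def _parse_bool(name, text):
    # Assumption: only the literal spellings "true" and "false" are accepted.
    if text not in ("true", "false"):
        raise ValueError(f"{name}: expected true or false, got {text!r}")
    return text == "true"


def parse_vlan(descriptor):
    """Parse one "ID[.PRIORITY[.PROTO]]" VLAN descriptor."""
    parts = descriptor.split(".")
    if not 1 <= len(parts) <= 3 or not parts[0]:
        raise ValueError(f"bad VLAN descriptor: {descriptor!r}")
    vlan = {"id": int(parts[0]), "priority": None, "proto": "q"}  # 'q' = 802.1Q
    if len(parts) >= 2:
        vlan["priority"] = int(parts[1])
    if len(parts) == 3:
        if parts[2] not in ("q", "ad"):
            raise ValueError(f"bad VLAN protocol: {parts[2]!r}")
        vlan["proto"] = parts[2]
    return vlan


def parse_vfs(text):
    """Parse "INDEX [ATTR=VALUE ...]" descriptors separated by commas."""
    vfs = []
    seen = set()
    for chunk in text.split(","):
        fields = chunk.split()
        if not fields:
            raise ValueError("empty VF descriptor")
        vf = {"index": int(fields[0])}  # the index is mandatory
        if vf["index"] in seen:
            raise ValueError(f"duplicate VF index {vf['index']}")
        seen.add(vf["index"])
        for field in fields[1:]:
            name, sep, value = field.partition("=")
            if not sep or name not in VF_ATTRS:
                raise ValueError(f"unsupported VF attribute: {field!r}")
            if name in ("spoof-check", "trust"):
                vf[name] = _parse_bool(name, value)
            elif name in ("min-tx-rate", "max-tx-rate"):
                vf[name] = int(value)
            elif name == "vlans":
                vf[name] = [parse_vlan(d) for d in value.split(";")]
            else:
                vf[name] = value
        vfs.append(vf)
    return vfs


def relaxed_vfs(vfs):
    """Indices of VFs whose descriptor turns spoof-check off or trust on,
    the two attributes a reviewer of an SR-IOV profile usually checks first."""
    return [vf["index"] for vf in vfs
            if vf.get("spoof-check") is False or vf.get("trust") is True]


if __name__ == "__main__":
    # Constructed sample value for sriov.vfs.
    sample = "0 vlans=10.3.ad;20, 1 trust=true, 2 mac=00:11:22:33:44:55 spoof-check=true"
    for vf in parse_vfs(sample):
        print(vf)
    print("review:", relaxed_vfs(parse_vfs(sample)))
```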
3001
3002 tc setting
3003 Linux Traffic Control Settings.
3004
3005 Properties:
3006
3007 qdiscs
3008 Array of TC queueing disciplines. When the "tc" setting is present,
3009 qdiscs from this property are applied upon activation. If the
3010 property is empty, all qdiscs are removed and the device will only
3011 have the default qdisc assigned by kernel according to the
3012 "net.core.default_qdisc" sysctl. If the "tc" setting is not
3013 present, NetworkManager doesn't touch the qdiscs present on the
3014 interface.
3015
3016 Format: array of vardict
3017
3018 tfilters
3019 Array of TC traffic filters. When the "tc" setting is present,
3020 filters from this property are applied upon activation. If the
3021 property is empty, NetworkManager removes all the filters. If the
3022 "tc" setting is not present, NetworkManager doesn't touch the
3023 filters present on the interface.
3024
3025 Format: array of vardict
3026
3027 team setting
3028 Teaming Settings.
3029
3030 Properties:
3031
3032 config
3033 Alias: config
3034
3035 The JSON configuration for the team network interface. The property
3036 should contain raw JSON configuration data suitable for teamd,
3037 because the value is passed directly to teamd. If not specified,
3038 the default configuration is used. See man teamd.conf for the
3039 format details.
3040
3041 Format: string
3042
3043 link-watchers
3044 Link watchers configuration for the connection: each link watcher
3045 is defined by a dictionary, whose keys depend upon the selected
3046 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3047 and 'arp_ping'; the watcher is specified in the dictionary with the key
3048 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3049 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3050 'target-host'; arp_ping: all the ones in nsna_ping and
3051 'source-host', 'validate-active', 'validate-inactive',
3052 'send-always'. See man teamd.conf for more details.
3053
3054 Format: array of vardict
3055
3056 mcast-rejoin-count
3057 Corresponds to the teamd mcast_rejoin.count.
3058
3059 Format: int32
3060
3061 mcast-rejoin-interval
3062 Corresponds to the teamd mcast_rejoin.interval.
3063
3064 Format: int32
3065
3066 notify-peers-count
3067 Corresponds to the teamd notify_peers.count.
3068
3069 Format: int32
3070
3071 notify-peers-interval
3072 Corresponds to the teamd notify_peers.interval.
3073
3074 Format: int32
3075
3076 runner
3077 Corresponds to the teamd runner.name. Permitted values are:
3078 "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
3079 "random".
3080
3081 Format: string
3082
3083 runner-active
3084 Corresponds to the teamd runner.active.
3085
3086 Format: boolean
3087
3088 runner-agg-select-policy
3089 Corresponds to the teamd runner.agg_select_policy.
3090
3091 Format: string
3092
3093 runner-fast-rate
3094 Corresponds to the teamd runner.fast_rate.
3095
3096 Format: boolean
3097
3098 runner-hwaddr-policy
3099 Corresponds to the teamd runner.hwaddr_policy.
3100
3101 Format: string
3102
3103 runner-min-ports
3104 Corresponds to the teamd runner.min_ports.
3105
3106 Format: int32
3107
3108 runner-sys-prio
3109 Corresponds to the teamd runner.sys_prio.
3110
3111 Format: int32
3112
3113 runner-tx-balancer
3114 Corresponds to the teamd runner.tx_balancer.name.
3115
3116 Format: string
3117
3118 runner-tx-balancer-interval
3119 Corresponds to the teamd runner.tx_balancer.interval.
3120
3121 Format: int32
3122
3123 runner-tx-hash
3124 Corresponds to the teamd runner.tx_hash.
3125
3126 Format: array of string
3127
3128 team-port setting
3129 Team Port Settings.
3130
3131 Properties:
3132
3133 config
3134 Alias: config
3135
3136 The JSON configuration for the team port. The property should
3137 contain raw JSON configuration data suitable for teamd, because the
3138 value is passed directly to teamd. If not specified, the default
3139 configuration is used. See man teamd.conf for the format details.
3140
3141 Format: string
3142
3143 lacp-key
3144 Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3145
3146 Format: int32
3147
3148 lacp-prio
3149 Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3150
3151 Format: int32
3152
3153 link-watchers
3154 Link watchers configuration for the connection: each link watcher
3155 is defined by a dictionary, whose keys depend upon the selected
3156 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3157 and 'arp_ping'; the watcher is specified in the dictionary with the key
3158 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3159 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3160 'target-host'; arp_ping: all the ones in nsna_ping and
3161 'source-host', 'validate-active', 'validate-inactive',
3162 'send-always'. See man teamd.conf for more details.
3163
3164 Format: array of vardict
3165
3166 prio
3167 Corresponds to the teamd ports.PORTIFNAME.prio.
3168
3169 Format: int32
3170
3171 queue-id
3172 Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1,
3173 the parameter is omitted from the JSON config.
3174
3175 Format: int32
3176
3177 sticky
3178 Corresponds to the teamd ports.PORTIFNAME.sticky.
3179
3180 Format: boolean
3181
3182 tun setting
3183 Tunnel Settings.
3184
3185 Properties:
3186
3187 group
3188 Alias: group
3189
3190 The group ID which will own the device. If set to NULL everyone
3191 will be able to use the device.
3192
3193 Format: string
3194
3195 mode
3196 Alias: mode
3197
3198 The operating mode of the virtual device. Allowed values are
3199 NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3200 NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3201
3202 Format: uint32
3203
3204 multi-queue
3205 Alias: multi-queue
3206
3207 If the property is set to TRUE, the interface will support multiple
3208 file descriptors (queues) to parallelize packet sending or
3209 receiving. Otherwise, the interface will only support a single
3210 queue.
3211
3212 Format: boolean
3213
3214 owner
3215 Alias: owner
3216
3217 The user ID which will own the device. If set to NULL everyone will
3218 be able to use the device.
3219
3220 Format: string
3221
3222 pi
3223 Alias: pi
3224
3225 If TRUE the interface will prepend a 4-byte header describing the
3226 physical interface to the packets.
3227
3228 Format: boolean
3229
3230 vnet-hdr
3231 Alias: vnet-hdr
3232
3233 If TRUE (IFF_VNET_HDR), the tunnel packets will include a virtio
3234 network header.
3235
3236 Format: boolean
3237
3238 vlan setting
3239 VLAN Settings.
3240
3241 Properties:
3242
3243 egress-priority-map
3244 Alias: egress
3245
3246 For outgoing packets, a list of mappings from Linux SKB priorities
3247 to 802.1p priorities. The mapping is given in the format "from:to"
3248 where both "from" and "to" are unsigned integers, e.g. "7:3".
3249
3250 Format: array of string
3251
3252 flags
3253 Alias: flags
3254
3255 One or more flags which control the behavior and features of the
3256 VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
3257 (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
3258 of the GVRP protocol), NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
3259 binding of the interface to its master device's operating state), and
3260 NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol). The default
3261 value of this property is NM_VLAN_FLAG_REORDER_HEADERS, but it used
3262 to be 0. To preserve backward compatibility, the default-value in
3263 the D-Bus API continues to be 0 and a missing property on D-Bus is
3264 still considered as 0.
3265
3266 Format: NMVlanFlags (uint32)
3267
3268 id
3269 Alias: id
3270
3271 The VLAN identifier that the interface created by this connection
3272 should be assigned. The valid range is from 0 to 4094, without the
3273 reserved id 4095.
3274
3275 Format: uint32
3276
3277 ingress-priority-map
3278 Alias: ingress
3279
3280 For incoming packets, a list of mappings from 802.1p priorities to
3281 Linux SKB priorities. The mapping is given in the format "from:to"
3282 where both "from" and "to" are unsigned integers, e.g. "7:3".
3283
3284 Format: array of string
3285
3286 parent
3287 Alias: dev
3288
3289 If given, specifies the parent interface name or parent connection
3290 UUID from which this VLAN interface should be created. If this
3291 property is not specified, the connection must contain an
3292 "802-3-ethernet" setting with a "mac-address" property.
3293
3294 Format: string
3295
3296 vpn setting
3297 VPN Settings.
3298
3299 Properties:
3300
3301 data
3302 Dictionary of key/value pairs of VPN plugin specific data. Both
3303 keys and values must be strings.
3304
3305 Format: dict of string to string
3306
3307 persistent
3308 If the VPN service supports persistence, and this property is TRUE,
3309 the VPN will attempt to stay connected across link changes and
3310 outages, until explicitly disconnected.
3311
3312 Format: boolean
3313
3314 secrets
3315 Dictionary of key/value pairs of VPN plugin specific secrets like
3316 passwords or private keys. Both keys and values must be strings.
3317
3318 Format: dict of string to string
3319
3320 service-type
3321 Alias: vpn-type
3322
3323 D-Bus service name of the VPN plugin that this setting uses to
3324 connect to its network, e.g. org.freedesktop.NetworkManager.vpnc
3325 for the vpnc plugin.
3326
3327 Format: string
3328
3329 timeout
3330 Timeout for the VPN service to establish the connection. Some
3331 services may take quite a long time to connect. Value of 0 means a
3332 default timeout, which is 60 seconds (unless overridden by
3333 vpn.timeout in configuration file). Values greater than zero mean
3334 timeout in seconds.
3335
3336 Format: uint32
3337
3338 user-name
3339 Alias: user
3340
3341 If the VPN connection requires a user name for authentication, that
3342 name should be provided here. If the connection is available to
3343 more than one user, and the VPN requires each user to supply a
3344 different name, then leave this property empty. If this property is
3345 empty, NetworkManager will automatically supply the username of the
3346 user which requested the VPN connection.
3347
3348 Format: string
3349
3350 vrf setting
3351 VRF settings.
3352
3353 Properties:
3354
3355 table
3356 Alias: table
3357
3358 The routing table for this VRF.
3359
3360 Format: uint32
3361
3362 vxlan setting
3363 VXLAN Settings.
3364
3365 Properties:
3366
3367 ageing
3368 Specifies the lifetime in seconds of FDB entries learnt by the
3369 kernel.
3370
3371 Format: uint32
3372
3373 destination-port
3374 Alias: destination-port
3375
3376 Specifies the UDP destination port to communicate to the remote
3377 VXLAN tunnel endpoint.
3378
3379 Format: uint32
3380
3381 id
3382 Alias: id
3383
3384 Specifies the VXLAN Network Identifier (or VXLAN Segment
3385 Identifier) to use.
3386
3387 Format: uint32
3388
3389 l2-miss
3390 Specifies whether netlink LL ADDR miss notifications are generated.
3391
3392 Format: boolean
3393
3394 l3-miss
3395 Specifies whether netlink IP ADDR miss notifications are generated.
3396
3397 Format: boolean
3398
3399 learning
3400 Specifies whether unknown source link layer addresses and IP
3401 addresses are entered into the VXLAN device forwarding database.
3402
3403 Format: boolean
3404
3405 limit
3406 Specifies the maximum number of FDB entries. A value of zero means
3407 that the kernel will store unlimited entries.
3408
3409 Format: uint32
3410
3411 local
3412 Alias: local
3413
3414 If given, specifies the source IP address to use in outgoing
3415 packets.
3416
3417 Format: string
3418
3419 parent
3420 Alias: dev
3421
3422 If given, specifies the parent interface name or parent connection
3423 UUID.
3424
3425 Format: string
3426
3427 proxy
3428 Specifies whether ARP proxy is turned on.
3429
3430 Format: boolean
3431
3432 remote
3433 Alias: remote
3434
3435 Specifies the unicast destination IP address to use in outgoing
3436 packets when the destination link layer address is not known in the
3437 VXLAN device forwarding database, or the multicast IP address to
3438 join.
3439
3440 Format: string
3441
3442 rsc
3443 Specifies whether route short circuit is turned on.
3444
3445 Format: boolean
3446
3447 source-port-max
3448 Alias: source-port-max
3449
3450 Specifies the maximum UDP source port to communicate to the remote
3451 VXLAN tunnel endpoint.
3452
3453 Format: uint32
3454
3455 source-port-min
3456 Alias: source-port-min
3457
3458 Specifies the minimum UDP source port to communicate to the remote
3459 VXLAN tunnel endpoint.
3460
3461 Format: uint32
3462
3463 tos
3464 Specifies the TOS value to use in outgoing packets.
3465
3466 Format: uint32
3467
3468 ttl
3469 Specifies the time-to-live value to use in outgoing packets.
3470
3471 Format: uint32
3472
3473 wifi-p2p setting
3474 Wi-Fi P2P Settings.
3475
3476 Properties:
3477
3478 peer
3479 Alias: peer
3480
3481 The P2P device that should be connected to. Currently, this is the
3482 only way to create or join a group.
3483
3484 Format: string
3485
3486 wfd-ies
3487 The Wi-Fi Display (WFD) Information Elements (IEs) to set. Wi-Fi
3488 Display requires a protocol specific information element to be set
3489 in certain Wi-Fi frames. These can be specified here for the
3490 purpose of establishing a connection. This setting is only useful
3491 when implementing a Wi-Fi Display client.
3492
3493 Format: byte array
3494
3495 wps-method
3496 Flags indicating which mode of WPS is to be used. There's little
3497 point in changing the default setting as NetworkManager will
3498 automatically determine the best method to use.
3499
3500 Format: uint32
3501
3502 wimax setting
3503 WiMax Settings.
3504
3505 Properties:
3506
3507 mac-address
3508 Alias: mac
3509
3510 If specified, this connection will only apply to the WiMAX device
3511 whose MAC address matches. This property does not change the MAC
3512 address of the device (known as MAC spoofing). Deprecated: 1
3513
3514 Format: byte array
3515
3516 network-name
3517 Alias: nsp
3518
3519 Network Service Provider (NSP) name of the WiMAX network this
3520 connection should use. Deprecated: 1
3521
3522 Format: string
3523
3524 802-3-ethernet setting
3525 Alias: ethernet
3526
3527 Wired Ethernet Settings.
3528
3529 Properties:
3530
3531 accept-all-mac-addresses
3532 When TRUE, set up the interface to accept packets for all MAC
3533 addresses. This enables the kernel interface flag IFF_PROMISC.
3534 When FALSE, the interface will only accept the packets with the
3535 interface destination MAC address or broadcast.
3536
3537 Format: NMTernary (int32)
3538
3539 auto-negotiate
3540 When TRUE, enforce auto-negotiation of speed and duplex mode. If
3541 "speed" and "duplex" properties are both specified, only that
3542 single mode will be advertised and accepted during the link
3543 auto-negotiation process: this works only for BASE-T 802.3
3544 specifications and is useful for enforcing gigabit modes, as in
3545 these cases link negotiation is mandatory. When FALSE, "speed" and
3546 "duplex" properties should be both set or link configuration will
3547 be skipped.
3548
3549 Format: boolean
3550
3551 cloned-mac-address
3552 Alias: cloned-mac
3553
3554 If specified, request that the device use this MAC address instead.
3555 This is known as MAC cloning or spoofing. Besides explicitly
3556 specifying a MAC address, the special values "preserve",
3557 "permanent", "random" and "stable" are supported. "preserve" means
3558 not to touch the MAC address on activation. "permanent" means to
3559 use the permanent hardware address if the device has one (otherwise
3560 this is treated as "preserve"). "random" creates a random MAC
3561 address on each connect. "stable" creates a hashed MAC address
3562 based on connection.stable-id and a machine dependent key. If
3563 unspecified, the value can be overwritten via global defaults, see
3564 manual of NetworkManager.conf. If still unspecified, it defaults to
3565 "preserve" (older versions of NetworkManager may use a different
3566 default value). On D-Bus, this field is expressed as
3567 "assigned-mac-address" or the deprecated "cloned-mac-address".
3568
3569 Format: byte array
3570
3571 duplex
3572 When a value is set, either "half" or "full", configures the device
3573 to use the specified duplex mode. If "auto-negotiate" is "yes" the
3574 specified duplex mode will be the only one advertised during link
3575 negotiation: this works only for BASE-T 802.3 specifications and is
3576 useful for enforcing gigabit modes, as in these cases link
3577 negotiation is mandatory. If the value is unset (the default), the
3578 link configuration will be either skipped (if "auto-negotiate" is
3579 "no", the default) or will be auto-negotiated (if "auto-negotiate"
3580 is "yes") and the local device will advertise all the supported
3581 duplex modes. Must be set together with the "speed" property if
3582 specified. Before specifying a duplex mode be sure your device
3583 supports it.
3584
3585 Format: string
3586
3587 generate-mac-address-mask
3588 With "cloned-mac-address" setting "random" or "stable", by default
3589 all bits of the MAC address are scrambled and a
3590 locally-administered, unicast MAC address is created. This property
3591 allows specifying that certain bits are fixed. Note that the least
3592 significant bit of the first octet of the MAC address will always be
3593 unset to create a unicast MAC address. If the property is NULL, it is
3594 eligible to be overwritten by a default connection setting. If the
3595 value is still NULL or an empty string, the default is to create a
3596 locally-administered, unicast MAC address. If the value contains
3597 one MAC address, this address is used as mask. The set bits of the
3598 mask are to be filled with the current MAC address of the device,
3599 while the unset bits are subject to randomization. Setting
3600 "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3601 address and only randomize the lower 3 bytes using the "random" or
3602 "stable" algorithm. If the value contains one additional MAC
3603 address after the mask, this address is used instead of the current
3604 MAC address to fill the bits that shall not be randomized. For
3605 example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3606 the OUI of the MAC address to 68:F7:28, while the lower bits are
3607 randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3608 create a fully scrambled globally-administered, burned-in MAC
3609 address. If the value contains more than one additional MAC
3610 address, one of them is chosen randomly. For example,
3611 "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3612 a fully scrambled MAC address, randomly locally or globally
3613 administered.
3614
3615 Format: string
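
The mask rules above can be traced with the following added example, which is not NetworkManager's implementation. The function name is hypothetical, and plain random bits stand in for the output of the "random" or "stable" algorithm; only the way the mask combines fixed and scrambled bits follows this page.

```python
import random


def _mac(text):
    """Parse "AA:BB:CC:DD:EE:FF" into 6 bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return raw


def generate_mac(mask_value, current_mac, rng=None):
    """Apply a generate-mac-address-mask value.

    mask_value  -- "MASK [ADDR ...]", or None/"" for the default
    current_mac -- the device's current MAC, used when no ADDR is given
    rng         -- random.Random-like source (assumption: stands in for
                   the "random"/"stable" bit generator)
    """
    if rng is None:
        rng = random.SystemRandom()
    fields = (mask_value or "").split()
    if not fields:
        # Default: scramble everything, force the locally-administered bit.
        mask = fill = _mac("02:00:00:00:00:00")
    else:
        mask = _mac(fields[0])
        candidates = [_mac(f) for f in fields[1:]]
        # With several additional addresses one is chosen randomly;
        # with none, the set bits are filled from the current MAC.
        fill = rng.choice(candidates) if candidates else _mac(current_mac)
    noise = bytes(rng.getrandbits(8) for _ in range(6))
    # Set mask bits come from `fill`, unset mask bits are randomized.
    out = bytearray((f & m) | (n & ~m & 0xFF)
                    for f, m, n in zip(fill, mask, noise))
    out[0] &= 0xFE  # least significant bit of the first octet: always unicast
    return ":".join(f"{b:02X}" for b in out)


if __name__ == "__main__":
    current = "68:F7:28:AA:BB:CC"  # constructed sample address
    for value in (None,
                  "FE:FF:FF:00:00:00",
                  "FE:FF:FF:00:00:00 68:F7:28:00:00:00",
                  "02:00:00:00:00:00 00:00:00:00:00:00"):
        print(f"{value!s:40} -> {generate_mac(value, current)}")
```

A mask that preserves the OUI keeps the vendor prefix visible on the network, so it trades some of the privacy of full randomization for compatibility with vendor-based filtering.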
3616
3617 mac-address
3618 Alias: mac
3619
3620 If specified, this connection will only apply to the Ethernet
3621 device whose permanent MAC address matches. This property does not
3622 change the MAC address of the device (i.e. MAC spoofing).
3623
3624 Format: byte array
3625
3626 mac-address-blacklist
3627 If specified, this connection will never apply to the Ethernet
3628 device whose permanent MAC address matches an address in the list.
3629 Each MAC address is in the standard hex-digits-and-colons notation
3630 (00:11:22:33:44:55).
3631
3632 Format: array of string
3633
3634 mtu
3635 Alias: mtu
3636
3637 If non-zero, only transmit packets of the specified size or
3638 smaller, breaking larger packets up into multiple Ethernet frames.
3639
3640 Format: uint32
3641
3642 port
3643 Specific port type to use if the device supports multiple
3644 attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
3645 Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
3646 Interface). If the device supports only one port type, this setting
3647 is ignored.
3648
3649 Format: string
3650
3651 s390-nettype
3652 s390 network device type; one of "qeth", "lcs", or "ctc",
3653 representing the different types of virtual network devices
3654 available on s390 systems.
3655
3656 Format: string
3657
3658 s390-options
3659 Dictionary of key/value pairs of s390-specific device options. Both
3660 keys and values must be strings. Allowed keys include "portno",
3661 "layer2", "portname", "protocol", among others. Key names must
3662 contain only alphanumeric characters (ie, [a-zA-Z0-9]).
3663
3664 Format: dict of string to string
3665
3666 s390-subchannels
3667 Identifies specific subchannels that this network device uses for
3668 communication with z/VM or s390 host. Like the "mac-address"
3669 property for non-z/VM devices, this property can be used to ensure
3670 this connection only applies to the network device that uses these
3671 subchannels. The list should contain exactly 3 strings, and each
3672 string may only be composed of hexadecimal characters and the
3673 period (.) character.
3674
3675 Format: array of string
3676
3677 speed
3678 When a value greater than 0 is set, configures the device to use
3679 the specified speed. If "auto-negotiate" is "yes" the specified
3680 speed will be the only one advertised during link negotiation: this
3681 works only for BASE-T 802.3 specifications and is useful for
3682 enforcing gigabit speeds, as in this case link negotiation is
3683 mandatory. If the value is unset (0, the default), the link
3684 configuration will be either skipped (if "auto-negotiate" is "no",
3685 the default) or will be auto-negotiated (if "auto-negotiate" is
3686 "yes") and the local device will advertise all the supported
3687 speeds. In Mbit/s, ie 100 == 100Mbit/s. Must be set together with
3688 the "duplex" property when non-zero. Before specifying a speed
3689 value be sure your device supports it.
3690
3691 Format: uint32
3692
3693 wake-on-lan
3694 The NMSettingWiredWakeOnLan options to enable. Not all devices
3695 support all options. May be any combination of
3696 NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
3697 NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
3698 NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
3699 NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
3700 NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
3701 NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
3702 NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
3703 and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
3704 management of Wake-on-LAN in NetworkManager).
3705
3706 Format: uint32
3707
3708 wake-on-lan-password
3709 If specified, the password used with magic-packet-based
3710 Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
3711 password will be required.
3712
3713 Format: string
3714
3715 wireguard setting
3716 WireGuard Settings.
3717
3718 Properties:
3719
3720 fwmark
3721 The use of fwmark is optional and is by default off. Setting it to
3722 0 disables it. Otherwise, it is a 32-bit fwmark for outgoing
3723 packets. Note that enabling "ip4-auto-default-route" or
3724 "ip6-auto-default-route" implies that a fwmark is chosen
3725 automatically.
3726
3727 Format: uint32
3728
3729 ip4-auto-default-route
3730 Whether to enable special handling of the IPv4 default route. If
3731 enabled, the IPv4 default route from wireguard.peer-routes will be
3732 placed to a dedicated routing-table and two policy routing rules
3733 will be added. The fwmark number is also used as routing-table for
3734 the default-route, and if fwmark is zero, an unused fwmark/table is
3735 chosen automatically. This corresponds to what wg-quick does with
3736 Table=auto and what WireGuard calls "Improved Rule-based Routing".
3737 Note that for this automatism to work, you usually don't want to
3738 set ipv4.gateway, because that will result in a conflicting default
3739 route. Leaving this at the default will enable this option
3740 automatically if ipv4.never-default is not set and there are any
3741 peers that use a default-route as allowed-ips.
3742
3743 Format: NMTernary (int32)
3744
3745 ip6-auto-default-route
3746 Like ip4-auto-default-route, but for the IPv6 default route.
3747
3748 Format: NMTernary (int32)
3749
3750 listen-port
3751 The listen-port. If listen-port is not specified, the port will be
3752 chosen randomly when the interface comes up.
3753
3754 Format: uint32
3755
3756 mtu
3757 If non-zero, only transmit packets of the specified size or
3758 smaller, breaking larger packets up into multiple fragments. If
3759 zero a default MTU is used. Note that contrary to wg-quick's MTU
3760 setting, this does not take into account the current routes at the
3761 time of activation.
3762
3763 Format: uint32
3764
3765 peer-routes
3766 Whether to automatically add routes for the AllowedIPs ranges of
3767 the peers. If TRUE (the default), NetworkManager will automatically
3768 add routes in the routing tables according to ipv4.route-table and
3769 ipv6.route-table. Usually you want this automatism enabled. If
3770 FALSE, no such routes are added automatically. In this case, the
3771 user may want to configure static routes in ipv4.routes and
3772 ipv6.routes, respectively. Note that if the peer's AllowedIPs is
3773 "0.0.0.0/0" or "::/0" and the profile's ipv4.never-default or
3774 ipv6.never-default setting is enabled, the peer route for this peer
3775 won't be added automatically.
3776
3777 Format: boolean
3778
3779 private-key
3780 The 256 bit private-key in base64 encoding.
3781
3782 Format: string
3783
3784 private-key-flags
3785 Flags indicating how to handle the "private-key" property. See the
3786 section called “Secret flag types:” for flag values.
3787
3788 Format: NMSettingSecretFlags (uint32)
3789
3790 802-11-wireless setting
3791 Alias: wifi
3792
3793 Wi-Fi Settings.
3794
3795 Properties:
3796
3797 ap-isolation
3798 Configures AP isolation, which prevents communication between
3799 wireless devices connected to this AP. This property can be set to
3800 a value different from NM_TERNARY_DEFAULT (-1) only when the
3801 interface is configured in AP mode. If set to NM_TERNARY_TRUE (1),
3802 devices are not able to communicate with each other. This increases
3803 security because it protects devices against attacks from other
3804 clients in the network. At the same time, it prevents devices from
3805 accessing resources on the same wireless network, such as file
3806 shares, printers, etc. If set to NM_TERNARY_FALSE (0), devices can talk to
3807 each other. When set to NM_TERNARY_DEFAULT (-1), the global default
3808 is used; in case the global default is unspecified it is assumed to
3809 be NM_TERNARY_FALSE (0).
3810
3811 Format: NMTernary (int32)
3812
3813 band
3814 802.11 frequency band of the network. One of "a" for 5GHz 802.11a
3815 or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
3816 network to the specific band, i.e. if "a" is specified, the device
3817 will not associate with the same network in the 2.4GHz band even if
3818 the network's settings are compatible. This setting depends on
3819 specific driver capability and may not work with all drivers.
3820
3821 Format: string
3822
3823 bssid
3824 If specified, directs the device to only associate with the given
3825 access point. This capability is highly driver dependent and not
3826 supported by all devices. Note: this property does not control the
3827 BSSID used when creating an Ad-Hoc network and is unlikely to in
3828 the future.
3829
3830 Format: byte array
3831
3832 channel
3833 Wireless channel to use for the Wi-Fi connection. The device will
3834 only join (or create for Ad-Hoc networks) a Wi-Fi network on the
3835 specified channel. Because channel numbers overlap between bands,
3836 this property also requires the "band" property to be set.
3837
3838 Format: uint32
3839
3840 cloned-mac-address
3841 Alias: cloned-mac
3842
3843 If specified, request that the device use this MAC address instead.
3844 This is known as MAC cloning or spoofing. Beside explicitly
3845 specifying a MAC address, the special values "preserve",
3846 "permanent", "random" and "stable" are supported. "preserve" means
3847 not to touch the MAC address on activation. "permanent" means to
3848 use the permanent hardware address of the device. "random" creates
3849 a random MAC address on each connect. "stable" creates a hashed MAC
3850 address based on connection.stable-id and a machine dependent key.
3851 If unspecified, the value can be overwritten via global defaults,
3852 see manual of NetworkManager.conf. If still unspecified, it
3853 defaults to "preserve" (older versions of NetworkManager may use a
3854 different default value). On D-Bus, this field is expressed as
3855 "assigned-mac-address" or the deprecated "cloned-mac-address".
3856
3857 Format: byte array
3858
3859 generate-mac-address-mask
3860 With "cloned-mac-address" setting "random" or "stable", by default
3861 all bits of the MAC address are scrambled and a
3862 locally-administered, unicast MAC address is created. This property
3863 allows specifying that certain bits are fixed. Note that the least
3864 significant bit of the first octet of the MAC address will always be
3865 unset to create a unicast MAC address. If the property is NULL, it is
3866 eligible to be overwritten by a default connection setting. If the
3867 value is still NULL or an empty string, the default is to create a
3868 locally-administered, unicast MAC address. If the value contains
3869 one MAC address, this address is used as mask. The set bits of the
3870 mask are to be filled with the current MAC address of the device,
3871 while the unset bits are subject to randomization. Setting
3872 "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3873 address and only randomize the lower 3 bytes using the "random" or
3874 "stable" algorithm. If the value contains one additional MAC
3875 address after the mask, this address is used instead of the current
3876 MAC address to fill the bits that shall not be randomized. For
3877 example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3878 the OUI of the MAC address to 68:F7:28, while the lower bits are
3879 randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3880 create a fully scrambled globally-administered, burned-in MAC
3881 address. If the value contains more than one additional MAC
3882 address, one of them is chosen randomly. For example,
3883 "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3884 a fully scrambled MAC address, randomly locally or globally
3885 administered.
3886
3887 Format: string
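
The mask rules described for generate-mac-address-mask (in both the Ethernet and the Wi-Fi setting) can be followed bit by bit in the sketch below. It is an added example, not NetworkManager's code: the function names are hypothetical, and the six scrambled bytes are passed in as a parameter, so the "stable" hash over connection.stable-id is not reproduced.

```python
import re
import secrets

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")


def parse_mac(text):
    """Parse hex-digits-and-colons notation into 6 bytes."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(text.replace(":", ""))


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def generate_mac(mask_value, current_mac, scrambled=None, pick=secrets.choice):
    """Apply a generate-mac-address-mask value to six scrambled bytes.

    mask_value: None/"" or "<mask> [<mac> ...]" as described on this page.
    current_mac: the device's current MAC, used when no extra address is given.
    scrambled: the six bytes produced by "random" or "stable" (assumption:
               supplied by the caller; random bytes are drawn if omitted).
    pick: chooses one of several additional addresses (injectable for tests).
    """
    addr = bytearray(scrambled if scrambled is not None else secrets.token_bytes(6))
    if len(addr) != 6:
        raise ValueError("need exactly 6 scrambled bytes")

    # Default result is locally administered; a mask may override this bit.
    addr[0] |= 0x02

    fields = (mask_value or "").split()
    if fields:
        mask = parse_mac(fields[0])
        fill = parse_mac(pick(fields[1:])) if len(fields) > 1 else parse_mac(current_mac)
        for i in range(6):
            # Set mask bits come from `fill`, unset bits stay scrambled.
            addr[i] = (addr[i] & ~mask[i] & 0xFF) | (fill[i] & mask[i])

    # The least significant bit of the first octet is always cleared (unicast).
    addr[0] &= 0xFE
    return format_mac(addr)


def is_locally_administered(mac):
    return bool(parse_mac(mac)[0] & 0x02)


def is_unicast(mac):
    return not parse_mac(mac)[0] & 0x01
```

Note that a mask such as "FE:FF:FF:00:00:00" keeps the OUI of the real device visible on the air, so only the lower three bytes contribute to unlinkability between connections.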
3888
3889 hidden
3890 If TRUE, indicates that the network is a non-broadcasting network
3891 that hides its SSID. This works both in infrastructure and AP mode.
3892 In infrastructure mode, various workarounds are used for a more
3893 reliable discovery of hidden networks, such as probe-scanning the
3894 SSID. However, these workarounds expose inherent insecurities with
3895 hidden SSID networks, and thus hidden SSID networks should be used
3896 with caution. In AP mode, the created network does not broadcast
3897 its SSID. Note that marking the network as hidden may be a privacy
3898 issue for you (in infrastructure mode) or client stations (in AP
3899 mode), as the explicit probe-scans are distinctly recognizable on
3900 the air.
3901
3902 Format: boolean
3903
3904 mac-address
3905 Alias: mac
3906
3907 If specified, this connection will only apply to the Wi-Fi device
3908 whose permanent MAC address matches. This property does not change
3909 the MAC address of the device (i.e. MAC spoofing).
3910
3911 Format: byte array
3912
3913 mac-address-blacklist
3914 A list of permanent MAC addresses of Wi-Fi devices to which this
3915 connection should never apply. Each MAC address should be given in
3916 the standard hex-digits-and-colons notation (eg
3917 "00:11:22:33:44:55").
3918
3919 Format: array of string
3920
3921 mac-address-randomization
3922 One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
3923 unless the user has set a global default to randomize and the
3924 supplicant supports randomization),
3925 NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
3926 address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
3927 randomize the MAC address). This property is deprecated for
3928 'cloned-mac-address'. Deprecated: 1
3929
3930 Format: uint32
3931
3932 mode
3933 Alias: mode
3934
3935 Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
3936 "ap". If blank, infrastructure is assumed.
3937
3938 Format: string
3939
3940 mtu
3941 Alias: mtu
3942
3943 If non-zero, only transmit packets of the specified size or
3944 smaller, breaking larger packets up into multiple Ethernet frames.
3945
3946 Format: uint32
3947
3948 powersave
3949 One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
3950 power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
3951 Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
3952 (don't touch the currently configured setting) or
3953 NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
3954 configured value). All other values are reserved.
3955
3956 Format: uint32
3957
3958 rate
3959 If non-zero, directs the device to only use the specified bitrate
3960 for communication with the access point. Units are in Kb/s, ie 5500
3961 = 5.5 Mbit/s. This property is highly driver dependent and not all
3962 devices support setting a static bitrate.
3963
3964 Format: uint32
3965
3966 seen-bssids
3967 A list of BSSIDs (each BSSID formatted as a MAC address like
3968 "00:11:22:33:44:55") that have been detected as part of the Wi-Fi
3969 network. NetworkManager internally tracks previously seen BSSIDs.
3970 The property is only meant for reading and reflects the BSSID list
3971 of NetworkManager. The changes you make to this property will not
3972 be preserved.
3973
3974 Format: array of string
3975
3976 ssid
3977 Alias: ssid
3978
3979 SSID of the Wi-Fi network. Must be specified.
3980
3981 Format: byte array
3982
3983 tx-power
3984 If non-zero, directs the device to use the specified transmit
3985 power. Units are dBm. This property is highly driver dependent and
3986 not all devices support setting a static transmit power.
3987
3988 Format: uint32
3989
3990 wake-on-wlan
3991 The NMSettingWirelessWakeOnWLan options to enable. Not all devices
3992 support all options. May be any combination of
3993 NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
3994 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
3995 NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
3996 NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
3997 NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
3998 NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
3999 NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
4000 NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
4001 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
4002 settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
4003 disable management of Wake-on-LAN in NetworkManager).
4004
4005 Format: uint32
4006
4007 802-11-wireless-security setting
4008 Alias: wifi-sec
4009
4010 Wi-Fi Security Settings.
4011
4012 Properties:
4013
4014 auth-alg
4015 When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate
4016 the 802.11 authentication algorithm required by the AP here. One of
4017 "open" for Open System, "shared" for Shared Key, or "leap" for
4018 Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and
4019 auth-alg = "leap") the "leap-username" and "leap-password"
4020 properties must be specified.
4021
4022 Format: string
4023
4024 fils
4025 Indicates whether Fast Initial Link Setup (802.11ai) must be
4026 enabled for the connection. One of
4027 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
4028 value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
4029 FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
4030 if the supplicant and the access point support it) or
4031 NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
4032 fail if not supported). When set to
4033 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
4034 is set, FILS will be optionally enabled.
4035
4036 Format: int32
4037
4038 group
4039 A list of group/broadcast encryption algorithms which prevents
4040 connections to Wi-Fi networks that do not utilize one of the
4041 algorithms in the list. For maximum compatibility leave this
4042 property empty. Each list element may be one of "wep40", "wep104",
4043 "tkip", or "ccmp".
4044
4045 Format: array of string
4046
4047 key-mgmt
4048 Key management used for the connection. One of "none" (WEP or no
4049 password protection), "ieee8021x" (Dynamic WEP), "owe"
4050 (Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3
4051 personal), "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3
4052 enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only). This
4053 property must be set for any Wi-Fi connection that uses security.
4054
4055 Format: string
4056
4057 leap-password
4058 The login password for legacy LEAP connections (ie, key-mgmt =
4059 "ieee8021x" and auth-alg = "leap").
4060
4061 Format: string
4062
4063 leap-password-flags
4064 Flags indicating how to handle the "leap-password" property. See
4065 the section called “Secret flag types:” for flag values.
4066
4067 Format: NMSettingSecretFlags (uint32)
4068
4069 leap-username
4070 The login username for legacy LEAP connections (ie, key-mgmt =
4071 "ieee8021x" and auth-alg = "leap").
4072
4073 Format: string
4074
4075 pairwise
4076 A list of pairwise encryption algorithms which prevents connections
4077 to Wi-Fi networks that do not utilize one of the algorithms in the
4078 list. For maximum compatibility leave this property empty. Each
4079 list element may be one of "tkip" or "ccmp".
4080
4081 Format: array of string
4082
4083 pmf
4084 Indicates whether Protected Management Frames (802.11w) must be
4085 enabled for the connection. One of
4086 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
4087 value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
4088 NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
4089 supplicant and the access point support it) or
4090 NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
4091 if not supported). When set to
4092 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
4093 is set, PMF will be optionally enabled.
4094
4095 Format: int32
4096
4097 proto
4098 List of strings specifying the allowed WPA protocol versions to
4099 use. Each element may be one of "wpa" (allow WPA) or "rsn" (allow
4100 WPA2/RSN). If not specified, both WPA and RSN connections are
4101 allowed.
4102
4103 Format: array of string
4104
4105 psk
4106 Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
4107 passphrase of 8 to 63 characters that is (as specified in the
4108 802.11i standard) hashed to derive the actual key, or the key in
4109 form of 64 hexadecimal characters. WPA3-Personal networks use a
4110 passphrase of any length for SAE authentication.
4111
4112 Format: string
4113
4114 psk-flags
4115 Flags indicating how to handle the "psk" property. See the section
4116 called “Secret flag types:” for flag values.
4117
4118 Format: NMSettingSecretFlags (uint32)
4119
4120 wep-key-flags
4121 Flags indicating how to handle the "wep-key0", "wep-key1",
4122 "wep-key2", and "wep-key3" properties. See the section called
4123 “Secret flag types:” for flag values.
4124
4125 Format: NMSettingSecretFlags (uint32)
4126
4127 wep-key-type
4128 Controls the interpretation of WEP keys. Allowed values are
4129 NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
4130 26-character hexadecimal string, or a 5- or 13-character ASCII
4131 password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
4132 passphrase is provided as a string and will be hashed using the
4133 de-facto MD5 method to derive the actual WEP key.
4134
4135 Format: NMWepKeyType (uint32)
4136
4137 wep-key0
4138 Index 0 WEP key. This is the WEP key used in most networks. See the
4139 "wep-key-type" property for a description of how this key is
4140 interpreted.
4141
4142 Format: string
4143
4144 wep-key1
4145 Index 1 WEP key. This WEP index is not used by most networks. See
4146 the "wep-key-type" property for a description of how this key is
4147 interpreted.
4148
4149 Format: string
4150
4151 wep-key2
4152 Index 2 WEP key. This WEP index is not used by most networks. See
4153 the "wep-key-type" property for a description of how this key is
4154 interpreted.
4155
4156 Format: string
4157
4158 wep-key3
4159 Index 3 WEP key. This WEP index is not used by most networks. See
4160 the "wep-key-type" property for a description of how this key is
4161 interpreted.
4162
4163 Format: string
4164
4165 wep-tx-keyidx
4166 When static WEP is used (ie, key-mgmt = "none") and a non-default
4167 WEP key index is used by the AP, put that WEP key index here. Valid
4168 values are 0 (default key) through 3. Note that some consumer
4169 access points (like the Linksys WRT54G) number the keys 1 - 4.
4170
4171 Format: uint32
4172
4173 wps-method
4174 Flags indicating which mode of WPS is to be used if any. There's
4175 little point in changing the default setting as NetworkManager will
4176 automatically determine whether it's feasible to start WPS
4177 enrollment from the Access Point capabilities. WPS can be disabled
4178 by setting this property to a value of 1.
4179
4180 Format: uint32
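
The following added example (not part of NetworkManager or this manual) audits a profile's 802-11-wireless-security properties using the values documented above, including the secret flags described under "Secret flag types:". The property dictionaries are constructed samples, how they are read from a profile is left out, and the severity labels are this example's own policy.

```python
# Property names and values are the ones documented on this page; the
# severities ("high", "medium", "info") are an assumption of this example.
WEAK_KEY_MGMT = {
    "none": "WEP or no password protection",
    "ieee8021x": "Dynamic WEP",
}
LEGACY_CIPHERS = {"wep40", "wep104", "tkip"}
SECRET_FLAG_NAMES = {0x1: "agent-owned", 0x2: "not-saved", 0x4: "not-required"}
# Secret property -> the flags property that governs it.
SECRETS = {
    "psk": "psk-flags",
    "leap-password": "leap-password-flags",
    "wep-key0": "wep-key-flags",
    "wep-key1": "wep-key-flags",
    "wep-key2": "wep-key-flags",
    "wep-key3": "wep-key-flags",
}
PMF_DISABLE, PMF_REQUIRED = 1, 3


def decode_secret_flags(value):
    """Return the names of the bits set in an NMSettingSecretFlags value."""
    names = [name for bit, name in SECRET_FLAG_NAMES.items() if value & bit]
    return names or ["none"]


def audit_wifi_sec(props):
    """Return a list of (severity, property, message) findings."""
    findings = []
    key_mgmt = props.get("key-mgmt")
    if key_mgmt is None:
        findings.append(("high", "key-mgmt", "unset: the connection uses no Wi-Fi security"))
    elif key_mgmt in WEAK_KEY_MGMT:
        findings.append(("high", "key-mgmt", f"{key_mgmt!r} means {WEAK_KEY_MGMT[key_mgmt]}"))
    modern = key_mgmt is not None and key_mgmt not in WEAK_KEY_MGMT

    # An empty "proto" list allows both WPA and RSN.
    proto = props.get("proto") or []
    if key_mgmt in ("wpa-psk", "wpa-eap") and (not proto or "wpa" in proto):
        findings.append(("medium", "proto", "WPA (pre-RSN) is allowed; restrict to 'rsn'"))

    for prop in ("pairwise", "group"):
        legacy = sorted(LEGACY_CIPHERS.intersection(props.get(prop) or []))
        if legacy:
            findings.append(("medium", prop, "legacy cipher(s) allowed: " + ", ".join(legacy)))

    if modern:
        pmf = props.get("pmf", 0)
        if pmf == PMF_DISABLE:
            findings.append(("medium", "pmf", "Protected Management Frames disabled"))
        elif pmf != PMF_REQUIRED:
            findings.append(("info", "pmf", "PMF is optional, not required"))

    # Flags 0x0 (none): the system stores the secret, commonly in plain text.
    for secret, flags_prop in SECRETS.items():
        if props.get(secret) and decode_secret_flags(props.get(flags_prop, 0)) == ["none"]:
            findings.append(("info", secret, "stored by the system, commonly in plain text on disk"))
    return findings


# Constructed sample profiles (not taken from any real system).
WEP_PROFILE = {"key-mgmt": "none", "wep-key0": "0123456789", "wep-key-flags": 0}
LEGACY_PROFILE = {
    "key-mgmt": "wpa-psk", "psk": "constructed passphrase", "psk-flags": 0x1,
    "pairwise": ["tkip", "ccmp"], "group": ["tkip"],
}
HARDENED_PROFILE = {
    "key-mgmt": "sae", "psk": "constructed passphrase", "psk-flags": 0x1,
    "proto": ["rsn"], "pairwise": ["ccmp"], "group": ["ccmp"], "pmf": 3,
}

if __name__ == "__main__":
    for name, profile in [("wep", WEP_PROFILE), ("legacy", LEGACY_PROFILE),
                          ("hardened", HARDENED_PROFILE)]:
        for severity, prop, message in audit_wifi_sec(profile):
            print(f"{name}: [{severity}] {prop}: {message}")
```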
4181
4182 wpan setting
4183 IEEE 802.15.4 (WPAN) MAC Settings.
4184
4185 Properties:
4186
4187 channel
4188 Alias: channel
4189
4190 IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
4191 set, use whatever the device is already set to".
4192
4193 Format: int32
4194
4195 mac-address
4196 Alias: mac
4197
4198 If specified, this connection will only apply to the IEEE 802.15.4
4199 (WPAN) MAC layer device whose permanent MAC address matches.
4200
4201 Format: string
4202
4203 page
4204 Alias: page
4205
4206 IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
4207 not set, use whatever the device is already set to".
4208
4209 Format: int32
4210
4211 pan-id
4212 Alias: pan-id
4213
4214 IEEE 802.15.4 Personal Area Network (PAN) identifier.
4215
4216 Format: uint32
4217
4218 short-address
4219 Alias: short-addr
4220
4221 Short IEEE 802.15.4 address to be used within a restricted
4222 environment.
4223
4224 Format: uint32
4225
4226 hostname setting
4227 Hostname settings.
4228
4229 Properties:
4230
4231 from-dhcp
4232 Whether the system hostname can be determined from DHCP on this
4233 connection. When set to NM_TERNARY_DEFAULT (-1), the value from
4234 global configuration is used. If the property doesn't have a value
4235 in the global configuration, NetworkManager assumes the value to be
4236 NM_TERNARY_TRUE (1).
4237
4238 Format: NMTernary (int32)
4239
4240 from-dns-lookup
4241 Whether the system hostname can be determined from reverse DNS
4242 lookup of addresses on this device. When set to NM_TERNARY_DEFAULT
4243 (-1), the value from global configuration is used. If the property
4244 doesn't have a value in the global configuration, NetworkManager
4245 assumes the value to be NM_TERNARY_TRUE (1).
4246
4247 Format: NMTernary (int32)
4248
4249 only-from-default
4250 If set to NM_TERNARY_TRUE (1), NetworkManager attempts to get the
4251 hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this device
4252 only when the device has the default route for the given address
4253 family (IPv4/IPv6). If set to NM_TERNARY_FALSE (0), the hostname
4254 can be set from this device even if it doesn't have the default
4255 route. When set to NM_TERNARY_DEFAULT (-1), the value from global
4256 configuration is used. If the property doesn't have a value in the
4257 global configuration, NetworkManager assumes the value to be
4258 NM_TERNARY_FALSE (0).
4259
4260 Format: NMTernary (int32)
4261
4262 priority
4263 The relative priority of this connection to determine the system
4264 hostname. A lower numerical value is better (higher priority). A
4265 connection with higher priority is considered before connections
4266 with lower priority. If the value is zero, it can be overridden by
4267 a global value from NetworkManager configuration. If the property
4268 doesn't have a value in the global configuration, the value is
4269 assumed to be 100. Negative values have the special effect of
4270 excluding other connections with a greater numerical priority
4271 value; so in presence of at least one negative priority, only
4272 connections with the lowest priority value will be used to
4273 determine the hostname.
4274
4275 Format: int32
4276
4277 veth setting
4278 Veth Settings.
4279
4280 Properties:
4281
4282 peer
4283 Alias: peer
4284
4285 This property specifies the peer interface name of the veth. This
4286 property is mandatory.
4287
4288 Format: string
4289
4290 Secret flag types:
4291 Each password or secret property in a setting has an associated flags
4292 property that describes how to handle that secret. The flags property
4293 is a bitfield that contains zero or more of the following values
4294 logically OR-ed together.
4295
4296 • 0x0 (none) - the system is responsible for providing and storing
4297 this secret. This may be required so that secrets are already
4298 available before the user logs in. It also commonly means that the
4299 secret will be stored in plain text on disk, accessible to root
4300 only. For example via the keyfile settings plugin as described in
4301 the "PLUGINS" section in NetworkManager.conf(5).
4302
4303 • 0x1 (agent-owned) - a user-session secret agent is responsible for
4304 providing and storing this secret; when it is required, agents will
4305 be asked to provide it.
4306
4307 • 0x2 (not-saved) - this secret should not be saved but should be
4308 requested from the user each time it is required. This flag should
4309 be used for One-Time-Pad secrets, PIN codes from hardware tokens,
4310 or if the user simply does not want to save the secret.
4311
4312 • 0x4 (not-required) - in some situations it cannot be automatically
4313 determined that a secret is required or not. This flag hints that
4314 the secret is not required and should not be requested from the
4315 user.
4316
4318 /etc/NetworkManager/system-connections or distro plugin-specific
4319 location
4320
4322 nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
4323 nm-settings-keyfile(5), NetworkManager.conf(5)
4324
4325
4326
4327NetworkManager 1.32.12 NM-SETTINGS-NMCLI(5)