1NM-SETTINGS-NMCLI(5)             Configuration            NM-SETTINGS-NMCLI(5)
2
3
4

NAME

6       nm-settings-nmcli - Description of settings and properties of
7       NetworkManager connection profiles for nmcli
8

DESCRIPTION

10       NetworkManager is based on a concept of connection profiles, sometimes
11       referred to as connections only. These connection profiles contain a
12       network configuration. When NetworkManager activates a connection
13       profile on a network device the configuration will be applied and an
14       active network connection will be established. Users are free to create
15       as many connection profiles as they see fit. Thus they are flexible in
16       having various network configurations for different networking needs.
17
18       NetworkManager provides an API for configuring connection profiles, for
19       activating them to configure the network, and inspecting the current
20       network configuration. The command line tool nmcli is a client
21       application to NetworkManager that uses this API. See nmcli(1) for
22       details.
23
24       With commands like nmcli connection add, nmcli connection modify and
25       nmcli connection show, connection profiles can be created, modified and
26       inspected. A profile consists of properties. On D-Bus this follows the
27       format as described by nm-settings-dbus(5), while this manual page
28       describes the settings format how they are expected by nmcli.
29
30       The settings and properties shown in tables below list all available
31       connection configuration options. However, note that not all settings
32       are applicable to all connection types.  nmcli connection editor has
33       also a built-in describe command that can display description of
34       particular settings and properties of this page.
35
36       The setting and property can be abbreviated provided they are unique.
37       The list below also shows aliases that can be used unqualified instead
38       of the full name. For example connection.interface-name and ifname
39       refer to the same property.
40
41   connection setting
42       General Connection Profile Settings.
43
44       Properties:
45
46       auth-retries
47           The number of retries for the authentication. Zero means to try
48           indefinitely; -1 means to use a global default. If the global
49           default is not set, the authentication retries for 3 times before
50           failing the connection. Currently, this only applies to 802-1x
51           authentication.
52
53           Format: int32
54
55       autoconnect
56           Alias: autoconnect
57
58           Whether or not the connection should be automatically connected by
59           NetworkManager when the resources for the connection are available.
60           TRUE to automatically activate the connection, FALSE to require
61           manual intervention to activate the connection. Note that
62           autoconnect is not implemented for VPN profiles. See "secondaries"
63           as an alternative to automatically connect VPN profiles.
64
65           Format: boolean
66
67       autoconnect-priority
68           The autoconnect priority. If the connection is set to autoconnect,
69           connections with higher priority will be preferred. Defaults to 0.
70           The higher number means higher priority.
71
72           Format: int32
73
74       autoconnect-retries
75           The number of times a connection should be tried when
76           autoactivating before giving up. Zero means forever, -1 means the
77           global default (4 times if not overridden). Setting this to 1 means
78           to try activation only once before blocking autoconnect. Note that
79           after a timeout, NetworkManager will try to autoconnect again.
80
81           Format: int32
82
83       autoconnect-slaves
84           Whether or not slaves of this connection should be automatically
85           brought up when NetworkManager activates this connection. This only
86           has a real effect for master connections. The properties
87           "autoconnect", "autoconnect-priority" and "autoconnect-retries" are
88           unrelated to this setting. The permitted values are: 0: leave slave
89           connections untouched, 1: activate all the slave connections with
90           this connection, -1: default. If -1 (default) is set, global
91           connection.autoconnect-slaves is read to determine the real value.
92           If it is default as well, this fallbacks to 0.
93
94           Format: NMSettingConnectionAutoconnectSlaves (int32)
95
96       gateway-ping-timeout
97           If greater than zero, delay success of IP addressing until either
98           the timeout is reached, or an IP gateway replies to a ping.
99
100           Format: uint32
101
102       id
103           Alias: con-name
104
105           A human readable unique identifier for the connection, like "Work
106           Wi-Fi" or "T-Mobile 3G".
107
108           Format: string
109
110       interface-name
111           Alias: ifname
112
113           The name of the network interface this connection is bound to. If
114           not set, then the connection can be attached to any interface of
115           the appropriate type (subject to restrictions imposed by other
116           settings). For software devices this specifies the name of the
117           created device. For connection types where interface names cannot
118           easily be made persistent (e.g. mobile broadband or USB Ethernet),
119           this property should not be used. Setting this property restricts
120           the interfaces a connection can be used with, and if interface
121           names change or are reordered the connection may be applied to the
122           wrong interface.
123
124           Format: string
125
126       lldp
127           Whether LLDP is enabled for the connection.
128
129           Format: int32
130
131       llmnr
132           Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
133           the connection. LLMNR is a protocol based on the Domain Name System
134           (DNS) packet format that allows both IPv4 and IPv6 hosts to perform
135           name resolution for hosts on the same local link. The permitted
136           values are: "yes" (2) register hostname and resolving for the
137           connection, "no" (0) disable LLMNR for the interface, "resolve" (1)
138           do not register hostname but allow resolving of LLMNR host names If
139           unspecified, "default" ultimately depends on the DNS plugin (which
140           for systemd-resolved currently means "yes"). This feature requires
141           a plugin which supports LLMNR. Otherwise, the setting has no
142           effect. One such plugin is dns-systemd-resolved.
143
144           Format: int32
145
146       master
147           Alias: master
148
149           Interface name of the master device or UUID of the master
150           connection.
151
152           Format: string
153
154       mdns
155           Whether mDNS is enabled for the connection. The permitted values
156           are: "yes" (2) register hostname and resolving for the connection,
157           "no" (0) disable mDNS for the interface, "resolve" (1) do not
158           register hostname but allow resolving of mDNS host names and
159           "default" (-1) to allow lookup of a global default in
160           NetworkManager.conf. If unspecified, "default" ultimately depends
161           on the DNS plugin (which for systemd-resolved currently means
162           "no"). This feature requires a plugin which supports mDNS.
163           Otherwise, the setting has no effect. One such plugin is
164           dns-systemd-resolved.
165
166           Format: int32
167
168       metered
169           Whether the connection is metered. When updating this property on a
170           currently activated connection, the change takes effect
171           immediately.
172
173           Format: NMMetered (int32)
174
175       mud-url
176           If configured, set to a Manufacturer Usage Description (MUD) URL
177           that points to manufacturer-recommended network policies for IoT
178           devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
179           must be a valid URL starting with "https://". The special value
180           "none" is allowed to indicate that no MUD URL is used. If the
181           per-profile value is unspecified (the default), a global connection
182           default gets consulted. If still unspecified, the ultimate default
183           is "none".
184
185           Format: string
186
187       multi-connect
188           Specifies whether the profile can be active multiple times at a
189           particular moment. The value is of type NMConnectionMultiConnect.
190
191           Format: int32
192
193       permissions
194           An array of strings defining what access a given user has to this
195           connection. If this is NULL or empty, all users are allowed to
196           access this connection; otherwise users are allowed if and only if
197           they are in this list. When this is not empty, the connection can
198           be active only when one of the specified users is logged into an
199           active session. Each entry is of the form "[type]:[id]:[reserved]";
200           for example, "user:dcbw:blah". At this time only the "user" [type]
201           is allowed. Any other values are ignored and reserved for future
202           use. [id] is the username that this permission refers to, which may
203           not contain the ":" character. Any [reserved] information present
204           must be ignored and is reserved for future use. All of [type],
205           [id], and [reserved] must be valid UTF-8.
206
207           Format: array of string
208
209       read-only
210           FALSE if the connection can be modified using the provided settings
211           service's D-Bus interface with the right privileges, or TRUE if the
212           connection is read-only and cannot be modified.
213
214           Format: boolean
215
216       secondaries
217           List of connection UUIDs that should be activated when the base
218           connection itself is activated. Currently, only VPN connections are
219           supported.
220
221           Format: array of string
222
223       slave-type
224           Alias: slave-type
225
226           Setting name of the device type of this slave's master connection
227           (eg, "bond"), or NULL if this connection is not a slave.
228
229           Format: string
230
231       stable-id
232           This represents the identity of the connection used for various
233           purposes. It allows to configure multiple profiles to share the
234           identity. Also, the stable-id can contain placeholders that are
235           substituted dynamically and deterministically depending on the
236           context. The stable-id is used for generating IPv6 stable private
237           addresses with ipv6.addr-gen-mode=stable-privacy. It is also used
238           to seed the generated cloned MAC address for
239           ethernet.cloned-mac-address=stable and
240           wifi.cloned-mac-address=stable. It is also used as DHCP client
241           identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
242           DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid]. Note that depending
243           on the context where it is used, other parameters are also seeded
244           into the generation algorithm. For example, a per-host key is
245           commonly also included, so that different systems end up generating
246           different IDs. Or with ipv6.addr-gen-mode=stable-privacy, also the
247           device's name is included, so that different interfaces yield
248           different addresses. The per-host key is the identity of your
249           machine and stored in /var/lib/NetworkManager/secret-key. The '$'
250           character is treated special to perform dynamic substitutions at
251           runtime. Currently, supported are "${CONNECTION}", "${DEVICE}",
252           "${MAC}", "${BOOT}", "${RANDOM}". These effectively create unique
253           IDs per-connection, per-device, per-boot, or every time. Note that
254           "${DEVICE}" corresponds to the interface name of the device and
255           "${MAC}" is the permanent MAC address of the device. Any
256           unrecognized patterns following '$' are treated verbatim, however
257           are reserved for future use. You are thus advised to avoid '$' or
258           escape it as "$$". For example, set it to
259           "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
260           connection that changes with every reboot and differs depending on
261           the interface where the profile activates. If the value is unset, a
262           global connection default is consulted. If the value is still
263           unset, the default is similar to "${CONNECTION}" and uses a unique,
264           fixed ID for the connection.
265
266           Format: string
267
268       timestamp
269           The time, in seconds since the Unix Epoch, that the connection was
270           last _successfully_ fully activated. NetworkManager updates the
271           connection timestamp periodically when the connection is active to
272           ensure that an active connection has the latest timestamp. The
273           property is only meant for reading (changes to this property will
274           not be preserved).
275
276           Format: uint64
277
278       type
279           Alias: type
280
281           Base type of the connection. For hardware-dependent connections,
282           should contain the setting name of the hardware-type specific
283           setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth",
284           etc), and for non-hardware dependent connections like VPN or
285           otherwise, should contain the setting name of that setting type
286           (ie, "vpn" or "bridge", etc).
287
288           Format: string
289
290       uuid
291           A universally unique identifier for the connection, for example
292           generated with libuuid. It should be assigned when the connection
293           is created, and never changed as long as the connection still
294           applies to the same network. For example, it should not be changed
295           when the "id" property or NMSettingIP4Config changes, but might
296           need to be re-created when the Wi-Fi SSID, mobile broadband network
297           provider, or "type" property changes. The UUID must be in the
298           format "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only
299           hexadecimal characters and "-").
300
301           Format: string
302
303       wait-device-timeout
304           Timeout in milliseconds to wait for device at startup. During boot,
305           devices may take a while to be detected by the driver. This
306           property will cause to delay NetworkManager-wait-online.service and
307           nm-online to give the device a chance to appear. This works by
308           waiting for the given timeout until a compatible device for the
309           profile is available and managed. The value 0 means no wait time.
310           The default value is -1, which currently has the same meaning as no
311           wait time.
312
313           Format: int32
314
315       zone
316           The trust level of a the connection. Free form case-insensitive
317           string (for example "Home", "Work", "Public"). NULL or unspecified
318           zone means the connection will be placed in the default zone as
319           defined by the firewall. When updating this property on a currently
320           activated connection, the change takes effect immediately.
321
322           Format: string
323
324   6lowpan setting
325       6LoWPAN Settings.
326
327       Properties:
328
329       parent
330           Alias: dev
331
332           If given, specifies the parent interface name or parent connection
333           UUID from which this 6LowPAN interface should be created.
334
335           Format: string
336
337   802-1x setting
338       IEEE 802.1x Authentication Settings.
339
340       Properties:
341
342       altsubject-matches
343           List of strings to be matched against the altSubjectName of the
344           certificate presented by the authentication server. If the list is
345           empty, no verification of the server certificate's altSubjectName
346           is performed.
347
348           Format: array of string
349
350       anonymous-identity
351           Anonymous identity string for EAP authentication methods. Used as
352           the unencrypted identity with EAP types that support different
353           tunneled identity like EAP-TTLS.
354
355           Format: string
356
357       auth-timeout
358           A timeout for the authentication. Zero means the global default; if
359           the global default is not set, the authentication timeout is 25
360           seconds.
361
362           Format: int32
363
364       ca-cert
365           Contains the CA certificate if used by the EAP method specified in
366           the "eap" property. Certificate data is specified using a "scheme";
367           three are currently supported: blob, path and pkcs#11 URL. When
368           using the blob scheme this property should be set to the
369           certificate's DER encoded data. When using the path scheme, this
370           property should be set to the full UTF-8 encoded path of the
371           certificate, prefixed with the string "file://" and ending with a
372           terminating NUL byte. This property can be unset even if the EAP
373           method supports CA certificates, but this allows man-in-the-middle
374           attacks and is NOT recommended. Note that enabling
375           NMSetting8021x:system-ca-certs will override this setting to use
376           the built-in path, if the built-in path is not a directory.
377
378           Format: byte array
379
380       ca-cert-password
381           The password used to access the CA certificate stored in "ca-cert"
382           property. Only makes sense if the certificate is stored on a
383           PKCS#11 token that requires a login.
384
385           Format: string
386
387       ca-cert-password-flags
388           Flags indicating how to handle the "ca-cert-password" property. See
389           the section called “Secret flag types:” for flag values.
390
391           Format: NMSettingSecretFlags (uint32)
392
393       ca-path
394           UTF-8 encoded path to a directory containing PEM or DER formatted
395           certificates to be added to the verification chain in addition to
396           the certificate specified in the "ca-cert" property. If
397           NMSetting8021x:system-ca-certs is enabled and the built-in CA path
398           is an existing directory, then this setting is ignored.
399
400           Format: string
401
402       client-cert
403           Contains the client certificate if used by the EAP method specified
404           in the "eap" property. Certificate data is specified using a
405           "scheme"; two are currently supported: blob and path. When using
406           the blob scheme (which is backwards compatible with NM 0.7.x) this
407           property should be set to the certificate's DER encoded data. When
408           using the path scheme, this property should be set to the full
409           UTF-8 encoded path of the certificate, prefixed with the string
410           "file://" and ending with a terminating NUL byte.
411
412           Format: byte array
413
414       client-cert-password
415           The password used to access the client certificate stored in
416           "client-cert" property. Only makes sense if the certificate is
417           stored on a PKCS#11 token that requires a login.
418
419           Format: string
420
421       client-cert-password-flags
422           Flags indicating how to handle the "client-cert-password" property.
423           See the section called “Secret flag types:” for flag values.
424
425           Format: NMSettingSecretFlags (uint32)
426
427       domain-match
428           Constraint for server domain name. If set, this list of FQDNs is
429           used as a match requirement for dNSName element(s) of the
430           certificate presented by the authentication server. If a matching
431           dNSName is found, this constraint is met. If no dNSName values are
432           present, this constraint is matched against SubjectName CN using
433           the same comparison. Multiple valid FQDNs can be passed as a ";"
434           delimited list.
435
436           Format: string
437
438       domain-suffix-match
439           Constraint for server domain name. If set, this FQDN is used as a
440           suffix match requirement for dNSName element(s) of the certificate
441           presented by the authentication server. If a matching dNSName is
442           found, this constraint is met. If no dNSName values are present,
443           this constraint is matched against SubjectName CN using same suffix
444           match comparison. Since version 1.24, multiple valid FQDNs can be
445           passed as a ";" delimited list.
446
447           Format: string
448
449       eap
450           The allowed EAP method to be used when authenticating to the
451           network with 802.1x. Valid methods are: "leap", "md5", "tls",
452           "peap", "ttls", "pwd", and "fast". Each method requires different
453           configuration using the properties of this setting; refer to
454           wpa_supplicant documentation for the allowed combinations.
455
456           Format: array of string
457
458       identity
459           Identity string for EAP authentication methods. Often the user's
460           user or login name.
461
462           Format: string
463
464       optional
465           Whether the 802.1X authentication is optional. If TRUE, the
466           activation will continue even after a timeout or an authentication
467           failure. Setting the property to TRUE is currently allowed only for
468           Ethernet connections. If set to FALSE, the activation can continue
469           only after a successful authentication.
470
471           Format: boolean
472
473       pac-file
474           UTF-8 encoded file path containing PAC for EAP-FAST.
475
476           Format: string
477
478       password
479           UTF-8 encoded password used for EAP authentication methods. If both
480           the "password" property and the "password-raw" property are
481           specified, "password" is preferred.
482
483           Format: string
484
485       password-flags
486           Flags indicating how to handle the "password" property. See the
487           section called “Secret flag types:” for flag values.
488
489           Format: NMSettingSecretFlags (uint32)
490
491       password-raw
492           Password used for EAP authentication methods, given as a byte array
493           to allow passwords in other encodings than UTF-8 to be used. If
494           both the "password" property and the "password-raw" property are
495           specified, "password" is preferred.
496
497           Format: byte array
498
499       password-raw-flags
500           Flags indicating how to handle the "password-raw" property. See the
501           section called “Secret flag types:” for flag values.
502
503           Format: NMSettingSecretFlags (uint32)
504
505       phase1-auth-flags
506           Specifies authentication flags to use in "phase 1" outer
507           authentication using NMSetting8021xAuthFlags options. The
508           individual TLS versions can be explicitly disabled. If a certain
509           TLS disable flag is not set, it is up to the supplicant to allow or
510           forbid it. The TLS options map to tls_disable_tlsv1_x settings. See
511           the wpa_supplicant documentation for more details.
512
513           Format: uint32
514
515       phase1-fast-provisioning
516           Enables or disables in-line provisioning of EAP-FAST credentials
517           when FAST is specified as the EAP method in the "eap" property.
518           Recognized values are "0" (disabled), "1" (allow unauthenticated
519           provisioning), "2" (allow authenticated provisioning), and "3"
520           (allow both authenticated and unauthenticated provisioning). See
521           the wpa_supplicant documentation for more details.
522
523           Format: string
524
525       phase1-peaplabel
526           Forces use of the new PEAP label during key derivation. Some RADIUS
527           servers may require forcing the new PEAP label to interoperate with
528           PEAPv1. Set to "1" to force use of the new PEAP label. See the
529           wpa_supplicant documentation for more details.
530
531           Format: string
532
533       phase1-peapver
534           Forces which PEAP version is used when PEAP is set as the EAP
535           method in the "eap" property. When unset, the version reported by
536           the server will be used. Sometimes when using older RADIUS servers,
537           it is necessary to force the client to use a particular PEAP
538           version. To do so, this property may be set to "0" or "1" to force
539           that specific PEAP version.
540
541           Format: string
542
543       phase2-altsubject-matches
544           List of strings to be matched against the altSubjectName of the
545           certificate presented by the authentication server during the inner
546           "phase 2" authentication. If the list is empty, no verification of
547           the server certificate's altSubjectName is performed.
548
549           Format: array of string
550
551       phase2-auth
552           Specifies the allowed "phase 2" inner authentication method when an
553           EAP method that uses an inner TLS tunnel is specified in the "eap"
554           property. For TTLS this property selects one of the supported
555           non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while
556           "phase2-autheap" selects an EAP inner method. For PEAP this selects
557           an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each
558           "phase 2" inner method requires specific parameters for successful
559           authentication; see the wpa_supplicant documentation for more
560           details. Both "phase2-auth" and "phase2-autheap" cannot be
561           specified.
562
563           Format: string
564
565       phase2-autheap
566           Specifies the allowed "phase 2" inner EAP-based authentication
567           method when TTLS is specified in the "eap" property. Recognized
568           EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc",
569           and "tls". Each "phase 2" inner method requires specific parameters
570           for successful authentication; see the wpa_supplicant documentation
571           for more details.
572
573           Format: string
574
575       phase2-ca-cert
576           Contains the "phase 2" CA certificate if used by the EAP method
577           specified in the "phase2-auth" or "phase2-autheap" properties.
578           Certificate data is specified using a "scheme"; three are currently
579           supported: blob, path and pkcs#11 URL. When using the blob scheme
580           this property should be set to the certificate's DER encoded data.
581           When using the path scheme, this property should be set to the full
582           UTF-8 encoded path of the certificate, prefixed with the string
583           "file://" and ending with a terminating NUL byte. This property can
584           be unset even if the EAP method supports CA certificates, but this
585           allows man-in-the-middle attacks and is NOT recommended. Note that
586           enabling NMSetting8021x:system-ca-certs will override this setting
587           to use the built-in path, if the built-in path is not a directory.
588
589           Format: byte array
590
591       phase2-ca-cert-password
592           The password used to access the "phase2" CA certificate stored in
593           "phase2-ca-cert" property. Only makes sense if the certificate is
594           stored on a PKCS#11 token that requires a login.
595
596           Format: string
597
598       phase2-ca-cert-password-flags
599           Flags indicating how to handle the "phase2-ca-cert-password"
600           property. See the section called “Secret flag types:” for flag
601           values.
602
603           Format: NMSettingSecretFlags (uint32)
604
605       phase2-ca-path
606           UTF-8 encoded path to a directory containing PEM or DER formatted
607           certificates to be added to the verification chain in addition to
608           the certificate specified in the "phase2-ca-cert" property. If
609           NMSetting8021x:system-ca-certs is enabled and the built-in CA path
610           is an existing directory, then this setting is ignored.
611
612           Format: string
613
614       phase2-client-cert
615           Contains the "phase 2" client certificate if used by the EAP method
616           specified in the "phase2-auth" or "phase2-autheap" properties.
617           Certificate data is specified using a "scheme"; two are currently
618           supported: blob and path. When using the blob scheme (which is
619           backwards compatible with NM 0.7.x) this property should be set to
620           the certificate's DER encoded data. When using the path scheme,
621           this property should be set to the full UTF-8 encoded path of the
622           certificate, prefixed with the string "file://" and ending with a
623           terminating NUL byte. This property can be unset even if the EAP
624           method supports CA certificates, but this allows man-in-the-middle
625           attacks and is NOT recommended.
626
627           Format: byte array
628
629       phase2-client-cert-password
630           The password used to access the "phase2" client certificate stored
631           in "phase2-client-cert" property. Only makes sense if the
632           certificate is stored on a PKCS#11 token that requires a login.
633
634           Format: string
635
636       phase2-client-cert-password-flags
637           Flags indicating how to handle the "phase2-client-cert-password"
638           property. See the section called “Secret flag types:” for flag
639           values.
640
641           Format: NMSettingSecretFlags (uint32)
642
643       phase2-domain-match
644           Constraint for server domain name. If set, this list of FQDNs is
645           used as a match requirement for dNSName element(s) of the
646           certificate presented by the authentication server during the inner
647           "phase 2" authentication. If a matching dNSName is found, this
648           constraint is met. If no dNSName values are present, this
649           constraint is matched against SubjectName CN using the same
650           comparison. Multiple valid FQDNs can be passed as a ";" delimited
651           list.
652
653           Format: string
654
655       phase2-domain-suffix-match
656           Constraint for server domain name. If set, this FQDN is used as a
657           suffix match requirement for dNSName element(s) of the certificate
658           presented by the authentication server during the inner "phase 2"
659           authentication. If a matching dNSName is found, this constraint is
660           met. If no dNSName values are present, this constraint is matched
661           against SubjectName CN using same suffix match comparison. Since
662           version 1.24, multiple valid FQDNs can be passed as a ";" delimited
663           list.
664
665           Format: string
666
667       phase2-private-key
668           Contains the "phase 2" inner private key when the "phase2-auth" or
669           "phase2-autheap" property is set to "tls". Key data is specified
670           using a "scheme"; two are currently supported: blob and path. When
671           using the blob scheme and private keys, this property should be set
672           to the key's encrypted PEM encoded data. When using private keys
673           with the path scheme, this property should be set to the full UTF-8
674           encoded path of the key, prefixed with the string "file://" and
675           ending with a terminating NUL byte. When using PKCS#12 format
676           private keys and the blob scheme, this property should be set to
677           the PKCS#12 data and the "phase2-private-key-password" property
678           must be set to password used to decrypt the PKCS#12 certificate and
679           key. When using PKCS#12 files and the path scheme, this property
680           should be set to the full UTF-8 encoded path of the key, prefixed
681           with the string "file://" and ending with a terminating NUL byte,
682           and as with the blob scheme the "phase2-private-key-password"
683           property must be set to the password used to decode the PKCS#12
684           private key and certificate.
685
686           Format: byte array
687
688       phase2-private-key-password
689           The password used to decrypt the "phase 2" private key specified in
690           the "phase2-private-key" property when the private key either uses
691           the path scheme, or is a PKCS#12 format key.
692
693           Format: string
694
695       phase2-private-key-password-flags
696           Flags indicating how to handle the "phase2-private-key-password"
697           property. See the section called “Secret flag types:” for flag
698           values.
699
700           Format: NMSettingSecretFlags (uint32)
701
702       phase2-subject-match
703           Substring to be matched against the subject of the certificate
704           presented by the authentication server during the inner "phase 2"
705           authentication. When unset, no verification of the authentication
706           server certificate's subject is performed. This property provides
707           little security, if any, and its use is deprecated in favor of
708           NMSetting8021x:phase2-domain-suffix-match.
709
710           Format: string
711
712       pin
713           PIN used for EAP authentication methods.
714
715           Format: string
716
717       pin-flags
718           Flags indicating how to handle the "pin" property. See the section
719           called “Secret flag types:” for flag values.
720
721           Format: NMSettingSecretFlags (uint32)
722
723       private-key
724           Contains the private key when the "eap" property is set to "tls".
725           Key data is specified using a "scheme"; two are currently
726           supported: blob and path. When using the blob scheme and private
727           keys, this property should be set to the key's encrypted PEM
728           encoded data. When using private keys with the path scheme, this
729           property should be set to the full UTF-8 encoded path of the key,
730           prefixed with the string "file://" and ending with a terminating
731           NUL byte. When using PKCS#12 format private keys and the blob
732           scheme, this property should be set to the PKCS#12 data and the
733           "private-key-password" property must be set to password used to
734           decrypt the PKCS#12 certificate and key. When using PKCS#12 files
735           and the path scheme, this property should be set to the full UTF-8
736           encoded path of the key, prefixed with the string "file://" and
737           ending with a terminating NUL byte, and as with the blob scheme the
738           "private-key-password" property must be set to the password used to
739           decode the PKCS#12 private key and certificate. WARNING:
740           "private-key" is not a "secret" property, and thus unencrypted
741           private key data using the BLOB scheme may be readable by
742           unprivileged users. Private keys should always be encrypted with a
743           private key password to prevent unauthorized access to unencrypted
744           private key data.
745
746           Format: byte array
747
748       private-key-password
749           The password used to decrypt the private key specified in the
750           "private-key" property when the private key either uses the path
751           scheme, or if the private key is a PKCS#12 format key.
752
753           Format: string
754
755       private-key-password-flags
756           Flags indicating how to handle the "private-key-password" property.
757           See the section called “Secret flag types:” for flag values.
758
759           Format: NMSettingSecretFlags (uint32)
760
761       subject-match
762           Substring to be matched against the subject of the certificate
763           presented by the authentication server. When unset, no verification
764           of the authentication server certificate's subject is performed.
765           This property provides little security, if any, and its use is
766           deprecated in favor of NMSetting8021x:domain-suffix-match.
767
768           Format: string
769
770       system-ca-certs
771           When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
772           using the system CA directory specified at configure time with the
773           --system-ca-path switch. The certificates in this directory are
774           added to the verification chain in addition to any certificates
775           specified by the "ca-cert" and "phase2-ca-cert" properties. If the
776           path provided with --system-ca-path is rather a file name (bundle
777           of trusted CA certificates), it overrides "ca-cert" and
778           "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
779           for wpa_supplicant).
780
781           Format: boolean
782
783   adsl setting
784       ADSL Settings.
785
786       Properties:
787
788       encapsulation
789           Alias: encapsulation
790
791           Encapsulation of ADSL connection. Can be "vcmux" or "llc".
792
793           Format: string
794
795       password
796           Alias: password
797
798           Password used to authenticate with the ADSL service.
799
800           Format: string
801
802       password-flags
803           Flags indicating how to handle the "password" property. See the
804           section called “Secret flag types:” for flag values.
805
806           Format: NMSettingSecretFlags (uint32)
807
808       protocol
809           Alias: protocol
810
811           ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
812
813           Format: string
814
815       username
816           Alias: username
817
818           Username used to authenticate with the ADSL service.
819
820           Format: string
821
822       vci
823           VCI of ADSL connection
824
825           Format: uint32
826
827       vpi
828           VPI of ADSL connection
829
830           Format: uint32
831
832   bluetooth setting
833       Bluetooth Settings.
834
835       Properties:
836
837       bdaddr
838           Alias: addr
839
840           The Bluetooth address of the device.
841
842           Format: byte array
843
844       type
845           Alias: bt-type
846
847           Either "dun" for Dial-Up Networking connections or "panu" for
848           Personal Area Networking connections to devices supporting the NAP
849           profile.
850
851           Format: string
852
853   bond setting
854       Bonding Settings.
855
856       Properties:
857
858       options
859           Dictionary of key/value pairs of bonding options. Both keys and
860           values must be strings. Option names must contain only alphanumeric
861           characters (ie, [a-zA-Z0-9]).
862
863           Format: dict of string to string
864
865   bridge setting
866       Bridging Settings.
867
868       Properties:
869
870       ageing-time
871           Alias: ageing-time
872
873           The Ethernet MAC address aging time, in seconds.
874
875           Format: uint32
876
877       forward-delay
878           Alias: forward-delay
879
880           The Spanning Tree Protocol (STP) forwarding delay, in seconds.
881
882           Format: uint32
883
884       group-address
885           If specified, The MAC address of the multicast group this bridge
886           uses for STP. The address must be a link-local address in standard
887           Ethernet MAC address format, ie an address of the form
888           01:80:C2:00:00:0X, with X in [0, 4..F]. If not specified the
889           default value is 01:80:C2:00:00:00.
890
891           Format: byte array
892
893       group-forward-mask
894           Alias: group-forward-mask
895
896           A mask of group addresses to forward. Usually, group addresses in
897           the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
898           forwarded according to standards. This property is a mask of 16
899           bits, each corresponding to a group address in that range that must
900           be forwarded. The mask can't have bits 0, 1 or 2 set because they
901           are used for STP, MAC pause frames and LACP.
902
903           Format: uint32
904
905       hello-time
906           Alias: hello-time
907
908           The Spanning Tree Protocol (STP) hello time, in seconds.
909
910           Format: uint32
911
912       mac-address
913           Alias: mac
914
915           If specified, the MAC address of bridge. When creating a new
916           bridge, this MAC address will be set. If this field is left
917           unspecified, the "ethernet.cloned-mac-address" is referred instead
918           to generate the initial MAC address. Note that setting
919           "ethernet.cloned-mac-address" anyway overwrites the MAC address of
920           the bridge later while activating the bridge. Hence, this property
921           is deprecated. Deprecated: 1
922
923           Format: byte array
924
925       max-age
926           Alias: max-age
927
928           The Spanning Tree Protocol (STP) maximum message age, in seconds.
929
930           Format: uint32
931
932       multicast-hash-max
933           Set maximum size of multicast hash table (value must be a power of
934           2).
935
936           Format: uint32
937
938       multicast-last-member-count
939           Set the number of queries the bridge will send before stopping
940           forwarding a multicast group after a "leave" message has been
941           received.
942
943           Format: uint32
944
945       multicast-last-member-interval
946           Set interval (in deciseconds) between queries to find remaining
947           members of a group, after a "leave" message is received.
948
949           Format: uint64
950
951       multicast-membership-interval
952           Set delay (in deciseconds) after which the bridge will leave a
953           group, if no membership reports for this group are received.
954
955           Format: uint64
956
957       multicast-querier
958           Enable or disable sending of multicast queries by the bridge. If
959           not specified the option is disabled.
960
961           Format: boolean
962
963       multicast-querier-interval
964           If no queries are seen after this delay (in deciseconds) has
965           passed, the bridge will start to send its own queries.
966
967           Format: uint64
968
969       multicast-query-interval
970           Interval (in deciseconds) between queries sent by the bridge after
971           the end of the startup phase.
972
973           Format: uint64
974
975       multicast-query-response-interval
976           Set the Max Response Time/Max Response Delay (in deciseconds) for
977           IGMP/MLD queries sent by the bridge.
978
979           Format: uint64
980
981       multicast-query-use-ifaddr
982           If enabled the bridge's own IP address is used as the source
983           address for IGMP queries otherwise the default of 0.0.0.0 is used.
984
985           Format: boolean
986
987       multicast-router
988           Sets bridge's multicast router. Multicast-snooping must be enabled
989           for this option to work. Supported values are: 'auto', 'disabled',
990           'enabled' to which kernel assigns the numbers 1, 0, and 2,
991           respectively. If not specified the default value is 'auto' (1).
992
993           Format: string
994
995       multicast-snooping
996           Alias: multicast-snooping
997
998           Controls whether IGMP snooping is enabled for this bridge. Note
999           that if snooping was automatically disabled due to hash collisions,
1000           the system may refuse to enable the feature until the collisions
1001           are resolved.
1002
1003           Format: boolean
1004
1005       multicast-startup-query-count
1006           Set the number of IGMP queries to send during startup phase.
1007
1008           Format: uint32
1009
1010       multicast-startup-query-interval
1011           Sets the time (in deciseconds) between queries sent out at startup
1012           to determine membership information.
1013
1014           Format: uint64
1015
1016       priority
1017           Alias: priority
1018
1019           Sets the Spanning Tree Protocol (STP) priority for this bridge.
1020           Lower values are "better"; the lowest priority bridge will be
1021           elected the root bridge.
1022
1023           Format: uint32
1024
1025       stp
1026           Alias: stp
1027
1028           Controls whether Spanning Tree Protocol (STP) is enabled for this
1029           bridge.
1030
1031           Format: boolean
1032
1033       vlan-default-pvid
1034           The default PVID for the ports of the bridge, that is the VLAN id
1035           assigned to incoming untagged frames.
1036
1037           Format: uint32
1038
1039       vlan-filtering
1040           Control whether VLAN filtering is enabled on the bridge.
1041
1042           Format: boolean
1043
1044       vlan-protocol
1045           If specified, the protocol used for VLAN filtering. Supported
1046           values are: '802.1Q', '802.1ad'. If not specified the default value
1047           is '802.1Q'.
1048
1049           Format: string
1050
1051       vlan-stats-enabled
1052           Controls whether per-VLAN stats accounting is enabled.
1053
1054           Format: boolean
1055
1056       vlans
1057           Array of bridge VLAN objects. In addition to the VLANs specified
1058           here, the bridge will also have the default-pvid VLAN configured by
1059           the bridge.vlan-default-pvid property. In nmcli the VLAN list can
1060           be specified with the following syntax: $vid [pvid] [untagged] [,
1061           $vid [pvid] [untagged]]... where $vid is either a single id between
1062           1 and 4094 or a range, represented as a couple of ids separated by
1063           a dash.
1064
1065           Format: array of vardict
1066
1067   bridge-port setting
1068       Bridge Port Settings.
1069
1070       Properties:
1071
1072       hairpin-mode
1073           Alias: hairpin
1074
1075           Enables or disables "hairpin mode" for the port, which allows
1076           frames to be sent back out through the port the frame was received
1077           on.
1078
1079           Format: boolean
1080
1081       path-cost
1082           Alias: path-cost
1083
1084           The Spanning Tree Protocol (STP) port cost for destinations via
1085           this port.
1086
1087           Format: uint32
1088
1089       priority
1090           Alias: priority
1091
1092           The Spanning Tree Protocol (STP) priority of this bridge port.
1093
1094           Format: uint32
1095
1096       vlans
1097           Array of bridge VLAN objects. In addition to the VLANs specified
1098           here, the port will also have the default-pvid VLAN configured on
1099           the bridge by the bridge.vlan-default-pvid property. In nmcli the
1100           VLAN list can be specified with the following syntax: $vid [pvid]
1101           [untagged] [, $vid [pvid] [untagged]]... where $vid is either a
1102           single id between 1 and 4094 or a range, represented as a couple of
1103           ids separated by a dash.
1104
1105           Format: array of vardict
1106
1107   cdma setting
1108       CDMA-based Mobile Broadband Settings.
1109
1110       Properties:
1111
1112       mtu
1113           If non-zero, only transmit packets of the specified size or
1114           smaller, breaking larger packets up into multiple frames.
1115
1116           Format: uint32
1117
1118       number
1119           The number to dial to establish the connection to the CDMA-based
1120           mobile broadband network, if any. If not specified, the default
1121           number (#777) is used when required.
1122
1123           Format: string
1124
1125       password
1126           Alias: password
1127
1128           The password used to authenticate with the network, if required.
1129           Many providers do not require a password, or accept any password.
1130           But if a password is required, it is specified here.
1131
1132           Format: string
1133
1134       password-flags
1135           Flags indicating how to handle the "password" property. See the
1136           section called “Secret flag types:” for flag values.
1137
1138           Format: NMSettingSecretFlags (uint32)
1139
1140       username
1141           Alias: user
1142
1143           The username used to authenticate with the network, if required.
1144           Many providers do not require a username, or accept any username.
1145           But if a username is required, it is specified here.
1146
1147           Format: string
1148
1149   dcb setting
1150       Data Center Bridging Settings.
1151
1152       Properties:
1153
1154       app-fcoe-flags
1155           Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1156           may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1157           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1158           NM_SETTING_DCB_FLAG_WILLING (0x4).
1159
1160           Format: NMSettingDcbFlags (uint32)
1161
1162       app-fcoe-mode
1163           The FCoE controller mode; either "fabric" (default) or "vn2vn".
1164
1165           Format: string
1166
1167       app-fcoe-priority
1168           The highest User Priority (0 - 7) which FCoE frames should use, or
1169           -1 for default priority. Only used when the "app-fcoe-flags"
1170           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1171
1172           Format: int32
1173
1174       app-fip-flags
1175           Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1176           may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1177           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1178           NM_SETTING_DCB_FLAG_WILLING (0x4).
1179
1180           Format: NMSettingDcbFlags (uint32)
1181
1182       app-fip-priority
1183           The highest User Priority (0 - 7) which FIP frames should use, or
1184           -1 for default priority. Only used when the "app-fip-flags"
1185           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1186
1187           Format: int32
1188
1189       app-iscsi-flags
1190           Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1191           Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1192           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1193           NM_SETTING_DCB_FLAG_WILLING (0x4).
1194
1195           Format: NMSettingDcbFlags (uint32)
1196
1197       app-iscsi-priority
1198           The highest User Priority (0 - 7) which iSCSI frames should use, or
1199           -1 for default priority. Only used when the "app-iscsi-flags"
1200           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1201
1202           Format: int32
1203
1204       priority-bandwidth
1205           An array of 8 uint values, where the array index corresponds to the
1206           User Priority (0 - 7) and the value indicates the percentage of
1207           bandwidth of the priority's assigned group that the priority may
1208           use. The sum of all percentages for priorities which belong to the
1209           same group must total 100 percents.
1210
1211           Format: array of uint32
1212
1213       priority-flow-control
1214           An array of 8 boolean values, where the array index corresponds to
1215           the User Priority (0 - 7) and the value indicates whether or not
1216           the corresponding priority should transmit priority pause.
1217
1218           Format: array of uint32
1219
1220       priority-flow-control-flags
1221           Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1222           (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1223           (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1224           NM_SETTING_DCB_FLAG_WILLING (0x4).
1225
1226           Format: NMSettingDcbFlags (uint32)
1227
1228       priority-group-bandwidth
1229           An array of 8 uint values, where the array index corresponds to the
1230           Priority Group ID (0 - 7) and the value indicates the percentage of
1231           link bandwidth allocated to that group. Allowed values are 0 - 100,
1232           and the sum of all values must total 100 percents.
1233
1234           Format: array of uint32
1235
1236       priority-group-flags
1237           Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1238           be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1239           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1240           NM_SETTING_DCB_FLAG_WILLING (0x4).
1241
1242           Format: NMSettingDcbFlags (uint32)
1243
1244       priority-group-id
1245           An array of 8 uint values, where the array index corresponds to the
1246           User Priority (0 - 7) and the value indicates the Priority Group
1247           ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1248           unrestricted group.
1249
1250           Format: array of uint32
1251
1252       priority-strict-bandwidth
1253           An array of 8 boolean values, where the array index corresponds to
1254           the User Priority (0 - 7) and the value indicates whether or not
1255           the priority may use all of the bandwidth allocated to its assigned
1256           group.
1257
1258           Format: array of uint32
1259
1260       priority-traffic-class
1261           An array of 8 uint values, where the array index corresponds to the
1262           User Priority (0 - 7) and the value indicates the traffic class (0
1263           - 7) to which the priority is mapped.
1264
1265           Format: array of uint32
1266
1267   ethtool setting
1268       Ethtool Ethernet Settings.
1269
1270       Properties:
1271
1272       coalesce-adaptive-rx
1273
1274       coalesce-adaptive-tx
1275
1276       coalesce-pkt-rate-high
1277
1278       coalesce-pkt-rate-low
1279
1280       coalesce-rx-frames
1281
1282       coalesce-rx-frames-high
1283
1284       coalesce-rx-frames-irq
1285
1286       coalesce-rx-frames-low
1287
1288       coalesce-rx-usecs
1289
1290       coalesce-rx-usecs-high
1291
1292       coalesce-rx-usecs-irq
1293
1294       coalesce-rx-usecs-low
1295
1296       coalesce-sample-interval
1297
1298       coalesce-stats-block-usecs
1299
1300       coalesce-tx-frames
1301
1302       coalesce-tx-frames-high
1303
1304       coalesce-tx-frames-irq
1305
1306       coalesce-tx-frames-low
1307
1308       coalesce-tx-usecs
1309
1310       coalesce-tx-usecs-high
1311
1312       coalesce-tx-usecs-irq
1313
1314       coalesce-tx-usecs-low
1315
1316       feature-esp-hw-offload
1317
1318       feature-esp-tx-csum-hw-offload
1319
1320       feature-fcoe-mtu
1321
1322       feature-gro
1323
1324       feature-gso
1325
1326       feature-highdma
1327
1328       feature-hw-tc-offload
1329
1330       feature-l2-fwd-offload
1331
1332       feature-loopback
1333
1334       feature-lro
1335
1336       feature-macsec-hw-offload
1337
1338       feature-ntuple
1339
1340       feature-rx
1341
1342       feature-rx-all
1343
1344       feature-rx-fcs
1345
1346       feature-rx-gro-hw
1347
1348       feature-rx-gro-list
1349
1350       feature-rx-udp-gro-forwarding
1351
1352       feature-rx-udp_tunnel-port-offload
1353
1354       feature-rx-vlan-filter
1355
1356       feature-rx-vlan-stag-filter
1357
1358       feature-rx-vlan-stag-hw-parse
1359
1360       feature-rxhash
1361
1362       feature-rxvlan
1363
1364       feature-sg
1365
1366       feature-tls-hw-record
1367
1368       feature-tls-hw-rx-offload
1369
1370       feature-tls-hw-tx-offload
1371
1372       feature-tso
1373
1374       feature-tx
1375
1376       feature-tx-checksum-fcoe-crc
1377
1378       feature-tx-checksum-ip-generic
1379
1380       feature-tx-checksum-ipv4
1381
1382       feature-tx-checksum-ipv6
1383
1384       feature-tx-checksum-sctp
1385
1386       feature-tx-esp-segmentation
1387
1388       feature-tx-fcoe-segmentation
1389
1390       feature-tx-gre-csum-segmentation
1391
1392       feature-tx-gre-segmentation
1393
1394       feature-tx-gso-list
1395
1396       feature-tx-gso-partial
1397
1398       feature-tx-gso-robust
1399
1400       feature-tx-ipxip4-segmentation
1401
1402       feature-tx-ipxip6-segmentation
1403
1404       feature-tx-nocache-copy
1405
1406       feature-tx-scatter-gather
1407
1408       feature-tx-scatter-gather-fraglist
1409
1410       feature-tx-sctp-segmentation
1411
1412       feature-tx-tcp-ecn-segmentation
1413
1414       feature-tx-tcp-mangleid-segmentation
1415
1416       feature-tx-tcp-segmentation
1417
1418       feature-tx-tcp6-segmentation
1419
1420       feature-tx-tunnel-remcsum-segmentation
1421
1422       feature-tx-udp-segmentation
1423
1424       feature-tx-udp_tnl-csum-segmentation
1425
1426       feature-tx-udp_tnl-segmentation
1427
1428       feature-tx-vlan-stag-hw-insert
1429
1430       feature-txvlan
1431
1432       pause-autoneg
1433           Whether to automatically negotiate on pause frame of flow control
1434           mechanism defined by IEEE 802.3x standard.
1435
1436       pause-rx
1437           Whether RX pause should be enabled. Only valid when automatic
1438           negotiation is disabled
1439
1440       pause-tx
1441           Whether TX pause should be enabled. Only valid when automatic
1442           negotiation is disabled
1443
1444       ring-rx
1445
1446       ring-rx-jumbo
1447
1448       ring-rx-mini
1449
1450       ring-tx
1451
1452   gsm setting
1453       GSM-based Mobile Broadband Settings.
1454
1455       Properties:
1456
1457       apn
1458           Alias: apn
1459
1460           The GPRS Access Point Name specifying the APN used when
1461           establishing a data session with the GSM-based network. The APN
1462           often determines how the user will be billed for their network
1463           usage and whether the user has access to the Internet or just a
1464           provider-specific walled-garden, so it is important to use the
1465           correct APN for the user's mobile broadband plan. The APN may only
1466           be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1467           Section 14.9.
1468
1469           Format: string
1470
1471       auto-config
1472           When TRUE, the settings such as APN, username, or password will
1473           default to values that match the network the modem will register to
1474           in the Mobile Broadband Provider database.
1475
1476           Format: boolean
1477
1478       device-id
1479           The device unique identifier (as given by the WWAN management
1480           service) which this connection applies to. If given, the connection
1481           will only apply to the specified device.
1482
1483           Format: string
1484
1485       home-only
1486           When TRUE, only connections to the home network will be allowed.
1487           Connections to roaming networks will not be made.
1488
1489           Format: boolean
1490
1491       mtu
1492           If non-zero, only transmit packets of the specified size or
1493           smaller, breaking larger packets up into multiple frames.
1494
1495           Format: uint32
1496
1497       network-id
1498           The Network ID (GSM LAI format, ie MCC-MNC) to force specific
1499           network registration. If the Network ID is specified,
1500           NetworkManager will attempt to force the device to register only on
1501           the specified network. This can be used to ensure that the device
1502           does not roam when direct roaming control of the device is not
1503           otherwise possible.
1504
1505           Format: string
1506
1507       number
1508           Legacy setting that used to help establishing PPP data sessions for
1509           GSM-based modems. Deprecated: 1
1510
1511           Format: string
1512
1513       password
1514           Alias: password
1515
1516           The password used to authenticate with the network, if required.
1517           Many providers do not require a password, or accept any password.
1518           But if a password is required, it is specified here.
1519
1520           Format: string
1521
1522       password-flags
1523           Flags indicating how to handle the "password" property. See the
1524           section called “Secret flag types:” for flag values.
1525
1526           Format: NMSettingSecretFlags (uint32)
1527
1528       pin
1529           If the SIM is locked with a PIN it must be unlocked before any
1530           other operations are requested. Specify the PIN here to allow
1531           operation of the device.
1532
1533           Format: string
1534
1535       pin-flags
1536           Flags indicating how to handle the "pin" property. See the section
1537           called “Secret flag types:” for flag values.
1538
1539           Format: NMSettingSecretFlags (uint32)
1540
1541       sim-id
1542           The SIM card unique identifier (as given by the WWAN management
1543           service) which this connection applies to. If given, the connection
1544           will apply to any device also allowed by "device-id" which contains
1545           a SIM card matching the given identifier.
1546
1547           Format: string
1548
1549       sim-operator-id
1550           A MCC/MNC string like "310260" or "21601" identifying the specific
1551           mobile network operator which this connection applies to. If given,
1552           the connection will apply to any device also allowed by "device-id"
1553           and "sim-id" which contains a SIM card provisioned by the given
1554           operator.
1555
1556           Format: string
1557
1558       username
1559           Alias: user
1560
1561           The username used to authenticate with the network, if required.
1562           Many providers do not require a username, or accept any username.
1563           But if a username is required, it is specified here.
1564
1565           Format: string
1566
1567   infiniband setting
1568       Infiniband Settings.
1569
1570       Properties:
1571
1572       mac-address
1573           Alias: mac
1574
1575           If specified, this connection will only apply to the IPoIB device
1576           whose permanent MAC address matches. This property does not change
1577           the MAC address of the device (i.e. MAC spoofing).
1578
1579           Format: byte array
1580
1581       mtu
1582           Alias: mtu
1583
1584           If non-zero, only transmit packets of the specified size or
1585           smaller, breaking larger packets up into multiple frames.
1586
1587           Format: uint32
1588
1589       p-key
1590           Alias: p-key
1591
1592           The InfiniBand P_Key to use for this device. A value of -1 means to
1593           use the default P_Key (aka "the P_Key at index 0"). Otherwise, it
1594           is a 16-bit unsigned integer, whose high bit is set if it is a
1595           "full membership" P_Key.
1596
1597           Format: int32
1598
1599       parent
1600           Alias: parent
1601
1602           The interface name of the parent device of this device. Normally
1603           NULL, but if the "p_key" property is set, then you must specify the
1604           base device by setting either this property or "mac-address".
1605
1606           Format: string
1607
1608       transport-mode
1609           Alias: transport-mode
1610
1611           The IP-over-InfiniBand transport mode. Either "datagram" or
1612           "connected".
1613
1614           Format: string
1615
1616   ipv4 setting
1617       IPv4 Settings.
1618
1619       Properties:
1620
1621       addresses
1622           Alias: ip4
1623
1624           A list of IPv4 addresses and their prefix length. Multiple
1625           addresses can be separated by comma. For example "192.168.1.5/24,
1626           10.1.0.5/24". The addresses are listed in decreasing priority,
1627           meaning the first address will be the primary address.
1628
1629           Format: a comma separated list of addresses
1630
1631       dad-timeout
1632           Timeout in milliseconds used to check for the presence of duplicate
1633           IP addresses on the network. If an address conflict is detected,
1634           the activation will fail. A zero value means that no duplicate
1635           address detection is performed, -1 means the default value (either
1636           configuration ipvx.dad-timeout override or zero). A value greater
1637           than zero is a timeout in milliseconds. The property is currently
1638           implemented only for IPv4.
1639
1640           Format: int32
1641
1642       dhcp-client-id
1643           A string sent to the DHCP server to identify the local machine
1644           which the DHCP server may use to customize the DHCP lease and
1645           options. When the property is a hex string ('aa:bb:cc') it is
1646           interpreted as a binary client ID, in which case the first byte is
1647           assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1648           remaining bytes may be an hardware address (e.g.
1649           '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1650           rest is a MAC address). If the property is not a hex string it is
1651           considered as a non-hardware-address client ID and the 'type' field
1652           is set to 0. The special values "mac" and "perm-mac" are supported,
1653           which use the current or permanent MAC address of the device to
1654           generate a client identifier with type ethernet (01). Currently,
1655           these options only work for ethernet type of links. The special
1656           value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid" property as
1657           an RFC4361-compliant client identifier. As IAID it uses
1658           "ipv4.dhcp-iaid" and falls back to "ipv6.dhcp-iaid" if unset. The
1659           special value "duid" generates a RFC4361-compliant client
1660           identifier based on "ipv4.dhcp-iaid" and uses a DUID generated by
1661           hashing /etc/machine-id. The special value "stable" is supported to
1662           generate a type 0 client identifier based on the stable-id (see
1663           connection.stable-id) and a per-host key. If you set the stable-id,
1664           you may want to include the "${DEVICE}" or "${MAC}" specifier to
1665           get a per-device key. If unset, a globally configured default is
1666           used. If still unset, the default depends on the DHCP plugin.
1667
1668           Format: string
1669
1670       dhcp-fqdn
1671           If the "dhcp-send-hostname" property is TRUE, then the specified
1672           FQDN will be sent to the DHCP server when acquiring a lease. This
1673           property and "dhcp-hostname" are mutually exclusive and cannot be
1674           set at the same time.
1675
1676           Format: string
1677
1678       dhcp-hostname
1679           If the "dhcp-send-hostname" property is TRUE, then the specified
1680           name will be sent to the DHCP server when acquiring a lease. This
1681           property and "dhcp-fqdn" are mutually exclusive and cannot be set
1682           at the same time.
1683
1684           Format: string
1685
1686       dhcp-hostname-flags
1687           Flags for the DHCP hostname and FQDN. Currently, this property only
1688           includes flags to control the FQDN flags set in the DHCP FQDN
1689           option. Supported FQDN flags are
1690           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1691           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1692           NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1693           set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1694           DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1695           is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1696           the standard FQDN flags are set in the request:
1697           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1698           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1699           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1700           property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1701           (0x0), a global default is looked up in NetworkManager
1702           configuration. If that value is unset or also
1703           NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1704           described above are sent in the DHCP requests.
1705
1706           Format: uint32
1707
1708       dhcp-iaid
1709           A string containing the "Identity Association Identifier" (IAID)
1710           used by the DHCP client. The property is a 32-bit decimal value or
1711           a special value among "mac", "perm-mac", "ifname" and "stable".
1712           When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1713           (or permanent) MAC address are used as IAID. When set to "ifname",
1714           the IAID is computed by hashing the interface name. The special
1715           value "stable" can be used to generate an IAID based on the
1716           stable-id (see connection.stable-id), a per-host key and the
1717           interface name. When the property is unset, the value from global
1718           configuration is used; if no global default is set then the IAID is
1719           assumed to be "ifname". Note that at the moment this property is
1720           ignored for IPv6 by dhclient, which always derives the IAID from
1721           the MAC address.
1722
1723           Format: string
1724
1725       dhcp-reject-servers
1726           Array of servers from which DHCP offers must be rejected. This
1727           property is useful to avoid getting a lease from misconfigured or
1728           rogue servers. For DHCPv4, each element must be an IPv4 address,
1729           optionally followed by a slash and a prefix length (e.g.
1730           "192.168.122.0/24"). This property is currently not implemented for
1731           DHCPv6.
1732
1733           Format: array of string
1734
1735       dhcp-send-hostname
1736           If TRUE, a hostname is sent to the DHCP server when acquiring a
1737           lease. Some DHCP servers use this hostname to update DNS databases,
1738           essentially providing a static hostname for the computer. If the
1739           "dhcp-hostname" property is NULL and this property is TRUE, the
1740           current persistent hostname of the computer is sent.
1741
1742           Format: boolean
1743
1744       dhcp-timeout
1745           A timeout for a DHCP transaction in seconds. If zero (the default),
1746           a globally configured default is used. If still unspecified, a
1747           device specific timeout is used (usually 45 seconds). Set to
1748           2147483647 (MAXINT32) for infinity.
1749
1750           Format: int32
1751
1752       dhcp-vendor-class-identifier
1753           The Vendor Class Identifier DHCP option (60). Special characters in
1754           the data string may be escaped using C-style escapes, nevertheless
1755           this property cannot contain nul bytes. If the per-profile value is
1756           unspecified (the default), a global connection default gets
1757           consulted. If still unspecified, the DHCP option is not sent to the
1758           server. Since 1.28
1759
1760           Format: string
1761
1762       dns
1763           Array of IP addresses of DNS servers.
1764
1765           Format: array of uint32
1766
1767       dns-options
1768           Array of DNS options as described in man 5 resolv.conf. NULL means
1769           that the options are unset and left at the default. In this case
1770           NetworkManager will use default options. This is distinct from an
1771           empty list of properties. The currently supported options are
1772           "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
1773           "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
1774           "no-reload", "no-tld-query", "rotate", "single-request",
1775           "single-request-reopen", "timeout", "trust-ad", "use-vc". The
1776           "trust-ad" setting is only honored if the profile contributes name
1777           servers to resolv.conf, and if all contributing profiles have
1778           "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
1779           systemd-resolved in NetworkManager.conf) then "edns0" and
1780           "trust-ad" are automatically added.
1781
1782           Format: array of string
1783
1784       dns-priority
1785           DNS servers priority. The relative priority for DNS servers
1786           specified by this setting. A lower numerical value is better
1787           (higher priority). Negative values have the special effect of
1788           excluding other configurations with a greater numerical priority
1789           value; so in presence of at least one negative priority, only DNS
1790           servers from connections with the lowest priority value will be
1791           used. To avoid all DNS leaks, set the priority of the profile that
1792           should be used to the most negative value of all active connections
1793           profiles. Zero selects a globally configured default value. If the
1794           latter is missing or zero too, it defaults to 50 for VPNs
1795           (including WireGuard) and 100 for other connections. Note that the
1796           priority is to order DNS settings for multiple active connections.
1797           It does not disambiguate multiple DNS servers within the same
1798           connection profile. When multiple devices have configurations with
1799           the same priority, VPNs will be considered first, then devices with
1800           the best (lowest metric) default route and then all other devices.
1801           When using dns=default, servers with higher priority will be on top
1802           of resolv.conf. To prioritize a given server over another one
1803           within the same connection, just specify them in the desired order.
1804           Note that commonly the resolver tries name servers in
1805           /etc/resolv.conf in the order listed, proceeding with the next
1806           server in the list on failure. See for example the "rotate" option
1807           of the dns-options setting. If there are any negative DNS
1808           priorities, then only name servers from the devices with that
1809           lowest priority will be considered. When using a DNS resolver that
1810           supports Conditional Forwarding or Split DNS (with dns=dnsmasq or
1811           dns=systemd-resolved settings), each connection is used to query
1812           domains in its search list. The search domains determine which name
1813           servers to ask, and the DNS priority is used to prioritize name
1814           servers based on the domain. Queries for domains not present in any
1815           search list are routed through connections having the '~.' special
1816           wildcard domain, which is added automatically to connections with
1817           the default route (or can be added manually). When multiple
1818           connections specify the same domain, the one with the best priority
1819           (lowest numerical value) wins. If a sub domain is configured on
1820           another interface it will be accepted regardless the priority,
1821           unless parent domain on the other interface has a negative
1822           priority, which causes the sub domain to be shadowed. With Split
1823           DNS one can avoid undesired DNS leaks by properly configuring DNS
1824           priorities and the search domains, so that only name servers of the
1825           desired interface are configured.
1826
1827           Format: int32
1828
1829       dns-search
1830           Array of DNS search domains. Domains starting with a tilde ('~')
1831           are considered 'routing' domains and are used only to decide the
1832           interface over which a query must be forwarded; they are not used
1833           to complete unqualified host names. When using a DNS plugin that
1834           supports Conditional Forwarding or Split DNS, then the search
1835           domains specify which name servers to query. This makes the
1836           behavior different from running with plain /etc/resolv.conf. For
1837           more information see also the dns-priority setting.
1838
1839           Format: array of string
1840
1841       gateway
1842           Alias: gw4
1843
1844           The gateway associated with this configuration. This is only
1845           meaningful if "addresses" is also set. The gateway's main purpose
1846           is to control the next hop of the standard default route on the
1847           device. Hence, the gateway property conflicts with "never-default"
1848           and will be automatically dropped if the IP configuration is set to
1849           never-default. As an alternative to set the gateway, configure a
1850           static default route with /0 as prefix length.
1851
1852           Format: string
1853
1854       ignore-auto-dns
1855           When "method" is set to "auto" and this property to TRUE,
1856           automatically configured name servers and search domains are
1857           ignored and only name servers and search domains specified in the
1858           "dns" and "dns-search" properties, if any, are used.
1859
1860           Format: boolean
1861
1862       ignore-auto-routes
1863           When "method" is set to "auto" and this property to TRUE,
1864           automatically configured routes are ignored and only routes
1865           specified in the "routes" property, if any, are used.
1866
1867           Format: boolean
1868
1869       may-fail
1870           If TRUE, allow overall network configuration to proceed even if the
1871           configuration specified by this property times out. Note that at
1872           least one IP configuration must succeed or overall network
1873           configuration will still fail. For example, in IPv6-only networks,
1874           setting this property to TRUE on the NMSettingIP4Config allows the
1875           overall network configuration to succeed if IPv4 configuration
1876           fails but IPv6 configuration completes successfully.
1877
1878           Format: boolean
1879
1880       method
1881           IP configuration method. NMSettingIP4Config and NMSettingIP6Config
1882           both support "disabled", "auto", "manual", and "link-local". See
1883           the subclass-specific documentation for other values. In general,
1884           for the "auto" method, properties such as "dns" and "routes"
1885           specify information that is added on to the information returned
1886           from automatic configuration. The "ignore-auto-routes" and
1887           "ignore-auto-dns" properties modify this behavior. For methods that
1888           imply no upstream network, such as "shared" or "link-local", these
1889           properties must be empty. For IPv4 method "shared", the IP subnet
1890           can be configured by adding one manual IPv4 address or otherwise
1891           10.42.x.0/24 is chosen. Note that the shared method must be
1892           configured on the interface which shares the internet to a subnet,
1893           not on the uplink which is shared.
1894
1895           Format: string
1896
1897       never-default
1898           If TRUE, this connection will never be the default connection for
1899           this IP type, meaning it will never be assigned the default route
1900           by NetworkManager.
1901
1902           Format: boolean
1903
1904       required-timeout
1905           The minimum time interval in milliseconds for which dynamic IP
1906           configuration should be tried before the connection succeeds. This
1907           property is useful for example if both IPv4 and IPv6 are enabled
1908           and are allowed to fail. Normally the connection succeeds as soon
1909           as one of the two address families completes; by setting a required
1910           timeout for e.g. IPv4, one can ensure that even if IP6 succeeds
1911           earlier than IPv4, NetworkManager waits some time for IPv4 before
1912           the connection becomes active. Note that if "may-fail" is FALSE for
1913           the same address family, this property has no effect as
1914           NetworkManager needs to wait for the full DHCP timeout. A zero
1915           value means that no required timeout is present, -1 means the
1916           default value (either configuration ipvx.required-timeout override
1917           or zero).
1918
1919           Format: int32
1920
1921       route-metric
1922           The default metric for routes that don't explicitly specify a
1923           metric. The default value -1 means that the metric is chosen
1924           automatically based on the device type. The metric applies to
1925           dynamic routes, manual (static) routes that don't have an explicit
1926           metric setting, address prefix routes, and the default route. Note
1927           that for IPv6, the kernel accepts zero (0) but coerces it to 1024
1928           (user default). Hence, setting this property to zero effectively
1929           mean setting it to 1024. For IPv4, zero is a regular value for the
1930           metric.
1931
1932           Format: int64
1933
1934       route-table
1935           Enable policy routing (source routing) and set the routing table
1936           used when adding routes. This affects all routes, including
1937           device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
1938           routes. But note that static routes can individually overwrite the
1939           setting by explicitly specifying a non-zero routing table. If the
1940           table setting is left at zero, it is eligible to be overwritten via
1941           global configuration. If the property is zero even after applying
1942           the global configuration value, policy routing is disabled for the
1943           address family of this connection. Policy routing disabled means
1944           that NetworkManager will add all routes to the main table (except
1945           static routes that explicitly configure a different table).
1946           Additionally, NetworkManager will not delete any extraneous routes
1947           from tables except the main table. This is to preserve backward
1948           compatibility for users who manage routing tables outside of
1949           NetworkManager.
1950
1951           Format: uint32
1952
1953       routes
1954           A list of IPv4 destination addresses, prefix length, optional IPv4
1955           next hop addresses, optional route metric, optional attribute. The
1956           valid syntax is: "ip[/prefix] [next-hop] [metric]
1957           [attribute=val]...[,ip[/prefix]...]". For example "192.0.2.0/24
1958           10.1.1.1 77, 198.51.100.0/24".
1959
1960           Format: a comma separated list of routes
1961
1962       routing-rules
1963
1964   ipv6 setting
1965       IPv6 Settings.
1966
1967       Properties:
1968
1969       addr-gen-mode
1970           Configure method for creating the address for use with RFC4862 IPv6
1971           Stateless Address Autoconfiguration. The permitted values are:
1972           NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0) or
1973           NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1). If the
1974           property is set to EUI64, the addresses will be generated using the
1975           interface tokens derived from hardware address. This makes the host
1976           part of the address to stay constant, making it possible to track
1977           host's presence when it changes networks. The address changes when
1978           the interface hardware is replaced. The value of stable-privacy
1979           enables use of cryptographically secure hash of a secret
1980           host-specific key along with the connection's stable-id and the
1981           network address as specified by RFC7217. This makes it impossible
1982           to use the address track host's presence, and makes the address
1983           stable when the network interface hardware is replaced. On D-Bus,
1984           the absence of an addr-gen-mode setting equals enabling
1985           stable-privacy. For keyfile plugin, the absence of the setting on
1986           disk means EUI64 so that the property doesn't change on upgrade
1987           from older versions. Note that this setting is distinct from the
1988           Privacy Extensions as configured by "ip6-privacy" property and it
1989           does not affect the temporary addresses configured with this
1990           option.
1991
1992           Format: int32
1993
1994       addresses
1995           Alias: ip6
1996
1997           A list of IPv6 addresses and their prefix length. Multiple
1998           addresses can be separated by comma. For example
1999           "2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64". The
2000           addresses are listed in increasing priority, meaning the last
2001           address will be the primary address.
2002
2003           Format: a comma separated list of addresses
2004
2005       dhcp-duid
2006           A string containing the DHCPv6 Unique Identifier (DUID) used by the
2007           dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
2008           DUID is carried in the Client Identifier option. If the property is
2009           a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
2010           filled as an opaque value in the Client Identifier option. The
2011           special value "lease" will retrieve the DUID previously used from
2012           the lease file belonging to the connection. If no DUID is found and
2013           "dhclient" is the configured dhcp client, the DUID is searched in
2014           the system-wide dhclient lease file. If still no DUID is found, or
2015           another dhcp client is used, a global and permanent DUID-UUID (RFC
2016           6355) will be generated based on the machine-id. The special values
2017           "llt" and "ll" will generate a DUID of type LLT or LL (see RFC
2018           3315) based on the current MAC address of the device. In order to
2019           try providing a stable DUID-LLT, the time field will contain a
2020           constant timestamp that is used globally (for all profiles) and
2021           persisted to disk. The special values "stable-llt", "stable-ll" and
2022           "stable-uuid" will generate a DUID of the corresponding type,
2023           derived from the connection's stable-id and a per-host unique key.
2024           You may want to include the "${DEVICE}" or "${MAC}" specifier in
2025           the stable-id, in case this profile gets activated on multiple
2026           devices. So, the link-layer address of "stable-ll" and "stable-llt"
2027           will be a generated address derived from the stable id. The
2028           DUID-LLT time value in the "stable-llt" option will be picked among
2029           a static timespan of three years (the upper bound of the interval
2030           is the same constant timestamp used in "llt"). When the property is
2031           unset, the global value provided for "ipv6.dhcp-duid" is used. If
2032           no global value is provided, the default "lease" value is assumed.
2033
2034           Format: string
2035
2036       dhcp-hostname
2037           If the "dhcp-send-hostname" property is TRUE, then the specified
2038           name will be sent to the DHCP server when acquiring a lease. This
2039           property and "dhcp-fqdn" are mutually exclusive and cannot be set
2040           at the same time.
2041
2042           Format: string
2043
2044       dhcp-hostname-flags
2045           Flags for the DHCP hostname and FQDN. Currently, this property only
2046           includes flags to control the FQDN flags set in the DHCP FQDN
2047           option. Supported FQDN flags are
2048           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2049           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
2050           NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
2051           set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
2052           DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
2053           is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
2054           the standard FQDN flags are set in the request:
2055           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2056           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
2057           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
2058           property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
2059           (0x0), a global default is looked up in NetworkManager
2060           configuration. If that value is unset or also
2061           NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
2062           described above are sent in the DHCP requests.
2063
2064           Format: uint32
2065
2066       dhcp-iaid
2067           A string containing the "Identity Association Identifier" (IAID)
2068           used by the DHCP client. The property is a 32-bit decimal value or
2069           a special value among "mac", "perm-mac", "ifname" and "stable".
2070           When set to "mac" (or "perm-mac"), the last 4 bytes of the current
2071           (or permanent) MAC address are used as IAID. When set to "ifname",
2072           the IAID is computed by hashing the interface name. The special
2073           value "stable" can be used to generate an IAID based on the
2074           stable-id (see connection.stable-id), a per-host key and the
2075           interface name. When the property is unset, the value from global
2076           configuration is used; if no global default is set then the IAID is
2077           assumed to be "ifname". Note that at the moment this property is
2078           ignored for IPv6 by dhclient, which always derives the IAID from
2079           the MAC address.
2080
2081           Format: string
2082
2083       dhcp-send-hostname
2084           If TRUE, a hostname is sent to the DHCP server when acquiring a
2085           lease. Some DHCP servers use this hostname to update DNS databases,
2086           essentially providing a static hostname for the computer. If the
2087           "dhcp-hostname" property is NULL and this property is TRUE, the
2088           current persistent hostname of the computer is sent.
2089
2090           Format: boolean
2091
2092       dhcp-timeout
2093           A timeout for a DHCP transaction in seconds. If zero (the default),
2094           a globally configured default is used. If still unspecified, a
2095           device specific timeout is used (usually 45 seconds). Set to
2096           2147483647 (MAXINT32) for infinity.
2097
2098           Format: int32
2099
2100       dns
2101           Array of IP addresses of DNS servers.
2102
2103           Format: array of byte array
2104
2105       dns-options
2106           Array of DNS options as described in man 5 resolv.conf. NULL means
2107           that the options are unset and left at the default. In this case
2108           NetworkManager will use default options. This is distinct from an
2109           empty list of properties. The currently supported options are
2110           "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
2111           "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
2112           "no-reload", "no-tld-query", "rotate", "single-request",
2113           "single-request-reopen", "timeout", "trust-ad", "use-vc". The
2114           "trust-ad" setting is only honored if the profile contributes name
2115           servers to resolv.conf, and if all contributing profiles have
2116           "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
2117           systemd-resolved in NetworkManager.conf) then "edns0" and
2118           "trust-ad" are automatically added.
2119
2120           Format: array of string
2121
2122       dns-priority
2123           DNS servers priority. The relative priority for DNS servers
2124           specified by this setting. A lower numerical value is better
2125           (higher priority). Negative values have the special effect of
2126           excluding other configurations with a greater numerical priority
2127           value; so in presence of at least one negative priority, only DNS
2128           servers from connections with the lowest priority value will be
2129           used. To avoid all DNS leaks, set the priority of the profile that
2130           should be used to the most negative value of all active connections
2131           profiles. Zero selects a globally configured default value. If the
2132           latter is missing or zero too, it defaults to 50 for VPNs
2133           (including WireGuard) and 100 for other connections. Note that the
2134           priority is to order DNS settings for multiple active connections.
2135           It does not disambiguate multiple DNS servers within the same
2136           connection profile. When multiple devices have configurations with
2137           the same priority, VPNs will be considered first, then devices with
2138           the best (lowest metric) default route and then all other devices.
2139           When using dns=default, servers with higher priority will be on top
2140           of resolv.conf. To prioritize a given server over another one
2141           within the same connection, just specify them in the desired order.
2142           Note that commonly the resolver tries name servers in
2143           /etc/resolv.conf in the order listed, proceeding with the next
2144           server in the list on failure. See for example the "rotate" option
2145           of the dns-options setting. If there are any negative DNS
2146           priorities, then only name servers from the devices with that
2147           lowest priority will be considered. When using a DNS resolver that
2148           supports Conditional Forwarding or Split DNS (with dns=dnsmasq or
2149           dns=systemd-resolved settings), each connection is used to query
2150           domains in its search list. The search domains determine which name
2151           servers to ask, and the DNS priority is used to prioritize name
2152           servers based on the domain. Queries for domains not present in any
2153           search list are routed through connections having the '~.' special
2154           wildcard domain, which is added automatically to connections with
2155           the default route (or can be added manually). When multiple
2156           connections specify the same domain, the one with the best priority
2157           (lowest numerical value) wins. If a sub domain is configured on
2158           another interface it will be accepted regardless the priority,
2159           unless parent domain on the other interface has a negative
2160           priority, which causes the sub domain to be shadowed. With Split
2161           DNS one can avoid undesired DNS leaks by properly configuring DNS
2162           priorities and the search domains, so that only name servers of the
2163           desired interface are configured.
2164
2165           Format: int32
2166
2167       dns-search
2168           Array of DNS search domains. Domains starting with a tilde ('~')
2169           are considered 'routing' domains and are used only to decide the
2170           interface over which a query must be forwarded; they are not used
2171           to complete unqualified host names. When using a DNS plugin that
2172           supports Conditional Forwarding or Split DNS, then the search
2173           domains specify which name servers to query. This makes the
2174           behavior different from running with plain /etc/resolv.conf. For
2175           more information see also the dns-priority setting.
2176
2177           Format: array of string
2178
2179       gateway
2180           Alias: gw6
2181
2182           The gateway associated with this configuration. This is only
2183           meaningful if "addresses" is also set. The gateway's main purpose
2184           is to control the next hop of the standard default route on the
2185           device. Hence, the gateway property conflicts with "never-default"
2186           and will be automatically dropped if the IP configuration is set to
2187           never-default. As an alternative to set the gateway, configure a
2188           static default route with /0 as prefix length.
2189
2190           Format: string
2191
2192       ignore-auto-dns
2193           When "method" is set to "auto" and this property to TRUE,
2194           automatically configured name servers and search domains are
2195           ignored and only name servers and search domains specified in the
2196           "dns" and "dns-search" properties, if any, are used.
2197
2198           Format: boolean
2199
2200       ignore-auto-routes
2201           When "method" is set to "auto" and this property to TRUE,
2202           automatically configured routes are ignored and only routes
2203           specified in the "routes" property, if any, are used.
2204
2205           Format: boolean
2206
2207       ip6-privacy
2208           Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
2209           If enabled, it makes the kernel generate a temporary IPv6 address
2210           in addition to the public one generated from MAC address via
2211           modified EUI-64. This enhances privacy, but could cause problems in
2212           some applications, on the other hand. The permitted values are: -1:
2213           unknown, 0: disabled, 1: enabled (prefer public address), 2:
2214           enabled (prefer temporary addresses). Having a per-connection
2215           setting set to "-1" (unknown) means fallback to global
2216           configuration "ipv6.ip6-privacy". If also global configuration is
2217           unspecified or set to "-1", fallback to read
2218           "/proc/sys/net/ipv6/conf/default/use_tempaddr". Note that this
2219           setting is distinct from the Stable Privacy addresses that can be
2220           enabled with the "addr-gen-mode" property's "stable-privacy"
2221           setting as another way of avoiding host tracking with IPv6
2222           addresses.
2223
2224           Format: NMSettingIP6ConfigPrivacy (int32)
2225
2226       may-fail
2227           If TRUE, allow overall network configuration to proceed even if the
2228           configuration specified by this property times out. Note that at
2229           least one IP configuration must succeed or overall network
2230           configuration will still fail. For example, in IPv6-only networks,
2231           setting this property to TRUE on the NMSettingIP4Config allows the
2232           overall network configuration to succeed if IPv4 configuration
2233           fails but IPv6 configuration completes successfully.
2234
2235           Format: boolean
2236
2237       method
2238           IP configuration method. NMSettingIP4Config and NMSettingIP6Config
2239           both support "disabled", "auto", "manual", and "link-local". See
2240           the subclass-specific documentation for other values. In general,
2241           for the "auto" method, properties such as "dns" and "routes"
2242           specify information that is added on to the information returned
2243           from automatic configuration. The "ignore-auto-routes" and
2244           "ignore-auto-dns" properties modify this behavior. For methods that
2245           imply no upstream network, such as "shared" or "link-local", these
2246           properties must be empty. For IPv4 method "shared", the IP subnet
2247           can be configured by adding one manual IPv4 address or otherwise
2248           10.42.x.0/24 is chosen. Note that the shared method must be
2249           configured on the interface which shares the internet to a subnet,
2250           not on the uplink which is shared.
2251
2252           Format: string
2253
2254       never-default
2255           If TRUE, this connection will never be the default connection for
2256           this IP type, meaning it will never be assigned the default route
2257           by NetworkManager.
2258
2259           Format: boolean
2260
2261       ra-timeout
2262           A timeout for waiting Router Advertisements in seconds. If zero
2263           (the default), a globally configured default is used. If still
2264           unspecified, the timeout depends on the sysctl settings of the
2265           device. Set to 2147483647 (MAXINT32) for infinity.
2266
2267           Format: int32
2268
2269       required-timeout
2270           The minimum time interval in milliseconds for which dynamic IP
2271           configuration should be tried before the connection succeeds. This
2272           property is useful for example if both IPv4 and IPv6 are enabled
2273           and are allowed to fail. Normally the connection succeeds as soon
2274           as one of the two address families completes; by setting a required
2275           timeout for e.g. IPv4, one can ensure that even if IP6 succeeds
2276           earlier than IPv4, NetworkManager waits some time for IPv4 before
2277           the connection becomes active. Note that if "may-fail" is FALSE for
2278           the same address family, this property has no effect as
2279           NetworkManager needs to wait for the full DHCP timeout. A zero
2280           value means that no required timeout is present, -1 means the
2281           default value (either configuration ipvx.required-timeout override
2282           or zero).
2283
2284           Format: int32
2285
2286       route-metric
2287           The default metric for routes that don't explicitly specify a
2288           metric. The default value -1 means that the metric is chosen
2289           automatically based on the device type. The metric applies to
2290           dynamic routes, manual (static) routes that don't have an explicit
2291           metric setting, address prefix routes, and the default route. Note
2292           that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2293           (user default). Hence, setting this property to zero effectively
2294           mean setting it to 1024. For IPv4, zero is a regular value for the
2295           metric.
2296
2297           Format: int64
2298
2299       route-table
2300           Enable policy routing (source routing) and set the routing table
2301           used when adding routes. This affects all routes, including
2302           device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
2303           routes. But note that static routes can individually overwrite the
2304           setting by explicitly specifying a non-zero routing table. If the
2305           table setting is left at zero, it is eligible to be overwritten via
2306           global configuration. If the property is zero even after applying
2307           the global configuration value, policy routing is disabled for the
2308           address family of this connection. Policy routing disabled means
2309           that NetworkManager will add all routes to the main table (except
2310           static routes that explicitly configure a different table).
2311           Additionally, NetworkManager will not delete any extraneous routes
2312           from tables except the main table. This is to preserve backward
2313           compatibility for users who manage routing tables outside of
2314           NetworkManager.
2315
2316           Format: uint32
2317
2318       routes
2319           Array of IP routes.
2320
2321           Format: array of legacy IPv6 route struct
2322
2323       routing-rules
2324
2325       token
2326           Configure the token for
2327           draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2328           interface identifiers. Useful with eui64 addr-gen-mode.
2329
2330           Format: string
2331
2332   ip-tunnel setting
2333       IP Tunneling Settings.
2334
2335       Properties:
2336
2337       encapsulation-limit
2338           How many additional levels of encapsulation are permitted to be
2339           prepended to packets. This property applies only to IPv6 tunnels.
2340
2341           Format: uint32
2342
2343       flags
2344           Tunnel flags. Currently, the following values are supported:
2345           NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2346           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2347           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2348           NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2349           NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2350           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2351           for IPv6 tunnels.
2352
2353           Format: uint32
2354
2355       flow-label
2356           The flow label to assign to tunnel packets. This property applies
2357           only to IPv6 tunnels.
2358
2359           Format: uint32
2360
2361       input-key
2362           The key used for tunnel input packets; the property is valid only
2363           for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2364
2365           Format: string
2366
2367       local
2368           Alias: local
2369
2370           The local endpoint of the tunnel; the value can be empty, otherwise
2371           it must contain an IPv4 or IPv6 address.
2372
2373           Format: string
2374
2375       mode
2376           Alias: mode
2377
2378           The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2379           NM_IP_TUNNEL_MODE_GRE (2).
2380
2381           Format: uint32
2382
2383       mtu
2384           If non-zero, only transmit packets of the specified size or
2385           smaller, breaking larger packets up into multiple fragments.
2386
2387           Format: uint32
2388
2389       output-key
2390           The key used for tunnel output packets; the property is valid only
2391           for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2392
2393           Format: string
2394
2395       parent
2396           Alias: dev
2397
2398           If given, specifies the parent interface name or parent connection
2399           UUID the new device will be bound to so that tunneled packets will
2400           only be routed via that interface.
2401
2402           Format: string
2403
2404       path-mtu-discovery
2405           Whether to enable Path MTU Discovery on this tunnel.
2406
2407           Format: boolean
2408
2409       remote
2410           Alias: remote
2411
2412           The remote endpoint of the tunnel; the value must contain an IPv4
2413           or IPv6 address.
2414
2415           Format: string
2416
2417       tos
2418           The type of service (IPv4) or traffic class (IPv6) field to be set
2419           on tunneled packets.
2420
2421           Format: uint32
2422
2423       ttl
2424           The TTL to assign to tunneled packets. 0 is a special value meaning
2425           that packets inherit the TTL value.
2426
2427           Format: uint32
2428
2429   macsec setting
2430       MACSec Settings.
2431
2432       Properties:
2433
2434       encrypt
2435           Alias: encrypt
2436
2437           Whether the transmitted traffic must be encrypted.
2438
2439           Format: boolean
2440
2441       mka-cak
2442           Alias: cak
2443
2444           The pre-shared CAK (Connectivity Association Key) for MACsec Key
2445           Agreement.
2446
2447           Format: string
2448
2449       mka-cak-flags
2450           Flags indicating how to handle the "mka-cak" property. See the
2451           section called “Secret flag types:” for flag values.
2452
2453           Format: NMSettingSecretFlags (uint32)
2454
2455       mka-ckn
2456           Alias: ckn
2457
2458           The pre-shared CKN (Connectivity-association Key Name) for MACsec
2459           Key Agreement.
2460
2461           Format: string
2462
2463       mode
2464           Alias: mode
2465
2466           Specifies how the CAK (Connectivity Association Key) for MKA
2467           (MACsec Key Agreement) is obtained.
2468
2469           Format: int32
2470
2471       parent
2472           Alias: dev
2473
2474           If given, specifies the parent interface name or parent connection
2475           UUID from which this MACSEC interface should be created. If this
2476           property is not specified, the connection must contain an
2477           "802-3-ethernet" setting with a "mac-address" property.
2478
2479           Format: string
2480
2481       port
2482           Alias: port
2483
2484           The port component of the SCI (Secure Channel Identifier), between
2485           1 and 65534.
2486
2487           Format: int32
2488
2489       send-sci
2490           Specifies whether the SCI (Secure Channel Identifier) is included
2491           in every packet.
2492
2493           Format: boolean
2494
2495       validation
2496           Specifies the validation mode for incoming frames.
2497
2498           Format: int32
2499
2500   macvlan setting
2501       MAC VLAN Settings.
2502
2503       Properties:
2504
2505       mode
2506           Alias: mode
2507
2508           The macvlan mode, which specifies the communication mechanism
2509           between multiple macvlans on the same lower device.
2510
2511           Format: uint32
2512
2513       parent
2514           Alias: dev
2515
2516           If given, specifies the parent interface name or parent connection
2517           UUID from which this MAC-VLAN interface should be created. If this
2518           property is not specified, the connection must contain an
2519           "802-3-ethernet" setting with a "mac-address" property.
2520
2521           Format: string
2522
2523       promiscuous
2524           Whether the interface should be put in promiscuous mode.
2525
2526           Format: boolean
2527
2528       tap
2529           Alias: tap
2530
2531           Whether the interface should be a MACVTAP.
2532
2533           Format: boolean
2534
2535   match setting
2536       Match settings.
2537
2538       Properties:
2539
2540       driver
2541           A list of driver names to match. Each element is a shell wildcard
2542           pattern. See NMSettingMatch:interface-name for how special
2543           characters '|', '&', '!' and '\' are used for optional and
2544           mandatory matches and inverting the pattern.
2545
2546           Format: array of string
2547
2548       interface-name
2549           A list of interface names to match. Each element is a shell
2550           wildcard pattern. An element can be prefixed with a pipe symbol (|)
2551           or an ampersand (&). The former means that the element is optional
2552           and the latter means that it is mandatory. If there are any
2553           optional elements, than the match evaluates to true if at least one
2554           of the optional element matches (logical OR). If there are any
2555           mandatory elements, then they all must match (logical AND). By
2556           default, an element is optional. This means that an element "foo"
2557           behaves the same as "|foo". An element can also be inverted with
2558           exclamation mark (!) between the pipe symbol (or the ampersand) and
2559           before the pattern. Note that "!foo" is a shortcut for the
2560           mandatory match "&!foo". Finally, a backslash can be used at the
2561           beginning of the element (after the optional special characters) to
2562           escape the start of the pattern. For example, "&\!a" is an
2563           mandatory match for literally "!a".
2564
2565           Format: array of string
2566
2567       kernel-command-line
2568           A list of kernel command line arguments to match. This may be used
2569           to check whether a specific kernel command line option is set (or
2570           unset, if prefixed with the exclamation mark). The argument must
2571           either be a single word, or an assignment (i.e. two words, joined
2572           by "="). In the former case the kernel command line is searched for
2573           the word appearing as is, or as left hand side of an assignment. In
2574           the latter case, the exact assignment is looked for with right and
2575           left hand side matching. Wildcard patterns are not supported. See
2576           NMSettingMatch:interface-name for how special characters '|', '&',
2577           '!' and '\' are used for optional and mandatory matches and
2578           inverting the match.
2579
2580           Format: array of string
2581
2582       path
2583           A list of paths to match against the ID_PATH udev property of
2584           devices. ID_PATH represents the topological persistent path of a
2585           device. It typically contains a subsystem string (pci, usb,
2586           platform, etc.) and a subsystem-specific identifier. For PCI
2587           devices the path has the form "pci-$domain:$bus:$device.$function",
2588           where each variable is an hexadecimal value; for example
2589           "pci-0000:0a:00.0". The path of a device can be obtained with
2590           "udevadm info /sys/class/net/$dev | grep ID_PATH=" or by looking at
2591           the "path" property exported by NetworkManager ("nmcli -f
2592           general.path device show $dev"). Each element of the list is a
2593           shell wildcard pattern. See NMSettingMatch:interface-name for how
2594           special characters '|', '&', '!' and '\' are used for optional and
2595           mandatory matches and inverting the pattern.
2596
2597           Format: array of string
2598
2599   802-11-olpc-mesh setting
2600       Alias: olpc-mesh
2601
2602       OLPC Wireless Mesh Settings.
2603
2604       Properties:
2605
2606       channel
2607           Alias: channel
2608
2609           Channel on which the mesh network to join is located.
2610
2611           Format: uint32
2612
2613       dhcp-anycast-address
2614           Alias: dhcp-anycast
2615
2616           Anycast DHCP MAC address used when requesting an IP address via
2617           DHCP. The specific anycast address used determines which DHCP
2618           server class answers the request. This is currently only
2619           implemented by dhclient DHCP plugin.
2620
2621           Format: byte array
2622
2623       ssid
2624           Alias: ssid
2625
2626           SSID of the mesh network to join.
2627
2628           Format: byte array
2629
2630   ovs-bridge setting
2631       OvsBridge Link Settings.
2632
2633       Properties:
2634
2635       datapath-type
2636           The data path type. One of "system", "netdev" or empty.
2637
2638           Format: string
2639
2640       fail-mode
2641           The bridge failure mode. One of "secure", "standalone" or empty.
2642
2643           Format: string
2644
2645       mcast-snooping-enable
2646           Enable or disable multicast snooping.
2647
2648           Format: boolean
2649
2650       rstp-enable
2651           Enable or disable RSTP.
2652
2653           Format: boolean
2654
2655       stp-enable
2656           Enable or disable STP.
2657
2658           Format: boolean
2659
2660   ovs-dpdk setting
2661       OvsDpdk Link Settings.
2662
2663       Properties:
2664
2665       devargs
2666           Open vSwitch DPDK device arguments.
2667
2668           Format: string
2669
2670   ovs-interface setting
2671       Open vSwitch Interface Settings.
2672
2673       Properties:
2674
2675       type
2676           The interface type. Either "internal", "system", "patch", "dpdk",
2677           or empty.
2678
2679           Format: string
2680
2681   ovs-patch setting
2682       OvsPatch Link Settings.
2683
2684       Properties:
2685
2686       peer
2687           Specifies the name of the interface for the other side of the
2688           patch. The patch on the other side must also set this interface as
2689           peer.
2690
2691           Format: string
2692
2693   ovs-port setting
2694       OvsPort Link Settings.
2695
2696       Properties:
2697
2698       bond-downdelay
2699           The time port must be inactive in order to be considered down.
2700
2701           Format: uint32
2702
2703       bond-mode
2704           Bonding mode. One of "active-backup", "balance-slb", or
2705           "balance-tcp".
2706
2707           Format: string
2708
2709       bond-updelay
2710           The time port must be active before it starts forwarding traffic.
2711
2712           Format: uint32
2713
2714       lacp
2715           LACP mode. One of "active", "off", or "passive".
2716
2717           Format: string
2718
2719       tag
2720           The VLAN tag in the range 0-4095.
2721
2722           Format: uint32
2723
2724       vlan-mode
2725           The VLAN mode. One of "access", "native-tagged", "native-untagged",
2726           "trunk" or unset.
2727
2728           Format: string
2729
2730   ppp setting
2731       Point-to-Point Protocol Settings.
2732
2733       Properties:
2734
2735       baud
2736           If non-zero, instruct pppd to set the serial port to the specified
2737           baudrate. This value should normally be left as 0 to automatically
2738           choose the speed.
2739
2740           Format: uint32
2741
2742       crtscts
2743           If TRUE, specify that pppd should set the serial port to use
2744           hardware flow control with RTS and CTS signals. This value should
2745           normally be set to FALSE.
2746
2747           Format: boolean
2748
2749       lcp-echo-failure
2750           If non-zero, instruct pppd to presume the connection to the peer
2751           has failed if the specified number of LCP echo-requests go
2752           unanswered by the peer. The "lcp-echo-interval" property must also
2753           be set to a non-zero value if this property is used.
2754
2755           Format: uint32
2756
2757       lcp-echo-interval
2758           If non-zero, instruct pppd to send an LCP echo-request frame to the
2759           peer every n seconds (where n is the specified value). Note that
2760           some PPP peers will respond to echo requests and some will not, and
2761           it is not possible to autodetect this.
2762
2763           Format: uint32
2764
2765       mppe-stateful
2766           If TRUE, stateful MPPE is used. See pppd documentation for more
2767           information on stateful MPPE.
2768
2769           Format: boolean
2770
2771       mru
2772           If non-zero, instruct pppd to request that the peer send packets no
2773           larger than the specified size. If non-zero, the MRU should be
2774           between 128 and 16384.
2775
2776           Format: uint32
2777
2778       mtu
2779           If non-zero, instruct pppd to send packets no larger than the
2780           specified size.
2781
2782           Format: uint32
2783
2784       no-vj-comp
2785           If TRUE, Van Jacobsen TCP header compression will not be requested.
2786
2787           Format: boolean
2788
2789       noauth
2790           If TRUE, do not require the other side (usually the PPP server) to
2791           authenticate itself to the client. If FALSE, require authentication
2792           from the remote side. In almost all cases, this should be TRUE.
2793
2794           Format: boolean
2795
2796       nobsdcomp
2797           If TRUE, BSD compression will not be requested.
2798
2799           Format: boolean
2800
2801       nodeflate
2802           If TRUE, "deflate" compression will not be requested.
2803
2804           Format: boolean
2805
2806       refuse-chap
2807           If TRUE, the CHAP authentication method will not be used.
2808
2809           Format: boolean
2810
2811       refuse-eap
2812           If TRUE, the EAP authentication method will not be used.
2813
2814           Format: boolean
2815
2816       refuse-mschap
2817           If TRUE, the MSCHAP authentication method will not be used.
2818
2819           Format: boolean
2820
2821       refuse-mschapv2
2822           If TRUE, the MSCHAPv2 authentication method will not be used.
2823
2824           Format: boolean
2825
2826       refuse-pap
2827           If TRUE, the PAP authentication method will not be used.
2828
2829           Format: boolean
2830
2831       require-mppe
2832           If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
2833           required for the PPP session. If either 64-bit or 128-bit MPPE is
2834           not available the session will fail. Note that MPPE is not used on
2835           mobile broadband connections.
2836
2837           Format: boolean
2838
2839       require-mppe-128
2840           If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
2841           required for the PPP session, and the "require-mppe" property must
2842           also be set to TRUE. If 128-bit MPPE is not available the session
2843           will fail.
2844
2845           Format: boolean
2846
2847   pppoe setting
2848       PPP-over-Ethernet Settings.
2849
2850       Properties:
2851
2852       parent
2853           Alias: parent
2854
2855           If given, specifies the parent interface name on which this PPPoE
2856           connection should be created. If this property is not specified,
2857           the connection is activated on the interface specified in
2858           "interface-name" of NMSettingConnection.
2859
2860           Format: string
2861
2862       password
2863           Alias: password
2864
2865           Password used to authenticate with the PPPoE service.
2866
2867           Format: string
2868
2869       password-flags
2870           Flags indicating how to handle the "password" property. See the
2871           section called “Secret flag types:” for flag values.
2872
2873           Format: NMSettingSecretFlags (uint32)
2874
2875       service
2876           Alias: service
2877
2878           If specified, instruct PPPoE to only initiate sessions with access
2879           concentrators that provide the specified service. For most
2880           providers, this should be left blank. It is only required if there
2881           are multiple access concentrators or a specific service is known to
2882           be required.
2883
2884           Format: string
2885
2886       username
2887           Alias: username
2888
2889           Username used to authenticate with the PPPoE service.
2890
2891           Format: string
2892
2893   proxy setting
2894       WWW Proxy Settings.
2895
2896       Properties:
2897
2898       browser-only
2899           Alias: browser-only
2900
2901           Whether the proxy configuration is for browser only.
2902
2903           Format: boolean
2904
2905       method
2906           Alias: method
2907
2908           Method for proxy configuration, Default is
2909           NM_SETTING_PROXY_METHOD_NONE (0)
2910
2911           Format: int32
2912
2913       pac-script
2914           Alias: pac-script
2915
2916           PAC script for the connection.
2917
2918           Format: string
2919
2920       pac-url
2921           Alias: pac-url
2922
2923           PAC URL for obtaining PAC file.
2924
2925           Format: string
2926
2927   serial setting
2928       Serial Link Settings.
2929
2930       Properties:
2931
2932       baud
2933           Speed to use for communication over the serial port. Note that this
2934           value usually has no effect for mobile broadband modems as they
2935           generally ignore speed settings and use the highest available
2936           speed.
2937
2938           Format: uint32
2939
2940       bits
2941           Byte-width of the serial communication. The 8 in "8n1" for example.
2942
2943           Format: uint32
2944
2945       parity
2946           Parity setting of the serial port.
2947
2948           Format: NMSettingSerialParity (byte)
2949
2950       send-delay
2951           Time to delay between each byte sent to the modem, in microseconds.
2952
2953           Format: uint64
2954
2955       stopbits
2956           Number of stop bits for communication on the serial port. Either 1
2957           or 2. The 1 in "8n1" for example.
2958
2959           Format: uint32
2960
2961   sriov setting
2962       SR-IOV settings.
2963
2964       Properties:
2965
2966       autoprobe-drivers
2967           Whether to autoprobe virtual functions by a compatible driver. If
2968           set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
2969           compatible driver and if this succeeds a new network interface will
2970           be instantiated for each VF. If set to NM_TERNARY_FALSE (0), VFs
2971           will not be claimed and no network interfaces will be created for
2972           them. When set to NM_TERNARY_DEFAULT (-1), the global default is
2973           used; in case the global default is unspecified it is assumed to be
2974           NM_TERNARY_TRUE (1).
2975
2976           Format: NMTernary (int32)
2977
2978       total-vfs
2979           The total number of virtual functions to create. Note that when the
2980           sriov setting is present NetworkManager enforces the number of
2981           virtual functions on the interface (also when it is zero) during
2982           activation and resets it upon deactivation. To prevent any changes
2983           to SR-IOV parameters don't add a sriov setting to the connection.
2984
2985           Format: uint32
2986
2987       vfs
2988           Array of virtual function descriptors. Each VF descriptor is a
2989           dictionary mapping attribute names to GVariant values. The 'index'
2990           entry is mandatory for each VF. When represented as string a VF is
2991           in the form: "INDEX [ATTR=VALUE[ ATTR=VALUE]...]". for example: "2
2992           mac=00:11:22:33:44:55 spoof-check=true". Multiple VFs can be
2993           specified using a comma as separator. Currently, the following
2994           attributes are supported: mac, spoof-check, trust, min-tx-rate,
2995           max-tx-rate, vlans. The "vlans" attribute is represented as a
2996           semicolon-separated list of VLAN descriptors, where each descriptor
2997           has the form "ID[.PRIORITY[.PROTO]]". PROTO can be either 'q' for
2998           802.1Q (the default) or 'ad' for 802.1ad.
2999
3000           Format: array of vardict
3001
3002   tc setting
3003       Linux Traffic Control Settings.
3004
3005       Properties:
3006
3007       qdiscs
3008           Array of TC queueing disciplines. When the "tc" setting is present,
3009           qdiscs from this property are applied upon activation. If the
3010           property is empty, all qdiscs are removed and the device will only
3011           have the default qdisc assigned by kernel according to the
3012           "net.core.default_qdisc" sysctl. If the "tc" setting is not
3013           present, NetworkManager doesn't touch the qdiscs present on the
3014           interface.
3015
3016           Format: array of vardict
3017
3018       tfilters
3019           Array of TC traffic filters. When the "tc" setting is present,
3020           filters from this property are applied upon activation. If the
3021           property is empty, NetworkManager removes all the filters. If the
3022           "tc" setting is not present, NetworkManager doesn't touch the
3023           filters present on the interface.
3024
3025           Format: array of vardict
3026
3027   team setting
3028       Teaming Settings.
3029
3030       Properties:
3031
3032       config
3033           Alias: config
3034
3035           The JSON configuration for the team network interface. The property
3036           should contain raw JSON configuration data suitable for teamd,
3037           because the value is passed directly to teamd. If not specified,
3038           the default configuration is used. See man teamd.conf for the
3039           format details.
3040
3041           Format: string
3042
3043       link-watchers
3044           Link watchers configuration for the connection: each link watcher
3045           is defined by a dictionary, whose keys depend upon the selected
3046           link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3047           and 'arp_ping' and it is specified in the dictionary with the key
3048           'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3049           'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3050           'target-host'; arp_ping: all the ones in nsna_ping and
3051           'source-host', 'validate-active', 'validate-inactive',
3052           'send-always'. See teamd.conf man for more details.
3053
3054           Format: array of vardict
3055
3056       mcast-rejoin-count
3057           Corresponds to the teamd mcast_rejoin.count.
3058
3059           Format: int32
3060
3061       mcast-rejoin-interval
3062           Corresponds to the teamd mcast_rejoin.interval.
3063
3064           Format: int32
3065
3066       notify-peers-count
3067           Corresponds to the teamd notify_peers.count.
3068
3069           Format: int32
3070
3071       notify-peers-interval
3072           Corresponds to the teamd notify_peers.interval.
3073
3074           Format: int32
3075
3076       runner
3077           Corresponds to the teamd runner.name. Permitted values are:
3078           "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
3079           "random".
3080
3081           Format: string
3082
3083       runner-active
3084           Corresponds to the teamd runner.active.
3085
3086           Format: boolean
3087
3088       runner-agg-select-policy
3089           Corresponds to the teamd runner.agg_select_policy.
3090
3091           Format: string
3092
3093       runner-fast-rate
3094           Corresponds to the teamd runner.fast_rate.
3095
3096           Format: boolean
3097
3098       runner-hwaddr-policy
3099           Corresponds to the teamd runner.hwaddr_policy.
3100
3101           Format: string
3102
3103       runner-min-ports
3104           Corresponds to the teamd runner.min_ports.
3105
3106           Format: int32
3107
3108       runner-sys-prio
3109           Corresponds to the teamd runner.sys_prio.
3110
3111           Format: int32
3112
3113       runner-tx-balancer
3114           Corresponds to the teamd runner.tx_balancer.name.
3115
3116           Format: string
3117
3118       runner-tx-balancer-interval
3119           Corresponds to the teamd runner.tx_balancer.interval.
3120
3121           Format: int32
3122
3123       runner-tx-hash
3124           Corresponds to the teamd runner.tx_hash.
3125
3126           Format: array of string
3127
3128   team-port setting
3129       Team Port Settings.
3130
3131       Properties:
3132
3133       config
3134           Alias: config
3135
3136           The JSON configuration for the team port. The property should
3137           contain raw JSON configuration data suitable for teamd, because the
3138           value is passed directly to teamd. If not specified, the default
3139           configuration is used. See man teamd.conf for the format details.
3140
3141           Format: string
3142
3143       lacp-key
3144           Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3145
3146           Format: int32
3147
3148       lacp-prio
3149           Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3150
3151           Format: int32
3152
3153       link-watchers
3154           Link watchers configuration for the connection: each link watcher
3155           is defined by a dictionary, whose keys depend upon the selected
3156           link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3157           and 'arp_ping' and it is specified in the dictionary with the key
3158           'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3159           'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3160           'target-host'; arp_ping: all the ones in nsna_ping and
3161           'source-host', 'validate-active', 'validate-inactive',
3162           'send-always'. See teamd.conf man for more details.
3163
3164           Format: array of vardict
3165
3166       prio
3167           Corresponds to the teamd ports.PORTIFNAME.prio.
3168
3169           Format: int32
3170
3171       queue-id
3172           Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1
3173           means the parameter is skipped from the json config.
3174
3175           Format: int32
3176
3177       sticky
3178           Corresponds to the teamd ports.PORTIFNAME.sticky.
3179
3180           Format: boolean
3181
3182   tun setting
3183       Tunnel Settings.
3184
3185       Properties:
3186
3187       group
3188           Alias: group
3189
3190           The group ID which will own the device. If set to NULL everyone
3191           will be able to use the device.
3192
3193           Format: string
3194
3195       mode
3196           Alias: mode
3197
3198           The operating mode of the virtual device. Allowed values are
3199           NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3200           NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3201
3202           Format: uint32
3203
3204       multi-queue
3205           Alias: multi-queue
3206
3207           If the property is set to TRUE, the interface will support multiple
3208           file descriptors (queues) to parallelize packet sending or
3209           receiving. Otherwise, the interface will only support a single
3210           queue.
3211
3212           Format: boolean
3213
3214       owner
3215           Alias: owner
3216
3217           The user ID which will own the device. If set to NULL everyone will
3218           be able to use the device.
3219
3220           Format: string
3221
3222       pi
3223           Alias: pi
3224
3225           If TRUE the interface will prepend a 4 byte header describing the
3226           physical interface to the packets.
3227
3228           Format: boolean
3229
3230       vnet-hdr
3231           Alias: vnet-hdr
3232
3233           If TRUE the IFF_VNET_HDR the tunnel packets will include a virtio
3234           network header.
3235
3236           Format: boolean
3237
3238   vlan setting
3239       VLAN Settings.
3240
3241       Properties:
3242
3243       egress-priority-map
3244           Alias: egress
3245
3246           For outgoing packets, a list of mappings from Linux SKB priorities
3247           to 802.1p priorities. The mapping is given in the format "from:to"
3248           where both "from" and "to" are unsigned integers, ie "7:3".
3249
3250           Format: array of string
3251
3252       flags
3253           Alias: flags
3254
3255           One or more flags which control the behavior and features of the
3256           VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
3257           (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
3258           of the GVRP protocol), and NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
3259           binding of the interface to its master device's operating state).
3260           NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol). The default
3261           value of this property is NM_VLAN_FLAG_REORDER_HEADERS, but it used
3262           to be 0. To preserve backward compatibility, the default-value in
3263           the D-Bus API continues to be 0 and a missing property on D-Bus is
3264           still considered as 0.
3265
3266           Format: NMVlanFlags (uint32)
3267
3268       id
3269           Alias: id
3270
3271           The VLAN identifier that the interface created by this connection
3272           should be assigned. The valid range is from 0 to 4094, without the
3273           reserved id 4095.
3274
3275           Format: uint32
3276
3277       ingress-priority-map
3278           Alias: ingress
3279
3280           For incoming packets, a list of mappings from 802.1p priorities to
3281           Linux SKB priorities. The mapping is given in the format "from:to"
3282           where both "from" and "to" are unsigned integers, ie "7:3".
3283
3284           Format: array of string
3285
3286       parent
3287           Alias: dev
3288
3289           If given, specifies the parent interface name or parent connection
3290           UUID from which this VLAN interface should be created. If this
3291           property is not specified, the connection must contain an
3292           "802-3-ethernet" setting with a "mac-address" property.
3293
3294           Format: string
3295
3296   vpn setting
3297       VPN Settings.
3298
3299       Properties:
3300
3301       data
3302           Dictionary of key/value pairs of VPN plugin specific data. Both
3303           keys and values must be strings.
3304
3305           Format: dict of string to string
3306
3307       persistent
3308           If the VPN service supports persistence, and this property is TRUE,
3309           the VPN will attempt to stay connected across link changes and
3310           outages, until explicitly disconnected.
3311
3312           Format: boolean
3313
3314       secrets
3315           Dictionary of key/value pairs of VPN plugin specific secrets like
3316           passwords or private keys. Both keys and values must be strings.
3317
3318           Format: dict of string to string
3319
3320       service-type
3321           Alias: vpn-type
3322
3323           D-Bus service name of the VPN plugin that this setting uses to
3324           connect to its network. i.e. org.freedesktop.NetworkManager.vpnc
3325           for the vpnc plugin.
3326
3327           Format: string
3328
3329       timeout
3330           Timeout for the VPN service to establish the connection. Some
3331           services may take quite a long time to connect. Value of 0 means a
3332           default timeout, which is 60 seconds (unless overridden by
3333           vpn.timeout in configuration file). Values greater than zero mean
3334           timeout in seconds.
3335
3336           Format: uint32
3337
3338       user-name
3339           Alias: user
3340
3341           If the VPN connection requires a user name for authentication, that
3342           name should be provided here. If the connection is available to
3343           more than one user, and the VPN requires each user to supply a
3344           different name, then leave this property empty. If this property is
3345           empty, NetworkManager will automatically supply the username of the
3346           user which requested the VPN connection.
3347
3348           Format: string
3349
3350   vrf setting
3351       VRF settings.
3352
3353       Properties:
3354
3355       table
3356           Alias: table
3357
3358           The routing table for this VRF.
3359
3360           Format: uint32
3361
3362   vxlan setting
3363       VXLAN Settings.
3364
3365       Properties:
3366
3367       ageing
3368           Specifies the lifetime in seconds of FDB entries learnt by the
3369           kernel.
3370
3371           Format: uint32
3372
3373       destination-port
3374           Alias: destination-port
3375
3376           Specifies the UDP destination port to communicate to the remote
3377           VXLAN tunnel endpoint.
3378
3379           Format: uint32
3380
3381       id
3382           Alias: id
3383
3384           Specifies the VXLAN Network Identifier (or VXLAN Segment
3385           Identifier) to use.
3386
3387           Format: uint32
3388
3389       l2-miss
3390           Specifies whether netlink LL ADDR miss notifications are generated.
3391
3392           Format: boolean
3393
3394       l3-miss
3395           Specifies whether netlink IP ADDR miss notifications are generated.
3396
3397           Format: boolean
3398
3399       learning
3400           Specifies whether unknown source link layer addresses and IP
3401           addresses are entered into the VXLAN device forwarding database.
3402
3403           Format: boolean
3404
3405       limit
3406           Specifies the maximum number of FDB entries. A value of zero means
3407           that the kernel will store unlimited entries.
3408
3409           Format: uint32
3410
3411       local
3412           Alias: local
3413
3414           If given, specifies the source IP address to use in outgoing
3415           packets.
3416
3417           Format: string
3418
3419       parent
3420           Alias: dev
3421
3422           If given, specifies the parent interface name or parent connection
3423           UUID.
3424
3425           Format: string
3426
3427       proxy
3428           Specifies whether ARP proxy is turned on.
3429
3430           Format: boolean
3431
3432       remote
3433           Alias: remote
3434
3435           Specifies the unicast destination IP address to use in outgoing
3436           packets when the destination link layer address is not known in the
3437           VXLAN device forwarding database, or the multicast IP address to
3438           join.
3439
3440           Format: string
3441
3442       rsc
3443           Specifies whether route short circuit is turned on.
3444
3445           Format: boolean
3446
3447       source-port-max
3448           Alias: source-port-max
3449
3450           Specifies the maximum UDP source port to communicate to the remote
3451           VXLAN tunnel endpoint.
3452
3453           Format: uint32
3454
3455       source-port-min
3456           Alias: source-port-min
3457
3458           Specifies the minimum UDP source port to communicate to the remote
3459           VXLAN tunnel endpoint.
3460
3461           Format: uint32
3462
3463       tos
3464           Specifies the TOS value to use in outgoing packets.
3465
3466           Format: uint32
3467
3468       ttl
3469           Specifies the time-to-live value to use in outgoing packets.
3470
3471           Format: uint32
3472
3473   wifi-p2p setting
3474       Wi-Fi P2P Settings.
3475
3476       Properties:
3477
3478       peer
3479           Alias: peer
3480
3481           The P2P device that should be connected to. Currently, this is the
3482           only way to create or join a group.
3483
3484           Format: string
3485
3486       wfd-ies
3487           The Wi-Fi Display (WFD) Information Elements (IEs) to set. Wi-Fi
3488           Display requires a protocol specific information element to be set
3489           in certain Wi-Fi frames. These can be specified here for the
3490           purpose of establishing a connection. This setting is only useful
3491           when implementing a Wi-Fi Display client.
3492
3493           Format: byte array
3494
3495       wps-method
3496           Flags indicating which mode of WPS is to be used. There's little
3497           point in changing the default setting as NetworkManager will
3498           automatically determine the best method to use.
3499
3500           Format: uint32
3501
3502   wimax setting
3503       WiMax Settings.
3504
3505       Properties:
3506
3507       mac-address
3508           Alias: mac
3509
3510           If specified, this connection will only apply to the WiMAX device
3511           whose MAC address matches. This property does not change the MAC
3512           address of the device (known as MAC spoofing). Deprecated: 1
3513
3514           Format: byte array
3515
3516       network-name
3517           Alias: nsp
3518
3519           Network Service Provider (NSP) name of the WiMAX network this
3520           connection should use. Deprecated: 1
3521
3522           Format: string
3523
3524   802-3-ethernet setting
3525       Alias: ethernet
3526
3527       Wired Ethernet Settings.
3528
3529       Properties:
3530
3531       accept-all-mac-addresses
3532           When TRUE, setup the interface to accept packets for all MAC
3533           addresses. This is enabling the kernel interface flag IFF_PROMISC.
3534           When FALSE, the interface will only accept the packets with the
3535           interface destination mac address or broadcast.
3536
3537           Format: NMTernary (int32)
3538
3539       auto-negotiate
3540           When TRUE, enforce auto-negotiation of speed and duplex mode. If
3541           "speed" and "duplex" properties are both specified, only that
3542           single mode will be advertised and accepted during the link
3543           auto-negotiation process: this works only for BASE-T 802.3
3544           specifications and is useful for enforcing gigabits modes, as in
3545           these cases link negotiation is mandatory. When FALSE, "speed" and
3546           "duplex" properties should be both set or link configuration will
3547           be skipped.
3548
3549           Format: boolean
3550
3551       cloned-mac-address
3552           Alias: cloned-mac
3553
3554           If specified, request that the device use this MAC address instead.
3555           This is known as MAC cloning or spoofing. Beside explicitly
3556           specifying a MAC address, the special values "preserve",
3557           "permanent", "random" and "stable" are supported. "preserve" means
3558           not to touch the MAC address on activation. "permanent" means to
3559           use the permanent hardware address if the device has one (otherwise
3560           this is treated as "preserve"). "random" creates a random MAC
3561           address on each connect. "stable" creates a hashed MAC address
3562           based on connection.stable-id and a machine dependent key. If
3563           unspecified, the value can be overwritten via global defaults, see
3564           manual of NetworkManager.conf. If still unspecified, it defaults to
3565           "preserve" (older versions of NetworkManager may use a different
3566           default value). On D-Bus, this field is expressed as
3567           "assigned-mac-address" or the deprecated "cloned-mac-address".
3568
3569           Format: byte array
3570
3571       duplex
3572           When a value is set, either "half" or "full", configures the device
3573           to use the specified duplex mode. If "auto-negotiate" is "yes" the
3574           specified duplex mode will be the only one advertised during link
3575           negotiation: this works only for BASE-T 802.3 specifications and is
3576           useful for enforcing gigabits modes, as in these cases link
3577           negotiation is mandatory. If the value is unset (the default), the
3578           link configuration will be either skipped (if "auto-negotiate" is
3579           "no", the default) or will be auto-negotiated (if "auto-negotiate"
3580           is "yes") and the local device will advertise all the supported
3581           duplex modes. Must be set together with the "speed" property if
3582           specified. Before specifying a duplex mode be sure your device
3583           supports it.
3584
3585           Format: string
3586
3587       generate-mac-address-mask
3588           With "cloned-mac-address" setting "random" or "stable", by default
3589           all bits of the MAC address are scrambled and a
3590           locally-administered, unicast MAC address is created. This property
3591           allows to specify that certain bits are fixed. Note that the least
3592           significant bit of the first MAC address will always be unset to
3593           create a unicast MAC address. If the property is NULL, it is
3594           eligible to be overwritten by a default connection setting. If the
3595           value is still NULL or an empty string, the default is to create a
3596           locally-administered, unicast MAC address. If the value contains
3597           one MAC address, this address is used as mask. The set bits of the
3598           mask are to be filled with the current MAC address of the device,
3599           while the unset bits are subject to randomization. Setting
3600           "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3601           address and only randomize the lower 3 bytes using the "random" or
3602           "stable" algorithm. If the value contains one additional MAC
3603           address after the mask, this address is used instead of the current
3604           MAC address to fill the bits that shall not be randomized. For
3605           example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3606           the OUI of the MAC address to 68:F7:28, while the lower bits are
3607           randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3608           create a fully scrambled globally-administered, burned-in MAC
3609           address. If the value contains more than one additional MAC
3610           addresses, one of them is chosen randomly. For example,
3611           "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3612           a fully scrambled MAC address, randomly locally or globally
3613           administered.
3614
3615           Format: string
3616
3617       mac-address
3618           Alias: mac
3619
3620           If specified, this connection will only apply to the Ethernet
3621           device whose permanent MAC address matches. This property does not
3622           change the MAC address of the device (i.e. MAC spoofing).
3623
3624           Format: byte array
3625
3626       mac-address-blacklist
3627           If specified, this connection will never apply to the Ethernet
3628           device whose permanent MAC address matches an address in the list.
3629           Each MAC address is in the standard hex-digits-and-colons notation
3630           (00:11:22:33:44:55).
3631
3632           Format: array of string
3633
3634       mtu
3635           Alias: mtu
3636
3637           If non-zero, only transmit packets of the specified size or
3638           smaller, breaking larger packets up into multiple Ethernet frames.
3639
3640           Format: uint32
3641
3642       port
3643           Specific port type to use if the device supports multiple
3644           attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
3645           Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
3646           Interface). If the device supports only one port type, this setting
3647           is ignored.
3648
3649           Format: string
3650
3651       s390-nettype
3652           s390 network device type; one of "qeth", "lcs", or "ctc",
3653           representing the different types of virtual network devices
3654           available on s390 systems.
3655
3656           Format: string
3657
3658       s390-options
3659           Dictionary of key/value pairs of s390-specific device options. Both
3660           keys and values must be strings. Allowed keys include "portno",
3661           "layer2", "portname", "protocol", among others. Key names must
3662           contain only alphanumeric characters (ie, [a-zA-Z0-9]).
3663
3664           Format: dict of string to string
3665
3666       s390-subchannels
3667           Identifies specific subchannels that this network device uses for
3668           communication with z/VM or s390 host. Like the "mac-address"
3669           property for non-z/VM devices, this property can be used to ensure
3670           this connection only applies to the network device that uses these
3671           subchannels. The list should contain exactly 3 strings, and each
3672           string may only be composed of hexadecimal characters and the
3673           period (.) character.
3674
3675           Format: array of string
3676
3677       speed
3678           When a value greater than 0 is set, configures the device to use
3679           the specified speed. If "auto-negotiate" is "yes" the specified
3680           speed will be the only one advertised during link negotiation: this
3681           works only for BASE-T 802.3 specifications and is useful for
3682           enforcing gigabit speeds, as in this case link negotiation is
3683           mandatory. If the value is unset (0, the default), the link
3684           configuration will be either skipped (if "auto-negotiate" is "no",
3685           the default) or will be auto-negotiated (if "auto-negotiate" is
3686           "yes") and the local device will advertise all the supported
3687           speeds. In Mbit/s, ie 100 == 100Mbit/s. Must be set together with
3688           the "duplex" property when non-zero. Before specifying a speed
3689           value be sure your device supports it.
3690
3691           Format: uint32
3692
3693       wake-on-lan
3694           The NMSettingWiredWakeOnLan options to enable. Not all devices
3695           support all options. May be any combination of
3696           NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
3697           NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
3698           NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
3699           NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
3700           NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
3701           NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
3702           NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
3703           and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
3704           management of Wake-on-LAN in NetworkManager).
3705
3706           Format: uint32
3707
3708       wake-on-lan-password
3709           If specified, the password used with magic-packet-based
3710           Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
3711           password will be required.
3712
3713           Format: string
3714
3715   wireguard setting
3716       WireGuard Settings.
3717
3718       Properties:
3719
3720       fwmark
3721           The use of fwmark is optional and is by default off. Setting it to
3722           0 disables it. Otherwise, it is a 32-bit fwmark for outgoing
3723           packets. Note that "ip4-auto-default-route" or
3724           "ip6-auto-default-route" enabled, implies to automatically choose a
3725           fwmark.
3726
3727           Format: uint32
3728
3729       ip4-auto-default-route
3730           Whether to enable special handling of the IPv4 default route. If
3731           enabled, the IPv4 default route from wireguard.peer-routes will be
3732           placed to a dedicated routing-table and two policy routing rules
3733           will be added. The fwmark number is also used as routing-table for
3734           the default-route, and if fwmark is zero, an unused fwmark/table is
3735           chosen automatically. This corresponds to what wg-quick does with
3736           Table=auto and what WireGuard calls "Improved Rule-based Routing".
3737           Note that for this automatism to work, you usually don't want to
3738           set ipv4.gateway, because that will result in a conflicting default
3739           route. Leaving this at the default will enable this option
3740           automatically if ipv4.never-default is not set and there are any
3741           peers that use a default-route as allowed-ips.
3742
3743           Format: NMTernary (int32)
3744
3745       ip6-auto-default-route
3746           Like ip4-auto-default-route, but for the IPv6 default route.
3747
3748           Format: NMTernary (int32)
3749
3750       listen-port
3751           The listen-port. If listen-port is not specified, the port will be
3752           chosen randomly when the interface comes up.
3753
3754           Format: uint32
3755
3756       mtu
3757           If non-zero, only transmit packets of the specified size or
3758           smaller, breaking larger packets up into multiple fragments. If
3759           zero a default MTU is used. Note that contrary to wg-quick's MTU
3760           setting, this does not take into account the current routes at the
3761           time of activation.
3762
3763           Format: uint32
3764
3765       peer-routes
3766           Whether to automatically add routes for the AllowedIPs ranges of
3767           the peers. If TRUE (the default), NetworkManager will automatically
3768           add routes in the routing tables according to ipv4.route-table and
3769           ipv6.route-table. Usually you want this automatism enabled. If
3770           FALSE, no such routes are added automatically. In this case, the
3771           user may want to configure static routes in ipv4.routes and
3772           ipv6.routes, respectively. Note that if the peer's AllowedIPs is
3773           "0.0.0.0/0" or "::/0" and the profile's ipv4.never-default or
3774           ipv6.never-default setting is enabled, the peer route for this peer
3775           won't be added automatically.
3776
3777           Format: boolean
3778
3779       private-key
3780           The 256 bit private-key in base64 encoding.
3781
3782           Format: string
3783
3784       private-key-flags
3785           Flags indicating how to handle the "private-key" property. See the
3786           section called “Secret flag types:” for flag values.
3787
3788           Format: NMSettingSecretFlags (uint32)
3789
3790   802-11-wireless setting
3791       Alias: wifi
3792
3793       Wi-Fi Settings.
3794
3795       Properties:
3796
3797       ap-isolation
3798           Configures AP isolation, which prevents communication between
3799           wireless devices connected to this AP. This property can be set to
3800           a value different from NM_TERNARY_DEFAULT (-1) only when the
3801           interface is configured in AP mode. If set to NM_TERNARY_TRUE (1),
3802           devices are not able to communicate with each other. This increases
3803           security because it protects devices against attacks from other
3804           clients in the network. At the same time, it prevents devices to
3805           access resources on the same wireless networks as file shares,
3806           printers, etc. If set to NM_TERNARY_FALSE (0), devices can talk to
3807           each other. When set to NM_TERNARY_DEFAULT (-1), the global default
3808           is used; in case the global default is unspecified it is assumed to
3809           be NM_TERNARY_FALSE (0).
3810
3811           Format: NMTernary (int32)
3812
3813       band
3814           802.11 frequency band of the network. One of "a" for 5GHz 802.11a
3815           or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
3816           network to the specific band, i.e. if "a" is specified, the device
3817           will not associate with the same network in the 2.4GHz band even if
3818           the network's settings are compatible. This setting depends on
3819           specific driver capability and may not work with all drivers.
3820
3821           Format: string
3822
3823       bssid
3824           If specified, directs the device to only associate with the given
3825           access point. This capability is highly driver dependent and not
3826           supported by all devices. Note: this property does not control the
3827           BSSID used when creating an Ad-Hoc network and is unlikely to in
3828           the future.
3829
3830           Format: byte array
3831
3832       channel
3833           Wireless channel to use for the Wi-Fi connection. The device will
3834           only join (or create for Ad-Hoc networks) a Wi-Fi network on the
3835           specified channel. Because channel numbers overlap between bands,
3836           this property also requires the "band" property to be set.
3837
3838           Format: uint32
3839
3840       cloned-mac-address
3841           Alias: cloned-mac
3842
3843           If specified, request that the device use this MAC address instead.
3844           This is known as MAC cloning or spoofing. Beside explicitly
3845           specifying a MAC address, the special values "preserve",
3846           "permanent", "random" and "stable" are supported. "preserve" means
3847           not to touch the MAC address on activation. "permanent" means to
3848           use the permanent hardware address of the device. "random" creates
3849           a random MAC address on each connect. "stable" creates a hashed MAC
3850           address based on connection.stable-id and a machine dependent key.
3851           If unspecified, the value can be overwritten via global defaults,
3852           see manual of NetworkManager.conf. If still unspecified, it
3853           defaults to "preserve" (older versions of NetworkManager may use a
3854           different default value). On D-Bus, this field is expressed as
3855           "assigned-mac-address" or the deprecated "cloned-mac-address".
3856
3857           Format: byte array
3858
3859       generate-mac-address-mask
3860           With "cloned-mac-address" setting "random" or "stable", by default
3861           all bits of the MAC address are scrambled and a
3862           locally-administered, unicast MAC address is created. This property
3863           allows to specify that certain bits are fixed. Note that the least
3864           significant bit of the first MAC address will always be unset to
3865           create a unicast MAC address. If the property is NULL, it is
3866           eligible to be overwritten by a default connection setting. If the
3867           value is still NULL or an empty string, the default is to create a
3868           locally-administered, unicast MAC address. If the value contains
3869           one MAC address, this address is used as mask. The set bits of the
3870           mask are to be filled with the current MAC address of the device,
3871           while the unset bits are subject to randomization. Setting
3872           "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3873           address and only randomize the lower 3 bytes using the "random" or
3874           "stable" algorithm. If the value contains one additional MAC
3875           address after the mask, this address is used instead of the current
3876           MAC address to fill the bits that shall not be randomized. For
3877           example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3878           the OUI of the MAC address to 68:F7:28, while the lower bits are
3879           randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3880           create a fully scrambled globally-administered, burned-in MAC
3881           address. If the value contains more than one additional MAC
3882           addresses, one of them is chosen randomly. For example,
3883           "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3884           a fully scrambled MAC address, randomly locally or globally
3885           administered.
3886
3887           Format: string
3888
3889       hidden
3890           If TRUE, indicates that the network is a non-broadcasting network
3891           that hides its SSID. This works both in infrastructure and AP mode.
3892           In infrastructure mode, various workarounds are used for a more
3893           reliable discovery of hidden networks, such as probe-scanning the
3894           SSID. However, these workarounds expose inherent insecurities with
3895           hidden SSID networks, and thus hidden SSID networks should be used
3896           with caution. In AP mode, the created network does not broadcast
3897           its SSID. Note that marking the network as hidden may be a privacy
3898           issue for you (in infrastructure mode) or client stations (in AP
3899           mode), as the explicit probe-scans are distinctly recognizable on
3900           the air.
3901
3902           Format: boolean
3903
3904       mac-address
3905           Alias: mac
3906
3907           If specified, this connection will only apply to the Wi-Fi device
3908           whose permanent MAC address matches. This property does not change
3909           the MAC address of the device (i.e. MAC spoofing).
3910
3911           Format: byte array
3912
3913       mac-address-blacklist
3914           A list of permanent MAC addresses of Wi-Fi devices to which this
3915           connection should never apply. Each MAC address should be given in
3916           the standard hex-digits-and-colons notation (eg
3917           "00:11:22:33:44:55").
3918
3919           Format: array of string
3920
3921       mac-address-randomization
3922           One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
3923           unless the user has set a global default to randomize and the
3924           supplicant supports randomization),
3925           NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
3926           address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
3927           randomize the MAC address). This property is deprecated for
3928           'cloned-mac-address'. Deprecated: 1
3929
3930           Format: uint32
3931
3932       mode
3933           Alias: mode
3934
3935           Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
3936           "ap". If blank, infrastructure is assumed.
3937
3938           Format: string
3939
3940       mtu
3941           Alias: mtu
3942
3943           If non-zero, only transmit packets of the specified size or
3944           smaller, breaking larger packets up into multiple Ethernet frames.
3945
3946           Format: uint32
3947
3948       powersave
3949           One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
3950           power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
3951           Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
3952           (don't touch currently configure setting) or
3953           NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
3954           configured value). All other values are reserved.
3955
3956           Format: uint32
3957
3958       rate
3959           If non-zero, directs the device to only use the specified bitrate
3960           for communication with the access point. Units are in Kb/s, ie 5500
3961           = 5.5 Mbit/s. This property is highly driver dependent and not all
3962           devices support setting a static bitrate.
3963
3964           Format: uint32
3965
3966       seen-bssids
3967           A list of BSSIDs (each BSSID formatted as a MAC address like
3968           "00:11:22:33:44:55") that have been detected as part of the Wi-Fi
3969           network. NetworkManager internally tracks previously seen BSSIDs.
3970           The property is only meant for reading and reflects the BSSID list
3971           of NetworkManager. The changes you make to this property will not
3972           be preserved.
3973
3974           Format: array of string
3975
3976       ssid
3977           Alias: ssid
3978
3979           SSID of the Wi-Fi network. Must be specified.
3980
3981           Format: byte array
3982
3983       tx-power
3984           If non-zero, directs the device to use the specified transmit
3985           power. Units are dBm. This property is highly driver dependent and
3986           not all devices support setting a static transmit power.
3987
3988           Format: uint32
3989
3990       wake-on-wlan
3991           The NMSettingWirelessWakeOnWLan options to enable. Not all devices
3992           support all options. May be any combination of
3993           NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
3994           NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
3995           NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
3996           NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
3997           NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
3998           NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
3999           NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
4000           NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
4001           NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
4002           settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
4003           disable management of Wake-on-LAN in NetworkManager).
4004
4005           Format: uint32
4006
4007   802-11-wireless-security setting
4008       Alias: wifi-sec
4009
4010       Wi-Fi Security Settings.
4011
4012       Properties:
4013
4014       auth-alg
4015           When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate
4016           the 802.11 authentication algorithm required by the AP here. One of
4017           "open" for Open System, "shared" for Shared Key, or "leap" for
4018           Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and
4019           auth-alg = "leap") the "leap-username" and "leap-password"
4020           properties must be specified.
4021
4022           Format: string
4023
4024       fils
4025           Indicates whether Fast Initial Link Setup (802.11ai) must be
4026           enabled for the connection. One of
4027           NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
4028           value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
4029           FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
4030           if the supplicant and the access point support it) or
4031           NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
4032           fail if not supported). When set to
4033           NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
4034           is set, FILS will be optionally enabled.
4035
4036           Format: int32
4037
4038       group
4039           A list of group/broadcast encryption algorithms which prevents
4040           connections to Wi-Fi networks that do not utilize one of the
4041           algorithms in the list. For maximum compatibility leave this
4042           property empty. Each list element may be one of "wep40", "wep104",
4043           "tkip", or "ccmp".
4044
4045           Format: array of string
4046
4047       key-mgmt
4048           Key management used for the connection. One of "none" (WEP or no
4049           password protection), "ieee8021x" (Dynamic WEP), "owe"
4050           (Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3
4051           personal), "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3
4052           enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only). This
4053           property must be set for any Wi-Fi connection that uses security.
4054
4055           Format: string
4056
4057       leap-password
4058           The login password for legacy LEAP connections (ie, key-mgmt =
4059           "ieee8021x" and auth-alg = "leap").
4060
4061           Format: string
4062
4063       leap-password-flags
4064           Flags indicating how to handle the "leap-password" property. See
4065           the section called “Secret flag types:” for flag values.
4066
4067           Format: NMSettingSecretFlags (uint32)
4068
4069       leap-username
4070           The login username for legacy LEAP connections (ie, key-mgmt =
4071           "ieee8021x" and auth-alg = "leap").
4072
4073           Format: string
4074
4075       pairwise
4076           A list of pairwise encryption algorithms which prevents connections
4077           to Wi-Fi networks that do not utilize one of the algorithms in the
4078           list. For maximum compatibility leave this property empty. Each
4079           list element may be one of "tkip" or "ccmp".
4080
4081           Format: array of string
4082
4083       pmf
4084           Indicates whether Protected Management Frames (802.11w) must be
4085           enabled for the connection. One of
4086           NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
4087           value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
4088           NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
4089           supplicant and the access point support it) or
4090           NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
4091           if not supported). When set to
4092           NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
4093           is set, PMF will be optionally enabled.
4094
4095           Format: int32
4096
4097       proto
4098           List of strings specifying the allowed WPA protocol versions to
4099           use. Each element may be one "wpa" (allow WPA) or "rsn" (allow
4100           WPA2/RSN). If not specified, both WPA and RSN connections are
4101           allowed.
4102
4103           Format: array of string
4104
4105       psk
4106           Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
4107           passphrase of 8 to 63 characters that is (as specified in the
4108           802.11i standard) hashed to derive the actual key, or the key in
4109           form of 64 hexadecimal character. The WPA3-Personal networks use a
4110           passphrase of any length for SAE authentication.
4111
4112           Format: string
4113
4114       psk-flags
4115           Flags indicating how to handle the "psk" property. See the section
4116           called “Secret flag types:” for flag values.
4117
4118           Format: NMSettingSecretFlags (uint32)
4119
4120       wep-key-flags
4121           Flags indicating how to handle the "wep-key0", "wep-key1",
4122           "wep-key2", and "wep-key3" properties. See the section called
4123           “Secret flag types:” for flag values.
4124
4125           Format: NMSettingSecretFlags (uint32)
4126
4127       wep-key-type
4128           Controls the interpretation of WEP keys. Allowed values are
4129           NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
4130           26-character hexadecimal string, or a 5- or 13-character ASCII
4131           password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
4132           passphrase is provided as a string and will be hashed using the
4133           de-facto MD5 method to derive the actual WEP key.
4134
4135           Format: NMWepKeyType (uint32)
4136
4137       wep-key0
4138           Index 0 WEP key. This is the WEP key used in most networks. See the
4139           "wep-key-type" property for a description of how this key is
4140           interpreted.
4141
4142           Format: string
4143
4144       wep-key1
4145           Index 1 WEP key. This WEP index is not used by most networks. See
4146           the "wep-key-type" property for a description of how this key is
4147           interpreted.
4148
4149           Format: string
4150
4151       wep-key2
4152           Index 2 WEP key. This WEP index is not used by most networks. See
4153           the "wep-key-type" property for a description of how this key is
4154           interpreted.
4155
4156           Format: string
4157
4158       wep-key3
4159           Index 3 WEP key. This WEP index is not used by most networks. See
4160           the "wep-key-type" property for a description of how this key is
4161           interpreted.
4162
4163           Format: string
4164
4165       wep-tx-keyidx
4166           When static WEP is used (ie, key-mgmt = "none") and a non-default
4167           WEP key index is used by the AP, put that WEP key index here. Valid
4168           values are 0 (default key) through 3. Note that some consumer
4169           access points (like the Linksys WRT54G) number the keys 1 - 4.
4170
4171           Format: uint32
4172
4173       wps-method
4174           Flags indicating which mode of WPS is to be used if any. There's
4175           little point in changing the default setting as NetworkManager will
4176           automatically determine whether it's feasible to start WPS
4177           enrollment from the Access Point capabilities. WPS can be disabled
4178           by setting this property to a value of 1.
4179
4180           Format: uint32
4181
4182   wpan setting
4183       IEEE 802.15.4 (WPAN) MAC Settings.
4184
4185       Properties:
4186
4187       channel
4188           Alias: channel
4189
4190           IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
4191           set, use whatever the device is already set to".
4192
4193           Format: int32
4194
4195       mac-address
4196           Alias: mac
4197
4198           If specified, this connection will only apply to the IEEE 802.15.4
4199           (WPAN) MAC layer device whose permanent MAC address matches.
4200
4201           Format: string
4202
4203       page
4204           Alias: page
4205
4206           IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
4207           not set, use whatever the device is already set to".
4208
4209           Format: int32
4210
4211       pan-id
4212           Alias: pan-id
4213
4214           IEEE 802.15.4 Personal Area Network (PAN) identifier.
4215
4216           Format: uint32
4217
4218       short-address
4219           Alias: short-addr
4220
4221           Short IEEE 802.15.4 address to be used within a restricted
4222           environment.
4223
4224           Format: uint32
4225
4226   hostname setting
4227       Hostname settings.
4228
4229       Properties:
4230
4231       from-dhcp
4232           Whether the system hostname can be determined from DHCP on this
4233           connection. When set to NM_TERNARY_DEFAULT (-1), the value from
4234           global configuration is used. If the property doesn't have a value
4235           in the global configuration, NetworkManager assumes the value to be
4236           NM_TERNARY_TRUE (1).
4237
4238           Format: NMTernary (int32)
4239
4240       from-dns-lookup
4241           Whether the system hostname can be determined from reverse DNS
4242           lookup of addresses on this device. When set to NM_TERNARY_DEFAULT
4243           (-1), the value from global configuration is used. If the property
4244           doesn't have a value in the global configuration, NetworkManager
4245           assumes the value to be NM_TERNARY_TRUE (1).
4246
4247           Format: NMTernary (int32)
4248
4249       only-from-default
4250           If set to NM_TERNARY_TRUE (1), NetworkManager attempts to get the
4251           hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this device
4252           only when the device has the default route for the given address
4253           family (IPv4/IPv6). If set to NM_TERNARY_FALSE (0), the hostname
4254           can be set from this device even if it doesn't have the default
4255           route. When set to NM_TERNARY_DEFAULT (-1), the value from global
4256           configuration is used. If the property doesn't have a value in the
4257           global configuration, NetworkManager assumes the value to be
4258           NM_TERNARY_FALSE (0).
4259
4260           Format: NMTernary (int32)
4261
4262       priority
4263           The relative priority of this connection to determine the system
4264           hostname. A lower numerical value is better (higher priority). A
4265           connection with higher priority is considered before connections
4266           with lower priority. If the value is zero, it can be overridden by
4267           a global value from NetworkManager configuration. If the property
4268           doesn't have a value in the global configuration, the value is
4269           assumed to be 100. Negative values have the special effect of
4270           excluding other connections with a greater numerical priority
4271           value; so in presence of at least one negative priority, only
4272           connections with the lowest priority value will be used to
4273           determine the hostname.
4274
4275           Format: int32
4276
4277   veth setting
4278       Veth Settings.
4279
4280       Properties:
4281
4282       peer
4283           Alias: peer
4284
4285           This property specifies the peer interface name of the veth. This
4286           property is mandatory.
4287
4288           Format: string
4289
4290   Secret flag types:
4291       Each password or secret property in a setting has an associated flags
4292       property that describes how to handle that secret. The flags property
4293       is a bitfield that contains zero or more of the following values
4294       logically OR-ed together.
4295
4296       •   0x0 (none) - the system is responsible for providing and storing
4297           this secret. This may be required so that secrets are already
4298           available before the user logs in. It also commonly means that the
4299           secret will be stored in plain text on disk, accessible to root
4300           only. For example via the keyfile settings plugin as described in
4301           the "PLUGINS" section in NetworkManager.conf(5).
4302
4303       •   0x1 (agent-owned) - a user-session secret agent is responsible for
4304           providing and storing this secret; when it is required, agents will
4305           be asked to provide it.
4306
4307       •   0x2 (not-saved) - this secret should not be saved but should be
4308           requested from the user each time it is required. This flag should
4309           be used for One-Time-Pad secrets, PIN codes from hardware tokens,
4310           or if the user simply does not want to save the secret.
4311
4312       •   0x4 (not-required) - in some situations it cannot be automatically
4313           determined that a secret is required or not. This flag hints that
4314           the secret is not required and should not be requested from the
4315           user.
4316

FILES

4318       /etc/NetworkManager/system-connections or distro plugin-specific
4319       location
4320

SEE ALSO

4322       nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
4323       nm-settings-keyfile(5), NetworkManager.conf(5)
4324
4325
4326
4327NetworkManager 1.32.12                                    NM-SETTINGS-NMCLI(5)
Impressum