NM-SETTINGS-NMCLI(5) Configuration NM-SETTINGS-NMCLI(5)

nm-settings-nmcli - Description of settings and properties of
NetworkManager connection profiles for nmcli

NetworkManager is based on a concept of connection profiles, sometimes
referred to as connections only. These connection profiles contain a
network configuration. When NetworkManager activates a connection
profile on a network device, the configuration is applied and an
active network connection is established. Users are free to create
as many connection profiles as they see fit. Thus they are flexible in
having various network configurations for different networking needs.

NetworkManager provides an API for configuring connection profiles, for
activating them to configure the network, and for inspecting the current
network configuration. The command line tool nmcli is a client
application to NetworkManager that uses this API. See nmcli(1) for
details.

With commands like nmcli connection add, nmcli connection modify and
nmcli connection show, connection profiles can be created, modified and
inspected. A profile consists of properties. On D-Bus this follows the
format described by nm-settings-dbus(5), while this manual page
describes the settings format as expected by nmcli.

The settings and properties shown in the tables below list all available
connection configuration options. However, note that not all settings
are applicable to all connection types. The nmcli connection editor
also has a built-in describe command that displays the description of
particular settings and properties from this page.

Setting and property names can be abbreviated provided the abbreviation
is unique. The list below also shows aliases that can be used unqualified
instead of the full name. For example, connection.interface-name and
ifname refer to the same property.

41 connection setting
42 General Connection Profile Settings.
43
44 Properties:
45
46 auth-retries
The number of retries for the authentication. Zero means to try
indefinitely; -1 means to use a global default. If the global
default is not set, the authentication is retried 3 times before
failing the connection. Currently, this only applies to 802-1x
authentication.
52
53 Format: int32
54
55 autoconnect
56 Alias: autoconnect
57
58 Whether or not the connection should be automatically connected by
59 NetworkManager when the resources for the connection are available.
60 TRUE to automatically activate the connection, FALSE to require
61 manual intervention to activate the connection. Autoconnect happens
62 when the circumstances are suitable. That means for example that
63 the device is currently managed and not active. Autoconnect thus
64 never replaces or competes with an already active profile. Note
65 that autoconnect is not implemented for VPN profiles. See
66 "secondaries" as an alternative to automatically connect VPN
67 profiles. If multiple profiles are ready to autoconnect on the same
68 device, the one with the better "connection.autoconnect-priority"
69 is chosen. If the priorities are equal, then the most recently
70 connected profile is activated. If the profiles were not connected
71 earlier or their "connection.timestamp" is identical, the choice is
72 undefined. Depending on "connection.multi-connect", a profile can
73 (auto)connect only once at a time or multiple times.
74
75 Format: boolean
76
77 autoconnect-priority
The autoconnect priority in range -999 to 999. If the connection is
set to autoconnect, connections with higher priority will be
preferred. A higher number means higher priority. Defaults to 0.
Note that this property only matters if there is more than one
candidate profile to select for autoconnect. In case of equal
priority, the profile used most recently is chosen.
84
85 Format: int32
86
87 autoconnect-retries
88 The number of times a connection should be tried when
89 autoactivating before giving up. Zero means forever, -1 means the
90 global default (4 times if not overridden). Setting this to 1 means
91 to try activation only once before blocking autoconnect. Note that
92 after a timeout, NetworkManager will try to autoconnect again.
93
94 Format: int32
95
96 autoconnect-slaves
Whether or not slaves of this connection should be automatically
brought up when NetworkManager activates this connection. This only
has a real effect for master connections. The properties
"autoconnect", "autoconnect-priority" and "autoconnect-retries" are
unrelated to this setting. The permitted values are: 0: leave slave
connections untouched, 1: activate all the slave connections with
this connection, -1: default. If -1 (default) is set, the global
connection.autoconnect-slaves is read to determine the real value.
If it is default as well, this falls back to 0.
106
107 Format: NMSettingConnectionAutoconnectSlaves (int32)
108
109 dns-over-tls
Whether DNSOverTls (dns-over-tls) is enabled for the connection.
DNSOverTls is a technology which uses TLS to encrypt DNS traffic.
The permitted values are: "yes" (2) use DNSOverTls and disable
fallback, "opportunistic" (1) use DNSOverTls but allow fallback to
unencrypted resolution, "no" (0) don't ever use DNSOverTls. If
unspecified, "default" depends on the plugin used. Systemd-resolved
uses the global setting. This feature requires a plugin which supports
DNSOverTls. Otherwise, the setting has no effect. One such plugin
is dns-systemd-resolved.
119
120 Format: int32
121
122 gateway-ping-timeout
123 If greater than zero, delay success of IP addressing until either
124 the timeout is reached, or an IP gateway replies to a ping.
125
126 Format: uint32
127
128 id
129 Alias: con-name
130
131 A human readable unique identifier for the connection, like "Work
132 Wi-Fi" or "T-Mobile 3G".
133
134 Format: string
135
136 interface-name
137 Alias: ifname
138
139 The name of the network interface this connection is bound to. If
140 not set, then the connection can be attached to any interface of
141 the appropriate type (subject to restrictions imposed by other
142 settings). For software devices this specifies the name of the
143 created device. For connection types where interface names cannot
144 easily be made persistent (e.g. mobile broadband or USB Ethernet),
145 this property should not be used. Setting this property restricts
146 the interfaces a connection can be used with, and if interface
147 names change or are reordered the connection may be applied to the
148 wrong interface.
149
150 Format: string
151
152 lldp
153 Whether LLDP is enabled for the connection.
154
155 Format: int32
156
157 llmnr
Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
the connection. LLMNR is a protocol based on the Domain Name System
(DNS) packet format that allows both IPv4 and IPv6 hosts to perform
name resolution for hosts on the same local link. The permitted
values are: "yes" (2) register hostname and resolving for the
connection, "no" (0) disable LLMNR for the interface, "resolve" (1)
do not register hostname but allow resolving of LLMNR host names. If
unspecified, "default" ultimately depends on the DNS plugin (which
for systemd-resolved currently means "yes"). This feature requires
a plugin which supports LLMNR. Otherwise, the setting has no
effect. One such plugin is dns-systemd-resolved.
169
170 Format: int32
171
172 master
173 Alias: master
174
175 Interface name of the master device or UUID of the master
176 connection.
177
178 Format: string
179
180 mdns
181 Whether mDNS is enabled for the connection. The permitted values
182 are: "yes" (2) register hostname and resolving for the connection,
183 "no" (0) disable mDNS for the interface, "resolve" (1) do not
184 register hostname but allow resolving of mDNS host names and
185 "default" (-1) to allow lookup of a global default in
186 NetworkManager.conf. If unspecified, "default" ultimately depends
187 on the DNS plugin (which for systemd-resolved currently means
188 "no"). This feature requires a plugin which supports mDNS.
189 Otherwise, the setting has no effect. One such plugin is
190 dns-systemd-resolved.
191
192 Format: int32
193
194 metered
195 Whether the connection is metered. When updating this property on a
196 currently activated connection, the change takes effect
197 immediately.
198
199 Format: NMMetered (int32)
200
201 mud-url
202 If configured, set to a Manufacturer Usage Description (MUD) URL
203 that points to manufacturer-recommended network policies for IoT
204 devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
205 must be a valid URL starting with "https://". The special value
206 "none" is allowed to indicate that no MUD URL is used. If the
207 per-profile value is unspecified (the default), a global connection
208 default gets consulted. If still unspecified, the ultimate default
209 is "none".
210
211 Format: string
212
213 multi-connect
214 Specifies whether the profile can be active multiple times at a
215 particular moment. The value is of type NMConnectionMultiConnect.
216
217 Format: int32
218
219 permissions
220 An array of strings defining what access a given user has to this
221 connection. If this is NULL or empty, all users are allowed to
222 access this connection; otherwise users are allowed if and only if
223 they are in this list. When this is not empty, the connection can
224 be active only when one of the specified users is logged into an
225 active session. Each entry is of the form "[type]:[id]:[reserved]";
226 for example, "user:dcbw:blah". At this time only the "user" [type]
227 is allowed. Any other values are ignored and reserved for future
228 use. [id] is the username that this permission refers to, which may
229 not contain the ":" character. Any [reserved] information present
230 must be ignored and is reserved for future use. All of [type],
231 [id], and [reserved] must be valid UTF-8.
232
233 Format: array of string
234
235 read-only
236 FALSE if the connection can be modified using the provided settings
237 service's D-Bus interface with the right privileges, or TRUE if the
238 connection is read-only and cannot be modified.
239
240 Format: boolean
241
242 secondaries
243 List of connection UUIDs that should be activated when the base
244 connection itself is activated. Currently, only VPN connections are
245 supported.
246
247 Format: array of string
248
249 slave-type
250 Alias: slave-type
251
252 Setting name of the device type of this slave's master connection
253 (eg, "bond"), or NULL if this connection is not a slave.
254
255 Format: string
256
257 stable-id
This represents the identity of the connection used for various
purposes. It allows configuring multiple profiles to share the
identity. Also, the stable-id can contain placeholders that are
substituted dynamically and deterministically depending on the
context. The stable-id is used for generating IPv6 stable private
addresses with ipv6.addr-gen-mode=stable-privacy. It is also used
to seed the generated cloned MAC address for
ethernet.cloned-mac-address=stable and
wifi.cloned-mac-address=stable. It is also used as DHCP client
identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid]. Note that depending
on the context where it is used, other parameters are also seeded
into the generation algorithm. For example, a per-host key is
commonly also included, so that different systems end up generating
different IDs. Or with ipv6.addr-gen-mode=stable-privacy, the
device's name is also included, so that different interfaces yield
different addresses. The per-host key is the identity of your
machine and is stored in /var/lib/NetworkManager/secret_key. See
the NetworkManager(8) manual about the secret-key and the host
identity. The '$' character is treated specially to perform dynamic
substitutions at runtime. Currently supported are "${CONNECTION}",
"${DEVICE}", "${MAC}", "${BOOT}", "${RANDOM}". These effectively
create unique IDs per-connection, per-device, per-boot, or every
time. Note that "${DEVICE}" corresponds to the interface name of
the device and "${MAC}" is the permanent MAC address of the device.
Any unrecognized patterns following '$' are treated verbatim,
but are reserved for future use. You are thus advised to avoid
'$' or escape it as "$$". For example, set it to
"${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
connection that changes with every reboot and differs depending on
the interface where the profile activates. If the value is unset, a
global connection default is consulted. If the value is still
unset, the default is similar to "${CONNECTION}" and uses a unique,
fixed ID for the connection.
292
293 Format: string
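
The placeholder rules for stable-id described above can be checked before a value is written to a profile. The following linter is an added example, not part of NetworkManager or this manual page; the function name lint_stable_id and the sample values are hypothetical, and it assumes placeholders are recognized only in the exact upper-case spelling listed above.

```python
import re

# Placeholders this manual page lists as currently supported, mapped to
# what the resulting ID varies by (wording taken from the text above).
KNOWN = {
    "${CONNECTION}": "connection",
    "${DEVICE}": "device (interface name)",
    "${MAC}": "device (permanent MAC address)",
    "${BOOT}": "boot",
    "${RANDOM}": "every time",
}

# Alternation order matters: the "$$" escape first, then "${...}",
# then any remaining lone "$".
_TOKEN = re.compile(r"\$\$|\$\{[^}]*\}|\$")


def lint_stable_id(value):
    """Return (varies_by, warnings) for a connection.stable-id value.

    varies_by lists, in order of first appearance, what the generated ID
    changes with. warnings lists every '$' that is neither a supported
    placeholder nor escaped as "$$"; such text is used verbatim today
    but is reserved for future use.
    """
    varies_by = []
    warnings = []
    for match in _TOKEN.finditer(value):
        token = match.group(0)
        if token == "$$":
            continue  # escaped literal dollar sign, nothing to report
        if token in KNOWN:
            if KNOWN[token] not in varies_by:
                varies_by.append(KNOWN[token])
        else:
            warnings.append(
                f"offset {match.start()}: {token!r} is not a supported "
                "placeholder; escape '$' as '$$' or remove it"
            )
    return varies_by, warnings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    for sample in ("${CONNECTION}-${BOOT}-${DEVICE}", "lab$$1-${HOST}", "price$5"):
        varies, warns = lint_stable_id(sample)
        print(sample, "->", varies or ["nothing (fixed literal)"])
        for w in warns:
            print("   warning:", w)
```

A value with an empty varies_by list is a fixed literal, so every profile that sets it shares one identity, which matters when the stable-id seeds the cloned MAC address or the IPv6 stable-privacy address.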
294
295 timestamp
296 The time, in seconds since the Unix Epoch, that the connection was
297 last _successfully_ fully activated. NetworkManager updates the
298 connection timestamp periodically when the connection is active to
299 ensure that an active connection has the latest timestamp. The
300 property is only meant for reading (changes to this property will
301 not be preserved).
302
303 Format: uint64
304
305 type
306 Alias: type
307
308 Base type of the connection. For hardware-dependent connections,
309 should contain the setting name of the hardware-type specific
310 setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth",
311 etc), and for non-hardware dependent connections like VPN or
312 otherwise, should contain the setting name of that setting type
313 (ie, "vpn" or "bridge", etc).
314
315 Format: string
316
317 uuid
318 A universally unique identifier for the connection, for example
319 generated with libuuid. It should be assigned when the connection
320 is created, and never changed as long as the connection still
321 applies to the same network. For example, it should not be changed
322 when the "id" property or NMSettingIP4Config changes, but might
323 need to be re-created when the Wi-Fi SSID, mobile broadband network
324 provider, or "type" property changes. The UUID must be in the
325 format "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only
326 hexadecimal characters and "-").
327
328 Format: string
329
330 wait-device-timeout
Timeout in milliseconds to wait for device at startup. During boot,
devices may take a while to be detected by the driver. This
property delays NetworkManager-wait-online.service and
nm-online to give the device a chance to appear. This works by
waiting for the given timeout until a compatible device for the
profile is available and managed. The value 0 means no wait time.
The default value is -1, which currently has the same meaning as no
wait time.
339
340 Format: int32
341
342 zone
The trust level of the connection. Free form case-insensitive
string (for example "Home", "Work", "Public"). NULL or unspecified
zone means the connection will be placed in the default zone as
defined by the firewall. When updating this property on a currently
activated connection, the change takes effect immediately.
348
349 Format: string
350
351 6lowpan setting
352 6LoWPAN Settings.
353
354 Properties:
355
356 parent
357 Alias: dev
358
359 If given, specifies the parent interface name or parent connection
360 UUID from which this 6LowPAN interface should be created.
361
362 Format: string
363
364 802-1x setting
365 IEEE 802.1x Authentication Settings.
366
367 Properties:
368
369 altsubject-matches
370 List of strings to be matched against the altSubjectName of the
371 certificate presented by the authentication server. If the list is
372 empty, no verification of the server certificate's altSubjectName
373 is performed.
374
375 Format: array of string
376
377 anonymous-identity
378 Anonymous identity string for EAP authentication methods. Used as
379 the unencrypted identity with EAP types that support different
380 tunneled identity like EAP-TTLS.
381
382 Format: string
383
384 auth-timeout
385 A timeout for the authentication. Zero means the global default; if
386 the global default is not set, the authentication timeout is 25
387 seconds.
388
389 Format: int32
390
391 ca-cert
392 Contains the CA certificate if used by the EAP method specified in
393 the "eap" property. Certificate data is specified using a "scheme";
394 three are currently supported: blob, path and pkcs#11 URL. When
395 using the blob scheme this property should be set to the
396 certificate's DER encoded data. When using the path scheme, this
397 property should be set to the full UTF-8 encoded path of the
398 certificate, prefixed with the string "file://" and ending with a
399 terminating NUL byte. This property can be unset even if the EAP
400 method supports CA certificates, but this allows man-in-the-middle
401 attacks and is NOT recommended. Note that enabling
402 NMSetting8021x:system-ca-certs will override this setting to use
403 the built-in path, if the built-in path is not a directory.
404
405 Format: byte array
406
407 ca-cert-password
408 The password used to access the CA certificate stored in "ca-cert"
409 property. Only makes sense if the certificate is stored on a
410 PKCS#11 token that requires a login.
411
412 Format: string
413
414 ca-cert-password-flags
415 Flags indicating how to handle the "ca-cert-password" property. See
416 the section called “Secret flag types:” for flag values.
417
418 Format: NMSettingSecretFlags (uint32)
419
420 ca-path
421 UTF-8 encoded path to a directory containing PEM or DER formatted
422 certificates to be added to the verification chain in addition to
423 the certificate specified in the "ca-cert" property. If
424 NMSetting8021x:system-ca-certs is enabled and the built-in CA path
425 is an existing directory, then this setting is ignored.
426
427 Format: string
428
429 client-cert
430 Contains the client certificate if used by the EAP method specified
431 in the "eap" property. Certificate data is specified using a
432 "scheme"; two are currently supported: blob and path. When using
433 the blob scheme (which is backwards compatible with NM 0.7.x) this
434 property should be set to the certificate's DER encoded data. When
435 using the path scheme, this property should be set to the full
436 UTF-8 encoded path of the certificate, prefixed with the string
437 "file://" and ending with a terminating NUL byte.
438
439 Format: byte array
440
441 client-cert-password
442 The password used to access the client certificate stored in
443 "client-cert" property. Only makes sense if the certificate is
444 stored on a PKCS#11 token that requires a login.
445
446 Format: string
447
448 client-cert-password-flags
449 Flags indicating how to handle the "client-cert-password" property.
450 See the section called “Secret flag types:” for flag values.
451
452 Format: NMSettingSecretFlags (uint32)
453
454 domain-match
455 Constraint for server domain name. If set, this list of FQDNs is
456 used as a match requirement for dNSName element(s) of the
457 certificate presented by the authentication server. If a matching
458 dNSName is found, this constraint is met. If no dNSName values are
459 present, this constraint is matched against SubjectName CN using
460 the same comparison. Multiple valid FQDNs can be passed as a ";"
461 delimited list.
462
463 Format: string
464
465 domain-suffix-match
Constraint for server domain name. If set, this FQDN is used as a
suffix match requirement for dNSName element(s) of the certificate
presented by the authentication server. If a matching dNSName is
found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using the same suffix
match comparison. Since version 1.24, multiple valid FQDNs can be
passed as a ";" delimited list.
473
474 Format: string
475
476 eap
477 The allowed EAP method to be used when authenticating to the
478 network with 802.1x. Valid methods are: "leap", "md5", "tls",
479 "peap", "ttls", "pwd", and "fast". Each method requires different
480 configuration using the properties of this setting; refer to
481 wpa_supplicant documentation for the allowed combinations.
482
483 Format: array of string
484
485 identity
486 Identity string for EAP authentication methods. Often the user's
487 user or login name.
488
489 Format: string
490
491 optional
492 Whether the 802.1X authentication is optional. If TRUE, the
493 activation will continue even after a timeout or an authentication
494 failure. Setting the property to TRUE is currently allowed only for
495 Ethernet connections. If set to FALSE, the activation can continue
496 only after a successful authentication.
497
498 Format: boolean
499
500 pac-file
501 UTF-8 encoded file path containing PAC for EAP-FAST.
502
503 Format: string
504
505 password
506 UTF-8 encoded password used for EAP authentication methods. If both
507 the "password" property and the "password-raw" property are
508 specified, "password" is preferred.
509
510 Format: string
511
512 password-flags
513 Flags indicating how to handle the "password" property. See the
514 section called “Secret flag types:” for flag values.
515
516 Format: NMSettingSecretFlags (uint32)
517
518 password-raw
519 Password used for EAP authentication methods, given as a byte array
520 to allow passwords in other encodings than UTF-8 to be used. If
521 both the "password" property and the "password-raw" property are
522 specified, "password" is preferred.
523
524 Format: byte array
525
526 password-raw-flags
527 Flags indicating how to handle the "password-raw" property. See the
528 section called “Secret flag types:” for flag values.
529
530 Format: NMSettingSecretFlags (uint32)
531
532 phase1-auth-flags
533 Specifies authentication flags to use in "phase 1" outer
534 authentication using NMSetting8021xAuthFlags options. The
535 individual TLS versions can be explicitly disabled. If a certain
536 TLS disable flag is not set, it is up to the supplicant to allow or
537 forbid it. The TLS options map to tls_disable_tlsv1_x settings. See
538 the wpa_supplicant documentation for more details.
539
540 Format: uint32
541
542 phase1-fast-provisioning
543 Enables or disables in-line provisioning of EAP-FAST credentials
544 when FAST is specified as the EAP method in the "eap" property.
545 Recognized values are "0" (disabled), "1" (allow unauthenticated
546 provisioning), "2" (allow authenticated provisioning), and "3"
547 (allow both authenticated and unauthenticated provisioning). See
548 the wpa_supplicant documentation for more details.
549
550 Format: string
551
552 phase1-peaplabel
553 Forces use of the new PEAP label during key derivation. Some RADIUS
554 servers may require forcing the new PEAP label to interoperate with
555 PEAPv1. Set to "1" to force use of the new PEAP label. See the
556 wpa_supplicant documentation for more details.
557
558 Format: string
559
560 phase1-peapver
561 Forces which PEAP version is used when PEAP is set as the EAP
562 method in the "eap" property. When unset, the version reported by
563 the server will be used. Sometimes when using older RADIUS servers,
564 it is necessary to force the client to use a particular PEAP
565 version. To do so, this property may be set to "0" or "1" to force
566 that specific PEAP version.
567
568 Format: string
569
570 phase2-altsubject-matches
571 List of strings to be matched against the altSubjectName of the
572 certificate presented by the authentication server during the inner
573 "phase 2" authentication. If the list is empty, no verification of
574 the server certificate's altSubjectName is performed.
575
576 Format: array of string
577
578 phase2-auth
579 Specifies the allowed "phase 2" inner authentication method when an
580 EAP method that uses an inner TLS tunnel is specified in the "eap"
581 property. For TTLS this property selects one of the supported
582 non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while
583 "phase2-autheap" selects an EAP inner method. For PEAP this selects
584 an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each
585 "phase 2" inner method requires specific parameters for successful
586 authentication; see the wpa_supplicant documentation for more
587 details. Both "phase2-auth" and "phase2-autheap" cannot be
588 specified.
589
590 Format: string
591
592 phase2-autheap
593 Specifies the allowed "phase 2" inner EAP-based authentication
594 method when TTLS is specified in the "eap" property. Recognized
595 EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc",
596 and "tls". Each "phase 2" inner method requires specific parameters
597 for successful authentication; see the wpa_supplicant documentation
598 for more details.
599
600 Format: string
601
602 phase2-ca-cert
603 Contains the "phase 2" CA certificate if used by the EAP method
604 specified in the "phase2-auth" or "phase2-autheap" properties.
605 Certificate data is specified using a "scheme"; three are currently
606 supported: blob, path and pkcs#11 URL. When using the blob scheme
607 this property should be set to the certificate's DER encoded data.
608 When using the path scheme, this property should be set to the full
609 UTF-8 encoded path of the certificate, prefixed with the string
610 "file://" and ending with a terminating NUL byte. This property can
611 be unset even if the EAP method supports CA certificates, but this
612 allows man-in-the-middle attacks and is NOT recommended. Note that
613 enabling NMSetting8021x:system-ca-certs will override this setting
614 to use the built-in path, if the built-in path is not a directory.
615
616 Format: byte array
617
618 phase2-ca-cert-password
619 The password used to access the "phase2" CA certificate stored in
620 "phase2-ca-cert" property. Only makes sense if the certificate is
621 stored on a PKCS#11 token that requires a login.
622
623 Format: string
624
625 phase2-ca-cert-password-flags
626 Flags indicating how to handle the "phase2-ca-cert-password"
627 property. See the section called “Secret flag types:” for flag
628 values.
629
630 Format: NMSettingSecretFlags (uint32)
631
632 phase2-ca-path
633 UTF-8 encoded path to a directory containing PEM or DER formatted
634 certificates to be added to the verification chain in addition to
635 the certificate specified in the "phase2-ca-cert" property. If
636 NMSetting8021x:system-ca-certs is enabled and the built-in CA path
637 is an existing directory, then this setting is ignored.
638
639 Format: string
640
641 phase2-client-cert
642 Contains the "phase 2" client certificate if used by the EAP method
643 specified in the "phase2-auth" or "phase2-autheap" properties.
644 Certificate data is specified using a "scheme"; two are currently
645 supported: blob and path. When using the blob scheme (which is
646 backwards compatible with NM 0.7.x) this property should be set to
647 the certificate's DER encoded data. When using the path scheme,
648 this property should be set to the full UTF-8 encoded path of the
649 certificate, prefixed with the string "file://" and ending with a
650 terminating NUL byte. This property can be unset even if the EAP
651 method supports CA certificates, but this allows man-in-the-middle
652 attacks and is NOT recommended.
653
654 Format: byte array
655
656 phase2-client-cert-password
657 The password used to access the "phase2" client certificate stored
658 in "phase2-client-cert" property. Only makes sense if the
659 certificate is stored on a PKCS#11 token that requires a login.
660
661 Format: string
662
663 phase2-client-cert-password-flags
664 Flags indicating how to handle the "phase2-client-cert-password"
665 property. See the section called “Secret flag types:” for flag
666 values.
667
668 Format: NMSettingSecretFlags (uint32)
669
670 phase2-domain-match
671 Constraint for server domain name. If set, this list of FQDNs is
672 used as a match requirement for dNSName element(s) of the
673 certificate presented by the authentication server during the inner
674 "phase 2" authentication. If a matching dNSName is found, this
675 constraint is met. If no dNSName values are present, this
676 constraint is matched against SubjectName CN using the same
677 comparison. Multiple valid FQDNs can be passed as a ";" delimited
678 list.
679
680 Format: string
681
682 phase2-domain-suffix-match
Constraint for server domain name. If set, this FQDN is used as a
suffix match requirement for dNSName element(s) of the certificate
presented by the authentication server during the inner "phase 2"
authentication. If a matching dNSName is found, this constraint is
met. If no dNSName values are present, this constraint is matched
against SubjectName CN using the same suffix match comparison. Since
version 1.24, multiple valid FQDNs can be passed as a ";" delimited
list.
691
692 Format: string
693
694 phase2-private-key
Contains the "phase 2" inner private key when the "phase2-auth" or
"phase2-autheap" property is set to "tls". Key data is specified
using a "scheme"; two are currently supported: blob and path. When
using the blob scheme and private keys, this property should be set
to the key's encrypted PEM encoded data. When using private keys
with the path scheme, this property should be set to the full UTF-8
encoded path of the key, prefixed with the string "file://" and
ending with a terminating NUL byte. When using PKCS#12 format
private keys and the blob scheme, this property should be set to
the PKCS#12 data and the "phase2-private-key-password" property
must be set to the password used to decrypt the PKCS#12 certificate
and key. When using PKCS#12 files and the path scheme, this property
should be set to the full UTF-8 encoded path of the key, prefixed
with the string "file://" and ending with a terminating NUL byte,
and as with the blob scheme the "phase2-private-key-password"
property must be set to the password used to decode the PKCS#12
private key and certificate.
712
713 Format: byte array
714
715 phase2-private-key-password
716 The password used to decrypt the "phase 2" private key specified in
717 the "phase2-private-key" property when the private key either uses
718 the path scheme, or is a PKCS#12 format key.
719
720 Format: string
721
722 phase2-private-key-password-flags
723 Flags indicating how to handle the "phase2-private-key-password"
724 property. See the section called “Secret flag types:” for flag
725 values.
726
727 Format: NMSettingSecretFlags (uint32)
728
729 phase2-subject-match
730 Substring to be matched against the subject of the certificate
731 presented by the authentication server during the inner "phase 2"
732 authentication. When unset, no verification of the authentication
733 server certificate's subject is performed. This property provides
734 little security, if any, and its use is deprecated in favor of
735 NMSetting8021x:phase2-domain-suffix-match.
736
737 Format: string
738
739 pin
740 PIN used for EAP authentication methods.
741
742 Format: string
743
744 pin-flags
745 Flags indicating how to handle the "pin" property. See the section
746 called “Secret flag types:” for flag values.
747
748 Format: NMSettingSecretFlags (uint32)
749
750 private-key
751 Contains the private key when the "eap" property is set to "tls".
752 Key data is specified using a "scheme"; two are currently
753 supported: blob and path. When using the blob scheme and private
754 keys, this property should be set to the key's encrypted PEM
755 encoded data. When using private keys with the path scheme, this
756 property should be set to the full UTF-8 encoded path of the key,
757 prefixed with the string "file://" and ending with a terminating
758 NUL byte. When using PKCS#12 format private keys and the blob
759 scheme, this property should be set to the PKCS#12 data and the
760 "private-key-password" property must be set to the password used to
761 decrypt the PKCS#12 certificate and key. When using PKCS#12 files
762 and the path scheme, this property should be set to the full UTF-8
763 encoded path of the key, prefixed with the string "file://" and
764 ending with a terminating NUL byte, and as with the blob scheme the
765 "private-key-password" property must be set to the password used to
766 decode the PKCS#12 private key and certificate. WARNING:
767 "private-key" is not a "secret" property, and thus unencrypted
768 private key data using the BLOB scheme may be readable by
769 unprivileged users. Private keys should always be encrypted with a
770 private key password to prevent unauthorized access to unencrypted
771 private key data.
772
773 Format: byte array
774
775 private-key-password
776 The password used to decrypt the private key specified in the
777 "private-key" property when the private key either uses the path
778 scheme, or if the private key is a PKCS#12 format key.
779
780 Format: string
781
782 private-key-password-flags
783 Flags indicating how to handle the "private-key-password" property.
784 See the section called “Secret flag types:” for flag values.
785
786 Format: NMSettingSecretFlags (uint32)
787
788 subject-match
789 Substring to be matched against the subject of the certificate
790 presented by the authentication server. When unset, no verification
791 of the authentication server certificate's subject is performed.
792 This property provides little security, if any, and its use is
793 deprecated in favor of NMSetting8021x:domain-suffix-match.
794
795 Format: string
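
The "private-key" WARNING and the "subject-match" deprecation above can be checked mechanically. The sketch below is an added example, not NetworkManager code: it classifies a "private-key" byte array by scheme and flags the two weak configurations this page describes. The dictionary layout, the finding names and the sample values are assumptions made for the example; the key bodies are constructed placeholders, not real keys.

```python
import re

# Matches a PEM header such as "-----BEGIN ENCRYPTED PRIVATE KEY-----".
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def classify_private_key(value: bytes) -> dict:
    """Classify a "private-key" byte array by scheme and, for PEM, encryption."""
    if value.startswith(b"file://"):
        # Path scheme: "file://" + UTF-8 path + one terminating NUL byte.
        body = value[len(b"file://"):]
        return {
            "scheme": "path",
            "path": body.rstrip(b"\x00").decode("utf-8", "replace"),
            "nul_terminated": body.endswith(b"\x00"),
        }
    header = PEM_BEGIN.search(value)
    if header:
        label = header.group(1).decode("ascii")
        encrypted = (
            label == "ENCRYPTED PRIVATE KEY"        # PKCS#8 encrypted key
            or b"Proc-Type: 4,ENCRYPTED" in value   # traditional OpenSSL PEM
        )
        return {"scheme": "blob", "format": "pem", "encrypted": encrypted}
    # Any other blob is binary data (for example PKCS#12). Whether it is
    # protected cannot be told without parsing it, so report None.
    return {"scheme": "blob", "format": "binary", "encrypted": None}


def audit_8021x(profile: dict) -> list:
    """Return (property, finding) pairs for an 802-1x property dictionary."""
    findings = []
    for prefix in ("", "phase2-"):
        key = profile.get(prefix + "private-key")
        if key:
            info = classify_private_key(key)
            # "private-key" is not a secret property: clear-text blob data
            # may be readable by unprivileged users.
            if info["scheme"] == "blob" and info["encrypted"] is False:
                findings.append((prefix + "private-key", "unencrypted-blob"))
            if info["scheme"] == "path" and not info["nul_terminated"]:
                findings.append((prefix + "private-key", "path-missing-nul"))
        # subject-match is only a substring check and is deprecated in
        # favor of domain-suffix-match.
        if profile.get(prefix + "subject-match") and not profile.get(
            prefix + "domain-suffix-match"
        ):
            findings.append((prefix + "subject-match", "deprecated-only-check"))
    return findings


# Constructed sample values (placeholder bodies, not real key material).
PLAIN_PEM = (b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
             b"-----END PRIVATE KEY-----\n")
LEGACY_ENCRYPTED_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                        b"Proc-Type: 4,ENCRYPTED\n"
                        b"DEK-Info: AES-256-CBC,00000000000000000000000000000000\n"
                        b"\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PROFILE = {
    "private-key": PLAIN_PEM,
    "subject-match": "radius.example.org",
    "phase2-private-key": b"file:///etc/pki/inner.key",  # no trailing NUL
    "phase2-subject-match": "radius.example.org",
    "phase2-domain-suffix-match": "example.org",
}

if __name__ == "__main__":
    for prop, finding in audit_8021x(SAMPLE_PROFILE):
        print(prop, finding)
```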
796
797 system-ca-certs
798 When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
799 using the system CA directory specified at configure time with the
800 --system-ca-path switch. The certificates in this directory are
801 added to the verification chain in addition to any certificates
802 specified by the "ca-cert" and "phase2-ca-cert" properties. If the
803 path provided with --system-ca-path is rather a file name (bundle
804 of trusted CA certificates), it overrides "ca-cert" and
805 "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
806 for wpa_supplicant).
807
808 Format: boolean
809
810 adsl setting
811 ADSL Settings.
812
813 Properties:
814
815 encapsulation
816 Alias: encapsulation
817
818 Encapsulation of ADSL connection. Can be "vcmux" or "llc".
819
820 Format: string
821
822 password
823 Alias: password
824
825 Password used to authenticate with the ADSL service.
826
827 Format: string
828
829 password-flags
830 Flags indicating how to handle the "password" property. See the
831 section called “Secret flag types:” for flag values.
832
833 Format: NMSettingSecretFlags (uint32)
834
835 protocol
836 Alias: protocol
837
838 ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
839
840 Format: string
841
842 username
843 Alias: username
844
845 Username used to authenticate with the ADSL service.
846
847 Format: string
848
849 vci
850 VCI of ADSL connection.
851
852 Format: uint32
853
854 vpi
855 VPI of ADSL connection.
856
857 Format: uint32
858
859 bluetooth setting
860 Bluetooth Settings.
861
862 Properties:
863
864 bdaddr
865 Alias: addr
866
867 The Bluetooth address of the device.
868
869 Format: byte array
870
871 type
872 Alias: bt-type
873
874 Either "dun" for Dial-Up Networking connections or "panu" for
875 Personal Area Networking connections to devices supporting the NAP
876 profile.
877
878 Format: string
879
880 bond setting
881 Bonding Settings.
882
883 Properties:
884
885 options
886 Dictionary of key/value pairs of bonding options. Both keys and
887 values must be strings. Option names must contain only alphanumeric
888 characters (ie, [a-zA-Z0-9]).
889
890 Format: dict of string to string
891
892 bridge setting
893 Bridging Settings.
894
895 Properties:
896
897 ageing-time
898 Alias: ageing-time
899
900 The Ethernet MAC address aging time, in seconds.
901
902 Format: uint32
903
904 forward-delay
905 Alias: forward-delay
906
907 The Spanning Tree Protocol (STP) forwarding delay, in seconds.
908
909 Format: uint32
910
911 group-address
912 If specified, the MAC address of the multicast group this bridge
913 uses for STP. The address must be a link-local address in standard
914 Ethernet MAC address format, ie an address of the form
915 01:80:C2:00:00:0X, with X in [0, 4..F]. If not specified the
916 default value is 01:80:C2:00:00:00.
917
918 Format: byte array
919
920 group-forward-mask
921 Alias: group-forward-mask
922
923 A mask of group addresses to forward. Usually, group addresses in
924 the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
925 forwarded according to standards. This property is a mask of 16
926 bits, each corresponding to a group address in that range that must
927 be forwarded. The mask can't have bits 0, 1 or 2 set because they
928 are used for STP, MAC pause frames and LACP.
929
930 Format: uint32
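
The rules for "group-address" and "group-forward-mask" above, as an added example (not NetworkManager code): it validates a group address against the documented form and decodes a mask into the link-local group addresses the bridge would forward, which is what a reviewer needs when checking what crosses a bridge. The two protocol names in WELL_KNOWN come from the IEEE address assignments, not from this page, and the function names are assumptions.

```python
import re

# 01:80:C2:00:00:0X, where X is one hex digit.
GROUP_ADDR_RE = re.compile(r"^01:80:C2:00:00:0([0-9A-F])$", re.IGNORECASE)

# Bits 0, 1 and 2 are used for STP, MAC pause frames and LACP and
# must not be set in group-forward-mask.
RESERVED_BITS = 0b0111

# Assumption: labels taken from the IEEE group address assignments.
WELL_KNOWN = {0x03: "IEEE 802.1X PAE (EAPOL)", 0x0E: "LLDP"}


def valid_group_address(addr: str) -> bool:
    """True if addr has the form 01:80:C2:00:00:0X with X in [0, 4..F]."""
    match = GROUP_ADDR_RE.match(addr)
    if not match:
        return False
    x = int(match.group(1), 16)
    return x == 0 or x >= 4


def decode_group_forward_mask(mask: int) -> list:
    """Return the group addresses selected by a 16-bit forward mask."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("group-forward-mask is a mask of 16 bits")
    if mask & RESERVED_BITS:
        raise ValueError("bits 0, 1 and 2 cannot be set")
    # Bit n selects the address whose last octet is n.
    return [f"01:80:C2:00:00:{bit:02X}" for bit in range(16) if (mask >> bit) & 1]


def describe_forwarded(mask: int) -> list:
    """Pair every forwarded address with a protocol label, if one is known."""
    result = []
    for addr in decode_group_forward_mask(mask):
        last_octet = int(addr[-2:], 16)
        result.append((addr, WELL_KNOWN.get(last_octet, "")))
    return result


if __name__ == "__main__":
    # Constructed sample: a mask with bits 3 and 14 set.
    for addr, label in describe_forwarded(0x4008):
        print(addr, label)
```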
931
932 hello-time
933 Alias: hello-time
934
935 The Spanning Tree Protocol (STP) hello time, in seconds.
936
937 Format: uint32
938
939 mac-address
940 Alias: mac
941
942 If specified, the MAC address of bridge. When creating a new
943 bridge, this MAC address will be set. If this field is left
944 unspecified, the "ethernet.cloned-mac-address" is used instead
945 to generate the initial MAC address. Note that setting
946 "ethernet.cloned-mac-address" anyway overwrites the MAC address of
947 the bridge later while activating the bridge. Hence, this property
948 is deprecated. Deprecated: 1
949
950 Format: byte array
951
952 max-age
953 Alias: max-age
954
955 The Spanning Tree Protocol (STP) maximum message age, in seconds.
956
957 Format: uint32
958
959 multicast-hash-max
960 Set maximum size of multicast hash table (value must be a power of
961 2).
962
963 Format: uint32
964
965 multicast-last-member-count
966 Set the number of queries the bridge will send before stopping
967 forwarding a multicast group after a "leave" message has been
968 received.
969
970 Format: uint32
971
972 multicast-last-member-interval
973 Set interval (in deciseconds) between queries to find remaining
974 members of a group, after a "leave" message is received.
975
976 Format: uint64
977
978 multicast-membership-interval
979 Set delay (in deciseconds) after which the bridge will leave a
980 group, if no membership reports for this group are received.
981
982 Format: uint64
983
984 multicast-querier
985 Enable or disable sending of multicast queries by the bridge. If
986 not specified the option is disabled.
987
988 Format: boolean
989
990 multicast-querier-interval
991 If no queries are seen after this delay (in deciseconds) has
992 passed, the bridge will start to send its own queries.
993
994 Format: uint64
995
996 multicast-query-interval
997 Interval (in deciseconds) between queries sent by the bridge after
998 the end of the startup phase.
999
1000 Format: uint64
1001
1002 multicast-query-response-interval
1003 Set the Max Response Time/Max Response Delay (in deciseconds) for
1004 IGMP/MLD queries sent by the bridge.
1005
1006 Format: uint64
1007
1008 multicast-query-use-ifaddr
1009 If enabled, the bridge's own IP address is used as the source
1010 address for IGMP queries; otherwise the default of 0.0.0.0 is used.
1011
1012 Format: boolean
1013
1014 multicast-router
1015 Sets bridge's multicast router. Multicast-snooping must be enabled
1016 for this option to work. Supported values are: 'auto', 'disabled',
1017 'enabled' to which kernel assigns the numbers 1, 0, and 2,
1018 respectively. If not specified the default value is 'auto' (1).
1019
1020 Format: string
1021
1022 multicast-snooping
1023 Alias: multicast-snooping
1024
1025 Controls whether IGMP snooping is enabled for this bridge. Note
1026 that if snooping was automatically disabled due to hash collisions,
1027 the system may refuse to enable the feature until the collisions
1028 are resolved.
1029
1030 Format: boolean
1031
1032 multicast-startup-query-count
1033 Set the number of IGMP queries to send during startup phase.
1034
1035 Format: uint32
1036
1037 multicast-startup-query-interval
1038 Sets the time (in deciseconds) between queries sent out at startup
1039 to determine membership information.
1040
1041 Format: uint64
1042
1043 priority
1044 Alias: priority
1045
1046 Sets the Spanning Tree Protocol (STP) priority for this bridge.
1047 Lower values are "better"; the lowest priority bridge will be
1048 elected the root bridge.
1049
1050 Format: uint32
1051
1052 stp
1053 Alias: stp
1054
1055 Controls whether Spanning Tree Protocol (STP) is enabled for this
1056 bridge.
1057
1058 Format: boolean
1059
1060 vlan-default-pvid
1061 The default PVID for the ports of the bridge, that is the VLAN id
1062 assigned to incoming untagged frames.
1063
1064 Format: uint32
1065
1066 vlan-filtering
1067 Control whether VLAN filtering is enabled on the bridge.
1068
1069 Format: boolean
1070
1071 vlan-protocol
1072 If specified, the protocol used for VLAN filtering. Supported
1073 values are: '802.1Q', '802.1ad'. If not specified the default value
1074 is '802.1Q'.
1075
1076 Format: string
1077
1078 vlan-stats-enabled
1079 Controls whether per-VLAN stats accounting is enabled.
1080
1081 Format: boolean
1082
1083 vlans
1084 Array of bridge VLAN objects. In addition to the VLANs specified
1085 here, the bridge will also have the default-pvid VLAN configured by
1086 the bridge.vlan-default-pvid property. In nmcli the VLAN list can
1087 be specified with the following syntax: $vid [pvid] [untagged] [,
1088 $vid [pvid] [untagged]]... where $vid is either a single id between
1089 1 and 4094 or a range, represented as a couple of ids separated by
1090 a dash.
1091
1092 Format: array of vardict
1093
1094 bridge-port setting
1095 Bridge Port Settings.
1096
1097 Properties:
1098
1099 hairpin-mode
1100 Alias: hairpin
1101
1102 Enables or disables "hairpin mode" for the port, which allows
1103 frames to be sent back out through the port the frame was received
1104 on.
1105
1106 Format: boolean
1107
1108 path-cost
1109 Alias: path-cost
1110
1111 The Spanning Tree Protocol (STP) port cost for destinations via
1112 this port.
1113
1114 Format: uint32
1115
1116 priority
1117 Alias: priority
1118
1119 The Spanning Tree Protocol (STP) priority of this bridge port.
1120
1121 Format: uint32
1122
1123 vlans
1124 Array of bridge VLAN objects. In addition to the VLANs specified
1125 here, the port will also have the default-pvid VLAN configured on
1126 the bridge by the bridge.vlan-default-pvid property. In nmcli the
1127 VLAN list can be specified with the following syntax: $vid [pvid]
1128 [untagged] [, $vid [pvid] [untagged]]... where $vid is either a
1129 single id between 1 and 4094 or a range, represented as a couple of
1130 ids separated by a dash.
1131
1132 Format: array of vardict
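
A parser for the VLAN list syntax described for bridge.vlans and bridge-port.vlans, as an added example (not NetworkManager's own parser). It accepts only the documented form, rejects ids outside 1 to 4094, and reports which VLAN ids leave the port untagged, which is the part worth reviewing when VLANs are used for segmentation. The function names and the returned dictionary layout are assumptions.

```python
import re

# "$vid" is a single id or a range written as two ids separated by a dash.
VID_RE = re.compile(r"^(\d+)(?:-(\d+))?$", re.ASCII)
FLAGS = {"pvid", "untagged"}


def parse_bridge_vlans(spec: str) -> list:
    """Parse '$vid [pvid] [untagged] [, $vid [pvid] [untagged]]...'."""
    entries = []
    for chunk in spec.split(","):
        tokens = chunk.split()
        if not tokens:
            raise ValueError("empty VLAN entry")
        match = VID_RE.match(tokens[0])
        if not match:
            raise ValueError(f"invalid VLAN id or range: {tokens[0]!r}")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) else start
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"VLAN ids must be between 1 and 4094: {tokens[0]!r}")
        unknown = set(tokens[1:]) - FLAGS
        if unknown:
            raise ValueError(f"unknown flag(s): {sorted(unknown)}")
        entries.append({
            "start": start,
            "end": end,
            "pvid": "pvid" in tokens[1:],
            "untagged": "untagged" in tokens[1:],
        })
    return entries


def untagged_vids(entries: list) -> list:
    """VLAN ids whose frames are sent out untagged, in ascending order."""
    vids = set()
    for entry in entries:
        if entry["untagged"]:
            vids.update(range(entry["start"], entry["end"] + 1))
    return sorted(vids)


def effective_vids(entries: list, default_pvid: int) -> list:
    """All VLAN ids on the port: listed ones plus bridge.vlan-default-pvid."""
    vids = set()
    for entry in entries:
        vids.update(range(entry["start"], entry["end"] + 1))
    # Assumption of this example: only a value in 1..4094 names a VLAN.
    if 1 <= default_pvid <= 4094:
        vids.add(default_pvid)
    return sorted(vids)


if __name__ == "__main__":
    # Constructed sample value for the "vlans" property.
    sample = parse_bridge_vlans("100 pvid untagged, 200-203, 300 untagged")
    print(untagged_vids(sample), effective_vids(sample, 1))
```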
1133
1134 cdma setting
1135 CDMA-based Mobile Broadband Settings.
1136
1137 Properties:
1138
1139 mtu
1140 If non-zero, only transmit packets of the specified size or
1141 smaller, breaking larger packets up into multiple frames.
1142
1143 Format: uint32
1144
1145 number
1146 The number to dial to establish the connection to the CDMA-based
1147 mobile broadband network, if any. If not specified, the default
1148 number (#777) is used when required.
1149
1150 Format: string
1151
1152 password
1153 Alias: password
1154
1155 The password used to authenticate with the network, if required.
1156 Many providers do not require a password, or accept any password.
1157 But if a password is required, it is specified here.
1158
1159 Format: string
1160
1161 password-flags
1162 Flags indicating how to handle the "password" property. See the
1163 section called “Secret flag types:” for flag values.
1164
1165 Format: NMSettingSecretFlags (uint32)
1166
1167 username
1168 Alias: user
1169
1170 The username used to authenticate with the network, if required.
1171 Many providers do not require a username, or accept any username.
1172 But if a username is required, it is specified here.
1173
1174 Format: string
1175
1176 dcb setting
1177 Data Center Bridging Settings.
1178
1179 Properties:
1180
1181 app-fcoe-flags
1182 Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1183 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1184 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1185 NM_SETTING_DCB_FLAG_WILLING (0x4).
1186
1187 Format: NMSettingDcbFlags (uint32)
1188
1189 app-fcoe-mode
1190 The FCoE controller mode; either "fabric" or "vn2vn". Since 1.34,
1191 NULL is the default and means "fabric". Before 1.34, NULL was
1192 rejected as invalid and the default was "fabric".
1193
1194 Format: string
1195
1196 app-fcoe-priority
1197 The highest User Priority (0 - 7) which FCoE frames should use, or
1198 -1 for default priority. Only used when the "app-fcoe-flags"
1199 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1200
1201 Format: int32
1202
1203 app-fip-flags
1204 Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1205 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1206 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1207 NM_SETTING_DCB_FLAG_WILLING (0x4).
1208
1209 Format: NMSettingDcbFlags (uint32)
1210
1211 app-fip-priority
1212 The highest User Priority (0 - 7) which FIP frames should use, or
1213 -1 for default priority. Only used when the "app-fip-flags"
1214 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1215
1216 Format: int32
1217
1218 app-iscsi-flags
1219 Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1220 Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1221 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1222 NM_SETTING_DCB_FLAG_WILLING (0x4).
1223
1224 Format: NMSettingDcbFlags (uint32)
1225
1226 app-iscsi-priority
1227 The highest User Priority (0 - 7) which iSCSI frames should use, or
1228 -1 for default priority. Only used when the "app-iscsi-flags"
1229 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1230
1231 Format: int32
1232
1233 priority-bandwidth
1234 An array of 8 uint values, where the array index corresponds to the
1235 User Priority (0 - 7) and the value indicates the percentage of
1236 bandwidth of the priority's assigned group that the priority may
1237 use. The sum of all percentages for priorities which belong to the
1238 same group must total 100 percent.
1239
1240 Format: array of uint32
1241
1242 priority-flow-control
1243 An array of 8 boolean values, where the array index corresponds to
1244 the User Priority (0 - 7) and the value indicates whether or not
1245 the corresponding priority should transmit priority pause.
1246
1247 Format: array of uint32
1248
1249 priority-flow-control-flags
1250 Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1251 (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1252 (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1253 NM_SETTING_DCB_FLAG_WILLING (0x4).
1254
1255 Format: NMSettingDcbFlags (uint32)
1256
1257 priority-group-bandwidth
1258 An array of 8 uint values, where the array index corresponds to the
1259 Priority Group ID (0 - 7) and the value indicates the percentage of
1260 link bandwidth allocated to that group. Allowed values are 0 - 100,
1261 and the sum of all values must total 100 percent.
1262
1263 Format: array of uint32
1264
1265 priority-group-flags
1266 Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1267 be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1268 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1269 NM_SETTING_DCB_FLAG_WILLING (0x4).
1270
1271 Format: NMSettingDcbFlags (uint32)
1272
1273 priority-group-id
1274 An array of 8 uint values, where the array index corresponds to the
1275 User Priority (0 - 7) and the value indicates the Priority Group
1276 ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1277 unrestricted group.
1278
1279 Format: array of uint32
1280
1281 priority-strict-bandwidth
1282 An array of 8 boolean values, where the array index corresponds to
1283 the User Priority (0 - 7) and the value indicates whether or not
1284 the priority may use all of the bandwidth allocated to its assigned
1285 group.
1286
1287 Format: array of uint32
1288
1289 priority-traffic-class
1290 An array of 8 uint values, where the array index corresponds to the
1291 User Priority (0 - 7) and the value indicates the traffic class (0
1292 - 7) to which the priority is mapped.
1293
1294 Format: array of uint32
1295
1296 ethtool setting
1297 Ethtool Ethernet Settings.
1298
1299 Properties:
1300
1301 coalesce-adaptive-rx
1302
1303 coalesce-adaptive-tx
1304
1305 coalesce-pkt-rate-high
1306
1307 coalesce-pkt-rate-low
1308
1309 coalesce-rx-frames
1310
1311 coalesce-rx-frames-high
1312
1313 coalesce-rx-frames-irq
1314
1315 coalesce-rx-frames-low
1316
1317 coalesce-rx-usecs
1318
1319 coalesce-rx-usecs-high
1320
1321 coalesce-rx-usecs-irq
1322
1323 coalesce-rx-usecs-low
1324
1325 coalesce-sample-interval
1326
1327 coalesce-stats-block-usecs
1328
1329 coalesce-tx-frames
1330
1331 coalesce-tx-frames-high
1332
1333 coalesce-tx-frames-irq
1334
1335 coalesce-tx-frames-low
1336
1337 coalesce-tx-usecs
1338
1339 coalesce-tx-usecs-high
1340
1341 coalesce-tx-usecs-irq
1342
1343 coalesce-tx-usecs-low
1344
1345 feature-esp-hw-offload
1346
1347 feature-esp-tx-csum-hw-offload
1348
1349 feature-fcoe-mtu
1350
1351 feature-gro
1352
1353 feature-gso
1354
1355 feature-highdma
1356
1357 feature-hw-tc-offload
1358
1359 feature-l2-fwd-offload
1360
1361 feature-loopback
1362
1363 feature-lro
1364
1365 feature-macsec-hw-offload
1366
1367 feature-ntuple
1368
1369 feature-rx
1370
1371 feature-rx-all
1372
1373 feature-rx-fcs
1374
1375 feature-rx-gro-hw
1376
1377 feature-rx-gro-list
1378
1379 feature-rx-udp-gro-forwarding
1380
1381 feature-rx-udp_tunnel-port-offload
1382
1383 feature-rx-vlan-filter
1384
1385 feature-rx-vlan-stag-filter
1386
1387 feature-rx-vlan-stag-hw-parse
1388
1389 feature-rxhash
1390
1391 feature-rxvlan
1392
1393 feature-sg
1394
1395 feature-tls-hw-record
1396
1397 feature-tls-hw-rx-offload
1398
1399 feature-tls-hw-tx-offload
1400
1401 feature-tso
1402
1403 feature-tx
1404
1405 feature-tx-checksum-fcoe-crc
1406
1407 feature-tx-checksum-ip-generic
1408
1409 feature-tx-checksum-ipv4
1410
1411 feature-tx-checksum-ipv6
1412
1413 feature-tx-checksum-sctp
1414
1415 feature-tx-esp-segmentation
1416
1417 feature-tx-fcoe-segmentation
1418
1419 feature-tx-gre-csum-segmentation
1420
1421 feature-tx-gre-segmentation
1422
1423 feature-tx-gso-list
1424
1425 feature-tx-gso-partial
1426
1427 feature-tx-gso-robust
1428
1429 feature-tx-ipxip4-segmentation
1430
1431 feature-tx-ipxip6-segmentation
1432
1433 feature-tx-nocache-copy
1434
1435 feature-tx-scatter-gather
1436
1437 feature-tx-scatter-gather-fraglist
1438
1439 feature-tx-sctp-segmentation
1440
1441 feature-tx-tcp-ecn-segmentation
1442
1443 feature-tx-tcp-mangleid-segmentation
1444
1445 feature-tx-tcp-segmentation
1446
1447 feature-tx-tcp6-segmentation
1448
1449 feature-tx-tunnel-remcsum-segmentation
1450
1451 feature-tx-udp-segmentation
1452
1453 feature-tx-udp_tnl-csum-segmentation
1454
1455 feature-tx-udp_tnl-segmentation
1456
1457 feature-tx-vlan-stag-hw-insert
1458
1459 feature-txvlan
1460
1461 pause-autoneg
1462 Whether to automatically negotiate on pause frame of flow control
1463 mechanism defined by IEEE 802.3x standard.
1464
1465 pause-rx
1466 Whether RX pause should be enabled. Only valid when automatic
1467 negotiation is disabled.
1468
1469 pause-tx
1470 Whether TX pause should be enabled. Only valid when automatic
1471 negotiation is disabled.
1472
1473 ring-rx
1474
1475 ring-rx-jumbo
1476
1477 ring-rx-mini
1478
1479 ring-tx
1480
1481 gsm setting
1482 GSM-based Mobile Broadband Settings.
1483
1484 Properties:
1485
1486 apn
1487 Alias: apn
1488
1489 The GPRS Access Point Name specifying the APN used when
1490 establishing a data session with the GSM-based network. The APN
1491 often determines how the user will be billed for their network
1492 usage and whether the user has access to the Internet or just a
1493 provider-specific walled-garden, so it is important to use the
1494 correct APN for the user's mobile broadband plan. The APN may only
1495 be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1496 Section 14.9.
1497
1498 Format: string
1499
1500 auto-config
1501 When TRUE, the settings such as APN, username, or password will
1502 default to values that match the network the modem will register to
1503 in the Mobile Broadband Provider database.
1504
1505 Format: boolean
1506
1507 device-id
1508 The device unique identifier (as given by the WWAN management
1509 service) which this connection applies to. If given, the connection
1510 will only apply to the specified device.
1511
1512 Format: string
1513
1514 home-only
1515 When TRUE, only connections to the home network will be allowed.
1516 Connections to roaming networks will not be made.
1517
1518 Format: boolean
1519
1520 mtu
1521 If non-zero, only transmit packets of the specified size or
1522 smaller, breaking larger packets up into multiple frames.
1523
1524 Format: uint32
1525
1526 network-id
1527 The Network ID (GSM LAI format, ie MCC-MNC) to force specific
1528 network registration. If the Network ID is specified,
1529 NetworkManager will attempt to force the device to register only on
1530 the specified network. This can be used to ensure that the device
1531 does not roam when direct roaming control of the device is not
1532 otherwise possible.
1533
1534 Format: string
1535
1536 number
1537 Legacy setting that used to help establishing PPP data sessions for
1538 GSM-based modems. Deprecated: 1
1539
1540 Format: string
1541
1542 password
1543 Alias: password
1544
1545 The password used to authenticate with the network, if required.
1546 Many providers do not require a password, or accept any password.
1547 But if a password is required, it is specified here.
1548
1549 Format: string
1550
1551 password-flags
1552 Flags indicating how to handle the "password" property. See the
1553 section called “Secret flag types:” for flag values.
1554
1555 Format: NMSettingSecretFlags (uint32)
1556
1557 pin
1558 If the SIM is locked with a PIN it must be unlocked before any
1559 other operations are requested. Specify the PIN here to allow
1560 operation of the device.
1561
1562 Format: string
1563
1564 pin-flags
1565 Flags indicating how to handle the "pin" property. See the section
1566 called “Secret flag types:” for flag values.
1567
1568 Format: NMSettingSecretFlags (uint32)
1569
1570 sim-id
1571 The SIM card unique identifier (as given by the WWAN management
1572 service) which this connection applies to. If given, the connection
1573 will apply to any device also allowed by "device-id" which contains
1574 a SIM card matching the given identifier.
1575
1576 Format: string
1577
1578 sim-operator-id
1579 A MCC/MNC string like "310260" or "21601" identifying the specific
1580 mobile network operator which this connection applies to. If given,
1581 the connection will apply to any device also allowed by "device-id"
1582 and "sim-id" which contains a SIM card provisioned by the given
1583 operator.
1584
1585 Format: string
1586
1587 username
1588 Alias: user
1589
1590 The username used to authenticate with the network, if required.
1591 Many providers do not require a username, or accept any username.
1592 But if a username is required, it is specified here.
1593
1594 Format: string
1595
1596 infiniband setting
1597 Infiniband Settings.
1598
1599 Properties:
1600
1601 mac-address
1602 Alias: mac
1603
1604 If specified, this connection will only apply to the IPoIB device
1605 whose permanent MAC address matches. This property does not change
1606 the MAC address of the device (i.e. MAC spoofing).
1607
1608 Format: byte array
1609
1610 mtu
1611 Alias: mtu
1612
1613 If non-zero, only transmit packets of the specified size or
1614 smaller, breaking larger packets up into multiple frames.
1615
1616 Format: uint32
1617
1618 p-key
1619 Alias: p-key
1620
1621 The InfiniBand P_Key to use for this device. A value of -1 means to
1622 use the default P_Key (aka "the P_Key at index 0"). Otherwise, it
1623 is a 16-bit unsigned integer, whose high bit is set if it is a
1624 "full membership" P_Key.
1625
1626 Format: int32
1627
1628 parent
1629 Alias: parent
1630
1631 The interface name of the parent device of this device. Normally
1632 NULL, but if the "p_key" property is set, then you must specify the
1633 base device by setting either this property or "mac-address".
1634
1635 Format: string
1636
1637 transport-mode
1638 Alias: transport-mode
1639
1640 The IP-over-InfiniBand transport mode. Either "datagram" or
1641 "connected".
1642
1643 Format: string
1644
1645 ipv4 setting
1646 IPv4 Settings.
1647
1648 Properties:
1649
1650 addresses
1651 Alias: ip4
1652
1653 A list of IPv4 addresses and their prefix length. Multiple
1654 addresses can be separated by comma. For example "192.168.1.5/24,
1655 10.1.0.5/24". The addresses are listed in decreasing priority,
1656 meaning the first address will be the primary address.
1657
1658 Format: a comma separated list of addresses
1659
1660 dad-timeout
1661 Timeout in milliseconds used to check for the presence of duplicate
1662 IP addresses on the network. If an address conflict is detected,
1663 the activation will fail. A zero value means that no duplicate
1664 address detection is performed, -1 means the default value (either
1665 configuration ipvx.dad-timeout override or zero). A value greater
1666 than zero is a timeout in milliseconds. The property is currently
1667 implemented only for IPv4.
1668
1669 Format: int32
1670
1671 dhcp-client-id
1672 A string sent to the DHCP server to identify the local machine
1673 which the DHCP server may use to customize the DHCP lease and
1674 options. When the property is a hex string ('aa:bb:cc') it is
1675 interpreted as a binary client ID, in which case the first byte is
1676 assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1677 remaining bytes may be a hardware address (e.g.
1678 '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1679 rest is a MAC address). If the property is not a hex string it is
1680 considered as a non-hardware-address client ID and the 'type' field
1681 is set to 0. The special values "mac" and "perm-mac" are supported,
1682 which use the current or permanent MAC address of the device to
1683 generate a client identifier with type ethernet (01). Currently,
1684 these options only work for ethernet type of links. The special
1685 value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid" property as
1686 an RFC4361-compliant client identifier. As IAID it uses
1687 "ipv4.dhcp-iaid" and falls back to "ipv6.dhcp-iaid" if unset. The
1688 special value "duid" generates a RFC4361-compliant client
1689 identifier based on "ipv4.dhcp-iaid" and uses a DUID generated by
1690 hashing /etc/machine-id. The special value "stable" is supported to
1691 generate a type 0 client identifier based on the stable-id (see
1692 connection.stable-id) and a per-host key. If you set the stable-id,
1693 you may want to include the "${DEVICE}" or "${MAC}" specifier to
1694 get a per-device key. If unset, a globally configured default is
1695 used. If still unset, the default depends on the DHCP plugin.
1696
1697 Format: string
1698
1699 dhcp-fqdn
1700 If the "dhcp-send-hostname" property is TRUE, then the specified
1701 FQDN will be sent to the DHCP server when acquiring a lease. This
1702 property and "dhcp-hostname" are mutually exclusive and cannot be
1703 set at the same time.
1704
1705 Format: string
1706
1707 dhcp-hostname
1708 If the "dhcp-send-hostname" property is TRUE, then the specified
1709 name will be sent to the DHCP server when acquiring a lease. This
1710 property and "dhcp-fqdn" are mutually exclusive and cannot be set
1711 at the same time.
1712
1713 Format: string
1714
1715 dhcp-hostname-flags
1716 Flags for the DHCP hostname and FQDN. Currently, this property only
1717 includes flags to control the FQDN flags set in the DHCP FQDN
1718 option. Supported FQDN flags are
1719 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1720 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1721 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1722 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1723 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1724 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1725 the standard FQDN flags are set in the request:
1726 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1727 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1728 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1729 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1730 (0x0), a global default is looked up in NetworkManager
1731 configuration. If that value is unset or also
1732 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1733 described above are sent in the DHCP requests.
1734
1735 Format: uint32
1736
1737 dhcp-iaid
1738 A string containing the "Identity Association Identifier" (IAID)
1739 used by the DHCP client. The property is a 32-bit decimal value or
1740 a special value among "mac", "perm-mac", "ifname" and "stable".
1741 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1742 (or permanent) MAC address are used as IAID. When set to "ifname",
1743 the IAID is computed by hashing the interface name. The special
1744 value "stable" can be used to generate an IAID based on the
1745 stable-id (see connection.stable-id), a per-host key and the
1746 interface name. When the property is unset, the value from global
1747 configuration is used; if no global default is set then the IAID is
1748 assumed to be "ifname". Note that at the moment this property is
1749 ignored for IPv6 by dhclient, which always derives the IAID from
1750 the MAC address.
1751
1752 Format: string
1753
1754 dhcp-reject-servers
1755 Array of servers from which DHCP offers must be rejected. This
1756 property is useful to avoid getting a lease from misconfigured or
1757 rogue servers. For DHCPv4, each element must be an IPv4 address,
1758 optionally followed by a slash and a prefix length (e.g.
1759 "192.168.122.0/24"). This property is currently not implemented for
1760 DHCPv6.
1761
1762 Format: array of string
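
How a "dhcp-reject-servers" list partitions DHCPv4 offers, as an added example (not NetworkManager code). It validates each element as an IPv4 address with an optional prefix length and then sorts constructed offers into accepted and rejected. Assumptions: an element with a prefix length matches every server address inside that prefix, host bits in such an element are ignored, and the offer tuples and function names are made up for the example.

```python
import ipaddress


def parse_reject_servers(elements):
    """Return (networks, invalid) for a dhcp-reject-servers array."""
    networks, invalid = [], []
    for raw in elements:
        try:
            # strict=False tolerates host bits, e.g. "192.168.122.1/24".
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            invalid.append(raw)
            continue
        if net.version != 4:
            # The property is not implemented for DHCPv6.
            invalid.append(raw)
            continue
        networks.append(net)
    return networks, invalid


def triage_offers(offers, reject_elements):
    """Split (server, offered_address) pairs into accepted and rejected."""
    networks, invalid = parse_reject_servers(reject_elements)
    if invalid:
        raise ValueError(f"invalid dhcp-reject-servers element(s): {invalid}")
    accepted, rejected = [], []
    for server, offered in offers:
        server_addr = ipaddress.IPv4Address(server)
        if any(server_addr in net for net in networks):
            rejected.append((server, offered))
        else:
            accepted.append((server, offered))
    return accepted, rejected


# Constructed sample: DHCP server address and the address it offered.
SAMPLE_OFFERS = [
    ("192.168.1.1", "192.168.1.50"),
    ("192.168.122.1", "192.168.122.77"),
    ("10.0.0.5", "10.0.0.200"),
]
SAMPLE_REJECT = ["192.168.122.0/24", "10.0.0.5"]

if __name__ == "__main__":
    accepted, rejected = triage_offers(SAMPLE_OFFERS, SAMPLE_REJECT)
    print("accepted:", accepted)
    print("rejected:", rejected)
```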
1763
1764 dhcp-send-hostname
1765 If TRUE, a hostname is sent to the DHCP server when acquiring a
1766 lease. Some DHCP servers use this hostname to update DNS databases,
1767 essentially providing a static hostname for the computer. If the
1768 "dhcp-hostname" property is NULL and this property is TRUE, the
1769 current persistent hostname of the computer is sent.
1770
1771 Format: boolean
1772
1773 dhcp-timeout
1774 A timeout for a DHCP transaction in seconds. If zero (the default),
1775 a globally configured default is used. If still unspecified, a
1776 device specific timeout is used (usually 45 seconds). Set to
1777 2147483647 (MAXINT32) for infinity.
1778
1779 Format: int32
1780
1781 dhcp-vendor-class-identifier
1782 The Vendor Class Identifier DHCP option (60). Special characters in
1783 the data string may be escaped using C-style escapes, nevertheless
1784 this property cannot contain nul bytes. If the per-profile value is
1785 unspecified (the default), a global connection default gets
1786 consulted. If still unspecified, the DHCP option is not sent to the
1787 server. Since 1.28
1788
1789 Format: string
1790
1791 dns
1792 Array of IP addresses of DNS servers.
1793
1794 Format: array of uint32
1795
1796 dns-options
1797 Array of DNS options as described in man 5 resolv.conf. NULL means
1798 that the options are unset and left at the default. In this case
1799 NetworkManager will use default options. This is distinct from an
1800 empty list of properties. The currently supported options are
1801 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
1802 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
1803 "no-reload", "no-tld-query", "rotate", "single-request",
1804 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
1805 "trust-ad" setting is only honored if the profile contributes name
1806 servers to resolv.conf, and if all contributing profiles have
1807 "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
1808 systemd-resolved in NetworkManager.conf) then "edns0" and
1809 "trust-ad" are automatically added.
1810
1811 Format: array of string
1812
1813 dns-priority
DNS servers priority. The relative priority for DNS servers
specified by this setting. A lower numerical value is better
(higher priority). Negative values have the special effect of
excluding other configurations with a greater numerical priority
value; so in presence of at least one negative priority, only DNS
servers from connections with the lowest priority value will be
used. To avoid all DNS leaks, set the priority of the profile that
should be used to the most negative value of all active connection
profiles.

Zero selects a globally configured default value. If the latter is
missing or zero too, it defaults to 50 for VPNs (including
WireGuard) and 100 for other connections.

Note that the priority is used to order DNS settings for multiple
active connections. It does not disambiguate multiple DNS servers
within the same connection profile.

When multiple devices have configurations with the same priority,
VPNs will be considered first, then devices with the best (lowest
metric) default route and then all other devices.

When using dns=default, servers with higher priority will be on top
of resolv.conf. To prioritize a given server over another one
within the same connection, just specify them in the desired order.
Note that commonly the resolver tries name servers in
/etc/resolv.conf in the order listed, proceeding with the next
server in the list on failure. See for example the "rotate" option
of the dns-options setting. If there are any negative DNS
priorities, then only name servers from the devices with that
lowest priority will be considered.

When using a DNS resolver that supports Conditional Forwarding or
Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each
connection is used to query domains in its search list. The search
domains determine which name servers to ask, and the DNS priority
is used to prioritize name servers based on the domain. Queries for
domains not present in any search list are routed through
connections having the '~.' special wildcard domain, which is added
automatically to connections with the default route (or can be
added manually). When multiple connections specify the same domain,
the one with the best priority (lowest numerical value) wins. If a
sub domain is configured on another interface it will be accepted
regardless of the priority, unless the parent domain on the other
interface has a negative priority, which causes the sub domain to
be shadowed. With Split DNS one can avoid undesired DNS leaks by
properly configuring DNS priorities and the search domains, so that
only name servers of the desired interface are configured.
1855
1856 Format: int32
1857
1858 dns-search
1859 Array of DNS search domains. Domains starting with a tilde ('~')
1860 are considered 'routing' domains and are used only to decide the
1861 interface over which a query must be forwarded; they are not used
1862 to complete unqualified host names. When using a DNS plugin that
1863 supports Conditional Forwarding or Split DNS, then the search
1864 domains specify which name servers to query. This makes the
1865 behavior different from running with plain /etc/resolv.conf. For
1866 more information see also the dns-priority setting.
1867
1868 Format: array of string
1869
1870 gateway
1871 Alias: gw4
1872
The gateway associated with this configuration. This is only
meaningful if "addresses" is also set. The gateway's main purpose
is to control the next hop of the standard default route on the
device. Hence, the gateway property conflicts with "never-default"
and will be automatically dropped if the IP configuration is set to
never-default. As an alternative to setting the gateway, configure
a static default route with /0 as prefix length.
1880
1881 Format: string
1882
1883 ignore-auto-dns
1884 When "method" is set to "auto" and this property to TRUE,
1885 automatically configured name servers and search domains are
1886 ignored and only name servers and search domains specified in the
1887 "dns" and "dns-search" properties, if any, are used.
1888
1889 Format: boolean
1890
1891 ignore-auto-routes
1892 When "method" is set to "auto" and this property to TRUE,
1893 automatically configured routes are ignored and only routes
1894 specified in the "routes" property, if any, are used.
1895
1896 Format: boolean
1897
1898 may-fail
1899 If TRUE, allow overall network configuration to proceed even if the
1900 configuration specified by this property times out. Note that at
1901 least one IP configuration must succeed or overall network
1902 configuration will still fail. For example, in IPv6-only networks,
1903 setting this property to TRUE on the NMSettingIP4Config allows the
1904 overall network configuration to succeed if IPv4 configuration
1905 fails but IPv6 configuration completes successfully.
1906
1907 Format: boolean
1908
1909 method
1910 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
1911 both support "disabled", "auto", "manual", and "link-local". See
1912 the subclass-specific documentation for other values. In general,
1913 for the "auto" method, properties such as "dns" and "routes"
1914 specify information that is added on to the information returned
1915 from automatic configuration. The "ignore-auto-routes" and
1916 "ignore-auto-dns" properties modify this behavior. For methods that
1917 imply no upstream network, such as "shared" or "link-local", these
1918 properties must be empty. For IPv4 method "shared", the IP subnet
1919 can be configured by adding one manual IPv4 address or otherwise
1920 10.42.x.0/24 is chosen. Note that the shared method must be
1921 configured on the interface which shares the internet to a subnet,
1922 not on the uplink which is shared.
1923
1924 Format: string
1925
1926 never-default
1927 If TRUE, this connection will never be the default connection for
1928 this IP type, meaning it will never be assigned the default route
1929 by NetworkManager.
1930
1931 Format: boolean
1932
1933 required-timeout
The minimum time interval in milliseconds for which dynamic IP
configuration should be tried before the connection succeeds. This
property is useful for example if both IPv4 and IPv6 are enabled
and are allowed to fail. Normally the connection succeeds as soon
as one of the two address families completes; by setting a required
timeout for e.g. IPv4, one can ensure that even if IPv6 succeeds
earlier than IPv4, NetworkManager waits some time for IPv4 before
the connection becomes active. Note that if "may-fail" is FALSE for
the same address family, this property has no effect as
NetworkManager needs to wait for the full DHCP timeout. A zero
value means that no required timeout is present, -1 means the
default value (either configuration ipvx.required-timeout override
or zero).
1947
1948 Format: int32
1949
1950 route-metric
The default metric for routes that don't explicitly specify a
metric. The default value -1 means that the metric is chosen
automatically based on the device type. The metric applies to
dynamic routes, manual (static) routes that don't have an explicit
metric setting, address prefix routes, and the default route. Note
that for IPv6, the kernel accepts zero (0) but coerces it to 1024
(user default). Hence, setting this property to zero effectively
means setting it to 1024. For IPv4, zero is a regular value for the
metric.
1960
1961 Format: int64
1962
1963 route-table
1964 Enable policy routing (source routing) and set the routing table
1965 used when adding routes. This affects all routes, including
1966 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
1967 routes. But note that static routes can individually overwrite the
1968 setting by explicitly specifying a non-zero routing table. If the
1969 table setting is left at zero, it is eligible to be overwritten via
1970 global configuration. If the property is zero even after applying
1971 the global configuration value, policy routing is disabled for the
1972 address family of this connection. Policy routing disabled means
1973 that NetworkManager will add all routes to the main table (except
1974 static routes that explicitly configure a different table).
1975 Additionally, NetworkManager will not delete any extraneous routes
1976 from tables except the main table. This is to preserve backward
1977 compatibility for users who manage routing tables outside of
1978 NetworkManager.
1979
1980 Format: uint32
1981
1982 routes
1983 A list of IPv4 destination addresses, prefix length, optional IPv4
1984 next hop addresses, optional route metric, optional attribute. The
1985 valid syntax is: "ip[/prefix] [next-hop] [metric]
1986 [attribute=val]...[,ip[/prefix]...]". For example "192.0.2.0/24
1987 10.1.1.1 77, 198.51.100.0/24".
1988
1989 Various attributes are supported:
1990
1991 • "cwnd" - an unsigned 32 bit integer.
1992
1993 • "initcwnd" - an unsigned 32 bit integer.
1994
1995 • "initrwnd" - an unsigned 32 bit integer.
1996
1997 • "lock-cwnd" - a boolean value.
1998
1999 • "lock-initcwnd" - a boolean value.
2000
2001 • "lock-initrwnd" - a boolean value.
2002
2003 • "lock-mtu" - a boolean value.
2004
2005 • "lock-window" - a boolean value.
2006
2007 • "mtu" - an unsigned 32 bit integer.
2008
2009 • "onlink" - a boolean value.
2010
2011 • "scope" - an unsigned 8 bit integer. IPv4 only.
2012
2013 • "src" - an IPv4 address.
2014
2015 • "table" - an unsigned 32 bit integer. The default depends on
2016 ipv4.route-table.
2017
2018 • "tos" - an unsigned 8 bit integer. IPv4 only.
2019
2020 • "type" - one of unicast, local, blackhole, unavailable,
2021 prohibit, throw. The default is unicast.
2022
2023 • "window" - an unsigned 32 bit integer.
2024
2025 For details see also `man ip-route`.
2026
2027 Format: a comma separated list of routes
2028
2029 routing-rules
2030 A comma separated list of routing rules for policy routing. The
2031 format is based on ip rule add syntax and mostly compatible. One
2032 difference is that routing rules in NetworkManager always need a
2033 fixed priority.
2034
2035 Example: priority 5 from 192.167.4.0/24 table 45
2036
2037 Format: a comma separated list of routing rules
2038
2039 ipv6 setting
2040 IPv6 Settings.
2041
2042 Properties:
2043
2044 addr-gen-mode
Configure method for creating the address for use with RFC4862 IPv6
Stateless Address Autoconfiguration. The permitted values are:
NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0) or
NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1).

If the property is set to EUI64, the addresses will be generated
using the interface tokens derived from the hardware address. This
keeps the host part of the address constant, making it possible to
track the host's presence when it changes networks. The address
changes when the interface hardware is replaced.

The value of stable-privacy enables use of a cryptographically
secure hash of a secret host-specific key along with the
connection's stable-id and the network address as specified by
RFC7217. This makes it impossible to use the address to track the
host's presence, and makes the address stable when the network
interface hardware is replaced.

On D-Bus, the absence of an addr-gen-mode setting equals enabling
stable-privacy. For keyfile plugin, the absence of the setting on
disk means EUI64 so that the property doesn't change on upgrade
from older versions.

Note that this setting is distinct from the Privacy Extensions as
configured by "ip6-privacy" property and it does not affect the
temporary addresses configured with this option.
2066
2067 Format: int32
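The difference between the two addr-gen-mode values, as an added example that is not NetworkManager code. The EUI-64 derivation is the standard one; the stable-privacy function only follows the RFC 7217 shape (hash of prefix, interface, network id, counter and secret), and its byte layout, the key and the stable-id are constructed assumptions.

```python
import hashlib
import ipaddress


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier derived from a 48-bit MAC."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02                      # invert the universal/local bit
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def stable_privacy_iid(prefix: str, ifname: str, stable_id: str,
                       secret_key: bytes, dad_counter: int = 0) -> bytes:
    """RFC 7217 style identifier: a hash over the prefix, the interface,
    a network id (here the stable-id) and a host secret. The MAC address
    is deliberately not an input. Field encoding is an assumption."""
    net = ipaddress.IPv6Network(prefix)
    digest = hashlib.sha256()
    for field in (net.network_address.packed[:8], ifname.encode(),
                  stable_id.encode(), bytes([dad_counter]), secret_key):
        digest.update(len(field).to_bytes(2, "big") + field)
    return digest.digest()[-8:]            # least significant 64 bits


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def trackable(addresses) -> bool:
    """True if all addresses share one host part, so an observer can link
    the host across the networks it visits."""
    return len({addr.packed[8:] for addr in addresses}) == 1


# Constructed sample values (documentation prefixes, made-up key and ids).
MAC = "00:11:22:33:44:55"
PREFIXES = ["2001:db8:a::/64", "2001:db8:b::/64"]
SECRET = b"constructed-host-secret"
STABLE_ID = "constructed-stable-id"


def eui64_addresses():
    return [slaac_address(p, eui64_iid(MAC)) for p in PREFIXES]


def stable_privacy_addresses():
    return [slaac_address(p, stable_privacy_iid(p, "eth0", STABLE_ID, SECRET))
            for p in PREFIXES]


if __name__ == "__main__":
    for label, addrs in (("eui64", eui64_addresses()),
                         ("stable-privacy", stable_privacy_addresses())):
        print(label, [str(a) for a in addrs], "trackable:", trackable(addrs))
```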
2068
2069 addresses
2070 Alias: ip6
2071
2072 A list of IPv6 addresses and their prefix length. Multiple
2073 addresses can be separated by comma. For example
2074 "2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64". The
2075 addresses are listed in decreasing priority, meaning the first
2076 address will be the primary address. This can make a difference
2077 with IPv6 source address selection (RFC 6724, section 5).
2078
2079 Format: a comma separated list of addresses
2080
2081 dhcp-duid
2082 A string containing the DHCPv6 Unique Identifier (DUID) used by the
2083 dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
2084 DUID is carried in the Client Identifier option. If the property is
2085 a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
2086 filled as an opaque value in the Client Identifier option. The
2087 special value "lease" will retrieve the DUID previously used from
2088 the lease file belonging to the connection. If no DUID is found and
2089 "dhclient" is the configured dhcp client, the DUID is searched in
2090 the system-wide dhclient lease file. If still no DUID is found, or
2091 another dhcp client is used, a global and permanent DUID-UUID (RFC
2092 6355) will be generated based on the machine-id. The special values
2093 "llt" and "ll" will generate a DUID of type LLT or LL (see RFC
2094 3315) based on the current MAC address of the device. In order to
2095 try providing a stable DUID-LLT, the time field will contain a
2096 constant timestamp that is used globally (for all profiles) and
2097 persisted to disk. The special values "stable-llt", "stable-ll" and
2098 "stable-uuid" will generate a DUID of the corresponding type,
2099 derived from the connection's stable-id and a per-host unique key.
2100 You may want to include the "${DEVICE}" or "${MAC}" specifier in
2101 the stable-id, in case this profile gets activated on multiple
2102 devices. So, the link-layer address of "stable-ll" and "stable-llt"
2103 will be a generated address derived from the stable id. The
2104 DUID-LLT time value in the "stable-llt" option will be picked among
2105 a static timespan of three years (the upper bound of the interval
2106 is the same constant timestamp used in "llt"). When the property is
2107 unset, the global value provided for "ipv6.dhcp-duid" is used. If
2108 no global value is provided, the default "lease" value is assumed.
2109
2110 Format: string
2111
2112 dhcp-hostname
2113 If the "dhcp-send-hostname" property is TRUE, then the specified
2114 name will be sent to the DHCP server when acquiring a lease. This
2115 property and "dhcp-fqdn" are mutually exclusive and cannot be set
2116 at the same time.
2117
2118 Format: string
2119
2120 dhcp-hostname-flags
2121 Flags for the DHCP hostname and FQDN. Currently, this property only
2122 includes flags to control the FQDN flags set in the DHCP FQDN
2123 option. Supported FQDN flags are
2124 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2125 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
2126 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
2127 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
2128 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
2129 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
2130 the standard FQDN flags are set in the request:
2131 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2132 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
2133 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
2134 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
2135 (0x0), a global default is looked up in NetworkManager
2136 configuration. If that value is unset or also
2137 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
2138 described above are sent in the DHCP requests.
2139
2140 Format: uint32
2141
2142 dhcp-iaid
2143 A string containing the "Identity Association Identifier" (IAID)
2144 used by the DHCP client. The property is a 32-bit decimal value or
2145 a special value among "mac", "perm-mac", "ifname" and "stable".
2146 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
2147 (or permanent) MAC address are used as IAID. When set to "ifname",
2148 the IAID is computed by hashing the interface name. The special
2149 value "stable" can be used to generate an IAID based on the
2150 stable-id (see connection.stable-id), a per-host key and the
2151 interface name. When the property is unset, the value from global
2152 configuration is used; if no global default is set then the IAID is
2153 assumed to be "ifname". Note that at the moment this property is
2154 ignored for IPv6 by dhclient, which always derives the IAID from
2155 the MAC address.
2156
2157 Format: string
2158
2159 dhcp-send-hostname
2160 If TRUE, a hostname is sent to the DHCP server when acquiring a
2161 lease. Some DHCP servers use this hostname to update DNS databases,
2162 essentially providing a static hostname for the computer. If the
2163 "dhcp-hostname" property is NULL and this property is TRUE, the
2164 current persistent hostname of the computer is sent.
2165
2166 Format: boolean
2167
2168 dhcp-timeout
2169 A timeout for a DHCP transaction in seconds. If zero (the default),
2170 a globally configured default is used. If still unspecified, a
2171 device specific timeout is used (usually 45 seconds). Set to
2172 2147483647 (MAXINT32) for infinity.
2173
2174 Format: int32
2175
2176 dns
2177 Array of IP addresses of DNS servers.
2178
2179 Format: array of byte array
2180
2181 dns-options
2182 Array of DNS options as described in man 5 resolv.conf. NULL means
2183 that the options are unset and left at the default. In this case
2184 NetworkManager will use default options. This is distinct from an
2185 empty list of properties. The currently supported options are
2186 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
2187 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
2188 "no-reload", "no-tld-query", "rotate", "single-request",
2189 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
2190 "trust-ad" setting is only honored if the profile contributes name
2191 servers to resolv.conf, and if all contributing profiles have
2192 "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
2193 systemd-resolved in NetworkManager.conf) then "edns0" and
2194 "trust-ad" are automatically added.
2195
2196 Format: array of string
2197
2198 dns-priority
DNS servers priority. The relative priority for DNS servers
specified by this setting. A lower numerical value is better
(higher priority). Negative values have the special effect of
excluding other configurations with a greater numerical priority
value; so in presence of at least one negative priority, only DNS
servers from connections with the lowest priority value will be
used. To avoid all DNS leaks, set the priority of the profile that
should be used to the most negative value of all active connection
profiles.

Zero selects a globally configured default value. If the latter is
missing or zero too, it defaults to 50 for VPNs (including
WireGuard) and 100 for other connections.

Note that the priority is used to order DNS settings for multiple
active connections. It does not disambiguate multiple DNS servers
within the same connection profile.

When multiple devices have configurations with the same priority,
VPNs will be considered first, then devices with the best (lowest
metric) default route and then all other devices.

When using dns=default, servers with higher priority will be on top
of resolv.conf. To prioritize a given server over another one
within the same connection, just specify them in the desired order.
Note that commonly the resolver tries name servers in
/etc/resolv.conf in the order listed, proceeding with the next
server in the list on failure. See for example the "rotate" option
of the dns-options setting. If there are any negative DNS
priorities, then only name servers from the devices with that
lowest priority will be considered.

When using a DNS resolver that supports Conditional Forwarding or
Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each
connection is used to query domains in its search list. The search
domains determine which name servers to ask, and the DNS priority
is used to prioritize name servers based on the domain. Queries for
domains not present in any search list are routed through
connections having the '~.' special wildcard domain, which is added
automatically to connections with the default route (or can be
added manually). When multiple connections specify the same domain,
the one with the best priority (lowest numerical value) wins. If a
sub domain is configured on another interface it will be accepted
regardless of the priority, unless the parent domain on the other
interface has a negative priority, which causes the sub domain to
be shadowed. With Split DNS one can avoid undesired DNS leaks by
properly configuring DNS priorities and the search domains, so that
only name servers of the desired interface are configured.
2240
2241 Format: int32
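The dns-priority rules for the dns=default (plain resolv.conf) case, described identically under the ipv4 and ipv6 settings, worked through as an added example that is not NetworkManager code. The ActiveProfile class, the function names and the sample profiles are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

DEFAULT_VPN_PRIORITY = 50      # stated default for VPNs (including WireGuard)
DEFAULT_OTHER_PRIORITY = 100   # stated default for other connections


@dataclass
class ActiveProfile:
    """Hypothetical view of one active connection (not an NM type)."""
    name: str
    servers: List[str]
    dns_priority: int = 0                       # 0 selects the default
    is_vpn: bool = False
    default_route_metric: Optional[int] = None  # None: no default route


def effective_priority(profile, global_default=0):
    """Resolve 0 to the global default, then to the 50/100 built-ins."""
    if profile.dns_priority != 0:
        return profile.dns_priority
    if global_default != 0:
        return global_default
    return DEFAULT_VPN_PRIORITY if profile.is_vpn else DEFAULT_OTHER_PRIORITY


def _rank(profile, global_default):
    """Lower priority first; ties: VPNs, then best default route, then rest."""
    if profile.is_vpn:
        tie = (0, 0)
    elif profile.default_route_metric is not None:
        tie = (1, profile.default_route_metric)
    else:
        tie = (2, 0)
    return (effective_priority(profile, global_default), tie)


def resolv_conf_servers(profiles, global_default=0):
    """Return [(server, profile name)] in the order they would be listed."""
    ranked = sorted(profiles, key=lambda p: _rank(p, global_default))
    if ranked:
        best = effective_priority(ranked[0], global_default)
        if best < 0:   # a negative priority excludes every greater value
            ranked = [p for p in ranked
                      if effective_priority(p, global_default) == best]
    listed, seen = [], set()
    for profile in ranked:
        for server in profile.servers:
            if server not in seen:
                seen.add(server)
                listed.append((server, profile.name))
    return listed


def leaking_profiles(profiles, intended, global_default=0):
    """Names of profiles other than `intended` whose servers get listed."""
    names = {name for _, name in resolv_conf_servers(profiles, global_default)}
    return sorted(names - {intended})


def leak_free_priority(profiles, intended, global_default=0):
    """A priority strictly below every other profile's, and below zero."""
    others = [effective_priority(p, global_default)
              for p in profiles if p.name != intended]
    return min([0] + others) - 1


def pin_dns(profiles, intended, global_default=0):
    """Copy of `profiles` with the intended profile given that priority."""
    prio = leak_free_priority(profiles, intended, global_default)
    return [replace(p, dns_priority=prio) if p.name == intended else p
            for p in profiles]


# Constructed sample: two LAN links and a VPN, all at default priority.
SAMPLE = [
    ActiveProfile("wifi", ["198.51.100.53"], default_route_metric=600),
    ActiveProfile("wired", ["192.0.2.53"], default_route_metric=100),
    ActiveProfile("vpn", ["10.8.0.1"], is_vpn=True),
]

if __name__ == "__main__":
    print("defaults:", resolv_conf_servers(SAMPLE))
    print("leaking :", leaking_profiles(SAMPLE, "vpn"))
    print("pinned  :", resolv_conf_servers(pin_dns(SAMPLE, "vpn")))
```

With default priorities the VPN server is listed first but the LAN resolvers remain as fallbacks; only a negative priority on the VPN profile removes them.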
2242
2243 dns-search
2244 Array of DNS search domains. Domains starting with a tilde ('~')
2245 are considered 'routing' domains and are used only to decide the
2246 interface over which a query must be forwarded; they are not used
2247 to complete unqualified host names. When using a DNS plugin that
2248 supports Conditional Forwarding or Split DNS, then the search
2249 domains specify which name servers to query. This makes the
2250 behavior different from running with plain /etc/resolv.conf. For
2251 more information see also the dns-priority setting.
2252
2253 Format: array of string
2254
2255 gateway
2256 Alias: gw6
2257
The gateway associated with this configuration. This is only
meaningful if "addresses" is also set. The gateway's main purpose
is to control the next hop of the standard default route on the
device. Hence, the gateway property conflicts with "never-default"
and will be automatically dropped if the IP configuration is set to
never-default. As an alternative to setting the gateway, configure
a static default route with /0 as prefix length.
2265
2266 Format: string
2267
2268 ignore-auto-dns
2269 When "method" is set to "auto" and this property to TRUE,
2270 automatically configured name servers and search domains are
2271 ignored and only name servers and search domains specified in the
2272 "dns" and "dns-search" properties, if any, are used.
2273
2274 Format: boolean
2275
2276 ignore-auto-routes
2277 When "method" is set to "auto" and this property to TRUE,
2278 automatically configured routes are ignored and only routes
2279 specified in the "routes" property, if any, are used.
2280
2281 Format: boolean
2282
2283 ip6-privacy
Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
If enabled, it makes the kernel generate a temporary IPv6 address
in addition to the public one generated from MAC address via
modified EUI-64. This enhances privacy, but on the other hand could
cause problems in some applications. The permitted values are: -1:
unknown, 0: disabled, 1: enabled (prefer public address), 2:
enabled (prefer temporary addresses). Having a per-connection
setting set to "-1" (unknown) means falling back to the global
configuration "ipv6.ip6-privacy". If the global configuration is
also unspecified or set to "-1", the fallback is to read
"/proc/sys/net/ipv6/conf/default/use_tempaddr". Note that this
setting is distinct from the Stable Privacy addresses that can be
enabled with the "addr-gen-mode" property's "stable-privacy"
setting as another way of avoiding host tracking with IPv6
addresses.
2299
2300 Format: NMSettingIP6ConfigPrivacy (int32)
2301
2302 may-fail
2303 If TRUE, allow overall network configuration to proceed even if the
2304 configuration specified by this property times out. Note that at
2305 least one IP configuration must succeed or overall network
2306 configuration will still fail. For example, in IPv6-only networks,
2307 setting this property to TRUE on the NMSettingIP4Config allows the
2308 overall network configuration to succeed if IPv4 configuration
2309 fails but IPv6 configuration completes successfully.
2310
2311 Format: boolean
2312
2313 method
2314 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
2315 both support "disabled", "auto", "manual", and "link-local". See
2316 the subclass-specific documentation for other values. In general,
2317 for the "auto" method, properties such as "dns" and "routes"
2318 specify information that is added on to the information returned
2319 from automatic configuration. The "ignore-auto-routes" and
2320 "ignore-auto-dns" properties modify this behavior. For methods that
2321 imply no upstream network, such as "shared" or "link-local", these
2322 properties must be empty. For IPv4 method "shared", the IP subnet
2323 can be configured by adding one manual IPv4 address or otherwise
2324 10.42.x.0/24 is chosen. Note that the shared method must be
2325 configured on the interface which shares the internet to a subnet,
2326 not on the uplink which is shared.
2327
2328 Format: string
2329
2330 never-default
2331 If TRUE, this connection will never be the default connection for
2332 this IP type, meaning it will never be assigned the default route
2333 by NetworkManager.
2334
2335 Format: boolean
2336
2337 ra-timeout
A timeout for waiting for Router Advertisements in seconds. If zero
(the default), a globally configured default is used. If still
unspecified, the timeout depends on the sysctl settings of the
device. Set to 2147483647 (MAXINT32) for infinity.
2342
2343 Format: int32
2344
2345 required-timeout
The minimum time interval in milliseconds for which dynamic IP
configuration should be tried before the connection succeeds. This
property is useful for example if both IPv4 and IPv6 are enabled
and are allowed to fail. Normally the connection succeeds as soon
as one of the two address families completes; by setting a required
timeout for e.g. IPv4, one can ensure that even if IPv6 succeeds
earlier than IPv4, NetworkManager waits some time for IPv4 before
the connection becomes active. Note that if "may-fail" is FALSE for
the same address family, this property has no effect as
NetworkManager needs to wait for the full DHCP timeout. A zero
value means that no required timeout is present, -1 means the
default value (either configuration ipvx.required-timeout override
or zero).
2359
2360 Format: int32
2361
2362 route-metric
The default metric for routes that don't explicitly specify a
metric. The default value -1 means that the metric is chosen
automatically based on the device type. The metric applies to
dynamic routes, manual (static) routes that don't have an explicit
metric setting, address prefix routes, and the default route. Note
that for IPv6, the kernel accepts zero (0) but coerces it to 1024
(user default). Hence, setting this property to zero effectively
means setting it to 1024. For IPv4, zero is a regular value for the
metric.
2372
2373 Format: int64
2374
2375 route-table
2376 Enable policy routing (source routing) and set the routing table
2377 used when adding routes. This affects all routes, including
2378 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
2379 routes. But note that static routes can individually overwrite the
2380 setting by explicitly specifying a non-zero routing table. If the
2381 table setting is left at zero, it is eligible to be overwritten via
2382 global configuration. If the property is zero even after applying
2383 the global configuration value, policy routing is disabled for the
2384 address family of this connection. Policy routing disabled means
2385 that NetworkManager will add all routes to the main table (except
2386 static routes that explicitly configure a different table).
2387 Additionally, NetworkManager will not delete any extraneous routes
2388 from tables except the main table. This is to preserve backward
2389 compatibility for users who manage routing tables outside of
2390 NetworkManager.
2391
2392 Format: uint32
2393
2394 routes
2395 A list of IPv6 destination addresses, prefix length, optional IPv6
2396 next hop addresses, optional route metric, optional attribute. The
2397 valid syntax is: "ip[/prefix] [next-hop] [metric]
2398 [attribute=val]...[,ip[/prefix]...]".
2399
2400 Various attributes are supported:
2401
2402 • "cwnd" - an unsigned 32 bit integer.
2403
2404 • "from" - an IPv6 address with optional prefix. IPv6 only.
2405
2406 • "initcwnd" - an unsigned 32 bit integer.
2407
2408 • "initrwnd" - an unsigned 32 bit integer.
2409
2410 • "lock-cwnd" - a boolean value.
2411
2412 • "lock-initcwnd" - a boolean value.
2413
2414 • "lock-initrwnd" - a boolean value.
2415
2416 • "lock-mtu" - a boolean value.
2417
2418 • "lock-window" - a boolean value.
2419
2420 • "mtu" - an unsigned 32 bit integer.
2421
2422 • "onlink" - a boolean value.
2423
2424 • "src" - an IPv6 address.
2425
2426 • "table" - an unsigned 32 bit integer. The default depends on
2427 ipv6.route-table.
2428
2429 • "type" - one of unicast, local, blackhole, unavailable,
2430 prohibit, throw. The default is unicast.
2431
2432 • "window" - an unsigned 32 bit integer.
2433
2434 For details see also `man ip-route`.
2435
2436 Format: a comma separated list of routes
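A validating parser for the "routes" syntax of both the ipv4 and ipv6 settings, added here as an example for auditing profile values; it is not nmcli's own parser. The function names, the accepted boolean spellings and the review checks are assumptions of this sketch; the attribute tables are taken from the lists above.

```python
import ipaddress

# Attribute tables transcribed from the two "routes" property lists on this page.
UINT_BITS = {"cwnd": 32, "initcwnd": 32, "initrwnd": 32, "mtu": 32,
             "table": 32, "window": 32, "scope": 8, "tos": 8}
BOOL_ATTRS = {"lock-cwnd", "lock-initcwnd", "lock-initrwnd", "lock-mtu",
              "lock-window", "onlink"}
ROUTE_TYPES = {"unicast", "local", "blackhole", "unavailable", "prohibit",
               "throw"}
FAMILY_ONLY = {"scope": 4, "tos": 4, "from": 6}
# Assumption of this sketch: booleans are spelled "true" or "false".
BOOL_WORDS = {"true": True, "false": False}


def _uint(text, bits):
    if not (text.isascii() and text.isdigit()) or int(text) >= 2 ** bits:
        raise ValueError(f"{text!r} is not an unsigned {bits} bit integer")
    return int(text)


def _address(text, family, allow_prefix=False):
    parse = ipaddress.ip_interface if allow_prefix else ipaddress.ip_address
    parsed = parse(text)                     # raises ValueError if malformed
    if parsed.version != family:
        raise ValueError(f"{text!r} is not an IPv{family} address")
    return str(parsed)


def _attribute(key, value, family):
    if FAMILY_ONLY.get(key, family) != family:
        raise ValueError(f"attribute {key!r} is not valid for IPv{family}")
    if key in UINT_BITS:
        return _uint(value, UINT_BITS[key])
    if key in BOOL_ATTRS:
        if value not in BOOL_WORDS:
            raise ValueError(f"{key}={value!r} is not a boolean")
        return BOOL_WORDS[value]
    if key == "type":
        if value not in ROUTE_TYPES:
            raise ValueError(f"unknown route type {value!r}")
        return value
    if key == "src":
        return _address(value, family)
    if key == "from":
        return _address(value, family, allow_prefix=True)
    raise ValueError(f"unknown route attribute {key!r}")


def parse_routes(text, family=4):
    """Parse 'ip[/prefix] [next-hop] [metric] [attribute=val]...[,...]'."""
    routes = []
    for entry in text.split(","):
        tokens = entry.split()
        if not tokens:
            raise ValueError("empty route entry")
        dest = ipaddress.ip_interface(tokens[0])  # no prefix: host route
        if dest.version != family:
            raise ValueError(f"{tokens[0]!r} is not an IPv{family} destination")
        route = {"dest": str(dest.network), "next_hop": None,
                 "metric": None, "attrs": {}}
        for token in tokens[1:]:
            if "=" in token:
                key, value = token.split("=", 1)
                route["attrs"][key] = _attribute(key, value, family)
            elif token.isdigit():             # bare integer: the metric
                route["metric"] = _uint(token, 32)
            else:                             # anything else: the next hop
                route["next_hop"] = _address(token, family)
        routes.append(route)
    return routes


def review(routes):
    """Return (dest, reason) pairs worth a second look in a profile audit."""
    findings = []
    for route in routes:
        rtype = route["attrs"].get("type", "unicast")  # documented default
        if rtype not in ("unicast", "local"):
            findings.append((route["dest"], f"type={rtype}"))
        if route["dest"].endswith("/0"):
            findings.append((route["dest"], "static default route"))
    return findings


if __name__ == "__main__":
    # The first string is the example from the ipv4 "routes" description.
    print(parse_routes("192.0.2.0/24 10.1.1.1 77, 198.51.100.0/24"))
    print(review(parse_routes("::/0 type=blackhole", family=6)))
```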
2437
2438 routing-rules
2439 A comma separated list of routing rules for policy routing. The
2440 format is based on ip rule add syntax and mostly compatible. One
2441 difference is that routing rules in NetworkManager always need a
2442 fixed priority.
2443
2444 Example: priority 5 from 1:2:3::5/128 table 45
2445
2446 Format: a comma separated list of routing rules
2447
2448 token
2449 Configure the token for
2450 draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2451 interface identifiers. Useful with eui64 addr-gen-mode.
2452
2453 Format: string
2454
2455 ip-tunnel setting
2456 IP Tunneling Settings.
2457
2458 Properties:
2459
2460 encapsulation-limit
2461 How many additional levels of encapsulation are permitted to be
2462 prepended to packets. This property applies only to IPv6 tunnels.
2463
2464 Format: uint32
2465
2466 flags
2467 Tunnel flags. Currently, the following values are supported:
2468 NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2469 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2470 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2471 NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2472 NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2473 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2474 for IPv6 tunnels.
2475
2476 Format: uint32
2477
2478 flow-label
2479 The flow label to assign to tunnel packets. This property applies
2480 only to IPv6 tunnels.
2481
2482 Format: uint32
2483
2484 input-key
2485 The key used for tunnel input packets; the property is valid only
2486 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2487
2488 Format: string
2489
2490 local
2491 Alias: local
2492
2493 The local endpoint of the tunnel; the value can be empty, otherwise
2494 it must contain an IPv4 or IPv6 address.
2495
2496 Format: string
2497
2498 mode
2499 Alias: mode
2500
2501 The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2502 NM_IP_TUNNEL_MODE_GRE (2).
2503
2504 Format: uint32
2505
2506 mtu
2507 If non-zero, only transmit packets of the specified size or
2508 smaller, breaking larger packets up into multiple fragments.
2509
2510 Format: uint32
2511
2512 output-key
2513 The key used for tunnel output packets; the property is valid only
2514 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2515
2516 Format: string
2517
2518 parent
2519 Alias: dev
2520
2521 If given, specifies the parent interface name or parent connection
2522 UUID the new device will be bound to so that tunneled packets will
2523 only be routed via that interface.
2524
2525 Format: string
2526
2527 path-mtu-discovery
2528 Whether to enable Path MTU Discovery on this tunnel.
2529
2530 Format: boolean
2531
2532 remote
2533 Alias: remote
2534
2535 The remote endpoint of the tunnel; the value must contain an IPv4
2536 or IPv6 address.
2537
2538 Format: string
2539
2540 tos
2541 The type of service (IPv4) or traffic class (IPv6) field to be set
2542 on tunneled packets.
2543
2544 Format: uint32
2545
2546 ttl
2547 The TTL to assign to tunneled packets. 0 is a special value meaning
2548 that packets inherit the TTL value.
2549
2550 Format: uint32
2551
2552 macsec setting
2553 MACSec Settings.
2554
2555 Properties:
2556
2557 encrypt
2558 Alias: encrypt
2559
2560 Whether the transmitted traffic must be encrypted.
2561
2562 Format: boolean
2563
2564 mka-cak
2565 Alias: cak
2566
2567 The pre-shared CAK (Connectivity Association Key) for MACsec Key
2568 Agreement.
2569
2570 Format: string
2571
2572 mka-cak-flags
2573 Flags indicating how to handle the "mka-cak" property. See the
2574 section called “Secret flag types:” for flag values.
2575
2576 Format: NMSettingSecretFlags (uint32)
2577
2578 mka-ckn
2579 Alias: ckn
2580
2581 The pre-shared CKN (Connectivity-association Key Name) for MACsec
2582 Key Agreement.
2583
2584 Format: string
2585
2586 mode
2587 Alias: mode
2588
2589 Specifies how the CAK (Connectivity Association Key) for MKA
2590 (MACsec Key Agreement) is obtained.
2591
2592 Format: int32
2593
2594 parent
2595 Alias: dev
2596
2597 If given, specifies the parent interface name or parent connection
2598 UUID from which this MACSEC interface should be created. If this
2599 property is not specified, the connection must contain an
2600 "802-3-ethernet" setting with a "mac-address" property.
2601
2602 Format: string
2603
2604 port
2605 Alias: port
2606
2607 The port component of the SCI (Secure Channel Identifier), between
2608 1 and 65534.
2609
2610 Format: int32
2611
2612 send-sci
2613 Specifies whether the SCI (Secure Channel Identifier) is included
2614 in every packet.
2615
2616 Format: boolean
2617
2618 validation
2619 Specifies the validation mode for incoming frames.
2620
2621 Format: int32
2622
2623 macvlan setting
2624 MAC VLAN Settings.
2625
2626 Properties:
2627
2628 mode
2629 Alias: mode
2630
2631 The macvlan mode, which specifies the communication mechanism
2632 between multiple macvlans on the same lower device.
2633
2634 Format: uint32
2635
2636 parent
2637 Alias: dev
2638
2639 If given, specifies the parent interface name or parent connection
2640 UUID from which this MAC-VLAN interface should be created. If this
2641 property is not specified, the connection must contain an
2642 "802-3-ethernet" setting with a "mac-address" property.
2643
2644 Format: string
2645
2646 promiscuous
2647 Whether the interface should be put in promiscuous mode.
2648
2649 Format: boolean
2650
2651 tap
2652 Alias: tap
2653
2654 Whether the interface should be a MACVTAP.
2655
2656 Format: boolean
2657
2658 match setting
2659 Match settings.
2660
2661 Properties:
2662
2663 driver
2664 A list of driver names to match. Each element is a shell wildcard
2665 pattern. See NMSettingMatch:interface-name for how special
2666 characters '|', '&', '!' and '\' are used for optional and
2667 mandatory matches and inverting the pattern.
2668
2669 Format: array of string
2670
2671 interface-name
A list of interface names to match. Each element is a shell
wildcard pattern. An element can be prefixed with a pipe symbol (|)
or an ampersand (&). The former means that the element is optional
and the latter means that it is mandatory. If there are any
optional elements, then the match evaluates to true if at least one
of the optional elements matches (logical OR). If there are any
mandatory elements, then they all must match (logical AND). By
default, an element is optional. This means that an element "foo"
behaves the same as "|foo". An element can also be inverted with an
exclamation mark (!) placed after the pipe symbol (or the ampersand)
and before the pattern. Note that "!foo" is a shortcut for the
mandatory match "&!foo". Finally, a backslash can be used at the
beginning of the element (after the optional special characters) to
escape the start of the pattern. For example, "&\!a" is a
mandatory match for literally "!a".
2687
2688 Format: array of string
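
The following is an added example, not code from NetworkManager: a small Python evaluator for the optional/mandatory/inverted element rules described above, useful for checking which devices a pattern list would bind a profile to before it is deployed. The function names and the device list are hypothetical, Python's fnmatch stands in for shell wildcard matching, and treating an empty list as "no restriction" is an assumption.

```python
import fnmatch


def parse_element(element):
    """Split one match element into (mandatory, inverted, pattern)."""
    mandatory = False  # by default, an element is optional
    inverted = False
    rest = element
    if rest.startswith("&"):
        mandatory, rest = True, rest[1:]
        if rest.startswith("!"):
            inverted, rest = True, rest[1:]
    elif rest.startswith("|"):
        rest = rest[1:]
        if rest.startswith("!"):
            inverted, rest = True, rest[1:]
    elif rest.startswith("!"):
        # "!foo" is a shortcut for the mandatory match "&!foo"
        mandatory, inverted, rest = True, True, rest[1:]
    if rest.startswith("\\"):
        # a backslash after the special characters escapes the pattern start
        rest = rest[1:]
    return mandatory, inverted, rest


def profile_matches(elements, name):
    """Apply the OR-over-optional, AND-over-mandatory rule to one name."""
    saw_optional = False
    optional_hit = False
    for element in elements:
        mandatory, inverted, pattern = parse_element(element)
        # fnmatchcase approximates shell wildcard matching (assumption)
        hit = fnmatch.fnmatchcase(name, pattern) != inverted
        if mandatory:
            if not hit:
                return False  # every mandatory element must match
        else:
            saw_optional = True
            optional_hit = optional_hit or hit
    # Assumption: a list with no optional elements (or no elements at all)
    # is satisfied once all mandatory elements have matched.
    return optional_hit or not saw_optional


def devices_matched(elements, names):
    """Return the device names a pattern list would select."""
    return [n for n in names if profile_matches(elements, n)]


# Constructed sample: built-in NICs, a MAC-named USB adapter, a veth, Wi-Fi.
SAMPLE_DEVICES = ["eth0", "eth1", "enp3s0", "enx0011223344aa",
                  "veth9f2c", "wlan0"]

if __name__ == "__main__":
    for patterns in (["e*"], ["e*", "!enx*"], ["!veth*"], ["&e*", "&*0"]):
        print(patterns, "->", devices_matched(patterns, SAMPLE_DEVICES))
```

Comparing the result for "e*" with the result for "e*" plus "!enx*" shows how a broad wildcard also covers a hot-plugged adapter unless a mandatory inverted element excludes it.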
2689
2690 kernel-command-line
2691 A list of kernel command line arguments to match. This may be used
2692 to check whether a specific kernel command line option is set (or
2693 unset, if prefixed with the exclamation mark). The argument must
2694 either be a single word, or an assignment (i.e. two words, joined
2695 by "="). In the former case the kernel command line is searched for
2696 the word appearing as is, or as left hand side of an assignment. In
2697 the latter case, the exact assignment is looked for with right and
2698 left hand side matching. Wildcard patterns are not supported. See
2699 NMSettingMatch:interface-name for how special characters '|', '&',
2700 '!' and '\' are used for optional and mandatory matches and
2701 inverting the match.
2702
2703 Format: array of string
2704
2705 path
A list of paths to match against the ID_PATH udev property of
devices. ID_PATH represents the topological persistent path of a
device. It typically contains a subsystem string (pci, usb,
platform, etc.) and a subsystem-specific identifier. For PCI
devices the path has the form "pci-$domain:$bus:$device.$function",
where each variable is a hexadecimal value; for example
"pci-0000:0a:00.0". The path of a device can be obtained with
"udevadm info /sys/class/net/$dev | grep ID_PATH=" or by looking at
the "path" property exported by NetworkManager ("nmcli -f
general.path device show $dev"). Each element of the list is a
shell wildcard pattern. See NMSettingMatch:interface-name for how
special characters '|', '&', '!' and '\' are used for optional and
mandatory matches and inverting the pattern.
2719
2720 Format: array of string
2721
2722 802-11-olpc-mesh setting
2723 Alias: olpc-mesh
2724
2725 OLPC Wireless Mesh Settings.
2726
2727 Properties:
2728
2729 channel
2730 Alias: channel
2731
2732 Channel on which the mesh network to join is located.
2733
2734 Format: uint32
2735
2736 dhcp-anycast-address
2737 Alias: dhcp-anycast
2738
Anycast DHCP MAC address used when requesting an IP address via
DHCP. The specific anycast address used determines which DHCP
server class answers the request. This is currently only
implemented by the dhclient DHCP plugin.
2743
2744 Format: byte array
2745
2746 ssid
2747 Alias: ssid
2748
2749 SSID of the mesh network to join.
2750
2751 Format: byte array
2752
2753 ovs-bridge setting
2754 OvsBridge Link Settings.
2755
2756 Properties:
2757
2758 datapath-type
2759 The data path type. One of "system", "netdev" or empty.
2760
2761 Format: string
2762
2763 fail-mode
2764 The bridge failure mode. One of "secure", "standalone" or empty.
2765
2766 Format: string
2767
2768 mcast-snooping-enable
2769 Enable or disable multicast snooping.
2770
2771 Format: boolean
2772
2773 rstp-enable
2774 Enable or disable RSTP.
2775
2776 Format: boolean
2777
2778 stp-enable
2779 Enable or disable STP.
2780
2781 Format: boolean
2782
2783 ovs-dpdk setting
2784 OvsDpdk Link Settings.
2785
2786 Properties:
2787
2788 devargs
2789 Open vSwitch DPDK device arguments.
2790
2791 Format: string
2792
2793 n-rxq
2794 Open vSwitch DPDK number of rx queues. Defaults to zero which means
2795 to leave the parameter in OVS unspecified and effectively
2796 configures one queue.
2797
2798 Format: uint32
2799
2800 ovs-interface setting
2801 Open vSwitch Interface Settings.
2802
2803 Properties:
2804
2805 type
2806 The interface type. Either "internal", "system", "patch", "dpdk",
2807 or empty.
2808
2809 Format: string
2810
2811 ovs-patch setting
2812 OvsPatch Link Settings.
2813
2814 Properties:
2815
2816 peer
2817 Specifies the name of the interface for the other side of the
2818 patch. The patch on the other side must also set this interface as
2819 peer.
2820
2821 Format: string
2822
2823 ovs-port setting
2824 OvsPort Link Settings.
2825
2826 Properties:
2827
2828 bond-downdelay
The time a port must be inactive in order to be considered down.
2830
2831 Format: uint32
2832
2833 bond-mode
2834 Bonding mode. One of "active-backup", "balance-slb", or
2835 "balance-tcp".
2836
2837 Format: string
2838
2839 bond-updelay
The time a port must be active before it starts forwarding traffic.
2841
2842 Format: uint32
2843
2844 lacp
2845 LACP mode. One of "active", "off", or "passive".
2846
2847 Format: string
2848
2849 tag
2850 The VLAN tag in the range 0-4095.
2851
2852 Format: uint32
2853
2854 vlan-mode
2855 The VLAN mode. One of "access", "native-tagged", "native-untagged",
2856 "trunk" or unset.
2857
2858 Format: string
2859
2860 ppp setting
2861 Point-to-Point Protocol Settings.
2862
2863 Properties:
2864
2865 baud
2866 If non-zero, instruct pppd to set the serial port to the specified
2867 baudrate. This value should normally be left as 0 to automatically
2868 choose the speed.
2869
2870 Format: uint32
2871
2872 crtscts
2873 If TRUE, specify that pppd should set the serial port to use
2874 hardware flow control with RTS and CTS signals. This value should
2875 normally be set to FALSE.
2876
2877 Format: boolean
2878
2879 lcp-echo-failure
2880 If non-zero, instruct pppd to presume the connection to the peer
2881 has failed if the specified number of LCP echo-requests go
2882 unanswered by the peer. The "lcp-echo-interval" property must also
2883 be set to a non-zero value if this property is used.
2884
2885 Format: uint32
2886
2887 lcp-echo-interval
2888 If non-zero, instruct pppd to send an LCP echo-request frame to the
2889 peer every n seconds (where n is the specified value). Note that
2890 some PPP peers will respond to echo requests and some will not, and
2891 it is not possible to autodetect this.
2892
2893 Format: uint32
2894
2895 mppe-stateful
2896 If TRUE, stateful MPPE is used. See pppd documentation for more
2897 information on stateful MPPE.
2898
2899 Format: boolean
2900
2901 mru
2902 If non-zero, instruct pppd to request that the peer send packets no
2903 larger than the specified size. If non-zero, the MRU should be
2904 between 128 and 16384.
2905
2906 Format: uint32
2907
2908 mtu
2909 If non-zero, instruct pppd to send packets no larger than the
2910 specified size.
2911
2912 Format: uint32
2913
2914 no-vj-comp
If TRUE, Van Jacobson TCP header compression will not be requested.
2916
2917 Format: boolean
2918
2919 noauth
2920 If TRUE, do not require the other side (usually the PPP server) to
2921 authenticate itself to the client. If FALSE, require authentication
2922 from the remote side. In almost all cases, this should be TRUE.
2923
2924 Format: boolean
2925
2926 nobsdcomp
2927 If TRUE, BSD compression will not be requested.
2928
2929 Format: boolean
2930
2931 nodeflate
2932 If TRUE, "deflate" compression will not be requested.
2933
2934 Format: boolean
2935
2936 refuse-chap
2937 If TRUE, the CHAP authentication method will not be used.
2938
2939 Format: boolean
2940
2941 refuse-eap
2942 If TRUE, the EAP authentication method will not be used.
2943
2944 Format: boolean
2945
2946 refuse-mschap
2947 If TRUE, the MSCHAP authentication method will not be used.
2948
2949 Format: boolean
2950
2951 refuse-mschapv2
2952 If TRUE, the MSCHAPv2 authentication method will not be used.
2953
2954 Format: boolean
2955
2956 refuse-pap
2957 If TRUE, the PAP authentication method will not be used.
2958
2959 Format: boolean
2960
2961 require-mppe
2962 If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
2963 required for the PPP session. If either 64-bit or 128-bit MPPE is
2964 not available the session will fail. Note that MPPE is not used on
2965 mobile broadband connections.
2966
2967 Format: boolean
2968
2969 require-mppe-128
2970 If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
2971 required for the PPP session, and the "require-mppe" property must
2972 also be set to TRUE. If 128-bit MPPE is not available the session
2973 will fail.
2974
2975 Format: boolean
2976
2977 pppoe setting
2978 PPP-over-Ethernet Settings.
2979
2980 Properties:
2981
2982 parent
2983 Alias: parent
2984
2985 If given, specifies the parent interface name on which this PPPoE
2986 connection should be created. If this property is not specified,
2987 the connection is activated on the interface specified in
2988 "interface-name" of NMSettingConnection.
2989
2990 Format: string
2991
2992 password
2993 Alias: password
2994
2995 Password used to authenticate with the PPPoE service.
2996
2997 Format: string
2998
2999 password-flags
3000 Flags indicating how to handle the "password" property. See the
3001 section called “Secret flag types:” for flag values.
3002
3003 Format: NMSettingSecretFlags (uint32)
3004
3005 service
3006 Alias: service
3007
3008 If specified, instruct PPPoE to only initiate sessions with access
3009 concentrators that provide the specified service. For most
3010 providers, this should be left blank. It is only required if there
3011 are multiple access concentrators or a specific service is known to
3012 be required.
3013
3014 Format: string
3015
3016 username
3017 Alias: username
3018
3019 Username used to authenticate with the PPPoE service.
3020
3021 Format: string
3022
3023 proxy setting
3024 WWW Proxy Settings.
3025
3026 Properties:
3027
3028 browser-only
3029 Alias: browser-only
3030
3031 Whether the proxy configuration is for browser only.
3032
3033 Format: boolean
3034
3035 method
3036 Alias: method
3037
Method for proxy configuration. The default is
NM_SETTING_PROXY_METHOD_NONE (0).
3040
3041 Format: int32
3042
3043 pac-script
3044 Alias: pac-script
3045
The PAC script. In the profile this must be UTF-8 encoded
JavaScript code that defines a FindProxyForURL() function. When
setting the property in nmcli, a filename is accepted too. In that
case, nmcli will read the content of the file and set the script.
The prefixes "file://" and "js://" are supported to explicitly
differentiate between the two.
3052
3053 Format: string
3054
3055 pac-url
3056 Alias: pac-url
3057
3058 PAC URL for obtaining PAC file.
3059
3060 Format: string
3061
3062 serial setting
3063 Serial Link Settings.
3064
3065 Properties:
3066
3067 baud
3068 Speed to use for communication over the serial port. Note that this
3069 value usually has no effect for mobile broadband modems as they
3070 generally ignore speed settings and use the highest available
3071 speed.
3072
3073 Format: uint32
3074
3075 bits
3076 Byte-width of the serial communication. The 8 in "8n1" for example.
3077
3078 Format: uint32
3079
3080 parity
3081 Parity setting of the serial port.
3082
3083 Format: NMSettingSerialParity (byte)
3084
3085 send-delay
3086 Time to delay between each byte sent to the modem, in microseconds.
3087
3088 Format: uint64
3089
3090 stopbits
3091 Number of stop bits for communication on the serial port. Either 1
3092 or 2. The 1 in "8n1" for example.
3093
3094 Format: uint32
3095
3096 sriov setting
3097 SR-IOV settings.
3098
3099 Properties:
3100
3101 autoprobe-drivers
3102 Whether to autoprobe virtual functions by a compatible driver. If
3103 set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
3104 compatible driver and if this succeeds a new network interface will
3105 be instantiated for each VF. If set to NM_TERNARY_FALSE (0), VFs
3106 will not be claimed and no network interfaces will be created for
3107 them. When set to NM_TERNARY_DEFAULT (-1), the global default is
3108 used; in case the global default is unspecified it is assumed to be
3109 NM_TERNARY_TRUE (1).
3110
3111 Format: NMTernary (int32)
3112
3113 total-vfs
3114 The total number of virtual functions to create. Note that when the
3115 sriov setting is present NetworkManager enforces the number of
3116 virtual functions on the interface (also when it is zero) during
3117 activation and resets it upon deactivation. To prevent any changes
3118 to SR-IOV parameters don't add a sriov setting to the connection.
3119
3120 Format: uint32
3121
3122 vfs
Array of virtual function descriptors. Each VF descriptor is a
dictionary mapping attribute names to GVariant values. The 'index'
entry is mandatory for each VF. When represented as a string, a VF
is in the form "INDEX [ATTR=VALUE[ ATTR=VALUE]...]", for example "2
mac=00:11:22:33:44:55 spoof-check=true". Multiple VFs can be
specified using a comma as separator. Currently, the following
attributes are supported: mac, spoof-check, trust, min-tx-rate,
max-tx-rate, vlans. The "vlans" attribute is represented as a
semicolon-separated list of VLAN descriptors, where each descriptor
has the form "ID[.PRIORITY[.PROTO]]". PROTO can be either 'q' for
802.1Q (the default) or 'ad' for 802.1ad.
3134
3135 Format: array of vardict
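
The following is an added example, not code from NetworkManager: a Python parser for the VF string form described above, with a review pass that lists VFs whose descriptor explicitly disables spoof-check or enables trust. All function names and the sample string are hypothetical; the parser accepts only the true/false spelling shown in the page's example and leaves an unspecified VLAN priority as None, both of which are assumptions of this example.

```python
SUPPORTED_ATTRS = {"mac", "spoof-check", "trust",
                   "min-tx-rate", "max-tx-rate", "vlans"}
BOOL_ATTRS = {"spoof-check", "trust"}
INT_ATTRS = {"min-tx-rate", "max-tx-rate"}


def parse_vlan(descriptor):
    """Parse one "ID[.PRIORITY[.PROTO]]" VLAN descriptor."""
    parts = descriptor.split(".")
    if not 1 <= len(parts) <= 3 or "" in parts:
        raise ValueError("bad VLAN descriptor: %r" % descriptor)
    vlan = {"id": int(parts[0]), "priority": None, "proto": "q"}
    if len(parts) >= 2:
        vlan["priority"] = int(parts[1])
    if len(parts) == 3:
        if parts[2] not in ("q", "ad"):
            raise ValueError("PROTO must be 'q' or 'ad': %r" % descriptor)
        vlan["proto"] = parts[2]
    return vlan


def parse_bool(text):
    # Assumption: only the spelling used in the page's example is accepted.
    if text not in ("true", "false"):
        raise ValueError("expected true or false, got %r" % text)
    return text == "true"


def parse_vf(text):
    """Parse one "INDEX [ATTR=VALUE[ ATTR=VALUE]...]" descriptor."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty VF descriptor")
    vf = {"index": int(tokens[0])}  # the index entry is mandatory
    for token in tokens[1:]:
        attr, sep, value = token.partition("=")
        if not sep or attr not in SUPPORTED_ATTRS:
            raise ValueError("unsupported attribute: %r" % token)
        if attr in vf:
            raise ValueError("duplicate attribute: %r" % attr)
        if attr in BOOL_ATTRS:
            vf[attr] = parse_bool(value)
        elif attr in INT_ATTRS:
            vf[attr] = int(value)
        elif attr == "vlans":
            vf[attr] = [parse_vlan(d) for d in value.split(";")]
        else:
            vf[attr] = value  # mac is kept as written
    return vf


def parse_vfs(text):
    """Parse a comma-separated list of VF descriptors."""
    return [parse_vf(part) for part in text.split(",")]


def review_vfs(vfs):
    """List (index, reasons) for VFs with relaxed isolation settings."""
    findings = []
    for vf in vfs:
        reasons = []
        if vf.get("spoof-check") is False:
            reasons.append("spoof-check disabled")
        if vf.get("trust") is True:
            reasons.append("trust enabled")
        if reasons:
            findings.append((vf["index"], reasons))
    return findings


# Constructed sample value for the sriov "vfs" property.
SAMPLE_VFS = ("0 mac=00:11:22:33:44:55 spoof-check=true, "
              "1 spoof-check=false trust=true vlans=10.3.ad;20, "
              "2 max-tx-rate=100")

if __name__ == "__main__":
    for index, reasons in review_vfs(parse_vfs(SAMPLE_VFS)):
        print("VF %d: %s" % (index, ", ".join(reasons)))
```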
3136
3137 tc setting
3138 Linux Traffic Control Settings.
3139
3140 Properties:
3141
3142 qdiscs
Array of TC queueing disciplines. A qdisc is a basic block in the
Linux traffic control subsystem.
3145
3146 Each qdisc can be specified by the following attributes:
3147
3148 handle HANDLE
3149 specifies the qdisc handle. A qdisc, which potentially can have
3150 children, gets assigned a major number, called a 'handle',
3151 leaving the minor number namespace available for classes. The
3152 handle is expressed as '10:'. It is customary to explicitly
3153 assign a handle to qdiscs expected to have children.
3154
3155 parent HANDLE
3156 specifies the handle of the parent qdisc the current qdisc must
3157 be attached to.
3158
3159 root
3160 specifies that the qdisc is attached to the root of device.
3161
3162 KIND
3163 this is the qdisc kind. NetworkManager currently supports the
3164 following kinds: fq_codel, sfq, tbf. Each qdisc kind has a
3165 different set of parameters, described below. There are also
3166 some kinds like pfifo, pfifo_fast, prio supported by
3167 NetworkManager but their parameters are not supported by
3168 NetworkManager.
3169
3170 Parameters for 'fq_codel':
3171
3172 limit U32
3173 the hard limit on the real queue size. When this limit is
3174 reached, incoming packets are dropped. Default is 10240
3175 packets.
3176
3177 memory_limit U32
3178 sets a limit on the total number of bytes that can be queued in
3179 this FQ-CoDel instance. The lower of the packet limit of the
3180 limit parameter and the memory limit will be enforced. Default
3181 is 32 MB.
3182
3183 flows U32
3184 the number of flows into which the incoming packets are
3185 classified. Due to the stochastic nature of hashing, multiple
3186 flows may end up being hashed into the same slot. Newer flows
3187 have priority over older ones. This parameter can be set only
3188 at load time since memory has to be allocated for the hash
3189 table. Default value is 1024.
3190
3191 target U32
3192 the acceptable minimum standing/persistent queue delay. This
3193 minimum delay is identified by tracking the local minimum queue
3194 delay that packets experience. The unit of measurement is
3195 microsecond(us). Default value is 5ms.
3196
3197 interval U32
used to ensure that the measured minimum delay does not become
too stale. The minimum delay must be experienced in the last
epoch of length interval. It should be set on the order of
the worst-case RTT through the bottleneck to give endpoints
sufficient time to react. Default value is 100ms.
3203
3204 quantum U32
3205 the number of bytes used as 'deficit' in the fair queuing
3206 algorithm. Default is set to 1514 bytes which corresponds to
3207 the Ethernet MTU plus the hardware header length of 14 bytes.
3208
3209 ecn BOOL
3210 can be used to mark packets instead of dropping them. ecn is
3211 turned on by default.
3212
3213 ce_threshold U32
3214 sets a threshold above which all packets are marked with ECN
3215 Congestion Experienced. This is useful for DCTCP-style
3216 congestion control algorithms that require marking at very
3217 shallow queueing thresholds.
3218
3219 Parameters for 'sfq':
3220
3221 divisor U32
3222 can be used to set a different hash table size, available from
3223 kernel 2.6.39 onwards. The specified divisor must be a power of
3224 two and cannot be larger than 65536. Default value: 1024.
3225
3226 limit U32
3227 Upper limit of the SFQ. Can be used to reduce the default
3228 length of 127 packets.
3229
3230 depth U32
Limit of packets per flow. Defaults to 127 and can be lowered.
3232
3233 perturb_period U32
Interval in seconds for queue algorithm perturbation. Defaults
to 0, which means that no perturbation occurs. Do not set it too
low, because each perturbation may cause some packet reordering or
losses. Advised value: 60. This value has no effect when
external flow classification is used. It is better to increase the
divisor value to lower the risk of hash collisions.
3240
3241 quantum U32
3242 Amount of bytes a flow is allowed to dequeue during a round of
3243 the round robin process. Defaults to the MTU of the interface
3244 which is also the advised value and the minimum value.
3245
3246 flows U32
3247 Default value is 127.
3248
3249 Parameters for 'tbf':
3250
3251 rate U64
3252 Bandwidth or rate. These parameters accept a floating point
3253 number, possibly followed by either a unit (both SI and IEC
3254 units supported), or a float followed by a percent character to
3255 specify the rate as a percentage of the device's speed.
3256
3257 burst U32
3258 Also known as buffer or maxburst. Size of the bucket, in bytes.
3259 This is the maximum amount of bytes that tokens can be
3260 available for instantaneously. In general, larger shaping rates
3261 require a larger buffer. For 10mbit/s on Intel, you need at
3262 least 10kbyte buffer if you want to reach your configured rate!
3263
3264 If your buffer is too small, packets may be dropped because
3265 more tokens arrive per timer tick than fit in your bucket. The
3266 minimum buffer size can be calculated by dividing the rate by
3267 HZ.
3268
3269 Token usage calculations are performed using a table which by
3270 default has a resolution of 8 packets. This resolution can be
3271 changed by specifying the cell size with the burst. For
3272 example, to specify a 6000 byte buffer with a 16 byte cell
3273 size, set a burst of 6000/16. You will probably never have to
3274 set this. Must be an integral power of 2.
3275
3276 limit U32
3277 Limit is the number of bytes that can be queued waiting for
3278 tokens to become available.
3279
3280 latency U32
3281 specifies the maximum amount of time a packet can sit in the
3282 TBF. The latency calculation takes into account the size of the
3283 bucket, the rate and possibly the peakrate (if set). The
3284 latency and limit are mutually exclusive.
3285
3286 Format: GPtrArray(NMTCQdisc)
3287
3288 tfilters
3289 Array of TC traffic filters. Traffic control can manage the packet
3290 content during classification by using filters.
3291
Each tfilter can be specified by the following attributes:
3293
3294 handle HANDLE
3295 specifies the tfilters handle. A filter is used by a classful
3296 qdisc to determine in which class a packet will be enqueued. It
3297 is important to notice that filters reside within qdiscs.
3298 Therefore, see qdiscs handle for detailed information.
3299
3300 parent HANDLE
3301 specifies the handle of the parent qdisc the current qdisc must
3302 be attached to.
3303
3304 root
3305 specifies that the qdisc is attached to the root of device.
3306
3307 KIND
this is the tfilters kind. NetworkManager currently supports the
following kinds: mirred, simple. Each filter kind has a
different set of actions, described below. There are also some
other kinds like matchall, basic, u32 supported by
NetworkManager.
3313
3314 Actions for 'mirred':
3315
3316 egress bool
3317 Define whether the packet should exit from the interface.
3318
3319 ingress bool
3320 Define whether the packet should come into the interface.
3321
3322 mirror bool
3323 Define whether the packet should be copied to the destination
3324 space.
3325
3326 redirect bool
3327 Define whether the packet should be moved to the destination
3328 space.
3329
3330 Action for 'simple':
3331
3332 sdata char[32]
3333 The actual string to print.
3334
3335 Format: GPtrArray(NMTCTfilter)
3336
3337 team setting
3338 Teaming Settings.
3339
3340 Properties:
3341
3342 config
3343 Alias: config
3344
3345 The JSON configuration for the team network interface. The property
3346 should contain raw JSON configuration data suitable for teamd,
3347 because the value is passed directly to teamd. If not specified,
3348 the default configuration is used. See man teamd.conf for the
3349 format details.
3350
3351 Format: string
3352
3353 link-watchers
Link watchers configuration for the connection: each link watcher
is defined by a dictionary, whose keys depend upon the selected
link watcher. Available link watchers are 'ethtool', 'nsna_ping'
and 'arp_ping'; the watcher is specified in the dictionary with the
key 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
'target-host'; arp_ping: all the ones in nsna_ping and
'source-host', 'validate-active', 'validate-inactive',
'send-always'. See man teamd.conf for more details.
3363
3364 Format: array of vardict
3365
3366 mcast-rejoin-count
3367 Corresponds to the teamd mcast_rejoin.count.
3368
3369 Format: int32
3370
3371 mcast-rejoin-interval
3372 Corresponds to the teamd mcast_rejoin.interval.
3373
3374 Format: int32
3375
3376 notify-peers-count
3377 Corresponds to the teamd notify_peers.count.
3378
3379 Format: int32
3380
3381 notify-peers-interval
3382 Corresponds to the teamd notify_peers.interval.
3383
3384 Format: int32
3385
3386 runner
3387 Corresponds to the teamd runner.name. Permitted values are:
3388 "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
3389 "random".
3390
3391 Format: string
3392
3393 runner-active
3394 Corresponds to the teamd runner.active.
3395
3396 Format: boolean
3397
3398 runner-agg-select-policy
3399 Corresponds to the teamd runner.agg_select_policy.
3400
3401 Format: string
3402
3403 runner-fast-rate
3404 Corresponds to the teamd runner.fast_rate.
3405
3406 Format: boolean
3407
3408 runner-hwaddr-policy
3409 Corresponds to the teamd runner.hwaddr_policy.
3410
3411 Format: string
3412
3413 runner-min-ports
3414 Corresponds to the teamd runner.min_ports.
3415
3416 Format: int32
3417
3418 runner-sys-prio
3419 Corresponds to the teamd runner.sys_prio.
3420
3421 Format: int32
3422
3423 runner-tx-balancer
3424 Corresponds to the teamd runner.tx_balancer.name.
3425
3426 Format: string
3427
3428 runner-tx-balancer-interval
3429 Corresponds to the teamd runner.tx_balancer.interval.
3430
3431 Format: int32
3432
3433 runner-tx-hash
3434 Corresponds to the teamd runner.tx_hash.
3435
3436 Format: array of string
3437
3438 team-port setting
3439 Team Port Settings.
3440
3441 Properties:
3442
3443 config
3444 Alias: config
3445
3446 The JSON configuration for the team port. The property should
3447 contain raw JSON configuration data suitable for teamd, because the
3448 value is passed directly to teamd. If not specified, the default
3449 configuration is used. See man teamd.conf for the format details.
3450
3451 Format: string
3452
3453 lacp-key
3454 Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3455
3456 Format: int32
3457
3458 lacp-prio
3459 Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3460
3461 Format: int32
3462
3463 link-watchers
Link watchers configuration for the connection: each link watcher
is defined by a dictionary, whose keys depend upon the selected
link watcher. Available link watchers are 'ethtool', 'nsna_ping'
and 'arp_ping'; the watcher is specified in the dictionary with the
key 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
'target-host'; arp_ping: all the ones in nsna_ping and
'source-host', 'validate-active', 'validate-inactive',
'send-always'. See man teamd.conf for more details.
3473
3474 Format: array of vardict
3475
3476 prio
3477 Corresponds to the teamd ports.PORTIFNAME.prio.
3478
3479 Format: int32
3480
3481 queue-id
Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1,
the parameter is omitted from the JSON config.
3484
3485 Format: int32
3486
3487 sticky
3488 Corresponds to the teamd ports.PORTIFNAME.sticky.
3489
3490 Format: boolean
3491
3492 tun setting
3493 Tunnel Settings.
3494
3495 Properties:
3496
3497 group
3498 Alias: group
3499
3500 The group ID which will own the device. If set to NULL everyone
3501 will be able to use the device.
3502
3503 Format: string
3504
3505 mode
3506 Alias: mode
3507
3508 The operating mode of the virtual device. Allowed values are
3509 NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3510 NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3511
3512 Format: uint32
3513
3514 multi-queue
3515 Alias: multi-queue
3516
3517 If the property is set to TRUE, the interface will support multiple
3518 file descriptors (queues) to parallelize packet sending or
3519 receiving. Otherwise, the interface will only support a single
3520 queue.
3521
3522 Format: boolean
3523
3524 owner
3525 Alias: owner
3526
3527 The user ID which will own the device. If set to NULL everyone will
3528 be able to use the device.
3529
3530 Format: string
3531
3532 pi
3533 Alias: pi
3534
3535 If TRUE the interface will prepend a 4 byte header describing the
3536 physical interface to the packets.
3537
3538 Format: boolean
3539
3540 vnet-hdr
3541 Alias: vnet-hdr
3542
If TRUE, the tunnel packets will include a virtio network header
(IFF_VNET_HDR).
3545
3546 Format: boolean
3547
3548 vlan setting
3549 VLAN Settings.
3550
3551 Properties:
3552
3553 egress-priority-map
3554 Alias: egress
3555
For outgoing packets, a list of mappings from Linux SKB priorities
to 802.1p priorities. The mapping is given in the format "from:to"
where both "from" and "to" are unsigned integers, e.g. "7:3".
3559
3560 Format: array of string
3561
3562 flags
3563 Alias: flags
3564
One or more flags which control the behavior and features of the
VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
(reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
of the GVRP protocol), NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
binding of the interface to its master device's operating state),
and NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol). The default
value of this property is NM_VLAN_FLAG_REORDER_HEADERS, but it used
to be 0. To preserve backward compatibility, the default-value in
the D-Bus API continues to be 0 and a missing property on D-Bus is
still considered as 0.
3575
3576 Format: NMVlanFlags (uint32)
3577
3578 id
3579 Alias: id
3580
3581 The VLAN identifier that the interface created by this connection
3582 should be assigned. The valid range is from 0 to 4094, without the
3583 reserved id 4095.
3584
3585 Format: uint32
3586
3587 ingress-priority-map
3588 Alias: ingress
3589
3590 For incoming packets, a list of mappings from 802.1p priorities to
3591 Linux SKB priorities. The mapping is given in the format "from:to"
3592 where both "from" and "to" are unsigned integers, ie "7:3".
3593
3594 Format: array of string
3595
3596 parent
3597 Alias: dev
3598
3599 If given, specifies the parent interface name or parent connection
3600 UUID from which this VLAN interface should be created. If this
3601 property is not specified, the connection must contain an
3602 "802-3-ethernet" setting with a "mac-address" property.
3603
3604 Format: string
3605
3606 vpn setting
3607 VPN Settings.
3608
3609 Properties:
3610
3611 data
3612 Dictionary of key/value pairs of VPN plugin specific data. Both
3613 keys and values must be strings.
3614
3615 Format: dict of string to string
3616
3617 persistent
3618 If the VPN service supports persistence, and this property is TRUE,
3619 the VPN will attempt to stay connected across link changes and
3620 outages, until explicitly disconnected.
3621
3622 Format: boolean
3623
3624 secrets
3625 Dictionary of key/value pairs of VPN plugin specific secrets like
3626 passwords or private keys. Both keys and values must be strings.
3627
3628 Format: dict of string to string
3629
3630 service-type
3631 Alias: vpn-type
3632
3633 D-Bus service name of the VPN plugin that this setting uses to
3634 connect to its network, e.g. org.freedesktop.NetworkManager.vpnc
3635 for the vpnc plugin.
3636
3637 Format: string
3638
3639 timeout
3640 Timeout for the VPN service to establish the connection. Some
3641 services may take quite a long time to connect. Value of 0 means a
3642 default timeout, which is 60 seconds (unless overridden by
3643 vpn.timeout in configuration file). Values greater than zero mean
3644 timeout in seconds.
3645
3646 Format: uint32
3647
3648 user-name
3649 Alias: user
3650
3651 If the VPN connection requires a user name for authentication, that
3652 name should be provided here. If the connection is available to
3653 more than one user, and the VPN requires each user to supply a
3654 different name, then leave this property empty. If this property is
3655 empty, NetworkManager will automatically supply the username of the
3656 user which requested the VPN connection.
3657
3658 Format: string
3659
3660 vrf setting
3661 VRF settings.
3662
3663 Properties:
3664
3665 table
3666 Alias: table
3667
3668 The routing table for this VRF.
3669
3670 Format: uint32
3671
3672 vxlan setting
3673 VXLAN Settings.
3674
3675 Properties:
3676
3677 ageing
3678 Specifies the lifetime in seconds of FDB entries learnt by the
3679 kernel.
3680
3681 Format: uint32
3682
3683 destination-port
3684 Alias: destination-port
3685
3686 Specifies the UDP destination port to communicate to the remote
3687 VXLAN tunnel endpoint.
3688
3689 Format: uint32
3690
3691 id
3692 Alias: id
3693
3694 Specifies the VXLAN Network Identifier (or VXLAN Segment
3695 Identifier) to use.
3696
3697 Format: uint32
3698
3699 l2-miss
3700 Specifies whether netlink LL ADDR miss notifications are generated.
3701
3702 Format: boolean
3703
3704 l3-miss
3705 Specifies whether netlink IP ADDR miss notifications are generated.
3706
3707 Format: boolean
3708
3709 learning
3710 Specifies whether unknown source link layer addresses and IP
3711 addresses are entered into the VXLAN device forwarding database.
3712
3713 Format: boolean
3714
3715 limit
3716 Specifies the maximum number of FDB entries. A value of zero means
3717 that the kernel will store unlimited entries.
3718
3719 Format: uint32
3720
3721 local
3722 Alias: local
3723
3724 If given, specifies the source IP address to use in outgoing
3725 packets.
3726
3727 Format: string
3728
3729 parent
3730 Alias: dev
3731
3732 If given, specifies the parent interface name or parent connection
3733 UUID.
3734
3735 Format: string
3736
3737 proxy
3738 Specifies whether ARP proxy is turned on.
3739
3740 Format: boolean
3741
3742 remote
3743 Alias: remote
3744
3745 Specifies the unicast destination IP address to use in outgoing
3746 packets when the destination link layer address is not known in the
3747 VXLAN device forwarding database, or the multicast IP address to
3748 join.
3749
3750 Format: string
3751
3752 rsc
3753 Specifies whether route short circuit is turned on.
3754
3755 Format: boolean
3756
3757 source-port-max
3758 Alias: source-port-max
3759
3760 Specifies the maximum UDP source port to communicate to the remote
3761 VXLAN tunnel endpoint.
3762
3763 Format: uint32
3764
3765 source-port-min
3766 Alias: source-port-min
3767
3768 Specifies the minimum UDP source port to communicate to the remote
3769 VXLAN tunnel endpoint.
3770
3771 Format: uint32
3772
3773 tos
3774 Specifies the TOS value to use in outgoing packets.
3775
3776 Format: uint32
3777
3778 ttl
3779 Specifies the time-to-live value to use in outgoing packets.
3780
3781 Format: uint32
3782
3783 wifi-p2p setting
3784 Wi-Fi P2P Settings.
3785
3786 Properties:
3787
3788 peer
3789 Alias: peer
3790
3791 The P2P device that should be connected to. Currently, this is the
3792 only way to create or join a group.
3793
3794 Format: string
3795
3796 wfd-ies
3797 The Wi-Fi Display (WFD) Information Elements (IEs) to set. Wi-Fi
3798 Display requires a protocol specific information element to be set
3799 in certain Wi-Fi frames. These can be specified here for the
3800 purpose of establishing a connection. This setting is only useful
3801 when implementing a Wi-Fi Display client.
3802
3803 Format: byte array
3804
3805 wps-method
3806 Flags indicating which mode of WPS is to be used. There's little
3807 point in changing the default setting as NetworkManager will
3808 automatically determine the best method to use.
3809
3810 Format: uint32
3811
3812 wimax setting
3813 WiMax Settings.
3814
3815 Properties:
3816
3817 mac-address
3818 Alias: mac
3819
3820 If specified, this connection will only apply to the WiMAX device
3821 whose MAC address matches. This property does not change the MAC
3822 address of the device (known as MAC spoofing). Deprecated: 1
3823
3824 Format: byte array
3825
3826 network-name
3827 Alias: nsp
3828
3829 Network Service Provider (NSP) name of the WiMAX network this
3830 connection should use. Deprecated: 1
3831
3832 Format: string
3833
3834 802-3-ethernet setting
3835 Alias: ethernet
3836
3837 Wired Ethernet Settings.
3838
3839 Properties:
3840
3841 accept-all-mac-addresses
3842 When TRUE, set up the interface to accept packets for all MAC
3843 addresses. This enables the kernel interface flag IFF_PROMISC.
3844 When FALSE, the interface will only accept the packets with the
3845 interface destination mac address or broadcast.
3846
3847 Format: NMTernary (int32)
3848
3849 auto-negotiate
3850 When TRUE, enforce auto-negotiation of speed and duplex mode. If
3851 "speed" and "duplex" properties are both specified, only that
3852 single mode will be advertised and accepted during the link
3853 auto-negotiation process: this works only for BASE-T 802.3
3854 specifications and is useful for enforcing gigabits modes, as in
3855 these cases link negotiation is mandatory. When FALSE, "speed" and
3856 "duplex" properties should be both set or link configuration will
3857 be skipped.
3858
3859 Format: boolean
3860
3861 cloned-mac-address
3862 Alias: cloned-mac
3863
3864 If specified, request that the device use this MAC address instead.
3865 This is known as MAC cloning or spoofing. Besides explicitly
3866 specifying a MAC address, the special values "preserve",
3867 "permanent", "random" and "stable" are supported. "preserve" means
3868 not to touch the MAC address on activation. "permanent" means to
3869 use the permanent hardware address if the device has one (otherwise
3870 this is treated as "preserve"). "random" creates a random MAC
3871 address on each connect. "stable" creates a hashed MAC address
3872 based on connection.stable-id and a machine dependent key. If
3873 unspecified, the value can be overwritten via global defaults, see
3874 manual of NetworkManager.conf. If still unspecified, it defaults to
3875 "preserve" (older versions of NetworkManager may use a different
3876 default value). On D-Bus, this field is expressed as
3877 "assigned-mac-address" or the deprecated "cloned-mac-address".
3878
3879 Format: byte array
3880
3881 duplex
3882 When a value is set, either "half" or "full", configures the device
3883 to use the specified duplex mode. If "auto-negotiate" is "yes" the
3884 specified duplex mode will be the only one advertised during link
3885 negotiation: this works only for BASE-T 802.3 specifications and is
3886 useful for enforcing gigabits modes, as in these cases link
3887 negotiation is mandatory. If the value is unset (the default), the
3888 link configuration will be either skipped (if "auto-negotiate" is
3889 "no", the default) or will be auto-negotiated (if "auto-negotiate"
3890 is "yes") and the local device will advertise all the supported
3891 duplex modes. Must be set together with the "speed" property if
3892 specified. Before specifying a duplex mode be sure your device
3893 supports it.
3894
3895 Format: string
3896
3897 generate-mac-address-mask
3898 With "cloned-mac-address" setting "random" or "stable", by default
3899 all bits of the MAC address are scrambled and a
3900 locally-administered, unicast MAC address is created. This property
3901 allows specifying that certain bits are fixed. Note that the least
3902 significant bit of the first octet of the MAC address will always be
3903 unset to create a unicast MAC address. If the property is NULL, it is
3904 eligible to be overwritten by a default connection setting. If the
3905 value is still NULL or an empty string, the default is to create a
3906 locally-administered, unicast MAC address. If the value contains
3907 one MAC address, this address is used as mask. The set bits of the
3908 mask are to be filled with the current MAC address of the device,
3909 while the unset bits are subject to randomization. Setting
3910 "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3911 address and only randomize the lower 3 bytes using the "random" or
3912 "stable" algorithm. If the value contains one additional MAC
3913 address after the mask, this address is used instead of the current
3914 MAC address to fill the bits that shall not be randomized. For
3915 example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3916 the OUI of the MAC address to 68:F7:28, while the lower bits are
3917 randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3918 create a fully scrambled globally-administered, burned-in MAC
3919 address. If the value contains more than one additional MAC
3920 address, one of them is chosen randomly. For example,
3921 "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3922 a fully scrambled MAC address, randomly locally or globally
3923 administered.
3924
3925 Format: string
3926
3927 mac-address
3928 Alias: mac
3929
3930 If specified, this connection will only apply to the Ethernet
3931 device whose permanent MAC address matches. This property does not
3932 change the MAC address of the device (i.e. MAC spoofing).
3933
3934 Format: byte array
3935
3936 mac-address-blacklist
3937 If specified, this connection will never apply to the Ethernet
3938 device whose permanent MAC address matches an address in the list.
3939 Each MAC address is in the standard hex-digits-and-colons notation
3940 (00:11:22:33:44:55).
3941
3942 Format: array of string
3943
3944 mtu
3945 Alias: mtu
3946
3947 If non-zero, only transmit packets of the specified size or
3948 smaller, breaking larger packets up into multiple Ethernet frames.
3949
3950 Format: uint32
3951
3952 port
3953 Specific port type to use if the device supports multiple
3954 attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
3955 Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
3956 Interface). If the device supports only one port type, this setting
3957 is ignored.
3958
3959 Format: string
3960
3961 s390-nettype
3962 s390 network device type; one of "qeth", "lcs", or "ctc",
3963 representing the different types of virtual network devices
3964 available on s390 systems.
3965
3966 Format: string
3967
3968 s390-options
3969 Dictionary of key/value pairs of s390-specific device options. Both
3970 keys and values must be strings. Allowed keys include "portno",
3971 "layer2", "portname", "protocol", among others. Key names must
3972 contain only alphanumeric characters (ie, [a-zA-Z0-9]). Currently,
3973 NetworkManager itself does nothing with this information. However,
3974 s390utils ships a udev rule which parses this information and
3975 applies it to the interface.
3976
3977 Format: dict of string to string
3978
3979 s390-subchannels
3980 Identifies specific subchannels that this network device uses for
3981 communication with z/VM or s390 host. Like the "mac-address"
3982 property for non-z/VM devices, this property can be used to ensure
3983 this connection only applies to the network device that uses these
3984 subchannels. The list should contain exactly 3 strings, and each
3985 string may only be composed of hexadecimal characters and the
3986 period (.) character.
3987
3988 Format: array of string
3989
3990 speed
3991 When a value greater than 0 is set, configures the device to use
3992 the specified speed. If "auto-negotiate" is "yes" the specified
3993 speed will be the only one advertised during link negotiation: this
3994 works only for BASE-T 802.3 specifications and is useful for
3995 enforcing gigabit speeds, as in this case link negotiation is
3996 mandatory. If the value is unset (0, the default), the link
3997 configuration will be either skipped (if "auto-negotiate" is "no",
3998 the default) or will be auto-negotiated (if "auto-negotiate" is
3999 "yes") and the local device will advertise all the supported
4000 speeds. In Mbit/s, ie 100 == 100Mbit/s. Must be set together with
4001 the "duplex" property when non-zero. Before specifying a speed
4002 value be sure your device supports it.
4003
4004 Format: uint32
4005
4006 wake-on-lan
4007 The NMSettingWiredWakeOnLan options to enable. Not all devices
4008 support all options. May be any combination of
4009 NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
4010 NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
4011 NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
4012 NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
4013 NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
4014 NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
4015 NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
4016 and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
4017 management of Wake-on-LAN in NetworkManager).
4018
4019 Format: uint32
4020
4021 wake-on-lan-password
4022 If specified, the password used with magic-packet-based
4023 Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
4024 password will be required.
4025
4026 Format: string
4027
4028 wireguard setting
4029 WireGuard Settings.
4030
4031 Properties:
4032
4033 fwmark
4034 The use of fwmark is optional and is by default off. Setting it to
4035 0 disables it. Otherwise, it is a 32-bit fwmark for outgoing
4036 packets. Note that enabling "ip4-auto-default-route" or
4037 "ip6-auto-default-route" implies that a fwmark is chosen
4038 automatically.
4039
4040 Format: uint32
4041
4042 ip4-auto-default-route
4043 Whether to enable special handling of the IPv4 default route. If
4044 enabled, the IPv4 default route from wireguard.peer-routes will be
4045 placed to a dedicated routing-table and two policy routing rules
4046 will be added. The fwmark number is also used as routing-table for
4047 the default-route, and if fwmark is zero, an unused fwmark/table is
4048 chosen automatically. This corresponds to what wg-quick does with
4049 Table=auto and what WireGuard calls "Improved Rule-based Routing".
4050 Note that for this automatism to work, you usually don't want to
4051 set ipv4.gateway, because that will result in a conflicting default
4052 route. Leaving this at the default will enable this option
4053 automatically if ipv4.never-default is not set and there are any
4054 peers that use a default-route as allowed-ips.
4055
4056 Format: NMTernary (int32)
4057
4058 ip6-auto-default-route
4059 Like ip4-auto-default-route, but for the IPv6 default route.
4060
4061 Format: NMTernary (int32)
4062
4063 listen-port
4064 The listen-port. If listen-port is not specified, the port will be
4065 chosen randomly when the interface comes up.
4066
4067 Format: uint32
4068
4069 mtu
4070 If non-zero, only transmit packets of the specified size or
4071 smaller, breaking larger packets up into multiple fragments. If
4072 zero a default MTU is used. Note that contrary to wg-quick's MTU
4073 setting, this does not take into account the current routes at the
4074 time of activation.
4075
4076 Format: uint32
4077
4078 peer-routes
4079 Whether to automatically add routes for the AllowedIPs ranges of
4080 the peers. If TRUE (the default), NetworkManager will automatically
4081 add routes in the routing tables according to ipv4.route-table and
4082 ipv6.route-table. Usually you want this automatism enabled. If
4083 FALSE, no such routes are added automatically. In this case, the
4084 user may want to configure static routes in ipv4.routes and
4085 ipv6.routes, respectively. Note that if the peer's AllowedIPs is
4086 "0.0.0.0/0" or "::/0" and the profile's ipv4.never-default or
4087 ipv6.never-default setting is enabled, the peer route for this peer
4088 won't be added automatically.
4089
4090 Format: boolean
4091
4092 private-key
4093 The 256 bit private-key in base64 encoding.
4094
4095 Format: string
4096
4097 private-key-flags
4098 Flags indicating how to handle the "private-key" property. See the
4099 section called “Secret flag types:” for flag values.
4100
4101 Format: NMSettingSecretFlags (uint32)
4102
4103 802-11-wireless setting
4104 Alias: wifi
4105
4106 Wi-Fi Settings.
4107
4108 Properties:
4109
4110 ap-isolation
4111 Configures AP isolation, which prevents communication between
4112 wireless devices connected to this AP. This property can be set to
4113 a value different from NM_TERNARY_DEFAULT (-1) only when the
4114 interface is configured in AP mode. If set to NM_TERNARY_TRUE (1),
4115 devices are not able to communicate with each other. This increases
4116 security because it protects devices against attacks from other
4117 clients in the network. At the same time, it prevents devices from
4118 accessing resources on the same wireless network, such as file shares,
4119 printers, etc. If set to NM_TERNARY_FALSE (0), devices can talk to
4120 each other. When set to NM_TERNARY_DEFAULT (-1), the global default
4121 is used; in case the global default is unspecified it is assumed to
4122 be NM_TERNARY_FALSE (0).
4123
4124 Format: NMTernary (int32)
4125
4126 band
4127 802.11 frequency band of the network. One of "a" for 5GHz 802.11a
4128 or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
4129 network to the specific band, i.e. if "a" is specified, the device
4130 will not associate with the same network in the 2.4GHz band even if
4131 the network's settings are compatible. This setting depends on
4132 specific driver capability and may not work with all drivers.
4133
4134 Format: string
4135
4136 bssid
4137 If specified, directs the device to only associate with the given
4138 access point. This capability is highly driver dependent and not
4139 supported by all devices. Note: this property does not control the
4140 BSSID used when creating an Ad-Hoc network and is unlikely to in
4141 the future.
4142
4143 Format: byte array
4144
4145 channel
4146 Wireless channel to use for the Wi-Fi connection. The device will
4147 only join (or create for Ad-Hoc networks) a Wi-Fi network on the
4148 specified channel. Because channel numbers overlap between bands,
4149 this property also requires the "band" property to be set.
4150
4151 Format: uint32
4152
4153 cloned-mac-address
4154 Alias: cloned-mac
4155
4156 If specified, request that the device use this MAC address instead.
4157 This is known as MAC cloning or spoofing. Besides explicitly
4158 specifying a MAC address, the special values "preserve",
4159 "permanent", "random" and "stable" are supported. "preserve" means
4160 not to touch the MAC address on activation. "permanent" means to
4161 use the permanent hardware address of the device. "random" creates
4162 a random MAC address on each connect. "stable" creates a hashed MAC
4163 address based on connection.stable-id and a machine dependent key.
4164 If unspecified, the value can be overwritten via global defaults,
4165 see manual of NetworkManager.conf. If still unspecified, it
4166 defaults to "preserve" (older versions of NetworkManager may use a
4167 different default value). On D-Bus, this field is expressed as
4168 "assigned-mac-address" or the deprecated "cloned-mac-address".
4169
4170 Format: byte array
4171
4172 generate-mac-address-mask
4173 With "cloned-mac-address" setting "random" or "stable", by default
4174 all bits of the MAC address are scrambled and a
4175 locally-administered, unicast MAC address is created. This property
4176 allows specifying that certain bits are fixed. Note that the least
4177 significant bit of the first octet of the MAC address will always be
4178 unset to create a unicast MAC address. If the property is NULL, it is
4179 eligible to be overwritten by a default connection setting. If the
4180 value is still NULL or an empty string, the default is to create a
4181 locally-administered, unicast MAC address. If the value contains
4182 one MAC address, this address is used as mask. The set bits of the
4183 mask are to be filled with the current MAC address of the device,
4184 while the unset bits are subject to randomization. Setting
4185 "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
4186 address and only randomize the lower 3 bytes using the "random" or
4187 "stable" algorithm. If the value contains one additional MAC
4188 address after the mask, this address is used instead of the current
4189 MAC address to fill the bits that shall not be randomized. For
4190 example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
4191 the OUI of the MAC address to 68:F7:28, while the lower bits are
4192 randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
4193 create a fully scrambled globally-administered, burned-in MAC
4194 address. If the value contains more than one additional MAC
4195 address, one of them is chosen randomly. For example,
4196 "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
4197 a fully scrambled MAC address, randomly locally or globally
4198 administered.
4199
4200 Format: string
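
The mask semantics described for generate-mac-address-mask (here and in the 802-3-ethernet setting) can be traced with the following added example. It is an illustration of the documented rules, not NetworkManager's own code; the function names and the current MAC address used in the demo are assumptions made for this example.

```python
import random
import re

_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")


def parse_mac(text):
    """Parse hex-digits-and-colons notation into 6 raw bytes."""
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in text.split(":"))


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def generate_mac(mask_value, current_mac, rng=None):
    """Apply the documented generate-mac-address-mask rules.

    mask_value  -- property value: empty, "MASK", or "MASK ADDR [ADDR...]"
    current_mac -- the device's current MAC, used when no ADDR is given
    rng         -- random source; injectable so results can be tested
    """
    rng = rng or random.SystemRandom()
    scrambled = bytearray(rng.getrandbits(8) for _ in range(6))

    # NULL or empty string: locally-administered, unicast address.
    if not mask_value or not mask_value.strip():
        scrambled[0] |= 0x02   # locally-administered bit set
        scrambled[0] &= 0xFE   # multicast bit cleared
        return format_mac(scrambled)

    fields = [parse_mac(f) for f in mask_value.split()]
    mask, candidates = fields[0], fields[1:]

    # Set mask bits are filled from the current MAC, or from one of the
    # additional addresses (picked at random when several are listed).
    fill = rng.choice(candidates) if candidates else parse_mac(current_mac)

    out = bytearray(
        (s & ~m & 0xFF) | (f & m) for s, m, f in zip(scrambled, mask, fill)
    )
    out[0] &= 0xFE  # the result is always a unicast address
    return format_mac(out)


def address_class(mac):
    """Return 'local' or 'global' from the second-lowest bit of octet 0."""
    return "local" if parse_mac(mac)[0] & 0x02 else "global"


if __name__ == "__main__":
    current = "00:1B:44:11:3A:B7"  # constructed sample address
    for value in (
        "",
        "FE:FF:FF:00:00:00",
        "FE:FF:FF:00:00:00 68:F7:28:00:00:00",
        "02:00:00:00:00:00 00:00:00:00:00:00",
        "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00",
    ):
        mac = generate_mac(value, current)
        print(f"{value!r:60} -> {mac} ({address_class(mac)})")
```

With the mask "FE:FF:FF:00:00:00" the vendor OUI stays visible on the network, so only the lower 3 bytes contribute to unlinkability between connections.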
4201
4202 hidden
4203 If TRUE, indicates that the network is a non-broadcasting network
4204 that hides its SSID. This works both in infrastructure and AP mode.
4205 In infrastructure mode, various workarounds are used for a more
4206 reliable discovery of hidden networks, such as probe-scanning the
4207 SSID. However, these workarounds expose inherent insecurities with
4208 hidden SSID networks, and thus hidden SSID networks should be used
4209 with caution. In AP mode, the created network does not broadcast
4210 its SSID. Note that marking the network as hidden may be a privacy
4211 issue for you (in infrastructure mode) or client stations (in AP
4212 mode), as the explicit probe-scans are distinctly recognizable on
4213 the air.
4214
4215 Format: boolean
4216
4217 mac-address
4218 Alias: mac
4219
4220 If specified, this connection will only apply to the Wi-Fi device
4221 whose permanent MAC address matches. This property does not change
4222 the MAC address of the device (i.e. MAC spoofing).
4223
4224 Format: byte array
4225
4226 mac-address-blacklist
4227 A list of permanent MAC addresses of Wi-Fi devices to which this
4228 connection should never apply. Each MAC address should be given in
4229 the standard hex-digits-and-colons notation (eg
4230 "00:11:22:33:44:55").
4231
4232 Format: array of string
4233
4234 mac-address-randomization
4235 One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
4236 unless the user has set a global default to randomize and the
4237 supplicant supports randomization),
4238 NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
4239 address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
4240 randomize the MAC address). This property is deprecated for
4241 'cloned-mac-address'. Deprecated: 1
4242
4243 Format: uint32
4244
4245 mode
4246 Alias: mode
4247
4248 Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
4249 "ap". If blank, infrastructure is assumed.
4250
4251 Format: string
4252
4253 mtu
4254 Alias: mtu
4255
4256 If non-zero, only transmit packets of the specified size or
4257 smaller, breaking larger packets up into multiple Ethernet frames.
4258
4259 Format: uint32
4260
4261 powersave
4262 One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
4263 power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
4264 Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
4265 (don't touch the currently configured setting) or
4266 NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
4267 configured value). All other values are reserved.
4268
4269 Format: uint32
4270
4271 rate
4272 If non-zero, directs the device to only use the specified bitrate
4273 for communication with the access point. Units are in Kb/s, ie 5500
4274 = 5.5 Mbit/s. This property is highly driver dependent and not all
4275 devices support setting a static bitrate.
4276
4277 Format: uint32
4278
4279 seen-bssids
4280 A list of BSSIDs (each BSSID formatted as a MAC address like
4281 "00:11:22:33:44:55") that have been detected as part of the Wi-Fi
4282 network. NetworkManager internally tracks previously seen BSSIDs.
4283 The property is only meant for reading and reflects the BSSID list
4284 of NetworkManager. The changes you make to this property will not
4285 be preserved.
4286
4287 Format: array of string
4288
4289 ssid
4290 Alias: ssid
4291
4292 SSID of the Wi-Fi network. Must be specified.
4293
4294 Format: byte array
4295
4296 tx-power
4297 If non-zero, directs the device to use the specified transmit
4298 power. Units are dBm. This property is highly driver dependent and
4299 not all devices support setting a static transmit power.
4300
4301 Format: uint32
4302
4303 wake-on-wlan
4304 The NMSettingWirelessWakeOnWLan options to enable. Not all devices
4305 support all options. May be any combination of
4306 NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
4307 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
4308 NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
4309 NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
4310 NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
4311 NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
4312 NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
4313 NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
4314 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
4315 settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
4316 disable management of Wake-on-LAN in NetworkManager).
4317
4318 Format: uint32
4319
4320 802-11-wireless-security setting
4321 Alias: wifi-sec
4322
4323 Wi-Fi Security Settings.
4324
4325 Properties:
4326
4327 auth-alg
4328 When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate
4329 the 802.11 authentication algorithm required by the AP here. One of
4330 "open" for Open System, "shared" for Shared Key, or "leap" for
4331 Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and
4332 auth-alg = "leap") the "leap-username" and "leap-password"
4333 properties must be specified.
4334
4335 Format: string
4336
4337 fils
4338 Indicates whether Fast Initial Link Setup (802.11ai) must be
4339 enabled for the connection. One of
4340 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
4341 value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
4342 FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
4343 if the supplicant and the access point support it) or
4344 NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
4345 fail if not supported). When set to
4346 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
4347 is set, FILS will be optionally enabled.
4348
4349 Format: int32
4350
4351 group
4352 A list of group/broadcast encryption algorithms which prevents
4353 connections to Wi-Fi networks that do not utilize one of the
4354 algorithms in the list. For maximum compatibility leave this
4355 property empty. Each list element may be one of "wep40", "wep104",
4356 "tkip", or "ccmp".
4357
4358 Format: array of string
4359
4360 key-mgmt
4361 Key management used for the connection. One of "none" (WEP or no
4362 password protection), "ieee8021x" (Dynamic WEP), "owe"
4363 (Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3
4364 personal), "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3
4365 enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only). This
4366 property must be set for any Wi-Fi connection that uses security.
4367
4368 Format: string
4369
4370 leap-password
4371 The login password for legacy LEAP connections (ie, key-mgmt =
4372 "ieee8021x" and auth-alg = "leap").
4373
4374 Format: string
4375
4376 leap-password-flags
4377 Flags indicating how to handle the "leap-password" property. See
4378 the section called “Secret flag types:” for flag values.
4379
4380 Format: NMSettingSecretFlags (uint32)
4381
4382 leap-username
4383 The login username for legacy LEAP connections (ie, key-mgmt =
4384 "ieee8021x" and auth-alg = "leap").
4385
4386 Format: string
4387
4388 pairwise
4389 A list of pairwise encryption algorithms which prevents connections
4390 to Wi-Fi networks that do not utilize one of the algorithms in the
4391 list. For maximum compatibility leave this property empty. Each
4392 list element may be one of "tkip" or "ccmp".
4393
4394 Format: array of string
4395
4396 pmf
4397 Indicates whether Protected Management Frames (802.11w) must be
4398 enabled for the connection. One of
4399 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
4400 value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
4401 NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
4402 supplicant and the access point support it) or
4403 NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
4404 if not supported). When set to
4405 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
4406 is set, PMF will be optionally enabled.
4407
4408 Format: int32
4409
4410 proto
4411 List of strings specifying the allowed WPA protocol versions to
4412 use. Each element may be one of "wpa" (allow WPA) or "rsn" (allow
4413 WPA2/RSN). If not specified, both WPA and RSN connections are
4414 allowed.
4415
4416 Format: array of string
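
The auth-alg, group, key-mgmt, pairwise, pmf and proto properties above together decide which legacy protections a profile will still accept. The following added example (not part of NetworkManager) audits one profile for the permissive values this page documents. It assumes the profile is supplied as "setting.property:value" lines; the sample lines are constructed, and the severity labels are this example's own.

```python
import re

PREFIX = "802-11-wireless-security."
LEGACY_CIPHERS = {"wep40", "wep104", "tkip"}


def parse_profile(text):
    """Collect wifi-sec properties from 'setting.property:value' lines."""
    props = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name.startswith(PREFIX):
            value = value.strip()
            props[name[len(PREFIX):]] = "" if value == "--" else value
    return props


def _items(value):
    """Split a list property on commas or whitespace."""
    return [v for v in re.split(r"[,\s]+", value.lower()) if v]


def _leading_int(value, default=0):
    """Accept '3' as well as '3 (required)'."""
    match = re.match(r"\s*(-?\d+)", value)
    return int(match.group(1)) if match else default


def audit(props):
    """Return a list of (severity, property, message) findings."""
    findings = []
    key_mgmt = props.get("key-mgmt", "")

    if key_mgmt in ("", "none"):
        findings.append(("HIGH", "key-mgmt", "WEP or no password protection"))
    elif key_mgmt == "ieee8021x":
        leap = props.get("auth-alg", "") == "leap"
        findings.append(
            ("HIGH", "key-mgmt", "legacy Cisco LEAP" if leap else "Dynamic WEP")
        )

    if key_mgmt in ("wpa-psk", "wpa-eap"):
        # Unset proto allows both WPA and RSN.
        proto = _items(props.get("proto", ""))
        if not proto or "wpa" in proto:
            findings.append(("MEDIUM", "proto", "WPA allowed; list only 'rsn'"))

        # An empty cipher list places no restriction on the network.
        for prop in ("pairwise", "group"):
            ciphers = _items(props.get(prop, ""))
            legacy = sorted(LEGACY_CIPHERS.intersection(ciphers))
            if legacy:
                findings.append(("MEDIUM", prop, "allows " + ",".join(legacy)))
            elif not ciphers:
                findings.append(("LOW", prop, "no cipher restriction set"))

        # 0 = default, 1 = disable, 2 = optional, 3 = required.
        pmf = _leading_int(props.get("pmf", "0"))
        if pmf == 1:
            findings.append(("MEDIUM", "pmf", "PMF disabled"))
        elif pmf != 3:
            findings.append(("LOW", "pmf", "PMF not required"))
    return findings


# Constructed sample profiles.
PERMISSIVE = """\
802-11-wireless-security.key-mgmt:wpa-psk
802-11-wireless-security.proto:
802-11-wireless-security.pairwise:ccmp,tkip
802-11-wireless-security.group:
802-11-wireless-security.pmf:1 (disable)
"""

HARDENED = """\
802-11-wireless-security.key-mgmt:wpa-psk
802-11-wireless-security.proto:rsn
802-11-wireless-security.pairwise:ccmp
802-11-wireless-security.group:ccmp
802-11-wireless-security.pmf:3 (required)
"""

if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(label)
        for severity, prop, message in audit(parse_profile(text)) or [("OK", "-", "no findings")]:
            print(f"  {severity:6} {prop:10} {message}")
```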
4417
4418 psk
4419 Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
4420 passphrase of 8 to 63 characters that is (as specified in the
4421 802.11i standard) hashed to derive the actual key, or the key in
4422 form of 64 hexadecimal character. The WPA3-Personal networks use a
4423 passphrase of any length for SAE authentication.
4424
4425 Format: string
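
The two WPA-PSK forms of "psk" described above, as an added Python example (not part of the manual page or of NetworkManager's code; the function names are this example's own). It shows that the 64-character hexadecimal form is the PBKDF2-HMAC-SHA1 output for one passphrase and SSID, so a profile holding the hexadecimal key needs the same protection as one holding the passphrase.

```python
import hashlib
import string

# Printable ASCII (0x20-0x7e): the characters a WPA-PSK passphrase may use.
_PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}


def classify_psk(psk):
    """Return which form of the "psk" property a value is (labels are
    this example's own):

    "raw-key":    64 hexadecimal characters, used as the key directly
    "passphrase": 8 to 63 ASCII characters, hashed with the SSID (WPA-PSK)
    "sae-only":   any other non-empty string; fits only the any-length
                  passphrase that WPA3-Personal (SAE) accepts
    """
    # A passphrase is at most 63 characters, so a 64-character value
    # can only be the raw key and the two forms never collide.
    if len(psk) == 64 and all(c in string.hexdigits for c in psk):
        return "raw-key"
    if 8 <= len(psk) <= 63 and all(c in _PRINTABLE for c in psk):
        return "passphrase"
    if psk:
        return "sae-only"
    raise ValueError("empty psk")


def derive_wpa_psk(passphrase, ssid):
    """Derive the 256-bit WPA-PSK key as 64 hexadecimal characters.

    802.11i mapping: PBKDF2-HMAC-SHA1, SSID bytes as salt,
    4096 iterations, 32-byte output.
    """
    if classify_psk(passphrase) != "passphrase":
        raise ValueError("WPA-PSK needs 8 to 63 ASCII characters")
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid, 4096, 32
    )
    return key.hex()
```

Because the SSID is the salt, the same passphrase yields a different key on every network name, and the derived key is only valid for the SSID it was computed with.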

psk-flags
Flags indicating how to handle the "psk" property. See the section
called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

wep-key-flags
Flags indicating how to handle the "wep-key0", "wep-key1",
"wep-key2", and "wep-key3" properties. See the section called
“Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

wep-key-type
Controls the interpretation of WEP keys. Allowed values are
NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
26-character hexadecimal string, or a 5- or 13-character ASCII
password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
passphrase is provided as a string and will be hashed using the
de-facto MD5 method to derive the actual WEP key.

Format: NMWepKeyType (uint32)

wep-key0
Index 0 WEP key. This is the WEP key used in most networks. See the
"wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-key1
Index 1 WEP key. This WEP index is not used by most networks. See
the "wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-key2
Index 2 WEP key. This WEP index is not used by most networks. See
the "wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-key3
Index 3 WEP key. This WEP index is not used by most networks. See
the "wep-key-type" property for a description of how this key is
interpreted.

Format: string

wep-tx-keyidx
When static WEP is used (i.e., key-mgmt = "none") and a non-default
WEP key index is used by the AP, put that WEP key index here. Valid
values are 0 (default key) through 3. Note that some consumer
access points (like the Linksys WRT54G) number the keys 1 - 4.

Format: uint32

wps-method
Flags indicating which mode of WPS is to be used if any. There's
little point in changing the default setting as NetworkManager will
automatically determine whether it's feasible to start WPS
enrollment from the Access Point capabilities. WPS can be disabled
by setting this property to a value of 1.

Format: uint32

wpan setting
IEEE 802.15.4 (WPAN) MAC Settings.

Properties:

channel
Alias: channel

IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
set, use whatever the device is already set to".

Format: int32

mac-address
Alias: mac

If specified, this connection will only apply to the IEEE 802.15.4
(WPAN) MAC layer device whose permanent MAC address matches.

Format: string

page
Alias: page

IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
not set, use whatever the device is already set to".

Format: int32

pan-id
Alias: pan-id

IEEE 802.15.4 Personal Area Network (PAN) identifier.

Format: uint32

short-address
Alias: short-addr

Short IEEE 802.15.4 address to be used within a restricted
environment.

Format: uint32

bond-port setting
Bond Port Settings.

Properties:

queue-id
Alias: queue-id

The queue ID of this bond port. The maximum value of queue ID is
the number of TX queues currently active in the device.

Format: uint32

hostname setting
Hostname settings.

Properties:

from-dhcp
Whether the system hostname can be determined from DHCP on this
connection. When set to NM_TERNARY_DEFAULT (-1), the value from
global configuration is used. If the property doesn't have a value
in the global configuration, NetworkManager assumes the value to be
NM_TERNARY_TRUE (1).

Format: NMTernary (int32)

from-dns-lookup
Whether the system hostname can be determined from reverse DNS
lookup of addresses on this device. When set to NM_TERNARY_DEFAULT
(-1), the value from global configuration is used. If the property
doesn't have a value in the global configuration, NetworkManager
assumes the value to be NM_TERNARY_TRUE (1).

Format: NMTernary (int32)

only-from-default
If set to NM_TERNARY_TRUE (1), NetworkManager attempts to get the
hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this device
only when the device has the default route for the given address
family (IPv4/IPv6). If set to NM_TERNARY_FALSE (0), the hostname
can be set from this device even if it doesn't have the default
route. When set to NM_TERNARY_DEFAULT (-1), the value from global
configuration is used. If the property doesn't have a value in the
global configuration, NetworkManager assumes the value to be
NM_TERNARY_FALSE (0).

Format: NMTernary (int32)

priority
The relative priority of this connection to determine the system
hostname. A lower numerical value is better (higher priority). A
connection with higher priority is considered before connections
with lower priority. If the value is zero, it can be overridden by
a global value from NetworkManager configuration. If the property
doesn't have a value in the global configuration, the value is
assumed to be 100. Negative values have the special effect of
excluding other connections with a greater numerical priority
value; so in the presence of at least one negative priority, only
connections with the lowest priority value will be used to
determine the hostname.

Format: int32

veth setting
Veth Settings.

Properties:

peer
Alias: peer

This property specifies the peer interface name of the veth. This
property is mandatory.

Format: string

Secret flag types:
Each password or secret property in a setting has an associated flags
property that describes how to handle that secret. The flags property
is a bitfield that contains zero or more of the following values
logically OR-ed together.

• 0x0 (none) - the system is responsible for providing and storing
this secret. This may be required so that secrets are already
available before the user logs in. It also commonly means that the
secret will be stored in plain text on disk, accessible to root
only, for example via the keyfile settings plugin as described in
the "PLUGINS" section in NetworkManager.conf(5).

• 0x1 (agent-owned) - a user-session secret agent is responsible for
providing and storing this secret; when it is required, agents will
be asked to provide it.

• 0x2 (not-saved) - this secret should not be saved but should be
requested from the user each time it is required. This flag should
be used for One-Time-Pad secrets, PIN codes from hardware tokens,
or if the user simply does not want to save the secret.

• 0x4 (not-required) - in some situations it cannot be automatically
determined whether a secret is required or not. This flag hints that
the secret is not required and should not be requested from the
user.
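
The flag values above applied to the secrets of the wireless-security setting, as an added Python example (not part of the manual page or of NetworkManager's code). The function names, the storage labels and the sample profile are this example's own; the property names and flag values are the ones listed on this page.

```python
# Flag bits from the "Secret flag types" list; 0x0 means "none".
SECRET_FLAGS = {0x1: "agent-owned", 0x2: "not-saved", 0x4: "not-required"}

# Each flags property and the secret properties it governs
# (the four WEP keys share "wep-key-flags").
GOVERNED_BY = {
    "psk-flags": ["psk"],
    "leap-password-flags": ["leap-password"],
    "wep-key-flags": ["wep-key0", "wep-key1", "wep-key2", "wep-key3"],
}

# Labels chosen for this example.
ON_SYSTEM = "system (commonly plain text on disk, root only)"
IN_AGENT = "user-session secret agent"
PROMPTED = "requested each time, not saved"


def decode_secret_flags(value):
    """Return the names of the flags set in an NMSettingSecretFlags value."""
    if value < 0 or value & ~0x7:
        raise ValueError("unknown secret flag bits in %#x" % value)
    if value == 0:
        return ["none"]
    return [name for bit, name in SECRET_FLAGS.items() if value & bit]


def secret_storage(value):
    """Say where a secret with these flags is kept."""
    names = decode_secret_flags(value)
    if "not-saved" in names:
        return PROMPTED
    if "agent-owned" in names:
        return IN_AGENT
    # "none", or "not-required" alone: the system provides and stores it.
    return ON_SYSTEM


def audit_secrets(profile):
    """Map every secret governed by a flags property present in the
    profile (property name -> integer flag value) to its storage."""
    report = {}
    for flags_prop, secrets in GOVERNED_BY.items():
        if flags_prop in profile:
            for secret in secrets:
                report[secret] = secret_storage(profile[flags_prop])
    return report


# Constructed sample profile, not taken from a real system.
SAMPLE = {"psk-flags": 0, "wep-key-flags": 5, "leap-password-flags": 2}
```

Run over exported profile properties, the report shows which secrets rely on file permissions under the system connection directory and which never touch disk.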

/etc/NetworkManager/system-connections or distro plugin-specific
location

nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
nm-settings-keyfile(5), NetworkManager.conf(5)

NetworkManager 1.38.0 NM-SETTINGS-NMCLI(5)