1NM-SETTINGS-NMCLI(5) Configuration NM-SETTINGS-NMCLI(5)
2
6 nm-settings-nmcli - Description of settings and properties of
7 NetworkManager connection profiles for nmcli
8
10 NetworkManager is based on a concept of connection profiles, sometimes
11 referred to as connections only. These connection profiles contain a
12 network configuration. When NetworkManager activates a connection
13 profile on a network device the configuration will be applied and an
14 active network connection will be established. Users are free to create
15 as many connection profiles as they see fit. Thus they are flexible in
16 having various network configurations for different networking needs.
17 NetworkManager provides an API for configuring connection profiles, for
19 activating them to configure the network, and inspecting the current
20 network configuration. The command line tool nmcli is a client
21 application to NetworkManager that uses this API. See nmcli(1) for
22 details.
23 With commands like nmcli connection add, nmcli connection modify and
25 nmcli connection show, connection profiles can be created, modified and
26 inspected. A profile consists of properties. On D-Bus this follows the
27 format as described by nm-settings-dbus(5), while this manual page
28 describes the settings format how they are expected by nmcli.
29 The settings and properties shown in tables below list all available
31 connection configuration options. However, note that not all settings
32 are applicable to all connection types. nmcli connection editor has
33 also a built-in describe command that can display description of
34 particular settings and properties of this page.
35 The setting and property can be abbreviated provided they are unique.
37 The list below also shows aliases that can be used unqualified instead
38 of the full name. For example connection.interface-name and ifname
39 refer to the same property.
40 connection setting
42 General Connection Profile Settings.
43 Properties:
45 auth-retries
47 The number of retries for the authentication. Zero means to try
48 indefinitely; -1 means to use a global default. If the global
49 default is not set, the authentication retries for 3 times before
50 failing the connection. Currently, this only applies to 802-1x
51 authentication.
52 Format: int32
54 autoconnect
56 Alias: autoconnect
57 Whether or not the connection should be automatically connected by
59 NetworkManager when the resources for the connection are available.
60 TRUE to automatically activate the connection, FALSE to require
61 manual intervention to activate the connection. Autoconnect happens
62 when the circumstances are suitable. That means for example that
63 the device is currently managed and not active. Autoconnect thus
64 never replaces or competes with an already active profile. Note
65 that autoconnect is not implemented for VPN profiles. See
66 "secondaries" as an alternative to automatically connect VPN
67 profiles. If multiple profiles are ready to autoconnect on the same
68 device, the one with the better "connection.autoconnect-priority"
69 is chosen. If the priorities are equal, then the most recently
70 connected profile is activated. If the profiles were not connected
71 earlier or their "connection.timestamp" is identical, the choice is
72 undefined. Depending on "connection.multi-connect", a profile can
73 (auto)connect only once at a time or multiple times.
74 Format: boolean
76 autoconnect-priority
78 The autoconnect priority in range -999 to 999. If the connection is
79 set to autoconnect, connections with higher priority will be
80 preferred. The higher number means higher priority. Defaults to 0.
81 Note that this property only matters if there are more than one
82 candidate profile to select for autoconnect. In case of equal
83 priority, the profile used most recently is chosen.
84 Format: int32
86 autoconnect-retries
88 The number of times a connection should be tried when
89 autoactivating before giving up. Zero means forever, -1 means the
90 global default (4 times if not overridden). Setting this to 1 means
91 to try activation only once before blocking autoconnect. Note that
92 after a timeout, NetworkManager will try to autoconnect again.
93 Format: int32
95 autoconnect-slaves
97 Whether or not slaves of this connection should be automatically
98 brought up when NetworkManager activates this connection. This only
99 has a real effect for master connections. The properties
100 "autoconnect", "autoconnect-priority" and "autoconnect-retries" are
101 unrelated to this setting. The permitted values are: 0: leave slave
102 connections untouched, 1: activate all the slave connections with
103 this connection, -1: default. If -1 (default) is set, global
104 connection.autoconnect-slaves is read to determine the real value.
105 If it is default as well, this fallbacks to 0.
106 Format: NMSettingConnectionAutoconnectSlaves (int32)
108 dns-over-tls
110 Whether DNSOverTls (dns-over-tls) is enabled for the connection.
111 DNSOverTls is a technology which uses TLS to encrypt dns traffic.
112 The permitted values are: "yes" (2) use DNSOverTls and disabled
113 fallback, "opportunistic" (1) use DNSOverTls but allow fallback to
114 unencrypted resolution, "no" (0) don't ever use DNSOverTls. If
115 unspecified "default" depends on the plugin used. Systemd-resolved
116 uses global setting. This feature requires a plugin which supports
117 DNSOverTls. Otherwise, the setting has no effect. One such plugin
118 is dns-systemd-resolved.
119 Format: int32
121 gateway-ping-timeout
123 If greater than zero, delay success of IP addressing until either
124 the timeout is reached, or an IP gateway replies to a ping.
125 Format: uint32
127 id
129 Alias: con-name
130 A human readable unique identifier for the connection, like "Work
132 Wi-Fi" or "T-Mobile 3G".
133 Format: string
135 interface-name
137 Alias: ifname
138 The name of the network interface this connection is bound to. If
140 not set, then the connection can be attached to any interface of
141 the appropriate type (subject to restrictions imposed by other
142 settings). For software devices this specifies the name of the
143 created device. For connection types where interface names cannot
144 easily be made persistent (e.g. mobile broadband or USB Ethernet),
145 this property should not be used. Setting this property restricts
146 the interfaces a connection can be used with, and if interface
147 names change or are reordered the connection may be applied to the
148 wrong interface.
149 Format: string
151 lldp
153 Whether LLDP is enabled for the connection.
154 Format: int32
156 llmnr
158 Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
159 the connection. LLMNR is a protocol based on the Domain Name System
160 (DNS) packet format that allows both IPv4 and IPv6 hosts to perform
161 name resolution for hosts on the same local link. The permitted
162 values are: "yes" (2) register hostname and resolving for the
163 connection, "no" (0) disable LLMNR for the interface, "resolve" (1)
164 do not register hostname but allow resolving of LLMNR host names If
165 unspecified, "default" ultimately depends on the DNS plugin (which
166 for systemd-resolved currently means "yes"). This feature requires
167 a plugin which supports LLMNR. Otherwise, the setting has no
168 effect. One such plugin is dns-systemd-resolved.
169 Format: int32
171 master
173 Alias: master
174 Interface name of the master device or UUID of the master
176 connection.
177 Format: string
179 mdns
181 Whether mDNS is enabled for the connection. The permitted values
182 are: "yes" (2) register hostname and resolving for the connection,
183 "no" (0) disable mDNS for the interface, "resolve" (1) do not
184 register hostname but allow resolving of mDNS host names and
185 "default" (-1) to allow lookup of a global default in
186 NetworkManager.conf. If unspecified, "default" ultimately depends
187 on the DNS plugin (which for systemd-resolved currently means
188 "no"). This feature requires a plugin which supports mDNS.
189 Otherwise, the setting has no effect. One such plugin is
190 dns-systemd-resolved.
191 Format: int32
193 metered
195 Whether the connection is metered. When updating this property on a
196 currently activated connection, the change takes effect
197 immediately.
198 Format: NMMetered (int32)
200 mud-url
202 If configured, set to a Manufacturer Usage Description (MUD) URL
203 that points to manufacturer-recommended network policies for IoT
204 devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
205 must be a valid URL starting with "https://". The special value
206 "none" is allowed to indicate that no MUD URL is used. If the
207 per-profile value is unspecified (the default), a global connection
208 default gets consulted. If still unspecified, the ultimate default
209 is "none".
210 Format: string
212 multi-connect
214 Specifies whether the profile can be active multiple times at a
215 particular moment. The value is of type NMConnectionMultiConnect.
216 Format: int32
218 permissions
220 An array of strings defining what access a given user has to this
221 connection. If this is NULL or empty, all users are allowed to
222 access this connection; otherwise users are allowed if and only if
223 they are in this list. When this is not empty, the connection can
224 be active only when one of the specified users is logged into an
225 active session. Each entry is of the form "[type]:[id]:[reserved]";
226 for example, "user:dcbw:blah". At this time only the "user" [type]
227 is allowed. Any other values are ignored and reserved for future
228 use. [id] is the username that this permission refers to, which may
229 not contain the ":" character. Any [reserved] information present
230 must be ignored and is reserved for future use. All of [type],
231 [id], and [reserved] must be valid UTF-8.
232 Format: array of string
234 read-only
236 FALSE if the connection can be modified using the provided settings
237 service's D-Bus interface with the right privileges, or TRUE if the
238 connection is read-only and cannot be modified.
239 Format: boolean
241 secondaries
243 List of connection UUIDs that should be activated when the base
244 connection itself is activated. Currently, only VPN connections are
245 supported.
246 Format: array of string
248 slave-type
250 Alias: slave-type
251 Setting name of the device type of this slave's master connection
253 (eg, "bond"), or NULL if this connection is not a slave.
254 Format: string
256 stable-id
258 This represents the identity of the connection used for various
259 purposes. It allows to configure multiple profiles to share the
260 identity. Also, the stable-id can contain placeholders that are
261 substituted dynamically and deterministically depending on the
262 context. The stable-id is used for generating IPv6 stable private
263 addresses with ipv6.addr-gen-mode=stable-privacy. It is also used
264 to seed the generated cloned MAC address for
265 ethernet.cloned-mac-address=stable and
266 wifi.cloned-mac-address=stable. It is also used as DHCP client
267 identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
268 DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid]. Note that depending
269 on the context where it is used, other parameters are also seeded
270 into the generation algorithm. For example, a per-host key is
271 commonly also included, so that different systems end up generating
272 different IDs. Or with ipv6.addr-gen-mode=stable-privacy, also the
273 device's name is included, so that different interfaces yield
274 different addresses. The per-host key is the identity of your
275 machine and stored in /var/lib/NetworkManager/secret_key. See
276 NetworkManager(8) manual about the secret-key and the host
277 identity. The '$' character is treated special to perform dynamic
278 substitutions at runtime. Currently, supported are "${CONNECTION}",
279 "${DEVICE}", "${MAC}", "${BOOT}", "${RANDOM}". These effectively
280 create unique IDs per-connection, per-device, per-boot, or every
281 time. Note that "${DEVICE}" corresponds to the interface name of
282 the device and "${MAC}" is the permanent MAC address of the device.
283 Any unrecognized patterns following '$' are treated verbatim,
284 however are reserved for future use. You are thus advised to avoid
285 '$' or escape it as "$$". For example, set it to
286 "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
287 connection that changes with every reboot and differs depending on
288 the interface where the profile activates. If the value is unset, a
289 global connection default is consulted. If the value is still
290 unset, the default is similar to "${CONNECTION}" and uses a unique,
291 fixed ID for the connection.
292 Format: string
294 timestamp
296 The time, in seconds since the Unix Epoch, that the connection was
297 last _successfully_ fully activated. NetworkManager updates the
298 connection timestamp periodically when the connection is active to
299 ensure that an active connection has the latest timestamp. The
300 property is only meant for reading (changes to this property will
301 not be preserved).
302 Format: uint64
304 type
306 Alias: type
307 Base type of the connection. For hardware-dependent connections,
309 should contain the setting name of the hardware-type specific
310 setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth",
311 etc), and for non-hardware dependent connections like VPN or
312 otherwise, should contain the setting name of that setting type
313 (ie, "vpn" or "bridge", etc).
314 Format: string
316 uuid
318 A universally unique identifier for the connection, for example
319 generated with libuuid. It should be assigned when the connection
320 is created, and never changed as long as the connection still
321 applies to the same network. For example, it should not be changed
322 when the "id" property or NMSettingIP4Config changes, but might
323 need to be re-created when the Wi-Fi SSID, mobile broadband network
324 provider, or "type" property changes. The UUID must be in the
325 format "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only
326 hexadecimal characters and "-").
327 Format: string
329 wait-device-timeout
331 Timeout in milliseconds to wait for device at startup. During boot,
332 devices may take a while to be detected by the driver. This
333 property will cause to delay NetworkManager-wait-online.service and
334 nm-online to give the device a chance to appear. This works by
335 waiting for the given timeout until a compatible device for the
336 profile is available and managed. The value 0 means no wait time.
337 The default value is -1, which currently has the same meaning as no
338 wait time.
339 Format: int32
341 zone
343 The trust level of a the connection. Free form case-insensitive
344 string (for example "Home", "Work", "Public"). NULL or unspecified
345 zone means the connection will be placed in the default zone as
346 defined by the firewall. When updating this property on a currently
347 activated connection, the change takes effect immediately.
348 Format: string
350 6lowpan setting
352 6LoWPAN Settings.
353 Properties:
355 parent
357 Alias: dev
358 If given, specifies the parent interface name or parent connection
360 UUID from which this 6LowPAN interface should be created.
361 Format: string
363 802-1x setting
365 IEEE 802.1x Authentication Settings.
366 Properties:
368 altsubject-matches
370 List of strings to be matched against the altSubjectName of the
371 certificate presented by the authentication server. If the list is
372 empty, no verification of the server certificate's altSubjectName
373 is performed.
374 Format: array of string
376 anonymous-identity
378 Anonymous identity string for EAP authentication methods. Used as
379 the unencrypted identity with EAP types that support different
380 tunneled identity like EAP-TTLS.
381 Format: string
383 auth-timeout
385 A timeout for the authentication. Zero means the global default; if
386 the global default is not set, the authentication timeout is 25
387 seconds.
388 Format: int32
390 ca-cert
392 Contains the CA certificate if used by the EAP method specified in
393 the "eap" property. Certificate data is specified using a "scheme";
394 three are currently supported: blob, path and pkcs#11 URL. When
395 using the blob scheme this property should be set to the
396 certificate's DER encoded data. When using the path scheme, this
397 property should be set to the full UTF-8 encoded path of the
398 certificate, prefixed with the string "file://" and ending with a
399 terminating NUL byte. This property can be unset even if the EAP
400 method supports CA certificates, but this allows man-in-the-middle
401 attacks and is NOT recommended. Note that enabling
402 NMSetting8021x:system-ca-certs will override this setting to use
403 the built-in path, if the built-in path is not a directory.
404 Format: byte array
406 ca-cert-password
408 The password used to access the CA certificate stored in "ca-cert"
409 property. Only makes sense if the certificate is stored on a
410 PKCS#11 token that requires a login.
411 Format: string
413 ca-cert-password-flags
415 Flags indicating how to handle the "ca-cert-password" property. See
416 the section called “Secret flag types:” for flag values.
417 Format: NMSettingSecretFlags (uint32)
419 ca-path
421 UTF-8 encoded path to a directory containing PEM or DER formatted
422 certificates to be added to the verification chain in addition to
423 the certificate specified in the "ca-cert" property. If
424 NMSetting8021x:system-ca-certs is enabled and the built-in CA path
425 is an existing directory, then this setting is ignored.
426 Format: string
428 client-cert
430 Contains the client certificate if used by the EAP method specified
431 in the "eap" property. Certificate data is specified using a
432 "scheme"; two are currently supported: blob and path. When using
433 the blob scheme (which is backwards compatible with NM 0.7.x) this
434 property should be set to the certificate's DER encoded data. When
435 using the path scheme, this property should be set to the full
436 UTF-8 encoded path of the certificate, prefixed with the string
437 "file://" and ending with a terminating NUL byte.
438 Format: byte array
440 client-cert-password
442 The password used to access the client certificate stored in
443 "client-cert" property. Only makes sense if the certificate is
444 stored on a PKCS#11 token that requires a login.
445 Format: string
447 client-cert-password-flags
449 Flags indicating how to handle the "client-cert-password" property.
450 See the section called “Secret flag types:” for flag values.
451 Format: NMSettingSecretFlags (uint32)
453 domain-match
455 Constraint for server domain name. If set, this list of FQDNs is
456 used as a match requirement for dNSName element(s) of the
457 certificate presented by the authentication server. If a matching
458 dNSName is found, this constraint is met. If no dNSName values are
459 present, this constraint is matched against SubjectName CN using
460 the same comparison. Multiple valid FQDNs can be passed as a ";"
461 delimited list.
462 Format: string
464 domain-suffix-match
466 Constraint for server domain name. If set, this FQDN is used as a
467 suffix match requirement for dNSName element(s) of the certificate
468 presented by the authentication server. If a matching dNSName is
469 found, this constraint is met. If no dNSName values are present,
470 this constraint is matched against SubjectName CN using same suffix
471 match comparison. Since version 1.24, multiple valid FQDNs can be
472 passed as a ";" delimited list.
473 Format: string
475 eap
477 The allowed EAP method to be used when authenticating to the
478 network with 802.1x. Valid methods are: "leap", "md5", "tls",
479 "peap", "ttls", "pwd", and "fast". Each method requires different
480 configuration using the properties of this setting; refer to
481 wpa_supplicant documentation for the allowed combinations.
482 Format: array of string
484 identity
486 Identity string for EAP authentication methods. Often the user's
487 user or login name.
488 Format: string
490 optional
492 Whether the 802.1X authentication is optional. If TRUE, the
493 activation will continue even after a timeout or an authentication
494 failure. Setting the property to TRUE is currently allowed only for
495 Ethernet connections. If set to FALSE, the activation can continue
496 only after a successful authentication.
497 Format: boolean
499 pac-file
501 UTF-8 encoded file path containing PAC for EAP-FAST.
502 Format: string
504 password
506 UTF-8 encoded password used for EAP authentication methods. If both
507 the "password" property and the "password-raw" property are
508 specified, "password" is preferred.
509 Format: string
511 password-flags
513 Flags indicating how to handle the "password" property. See the
514 section called “Secret flag types:” for flag values.
515 Format: NMSettingSecretFlags (uint32)
517 password-raw
519 Password used for EAP authentication methods, given as a byte array
520 to allow passwords in other encodings than UTF-8 to be used. If
521 both the "password" property and the "password-raw" property are
522 specified, "password" is preferred.
523 Format: byte array
525 password-raw-flags
527 Flags indicating how to handle the "password-raw" property. See the
528 section called “Secret flag types:” for flag values.
529 Format: NMSettingSecretFlags (uint32)
531 phase1-auth-flags
533 Specifies authentication flags to use in "phase 1" outer
534 authentication using NMSetting8021xAuthFlags options. The
535 individual TLS versions can be explicitly disabled. If a certain
536 TLS disable flag is not set, it is up to the supplicant to allow or
537 forbid it. The TLS options map to tls_disable_tlsv1_x settings. See
538 the wpa_supplicant documentation for more details.
539 Format: uint32
541 phase1-fast-provisioning
543 Enables or disables in-line provisioning of EAP-FAST credentials
544 when FAST is specified as the EAP method in the "eap" property.
545 Recognized values are "0" (disabled), "1" (allow unauthenticated
546 provisioning), "2" (allow authenticated provisioning), and "3"
547 (allow both authenticated and unauthenticated provisioning). See
548 the wpa_supplicant documentation for more details.
549 Format: string
551 phase1-peaplabel
553 Forces use of the new PEAP label during key derivation. Some RADIUS
554 servers may require forcing the new PEAP label to interoperate with
555 PEAPv1. Set to "1" to force use of the new PEAP label. See the
556 wpa_supplicant documentation for more details.
557 Format: string
559 phase1-peapver
561 Forces which PEAP version is used when PEAP is set as the EAP
562 method in the "eap" property. When unset, the version reported by
563 the server will be used. Sometimes when using older RADIUS servers,
564 it is necessary to force the client to use a particular PEAP
565 version. To do so, this property may be set to "0" or "1" to force
566 that specific PEAP version.
567 Format: string
569 phase2-altsubject-matches
571 List of strings to be matched against the altSubjectName of the
572 certificate presented by the authentication server during the inner
573 "phase 2" authentication. If the list is empty, no verification of
574 the server certificate's altSubjectName is performed.
575 Format: array of string
577 phase2-auth
579 Specifies the allowed "phase 2" inner authentication method when an
580 EAP method that uses an inner TLS tunnel is specified in the "eap"
581 property. For TTLS this property selects one of the supported
582 non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while
583 "phase2-autheap" selects an EAP inner method. For PEAP this selects
584 an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each
585 "phase 2" inner method requires specific parameters for successful
586 authentication; see the wpa_supplicant documentation for more
587 details. Both "phase2-auth" and "phase2-autheap" cannot be
588 specified.
589 Format: string
591 phase2-autheap
593 Specifies the allowed "phase 2" inner EAP-based authentication
594 method when TTLS is specified in the "eap" property. Recognized
595 EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc",
596 and "tls". Each "phase 2" inner method requires specific parameters
597 for successful authentication; see the wpa_supplicant documentation
598 for more details.
599 Format: string
601 phase2-ca-cert
603 Contains the "phase 2" CA certificate if used by the EAP method
604 specified in the "phase2-auth" or "phase2-autheap" properties.
605 Certificate data is specified using a "scheme"; three are currently
606 supported: blob, path and pkcs#11 URL. When using the blob scheme
607 this property should be set to the certificate's DER encoded data.
608 When using the path scheme, this property should be set to the full
609 UTF-8 encoded path of the certificate, prefixed with the string
610 "file://" and ending with a terminating NUL byte. This property can
611 be unset even if the EAP method supports CA certificates, but this
612 allows man-in-the-middle attacks and is NOT recommended. Note that
613 enabling NMSetting8021x:system-ca-certs will override this setting
614 to use the built-in path, if the built-in path is not a directory.
615 Format: byte array
617 phase2-ca-cert-password
619 The password used to access the "phase2" CA certificate stored in
620 "phase2-ca-cert" property. Only makes sense if the certificate is
621 stored on a PKCS#11 token that requires a login.
622 Format: string
624 phase2-ca-cert-password-flags
626 Flags indicating how to handle the "phase2-ca-cert-password"
627 property. See the section called “Secret flag types:” for flag
628 values.
629 Format: NMSettingSecretFlags (uint32)
631 phase2-ca-path
633 UTF-8 encoded path to a directory containing PEM or DER formatted
634 certificates to be added to the verification chain in addition to
635 the certificate specified in the "phase2-ca-cert" property. If
636 NMSetting8021x:system-ca-certs is enabled and the built-in CA path
637 is an existing directory, then this setting is ignored.
638 Format: string
640 phase2-client-cert
642 Contains the "phase 2" client certificate if used by the EAP method
643 specified in the "phase2-auth" or "phase2-autheap" properties.
644 Certificate data is specified using a "scheme"; two are currently
645 supported: blob and path. When using the blob scheme (which is
646 backwards compatible with NM 0.7.x) this property should be set to
647 the certificate's DER encoded data. When using the path scheme,
648 this property should be set to the full UTF-8 encoded path of the
649 certificate, prefixed with the string "file://" and ending with a
650 terminating NUL byte. This property can be unset even if the EAP
651 method supports CA certificates, but this allows man-in-the-middle
652 attacks and is NOT recommended.
653 Format: byte array
655 phase2-client-cert-password
657 The password used to access the "phase2" client certificate stored
658 in "phase2-client-cert" property. Only makes sense if the
659 certificate is stored on a PKCS#11 token that requires a login.
660 Format: string
662 phase2-client-cert-password-flags
664 Flags indicating how to handle the "phase2-client-cert-password"
665 property. See the section called “Secret flag types:” for flag
666 values.
667 Format: NMSettingSecretFlags (uint32)
669 phase2-domain-match
671 Constraint for server domain name. If set, this list of FQDNs is
672 used as a match requirement for dNSName element(s) of the
673 certificate presented by the authentication server during the inner
674 "phase 2" authentication. If a matching dNSName is found, this
675 constraint is met. If no dNSName values are present, this
676 constraint is matched against SubjectName CN using the same
677 comparison. Multiple valid FQDNs can be passed as a ";" delimited
678 list.
679 Format: string
681 phase2-domain-suffix-match
683 Constraint for server domain name. If set, this FQDN is used as a
684 suffix match requirement for dNSName element(s) of the certificate
685 presented by the authentication server during the inner "phase 2"
686 authentication. If a matching dNSName is found, this constraint is
687 met. If no dNSName values are present, this constraint is matched
688 against SubjectName CN using same suffix match comparison. Since
689 version 1.24, multiple valid FQDNs can be passed as a ";" delimited
690 list.
691 Format: string
693 phase2-private-key
695 Contains the "phase 2" inner private key when the "phase2-auth" or
696 "phase2-autheap" property is set to "tls". Key data is specified
697 using a "scheme"; two are currently supported: blob and path. When
698 using the blob scheme and private keys, this property should be set
699 to the key's encrypted PEM encoded data. When using private keys
700 with the path scheme, this property should be set to the full UTF-8
701 encoded path of the key, prefixed with the string "file://" and
702 ending with a terminating NUL byte. When using PKCS#12 format
703 private keys and the blob scheme, this property should be set to
704 the PKCS#12 data and the "phase2-private-key-password" property
705 must be set to password used to decrypt the PKCS#12 certificate and
706 key. When using PKCS#12 files and the path scheme, this property
707 should be set to the full UTF-8 encoded path of the key, prefixed
708 with the string "file://" and ending with a terminating NUL byte,
709 and as with the blob scheme the "phase2-private-key-password"
710 property must be set to the password used to decode the PKCS#12
711 private key and certificate.
712 Format: byte array
714 phase2-private-key-password
716 The password used to decrypt the "phase 2" private key specified in
717 the "phase2-private-key" property when the private key either uses
718 the path scheme, or is a PKCS#12 format key.
719 Format: string
721 phase2-private-key-password-flags
723 Flags indicating how to handle the "phase2-private-key-password"
724 property. See the section called “Secret flag types:” for flag
725 values.
726 Format: NMSettingSecretFlags (uint32)
728 phase2-subject-match
730 Substring to be matched against the subject of the certificate
731 presented by the authentication server during the inner "phase 2"
732 authentication. When unset, no verification of the authentication
733 server certificate's subject is performed. This property provides
734 little security, if any, and its use is deprecated in favor of
735 NMSetting8021x:phase2-domain-suffix-match.
736 Format: string
738 pin
740 PIN used for EAP authentication methods.
741 Format: string
743 pin-flags
745 Flags indicating how to handle the "pin" property. See the section
746 called “Secret flag types:” for flag values.
747 Format: NMSettingSecretFlags (uint32)
749 private-key
751 Contains the private key when the "eap" property is set to "tls".
752 Key data is specified using a "scheme"; two are currently
753 supported: blob and path. When using the blob scheme and private
754 keys, this property should be set to the key's encrypted PEM
755 encoded data. When using private keys with the path scheme, this
756 property should be set to the full UTF-8 encoded path of the key,
757 prefixed with the string "file://" and ending with a terminating
758 NUL byte. When using PKCS#12 format private keys and the blob
759 scheme, this property should be set to the PKCS#12 data and the
760 "private-key-password" property must be set to password used to
761 decrypt the PKCS#12 certificate and key. When using PKCS#12 files
762 and the path scheme, this property should be set to the full UTF-8
763 encoded path of the key, prefixed with the string "file://" and
764 ending with a terminating NUL byte, and as with the blob scheme the
765 "private-key-password" property must be set to the password used to
766 decode the PKCS#12 private key and certificate. WARNING:
767 "private-key" is not a "secret" property, and thus unencrypted
768 private key data using the BLOB scheme may be readable by
769 unprivileged users. Private keys should always be encrypted with a
770 private key password to prevent unauthorized access to unencrypted
771 private key data.
772 Format: byte array
774 private-key-password
776 The password used to decrypt the private key specified in the
777 "private-key" property when the private key either uses the path
778 scheme, or if the private key is a PKCS#12 format key.
779 Format: string
781 private-key-password-flags
783 Flags indicating how to handle the "private-key-password" property.
784 See the section called “Secret flag types:” for flag values.
785 Format: NMSettingSecretFlags (uint32)
787 subject-match
789 Substring to be matched against the subject of the certificate
790 presented by the authentication server. When unset, no verification
791 of the authentication server certificate's subject is performed.
792 This property provides little security, if any, and its use is
793 deprecated in favor of NMSetting8021x:domain-suffix-match.
794 Format: string
796 system-ca-certs
798 When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
799 using the system CA directory specified at configure time with the
800 --system-ca-path switch. The certificates in this directory are
801 added to the verification chain in addition to any certificates
802 specified by the "ca-cert" and "phase2-ca-cert" properties. If the
803 path provided with --system-ca-path is rather a file name (bundle
804 of trusted CA certificates), it overrides "ca-cert" and
805 "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
806 for wpa_supplicant).
807 Format: boolean
809 adsl setting
811 ADSL Settings.
812 Properties:
814 encapsulation
816 Alias: encapsulation
817 Encapsulation of ADSL connection. Can be "vcmux" or "llc".
819 Format: string
821 password
823 Alias: password
824 Password used to authenticate with the ADSL service.
826 Format: string
828 password-flags
830 Flags indicating how to handle the "password" property. See the
831 section called “Secret flag types:” for flag values.
832 Format: NMSettingSecretFlags (uint32)
834 protocol
836 Alias: protocol
837 ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
839 Format: string
841 username
843 Alias: username
844 Username used to authenticate with the ADSL service.
846 Format: string
848 vci
850 VCI of ADSL connection
851 Format: uint32
853 vpi
855 VPI of ADSL connection
856 Format: uint32
858 bluetooth setting
860 Bluetooth Settings.
861 Properties:
863 bdaddr
865 Alias: addr
866 The Bluetooth address of the device.
868 Format: byte array
870 type
872 Alias: bt-type
873 Either "dun" for Dial-Up Networking connections or "panu" for
875 Personal Area Networking connections to devices supporting the NAP
876 profile.
877 Format: string
879 bond setting
881 Bonding Settings.
882 Properties:
884 options
886 Dictionary of key/value pairs of bonding options. Both keys and
887 values must be strings. Option names must contain only alphanumeric
888 characters (ie, [a-zA-Z0-9]).
889 Format: dict of string to string
891 bridge setting
893 Bridging Settings.
894 Properties:
896 ageing-time
898 Alias: ageing-time
899 The Ethernet MAC address aging time, in seconds.
901 Format: uint32
903 forward-delay
905 Alias: forward-delay
906 The Spanning Tree Protocol (STP) forwarding delay, in seconds.
908 Format: uint32
910 group-address
912 If specified, The MAC address of the multicast group this bridge
913 uses for STP. The address must be a link-local address in standard
914 Ethernet MAC address format, ie an address of the form
915 01:80:C2:00:00:0X, with X in [0, 4..F]. If not specified the
916 default value is 01:80:C2:00:00:00.
917 Format: byte array
919 group-forward-mask
921 Alias: group-forward-mask
922 A mask of group addresses to forward. Usually, group addresses in
924 the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
925 forwarded according to standards. This property is a mask of 16
926 bits, each corresponding to a group address in that range that must
927 be forwarded. The mask can't have bits 0, 1 or 2 set because they
928 are used for STP, MAC pause frames and LACP.
929 Format: uint32
931 hello-time
933 Alias: hello-time
934 The Spanning Tree Protocol (STP) hello time, in seconds.
936 Format: uint32
938 mac-address
940 Alias: mac
941 If specified, the MAC address of bridge. When creating a new
943 bridge, this MAC address will be set. If this field is left
944 unspecified, the "ethernet.cloned-mac-address" is referred instead
945 to generate the initial MAC address. Note that setting
946 "ethernet.cloned-mac-address" anyway overwrites the MAC address of
947 the bridge later while activating the bridge. Hence, this property
948 is deprecated. Deprecated: 1
949 Format: byte array
951 max-age
953 Alias: max-age
954 The Spanning Tree Protocol (STP) maximum message age, in seconds.
956 Format: uint32
958 multicast-hash-max
960 Set maximum size of multicast hash table (value must be a power of
961 2).
962 Format: uint32
964 multicast-last-member-count
966 Set the number of queries the bridge will send before stopping
967 forwarding a multicast group after a "leave" message has been
968 received.
969 Format: uint32
971 multicast-last-member-interval
973 Set interval (in deciseconds) between queries to find remaining
974 members of a group, after a "leave" message is received.
975 Format: uint64
977 multicast-membership-interval
979 Set delay (in deciseconds) after which the bridge will leave a
980 group, if no membership reports for this group are received.
981 Format: uint64
983 multicast-querier
985 Enable or disable sending of multicast queries by the bridge. If
986 not specified the option is disabled.
987 Format: boolean
989 multicast-querier-interval
991 If no queries are seen after this delay (in deciseconds) has
992 passed, the bridge will start to send its own queries.
993 Format: uint64
995 multicast-query-interval
997 Interval (in deciseconds) between queries sent by the bridge after
998 the end of the startup phase.
999 Format: uint64
1001 multicast-query-response-interval
1003 Set the Max Response Time/Max Response Delay (in deciseconds) for
1004 IGMP/MLD queries sent by the bridge.
1005 Format: uint64
1007 multicast-query-use-ifaddr
1009 If enabled the bridge's own IP address is used as the source
1010 address for IGMP queries otherwise the default of 0.0.0.0 is used.
1011 Format: boolean
1013 multicast-router
1015 Sets bridge's multicast router. Multicast-snooping must be enabled
1016 for this option to work. Supported values are: 'auto', 'disabled',
1017 'enabled' to which kernel assigns the numbers 1, 0, and 2,
1018 respectively. If not specified the default value is 'auto' (1).
1019 Format: string
1021 multicast-snooping
1023 Alias: multicast-snooping
1024 Controls whether IGMP snooping is enabled for this bridge. Note
1026 that if snooping was automatically disabled due to hash collisions,
1027 the system may refuse to enable the feature until the collisions
1028 are resolved.
1029 Format: boolean
1031 multicast-startup-query-count
1033 Set the number of IGMP queries to send during startup phase.
1034 Format: uint32
1036 multicast-startup-query-interval
1038 Sets the time (in deciseconds) between queries sent out at startup
1039 to determine membership information.
1040 Format: uint64
1042 priority
1044 Alias: priority
1045 Sets the Spanning Tree Protocol (STP) priority for this bridge.
1047 Lower values are "better"; the lowest priority bridge will be
1048 elected the root bridge.
1049 Format: uint32
1051 stp
1053 Alias: stp
1054 Controls whether Spanning Tree Protocol (STP) is enabled for this
1056 bridge.
1057 Format: boolean
1059 vlan-default-pvid
1061 The default PVID for the ports of the bridge, that is the VLAN id
1062 assigned to incoming untagged frames.
1063 Format: uint32
1065 vlan-filtering
1067 Control whether VLAN filtering is enabled on the bridge.
1068 Format: boolean
1070 vlan-protocol
1072 If specified, the protocol used for VLAN filtering. Supported
1073 values are: '802.1Q', '802.1ad'. If not specified the default value
1074 is '802.1Q'.
1075 Format: string
1077 vlan-stats-enabled
1079 Controls whether per-VLAN stats accounting is enabled.
1080 Format: boolean
1082 vlans
1084 Array of bridge VLAN objects. In addition to the VLANs specified
1085 here, the bridge will also have the default-pvid VLAN configured by
1086 the bridge.vlan-default-pvid property. In nmcli the VLAN list can
1087 be specified with the following syntax: $vid [pvid] [untagged] [,
1088 $vid [pvid] [untagged]]... where $vid is either a single id between
1089 1 and 4094 or a range, represented as a couple of ids separated by
1090 a dash.
1091 Format: array of vardict
1093 bridge-port setting
1095 Bridge Port Settings.
1096 Properties:
1098 hairpin-mode
1100 Alias: hairpin
1101 Enables or disables "hairpin mode" for the port, which allows
1103 frames to be sent back out through the port the frame was received
1104 on.
1105 Format: boolean
1107 path-cost
1109 Alias: path-cost
1110 The Spanning Tree Protocol (STP) port cost for destinations via
1112 this port.
1113 Format: uint32
1115 priority
1117 Alias: priority
1118 The Spanning Tree Protocol (STP) priority of this bridge port.
1120 Format: uint32
1122 vlans
1124 Array of bridge VLAN objects. In addition to the VLANs specified
1125 here, the port will also have the default-pvid VLAN configured on
1126 the bridge by the bridge.vlan-default-pvid property. In nmcli the
1127 VLAN list can be specified with the following syntax: $vid [pvid]
1128 [untagged] [, $vid [pvid] [untagged]]... where $vid is either a
1129 single id between 1 and 4094 or a range, represented as a couple of
1130 ids separated by a dash.
1131 Format: array of vardict
1133 cdma setting
1135 CDMA-based Mobile Broadband Settings.
1136 Properties:
1138 mtu
1140 If non-zero, only transmit packets of the specified size or
1141 smaller, breaking larger packets up into multiple frames.
1142 Format: uint32
1144 number
1146 The number to dial to establish the connection to the CDMA-based
1147 mobile broadband network, if any. If not specified, the default
1148 number (#777) is used when required.
1149 Format: string
1151 password
1153 Alias: password
1154 The password used to authenticate with the network, if required.
1156 Many providers do not require a password, or accept any password.
1157 But if a password is required, it is specified here.
1158 Format: string
1160 password-flags
1162 Flags indicating how to handle the "password" property. See the
1163 section called “Secret flag types:” for flag values.
1164 Format: NMSettingSecretFlags (uint32)
1166 username
1168 Alias: user
1169 The username used to authenticate with the network, if required.
1171 Many providers do not require a username, or accept any username.
1172 But if a username is required, it is specified here.
1173 Format: string
1175 dcb setting
1177 Data Center Bridging Settings.
1178 Properties:
1180 app-fcoe-flags
1182 Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1183 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1184 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1185 NM_SETTING_DCB_FLAG_WILLING (0x4).
1186 Format: NMSettingDcbFlags (uint32)
1188 app-fcoe-mode
1190 The FCoE controller mode; either "fabric" or "vn2vn". Since 1.34,
1191 NULL is the default and means "fabric". Before 1.34, NULL was
1192 rejected as invalid and the default was "fabric".
1193 Format: string
1195 app-fcoe-priority
1197 The highest User Priority (0 - 7) which FCoE frames should use, or
1198 -1 for default priority. Only used when the "app-fcoe-flags"
1199 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1200 Format: int32
1202 app-fip-flags
1204 Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1205 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1206 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1207 NM_SETTING_DCB_FLAG_WILLING (0x4).
1208 Format: NMSettingDcbFlags (uint32)
1210 app-fip-priority
1212 The highest User Priority (0 - 7) which FIP frames should use, or
1213 -1 for default priority. Only used when the "app-fip-flags"
1214 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1215 Format: int32
1217 app-iscsi-flags
1219 Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1220 Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1221 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1222 NM_SETTING_DCB_FLAG_WILLING (0x4).
1223 Format: NMSettingDcbFlags (uint32)
1225 app-iscsi-priority
1227 The highest User Priority (0 - 7) which iSCSI frames should use, or
1228 -1 for default priority. Only used when the "app-iscsi-flags"
1229 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1230 Format: int32
1232 priority-bandwidth
1234 An array of 8 uint values, where the array index corresponds to the
1235 User Priority (0 - 7) and the value indicates the percentage of
1236 bandwidth of the priority's assigned group that the priority may
1237 use. The sum of all percentages for priorities which belong to the
1238 same group must total 100 percents.
1239 Format: array of uint32
1241 priority-flow-control
1243 An array of 8 boolean values, where the array index corresponds to
1244 the User Priority (0 - 7) and the value indicates whether or not
1245 the corresponding priority should transmit priority pause.
1246 Format: array of uint32
1248 priority-flow-control-flags
1250 Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1251 (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1252 (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1253 NM_SETTING_DCB_FLAG_WILLING (0x4).
1254 Format: NMSettingDcbFlags (uint32)
1256 priority-group-bandwidth
1258 An array of 8 uint values, where the array index corresponds to the
1259 Priority Group ID (0 - 7) and the value indicates the percentage of
1260 link bandwidth allocated to that group. Allowed values are 0 - 100,
1261 and the sum of all values must total 100 percents.
1262 Format: array of uint32
1264 priority-group-flags
1266 Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1267 be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1268 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1269 NM_SETTING_DCB_FLAG_WILLING (0x4).
1270 Format: NMSettingDcbFlags (uint32)
1272 priority-group-id
1274 An array of 8 uint values, where the array index corresponds to the
1275 User Priority (0 - 7) and the value indicates the Priority Group
1276 ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1277 unrestricted group.
1278 Format: array of uint32
1280 priority-strict-bandwidth
1282 An array of 8 boolean values, where the array index corresponds to
1283 the User Priority (0 - 7) and the value indicates whether or not
1284 the priority may use all of the bandwidth allocated to its assigned
1285 group.
1286 Format: array of uint32
1288 priority-traffic-class
1290 An array of 8 uint values, where the array index corresponds to the
1291 User Priority (0 - 7) and the value indicates the traffic class (0
1292 - 7) to which the priority is mapped.
1293 Format: array of uint32
1295 ethtool setting
1297 Ethtool Ethernet Settings.
1298 Properties:
1300 coalesce-adaptive-rx
1302 coalesce-adaptive-tx
1304 coalesce-pkt-rate-high
1306 coalesce-pkt-rate-low
1308 coalesce-rx-frames
1310 coalesce-rx-frames-high
1312 coalesce-rx-frames-irq
1314 coalesce-rx-frames-low
1316 coalesce-rx-usecs
1318 coalesce-rx-usecs-high
1320 coalesce-rx-usecs-irq
1322 coalesce-rx-usecs-low
1324 coalesce-sample-interval
1326 coalesce-stats-block-usecs
1328 coalesce-tx-frames
1330 coalesce-tx-frames-high
1332 coalesce-tx-frames-irq
1334 coalesce-tx-frames-low
1336 coalesce-tx-usecs
1338 coalesce-tx-usecs-high
1340 coalesce-tx-usecs-irq
1342 coalesce-tx-usecs-low
1344 feature-esp-hw-offload
1346 feature-esp-tx-csum-hw-offload
1348 feature-fcoe-mtu
1350 feature-gro
1352 feature-gso
1354 feature-highdma
1356 feature-hw-tc-offload
1358 feature-l2-fwd-offload
1360 feature-loopback
1362 feature-lro
1364 feature-macsec-hw-offload
1366 feature-ntuple
1368 feature-rx
1370 feature-rx-all
1372 feature-rx-fcs
1374 feature-rx-gro-hw
1376 feature-rx-gro-list
1378 feature-rx-udp-gro-forwarding
1380 feature-rx-udp_tunnel-port-offload
1382 feature-rx-vlan-filter
1384 feature-rx-vlan-stag-filter
1386 feature-rx-vlan-stag-hw-parse
1388 feature-rxhash
1390 feature-rxvlan
1392 feature-sg
1394 feature-tls-hw-record
1396 feature-tls-hw-rx-offload
1398 feature-tls-hw-tx-offload
1400 feature-tso
1402 feature-tx
1404 feature-tx-checksum-fcoe-crc
1406 feature-tx-checksum-ip-generic
1408 feature-tx-checksum-ipv4
1410 feature-tx-checksum-ipv6
1412 feature-tx-checksum-sctp
1414 feature-tx-esp-segmentation
1416 feature-tx-fcoe-segmentation
1418 feature-tx-gre-csum-segmentation
1420 feature-tx-gre-segmentation
1422 feature-tx-gso-list
1424 feature-tx-gso-partial
1426 feature-tx-gso-robust
1428 feature-tx-ipxip4-segmentation
1430 feature-tx-ipxip6-segmentation
1432 feature-tx-nocache-copy
1434 feature-tx-scatter-gather
1436 feature-tx-scatter-gather-fraglist
1438 feature-tx-sctp-segmentation
1440 feature-tx-tcp-ecn-segmentation
1442 feature-tx-tcp-mangleid-segmentation
1444 feature-tx-tcp-segmentation
1446 feature-tx-tcp6-segmentation
1448 feature-tx-tunnel-remcsum-segmentation
1450 feature-tx-udp-segmentation
1452 feature-tx-udp_tnl-csum-segmentation
1454 feature-tx-udp_tnl-segmentation
1456 feature-tx-vlan-stag-hw-insert
1458 feature-txvlan
1460 pause-autoneg
1462 Whether to automatically negotiate on pause frame of flow control
1463 mechanism defined by IEEE 802.3x standard.
1464 pause-rx
1466 Whether RX pause should be enabled. Only valid when automatic
1467 negotiation is disabled
1468 pause-tx
1470 Whether TX pause should be enabled. Only valid when automatic
1471 negotiation is disabled
1472 ring-rx
1474 ring-rx-jumbo
1476 ring-rx-mini
1478 ring-tx
1480 gsm setting
1482 GSM-based Mobile Broadband Settings.
1483 Properties:
1485 apn
1487 Alias: apn
1488 The GPRS Access Point Name specifying the APN used when
1490 establishing a data session with the GSM-based network. The APN
1491 often determines how the user will be billed for their network
1492 usage and whether the user has access to the Internet or just a
1493 provider-specific walled-garden, so it is important to use the
1494 correct APN for the user's mobile broadband plan. The APN may only
1495 be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1496 Section 14.9.
1497 Format: string
1499 auto-config
1501 When TRUE, the settings such as APN, username, or password will
1502 default to values that match the network the modem will register to
1503 in the Mobile Broadband Provider database.
1504 Format: boolean
1506 device-id
1508 The device unique identifier (as given by the WWAN management
1509 service) which this connection applies to. If given, the connection
1510 will only apply to the specified device.
1511 Format: string
1513 home-only
1515 When TRUE, only connections to the home network will be allowed.
1516 Connections to roaming networks will not be made.
1517 Format: boolean
1519 mtu
1521 If non-zero, only transmit packets of the specified size or
1522 smaller, breaking larger packets up into multiple frames.
1523 Format: uint32
1525 network-id
1527 The Network ID (GSM LAI format, ie MCC-MNC) to force specific
1528 network registration. If the Network ID is specified,
1529 NetworkManager will attempt to force the device to register only on
1530 the specified network. This can be used to ensure that the device
1531 does not roam when direct roaming control of the device is not
1532 otherwise possible.
1533 Format: string
1535 number
1537 Legacy setting that used to help establishing PPP data sessions for
1538 GSM-based modems. Deprecated: 1
1539 Format: string
1541 password
1543 Alias: password
1544 The password used to authenticate with the network, if required.
1546 Many providers do not require a password, or accept any password.
1547 But if a password is required, it is specified here.
1548 Format: string
1550 password-flags
1552 Flags indicating how to handle the "password" property. See the
1553 section called “Secret flag types:” for flag values.
1554 Format: NMSettingSecretFlags (uint32)
1556 pin
1558 If the SIM is locked with a PIN it must be unlocked before any
1559 other operations are requested. Specify the PIN here to allow
1560 operation of the device.
1561 Format: string
1563 pin-flags
1565 Flags indicating how to handle the "pin" property. See the section
1566 called “Secret flag types:” for flag values.
1567 Format: NMSettingSecretFlags (uint32)
1569 sim-id
1571 The SIM card unique identifier (as given by the WWAN management
1572 service) which this connection applies to. If given, the connection
1573 will apply to any device also allowed by "device-id" which contains
1574 a SIM card matching the given identifier.
1575 Format: string
1577 sim-operator-id
1579 A MCC/MNC string like "310260" or "21601" identifying the specific
1580 mobile network operator which this connection applies to. If given,
1581 the connection will apply to any device also allowed by "device-id"
1582 and "sim-id" which contains a SIM card provisioned by the given
1583 operator.
1584 Format: string
1586 username
1588 Alias: user
1589 The username used to authenticate with the network, if required.
1591 Many providers do not require a username, or accept any username.
1592 But if a username is required, it is specified here.
1593 Format: string
1595 infiniband setting
1597 Infiniband Settings.
1598 Properties:
1600 mac-address
1602 Alias: mac
1603 If specified, this connection will only apply to the IPoIB device
1605 whose permanent MAC address matches. This property does not change
1606 the MAC address of the device (i.e. MAC spoofing).
1607 Format: byte array
1609 mtu
1611 Alias: mtu
1612 If non-zero, only transmit packets of the specified size or
1614 smaller, breaking larger packets up into multiple frames.
1615 Format: uint32
1617 p-key
1619 Alias: p-key
1620 The InfiniBand P_Key to use for this device. A value of -1 means to
1622 use the default P_Key (aka "the P_Key at index 0"). Otherwise, it
1623 is a 16-bit unsigned integer, whose high bit is set if it is a
1624 "full membership" P_Key.
1625 Format: int32
1627 parent
1629 Alias: parent
1630 The interface name of the parent device of this device. Normally
1632 NULL, but if the "p_key" property is set, then you must specify the
1633 base device by setting either this property or "mac-address".
1634 Format: string
1636 transport-mode
1638 Alias: transport-mode
1639 The IP-over-InfiniBand transport mode. Either "datagram" or
1641 "connected".
1642 Format: string
1644 ipv4 setting
1646 IPv4 Settings.
1647 Properties:
1649 addresses
1651 Alias: ip4
1652 A list of IPv4 addresses and their prefix length. Multiple
1654 addresses can be separated by comma. For example "192.168.1.5/24,
1655 10.1.0.5/24". The addresses are listed in decreasing priority,
1656 meaning the first address will be the primary address.
1657 Format: a comma separated list of addresses
1659 dad-timeout
1661 Timeout in milliseconds used to check for the presence of duplicate
1662 IP addresses on the network. If an address conflict is detected,
1663 the activation will fail. A zero value means that no duplicate
1664 address detection is performed, -1 means the default value (either
1665 configuration ipvx.dad-timeout override or zero). A value greater
1666 than zero is a timeout in milliseconds. The property is currently
1667 implemented only for IPv4.
1668 Format: int32
1670 dhcp-client-id
1672 A string sent to the DHCP server to identify the local machine
1673 which the DHCP server may use to customize the DHCP lease and
1674 options. When the property is a hex string ('aa:bb:cc') it is
1675 interpreted as a binary client ID, in which case the first byte is
1676 assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1677 remaining bytes may be an hardware address (e.g.
1678 '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1679 rest is a MAC address). If the property is not a hex string it is
1680 considered as a non-hardware-address client ID and the 'type' field
1681 is set to 0. The special values "mac" and "perm-mac" are supported,
1682 which use the current or permanent MAC address of the device to
1683 generate a client identifier with type ethernet (01). Currently,
1684 these options only work for ethernet type of links. The special
1685 value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid" property as
1686 an RFC4361-compliant client identifier. As IAID it uses
1687 "ipv4.dhcp-iaid" and falls back to "ipv6.dhcp-iaid" if unset. The
1688 special value "duid" generates a RFC4361-compliant client
1689 identifier based on "ipv4.dhcp-iaid" and uses a DUID generated by
1690 hashing /etc/machine-id. The special value "stable" is supported to
1691 generate a type 0 client identifier based on the stable-id (see
1692 connection.stable-id) and a per-host key. If you set the stable-id,
1693 you may want to include the "${DEVICE}" or "${MAC}" specifier to
1694 get a per-device key. If unset, a globally configured default is
1695 used. If still unset, the default depends on the DHCP plugin.
1696 Format: string
1698 dhcp-fqdn
1700 If the "dhcp-send-hostname" property is TRUE, then the specified
1701 FQDN will be sent to the DHCP server when acquiring a lease. This
1702 property and "dhcp-hostname" are mutually exclusive and cannot be
1703 set at the same time.
1704 Format: string
1706 dhcp-hostname
1708 If the "dhcp-send-hostname" property is TRUE, then the specified
1709 name will be sent to the DHCP server when acquiring a lease. This
1710 property and "dhcp-fqdn" are mutually exclusive and cannot be set
1711 at the same time.
1712 Format: string
1714 dhcp-hostname-flags
1716 Flags for the DHCP hostname and FQDN. Currently, this property only
1717 includes flags to control the FQDN flags set in the DHCP FQDN
1718 option. Supported FQDN flags are
1719 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1720 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1721 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1722 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1723 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1724 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1725 the standard FQDN flags are set in the request:
1726 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1727 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1728 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1729 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1730 (0x0), a global default is looked up in NetworkManager
1731 configuration. If that value is unset or also
1732 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1733 described above are sent in the DHCP requests.
1734 Format: uint32
1736 dhcp-iaid
1738 A string containing the "Identity Association Identifier" (IAID)
1739 used by the DHCP client. The property is a 32-bit decimal value or
1740 a special value among "mac", "perm-mac", "ifname" and "stable".
1741 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1742 (or permanent) MAC address are used as IAID. When set to "ifname",
1743 the IAID is computed by hashing the interface name. The special
1744 value "stable" can be used to generate an IAID based on the
1745 stable-id (see connection.stable-id), a per-host key and the
1746 interface name. When the property is unset, the value from global
1747 configuration is used; if no global default is set then the IAID is
1748 assumed to be "ifname". Note that at the moment this property is
1749 ignored for IPv6 by dhclient, which always derives the IAID from
1750 the MAC address.
1751 Format: string
1753 dhcp-reject-servers
1755 Array of servers from which DHCP offers must be rejected. This
1756 property is useful to avoid getting a lease from misconfigured or
1757 rogue servers. For DHCPv4, each element must be an IPv4 address,
1758 optionally followed by a slash and a prefix length (e.g.
1759 "192.168.122.0/24"). This property is currently not implemented for
1760 DHCPv6.
1761 Format: array of string
1763 dhcp-send-hostname
1765 If TRUE, a hostname is sent to the DHCP server when acquiring a
1766 lease. Some DHCP servers use this hostname to update DNS databases,
1767 essentially providing a static hostname for the computer. If the
1768 "dhcp-hostname" property is NULL and this property is TRUE, the
1769 current persistent hostname of the computer is sent.
1770 Format: boolean
1772 dhcp-timeout
1774 A timeout for a DHCP transaction in seconds. If zero (the default),
1775 a globally configured default is used. If still unspecified, a
1776 device specific timeout is used (usually 45 seconds). Set to
1777 2147483647 (MAXINT32) for infinity.
1778 Format: int32
1780 dhcp-vendor-class-identifier
1782 The Vendor Class Identifier DHCP option (60). Special characters in
1783 the data string may be escaped using C-style escapes, nevertheless
1784 this property cannot contain nul bytes. If the per-profile value is
1785 unspecified (the default), a global connection default gets
1786 consulted. If still unspecified, the DHCP option is not sent to the
1787 server. Since 1.28
1788 Format: string
1790 dns
1792 Array of IP addresses of DNS servers.
1793 Format: array of uint32
1795 dns-options
1797 Array of DNS options as described in man 5 resolv.conf. NULL means
1798 that the options are unset and left at the default. In this case
1799 NetworkManager will use default options. This is distinct from an
1800 empty list of properties. The currently supported options are
1801 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
1802 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
1803 "no-reload", "no-tld-query", "rotate", "single-request",
1804 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
1805 "trust-ad" setting is only honored if the profile contributes name
1806 servers to resolv.conf, and if all contributing profiles have
1807 "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
1808 systemd-resolved in NetworkManager.conf) then "edns0" and
1809 "trust-ad" are automatically added.
1810 Format: array of string
1812 dns-priority
1814 DNS servers priority. The relative priority for DNS servers
1815 specified by this setting. A lower numerical value is better
1816 (higher priority). Negative values have the special effect of
1817 excluding other configurations with a greater numerical priority
1818 value; so in presence of at least one negative priority, only DNS
1819 servers from connections with the lowest priority value will be
1820 used. To avoid all DNS leaks, set the priority of the profile that
1821 should be used to the most negative value of all active connections
1822 profiles. Zero selects a globally configured default value. If the
1823 latter is missing or zero too, it defaults to 50 for VPNs
1824 (including WireGuard) and 100 for other connections. Note that the
1825 priority is to order DNS settings for multiple active connections.
1826 It does not disambiguate multiple DNS servers within the same
1827 connection profile. When multiple devices have configurations with
1828 the same priority, VPNs will be considered first, then devices with
1829 the best (lowest metric) default route and then all other devices.
1830 When using dns=default, servers with higher priority will be on top
1831 of resolv.conf. To prioritize a given server over another one
1832 within the same connection, just specify them in the desired order.
1833 Note that commonly the resolver tries name servers in
1834 /etc/resolv.conf in the order listed, proceeding with the next
1835 server in the list on failure. See for example the "rotate" option
1836 of the dns-options setting. If there are any negative DNS
1837 priorities, then only name servers from the devices with that
1838 lowest priority will be considered. When using a DNS resolver that
1839 supports Conditional Forwarding or Split DNS (with dns=dnsmasq or
1840 dns=systemd-resolved settings), each connection is used to query
1841 domains in its search list. The search domains determine which name
1842 servers to ask, and the DNS priority is used to prioritize name
1843 servers based on the domain. Queries for domains not present in any
1844 search list are routed through connections having the '~.' special
1845 wildcard domain, which is added automatically to connections with
1846 the default route (or can be added manually). When multiple
1847 connections specify the same domain, the one with the best priority
1848 (lowest numerical value) wins. If a sub domain is configured on
1849 another interface it will be accepted regardless the priority,
1850 unless parent domain on the other interface has a negative
1851 priority, which causes the sub domain to be shadowed. With Split
1852 DNS one can avoid undesired DNS leaks by properly configuring DNS
1853 priorities and the search domains, so that only name servers of the
1854 desired interface are configured.
1855 Format: int32
1857 dns-search
1859 Array of DNS search domains. Domains starting with a tilde ('~')
1860 are considered 'routing' domains and are used only to decide the
1861 interface over which a query must be forwarded; they are not used
1862 to complete unqualified host names. When using a DNS plugin that
1863 supports Conditional Forwarding or Split DNS, then the search
1864 domains specify which name servers to query. This makes the
1865 behavior different from running with plain /etc/resolv.conf. For
1866 more information see also the dns-priority setting.
1867 Format: array of string
1869 gateway
1871 Alias: gw4
1872 The gateway associated with this configuration. This is only
1874 meaningful if "addresses" is also set. The gateway's main purpose
1875 is to control the next hop of the standard default route on the
1876 device. Hence, the gateway property conflicts with "never-default"
1877 and will be automatically dropped if the IP configuration is set to
1878 never-default. As an alternative to set the gateway, configure a
1879 static default route with /0 as prefix length.
1880 Format: string
1882 ignore-auto-dns
1884 When "method" is set to "auto" and this property to TRUE,
1885 automatically configured name servers and search domains are
1886 ignored and only name servers and search domains specified in the
1887 "dns" and "dns-search" properties, if any, are used.
1888 Format: boolean
1890 ignore-auto-routes
1892 When "method" is set to "auto" and this property to TRUE,
1893 automatically configured routes are ignored and only routes
1894 specified in the "routes" property, if any, are used.
1895 Format: boolean
1897 may-fail
1899 If TRUE, allow overall network configuration to proceed even if the
1900 configuration specified by this property times out. Note that at
1901 least one IP configuration must succeed or overall network
1902 configuration will still fail. For example, in IPv6-only networks,
1903 setting this property to TRUE on the NMSettingIP4Config allows the
1904 overall network configuration to succeed if IPv4 configuration
1905 fails but IPv6 configuration completes successfully.
1906 Format: boolean
1908 method
1910 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
1911 both support "disabled", "auto", "manual", and "link-local". See
1912 the subclass-specific documentation for other values. In general,
1913 for the "auto" method, properties such as "dns" and "routes"
1914 specify information that is added on to the information returned
1915 from automatic configuration. The "ignore-auto-routes" and
1916 "ignore-auto-dns" properties modify this behavior. For methods that
1917 imply no upstream network, such as "shared" or "link-local", these
1918 properties must be empty. For IPv4 method "shared", the IP subnet
1919 can be configured by adding one manual IPv4 address or otherwise
1920 10.42.x.0/24 is chosen. Note that the shared method must be
1921 configured on the interface which shares the internet to a subnet,
1922 not on the uplink which is shared.
1923 Format: string
1925 never-default
1927 If TRUE, this connection will never be the default connection for
1928 this IP type, meaning it will never be assigned the default route
1929 by NetworkManager.
1930 Format: boolean
1932 required-timeout
1934 The minimum time interval in milliseconds for which dynamic IP
1935 configuration should be tried before the connection succeeds. This
1936 property is useful for example if both IPv4 and IPv6 are enabled
1937 and are allowed to fail. Normally the connection succeeds as soon
1938 as one of the two address families completes; by setting a required
1939 timeout for e.g. IPv4, one can ensure that even if IP6 succeeds
1940 earlier than IPv4, NetworkManager waits some time for IPv4 before
1941 the connection becomes active. Note that if "may-fail" is FALSE for
1942 the same address family, this property has no effect as
1943 NetworkManager needs to wait for the full DHCP timeout. A zero
1944 value means that no required timeout is present, -1 means the
1945 default value (either configuration ipvx.required-timeout override
1946 or zero).
1947 Format: int32
1949 route-metric
1951 The default metric for routes that don't explicitly specify a
1952 metric. The default value -1 means that the metric is chosen
1953 automatically based on the device type. The metric applies to
1954 dynamic routes, manual (static) routes that don't have an explicit
1955 metric setting, address prefix routes, and the default route. Note
1956 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
1957 (user default). Hence, setting this property to zero effectively
1958 mean setting it to 1024. For IPv4, zero is a regular value for the
1959 metric.
1960 Format: int64
1962 route-table
1964 Enable policy routing (source routing) and set the routing table
1965 used when adding routes. This affects all routes, including
1966 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
1967 routes. But note that static routes can individually overwrite the
1968 setting by explicitly specifying a non-zero routing table. If the
1969 table setting is left at zero, it is eligible to be overwritten via
1970 global configuration. If the property is zero even after applying
1971 the global configuration value, policy routing is disabled for the
1972 address family of this connection. Policy routing disabled means
1973 that NetworkManager will add all routes to the main table (except
1974 static routes that explicitly configure a different table).
1975 Additionally, NetworkManager will not delete any extraneous routes
1976 from tables except the main table. This is to preserve backward
1977 compatibility for users who manage routing tables outside of
1978 NetworkManager.
1979 Format: uint32
1981 routes
1983 A list of IPv4 destination addresses, prefix length, optional IPv4
1984 next hop addresses, optional route metric, optional attribute. The
1985 valid syntax is: "ip[/prefix] [next-hop] [metric]
1986 [attribute=val]...[,ip[/prefix]...]". For example "192.0.2.0/24
1987 10.1.1.1 77, 198.51.100.0/24".
1988 Various attributes are supported:
1990 • "cwnd" - an unsigned 32 bit integer.
1992 • "initcwnd" - an unsigned 32 bit integer.
1994 • "initrwnd" - an unsigned 32 bit integer.
1996 • "lock-cwnd" - a boolean value.
1998 • "lock-initcwnd" - a boolean value.
2000 • "lock-initrwnd" - a boolean value.
2002 • "lock-mtu" - a boolean value.
2004 • "lock-window" - a boolean value.
2006 • "mtu" - an unsigned 32 bit integer.
2008 • "onlink" - a boolean value.
2010 • "scope" - an unsigned 8 bit integer. IPv4 only.
2012 • "src" - an IPv4 address.
2014 • "table" - an unsigned 32 bit integer. The default depends on
2016 ipv4.route-table.
2017 • "tos" - an unsigned 8 bit integer. IPv4 only.
2019 • "type" - one of unicast, local, blackhole, unavailable,
2021 prohibit, throw. The default is unicast.
2022 • "window" - an unsigned 32 bit integer.
2024 For details see also `man ip-route`.
2026 Format: a comma separated list of routes
2028 routing-rules
2030 A comma separated list of routing rules for policy routing. The
2031 format is based on ip rule add syntax and mostly compatible. One
2032 difference is that routing rules in NetworkManager always need a
2033 fixed priority.
2034 Example: priority 5 from 192.167.4.0/24 table 45
2036 Format: a comma separated list of routing rules
2038 ipv6 setting
2040 IPv6 Settings.
2041 Properties:
2043 addr-gen-mode
2045 Configure method for creating the address for use with RFC4862 IPv6
2046 Stateless Address Autoconfiguration. The permitted values are:
2047 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0) or
2048 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1). If the
2049 property is set to EUI64, the addresses will be generated using the
2050 interface tokens derived from hardware address. This makes the host
2051 part of the address to stay constant, making it possible to track
2052 host's presence when it changes networks. The address changes when
2053 the interface hardware is replaced. The value of stable-privacy
2054 enables use of cryptographically secure hash of a secret
2055 host-specific key along with the connection's stable-id and the
2056 network address as specified by RFC7217. This makes it impossible
2057 to use the address track host's presence, and makes the address
2058 stable when the network interface hardware is replaced. On D-Bus,
2059 the absence of an addr-gen-mode setting equals enabling
2060 stable-privacy. For keyfile plugin, the absence of the setting on
2061 disk means EUI64 so that the property doesn't change on upgrade
2062 from older versions. Note that this setting is distinct from the
2063 Privacy Extensions as configured by "ip6-privacy" property and it
2064 does not affect the temporary addresses configured with this
2065 option.
2066 Format: int32
2068 addresses
2070 Alias: ip6
2071 A list of IPv6 addresses and their prefix length. Multiple
2073 addresses can be separated by comma. For example
2074 "2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64". The
2075 addresses are listed in decreasing priority, meaning the first
2076 address will be the primary address. This can make a difference
2077 with IPv6 source address selection (RFC 6724, section 5).
2078 Format: a comma separated list of addresses
2080 dhcp-duid
2082 A string containing the DHCPv6 Unique Identifier (DUID) used by the
2083 dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
2084 DUID is carried in the Client Identifier option. If the property is
2085 a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
2086 filled as an opaque value in the Client Identifier option. The
2087 special value "lease" will retrieve the DUID previously used from
2088 the lease file belonging to the connection. If no DUID is found and
2089 "dhclient" is the configured dhcp client, the DUID is searched in
2090 the system-wide dhclient lease file. If still no DUID is found, or
2091 another dhcp client is used, a global and permanent DUID-UUID (RFC
2092 6355) will be generated based on the machine-id. The special values
2093 "llt" and "ll" will generate a DUID of type LLT or LL (see RFC
2094 3315) based on the current MAC address of the device. In order to
2095 try providing a stable DUID-LLT, the time field will contain a
2096 constant timestamp that is used globally (for all profiles) and
2097 persisted to disk. The special values "stable-llt", "stable-ll" and
2098 "stable-uuid" will generate a DUID of the corresponding type,
2099 derived from the connection's stable-id and a per-host unique key.
2100 You may want to include the "${DEVICE}" or "${MAC}" specifier in
2101 the stable-id, in case this profile gets activated on multiple
2102 devices. So, the link-layer address of "stable-ll" and "stable-llt"
2103 will be a generated address derived from the stable id. The
2104 DUID-LLT time value in the "stable-llt" option will be picked among
2105 a static timespan of three years (the upper bound of the interval
2106 is the same constant timestamp used in "llt"). When the property is
2107 unset, the global value provided for "ipv6.dhcp-duid" is used. If
2108 no global value is provided, the default "lease" value is assumed.
2109 Format: string
2111 dhcp-hostname
2113 If the "dhcp-send-hostname" property is TRUE, then the specified
2114 name will be sent to the DHCP server when acquiring a lease. This
2115 property and "dhcp-fqdn" are mutually exclusive and cannot be set
2116 at the same time.
2117 Format: string
2119 dhcp-hostname-flags
2121 Flags for the DHCP hostname and FQDN. Currently, this property only
2122 includes flags to control the FQDN flags set in the DHCP FQDN
2123 option. Supported FQDN flags are
2124 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2125 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
2126 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
2127 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
2128 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
2129 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
2130 the standard FQDN flags are set in the request:
2131 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2132 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
2133 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
2134 property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
2135 (0x0), a global default is looked up in NetworkManager
2136 configuration. If that value is unset or also
2137 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
2138 described above are sent in the DHCP requests.
2139 Format: uint32
2141 dhcp-iaid
2143 A string containing the "Identity Association Identifier" (IAID)
2144 used by the DHCP client. The property is a 32-bit decimal value or
2145 a special value among "mac", "perm-mac", "ifname" and "stable".
2146 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
2147 (or permanent) MAC address are used as IAID. When set to "ifname",
2148 the IAID is computed by hashing the interface name. The special
2149 value "stable" can be used to generate an IAID based on the
2150 stable-id (see connection.stable-id), a per-host key and the
2151 interface name. When the property is unset, the value from global
2152 configuration is used; if no global default is set then the IAID is
2153 assumed to be "ifname". Note that at the moment this property is
2154 ignored for IPv6 by dhclient, which always derives the IAID from
2155 the MAC address.
2156 Format: string
2158 dhcp-send-hostname
2160 If TRUE, a hostname is sent to the DHCP server when acquiring a
2161 lease. Some DHCP servers use this hostname to update DNS databases,
2162 essentially providing a static hostname for the computer. If the
2163 "dhcp-hostname" property is NULL and this property is TRUE, the
2164 current persistent hostname of the computer is sent.
2165 Format: boolean
2167 dhcp-timeout
2169 A timeout for a DHCP transaction in seconds. If zero (the default),
2170 a globally configured default is used. If still unspecified, a
2171 device specific timeout is used (usually 45 seconds). Set to
2172 2147483647 (MAXINT32) for infinity.
2173 Format: int32
2175 dns
2177 Array of IP addresses of DNS servers.
2178 Format: array of byte array
2180 dns-options
2182 Array of DNS options as described in man 5 resolv.conf. NULL means
2183 that the options are unset and left at the default. In this case
2184 NetworkManager will use default options. This is distinct from an
2185 empty list of properties. The currently supported options are
2186 "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
2187 "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
2188 "no-reload", "no-tld-query", "rotate", "single-request",
2189 "single-request-reopen", "timeout", "trust-ad", "use-vc". The
2190 "trust-ad" setting is only honored if the profile contributes name
2191 servers to resolv.conf, and if all contributing profiles have
2192 "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
2193 systemd-resolved in NetworkManager.conf) then "edns0" and
2194 "trust-ad" are automatically added.
2195 Format: array of string
2197 dns-priority
2199 DNS servers priority. The relative priority for DNS servers
2200 specified by this setting. A lower numerical value is better
2201 (higher priority). Negative values have the special effect of
2202 excluding other configurations with a greater numerical priority
2203 value; so in presence of at least one negative priority, only DNS
2204 servers from connections with the lowest priority value will be
2205 used. To avoid all DNS leaks, set the priority of the profile that
2206 should be used to the most negative value of all active connections
2207 profiles. Zero selects a globally configured default value. If the
2208 latter is missing or zero too, it defaults to 50 for VPNs
2209 (including WireGuard) and 100 for other connections. Note that the
2210 priority is to order DNS settings for multiple active connections.
2211 It does not disambiguate multiple DNS servers within the same
2212 connection profile. When multiple devices have configurations with
2213 the same priority, VPNs will be considered first, then devices with
2214 the best (lowest metric) default route and then all other devices.
2215 When using dns=default, servers with higher priority will be on top
2216 of resolv.conf. To prioritize a given server over another one
2217 within the same connection, just specify them in the desired order.
2218 Note that commonly the resolver tries name servers in
2219 /etc/resolv.conf in the order listed, proceeding with the next
2220 server in the list on failure. See for example the "rotate" option
2221 of the dns-options setting. If there are any negative DNS
2222 priorities, then only name servers from the devices with that
2223 lowest priority will be considered. When using a DNS resolver that
2224 supports Conditional Forwarding or Split DNS (with dns=dnsmasq or
2225 dns=systemd-resolved settings), each connection is used to query
2226 domains in its search list. The search domains determine which name
2227 servers to ask, and the DNS priority is used to prioritize name
2228 servers based on the domain. Queries for domains not present in any
2229 search list are routed through connections having the '~.' special
2230 wildcard domain, which is added automatically to connections with
2231 the default route (or can be added manually). When multiple
2232 connections specify the same domain, the one with the best priority
2233 (lowest numerical value) wins. If a sub domain is configured on
2234 another interface it will be accepted regardless the priority,
2235 unless parent domain on the other interface has a negative
2236 priority, which causes the sub domain to be shadowed. With Split
2237 DNS one can avoid undesired DNS leaks by properly configuring DNS
2238 priorities and the search domains, so that only name servers of the
2239 desired interface are configured.
2240 Format: int32
2242 dns-search
2244 Array of DNS search domains. Domains starting with a tilde ('~')
2245 are considered 'routing' domains and are used only to decide the
2246 interface over which a query must be forwarded; they are not used
2247 to complete unqualified host names. When using a DNS plugin that
2248 supports Conditional Forwarding or Split DNS, then the search
2249 domains specify which name servers to query. This makes the
2250 behavior different from running with plain /etc/resolv.conf. For
2251 more information see also the dns-priority setting.
2252 Format: array of string
2254 gateway
2256 Alias: gw6
2257 The gateway associated with this configuration. This is only
2259 meaningful if "addresses" is also set. The gateway's main purpose
2260 is to control the next hop of the standard default route on the
2261 device. Hence, the gateway property conflicts with "never-default"
2262 and will be automatically dropped if the IP configuration is set to
2263 never-default. As an alternative to set the gateway, configure a
2264 static default route with /0 as prefix length.
2265 Format: string
2267 ignore-auto-dns
2269 When "method" is set to "auto" and this property to TRUE,
2270 automatically configured name servers and search domains are
2271 ignored and only name servers and search domains specified in the
2272 "dns" and "dns-search" properties, if any, are used.
2273 Format: boolean
2275 ignore-auto-routes
2277 When "method" is set to "auto" and this property to TRUE,
2278 automatically configured routes are ignored and only routes
2279 specified in the "routes" property, if any, are used.
2280 Format: boolean
2282 ip6-privacy
2284 Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
2285 If enabled, it makes the kernel generate a temporary IPv6 address
2286 in addition to the public one generated from MAC address via
2287 modified EUI-64. This enhances privacy, but could cause problems in
2288 some applications, on the other hand. The permitted values are: -1:
2289 unknown, 0: disabled, 1: enabled (prefer public address), 2:
2290 enabled (prefer temporary addresses). Having a per-connection
2291 setting set to "-1" (unknown) means fallback to global
2292 configuration "ipv6.ip6-privacy". If also global configuration is
2293 unspecified or set to "-1", fallback to read
2294 "/proc/sys/net/ipv6/conf/default/use_tempaddr". Note that this
2295 setting is distinct from the Stable Privacy addresses that can be
2296 enabled with the "addr-gen-mode" property's "stable-privacy"
2297 setting as another way of avoiding host tracking with IPv6
2298 addresses.
2299 Format: NMSettingIP6ConfigPrivacy (int32)
2301 may-fail
2303 If TRUE, allow overall network configuration to proceed even if the
2304 configuration specified by this property times out. Note that at
2305 least one IP configuration must succeed or overall network
2306 configuration will still fail. For example, in IPv6-only networks,
2307 setting this property to TRUE on the NMSettingIP4Config allows the
2308 overall network configuration to succeed if IPv4 configuration
2309 fails but IPv6 configuration completes successfully.
2310 Format: boolean
2312 method
2314 IP configuration method. NMSettingIP4Config and NMSettingIP6Config
2315 both support "disabled", "auto", "manual", and "link-local". See
2316 the subclass-specific documentation for other values. In general,
2317 for the "auto" method, properties such as "dns" and "routes"
2318 specify information that is added on to the information returned
2319 from automatic configuration. The "ignore-auto-routes" and
2320 "ignore-auto-dns" properties modify this behavior. For methods that
2321 imply no upstream network, such as "shared" or "link-local", these
2322 properties must be empty. For IPv4 method "shared", the IP subnet
2323 can be configured by adding one manual IPv4 address or otherwise
2324 10.42.x.0/24 is chosen. Note that the shared method must be
2325 configured on the interface which shares the internet to a subnet,
2326 not on the uplink which is shared.
2327 Format: string
2329 never-default
2331 If TRUE, this connection will never be the default connection for
2332 this IP type, meaning it will never be assigned the default route
2333 by NetworkManager.
2334 Format: boolean
2336 ra-timeout
2338 A timeout for waiting Router Advertisements in seconds. If zero
2339 (the default), a globally configured default is used. If still
2340 unspecified, the timeout depends on the sysctl settings of the
2341 device. Set to 2147483647 (MAXINT32) for infinity.
2342 Format: int32
2344 required-timeout
2346 The minimum time interval in milliseconds for which dynamic IP
2347 configuration should be tried before the connection succeeds. This
2348 property is useful for example if both IPv4 and IPv6 are enabled
2349 and are allowed to fail. Normally the connection succeeds as soon
2350 as one of the two address families completes; by setting a required
2351 timeout for e.g. IPv4, one can ensure that even if IP6 succeeds
2352 earlier than IPv4, NetworkManager waits some time for IPv4 before
2353 the connection becomes active. Note that if "may-fail" is FALSE for
2354 the same address family, this property has no effect as
2355 NetworkManager needs to wait for the full DHCP timeout. A zero
2356 value means that no required timeout is present, -1 means the
2357 default value (either configuration ipvx.required-timeout override
2358 or zero).
2359 Format: int32
2361 route-metric
2363 The default metric for routes that don't explicitly specify a
2364 metric. The default value -1 means that the metric is chosen
2365 automatically based on the device type. The metric applies to
2366 dynamic routes, manual (static) routes that don't have an explicit
2367 metric setting, address prefix routes, and the default route. Note
2368 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2369 (user default). Hence, setting this property to zero effectively
2370 mean setting it to 1024. For IPv4, zero is a regular value for the
2371 metric.
2372 Format: int64
2374 route-table
2376 Enable policy routing (source routing) and set the routing table
2377 used when adding routes. This affects all routes, including
2378 device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
2379 routes. But note that static routes can individually overwrite the
2380 setting by explicitly specifying a non-zero routing table. If the
2381 table setting is left at zero, it is eligible to be overwritten via
2382 global configuration. If the property is zero even after applying
2383 the global configuration value, policy routing is disabled for the
2384 address family of this connection. Policy routing disabled means
2385 that NetworkManager will add all routes to the main table (except
2386 static routes that explicitly configure a different table).
2387 Additionally, NetworkManager will not delete any extraneous routes
2388 from tables except the main table. This is to preserve backward
2389 compatibility for users who manage routing tables outside of
2390 NetworkManager.
2391 Format: uint32
2393 routes
2395 A list of IPv6 destination addresses, prefix length, optional IPv6
2396 next hop addresses, optional route metric, optional attribute. The
2397 valid syntax is: "ip[/prefix] [next-hop] [metric]
2398 [attribute=val]...[,ip[/prefix]...]".
2399 Various attributes are supported:
2401 • "cwnd" - an unsigned 32 bit integer.
2403 • "from" - an IPv6 address with optional prefix. IPv6 only.
2405 • "initcwnd" - an unsigned 32 bit integer.
2407 • "initrwnd" - an unsigned 32 bit integer.
2409 • "lock-cwnd" - a boolean value.
2411 • "lock-initcwnd" - a boolean value.
2413 • "lock-initrwnd" - a boolean value.
2415 • "lock-mtu" - a boolean value.
2417 • "lock-window" - a boolean value.
2419 • "mtu" - an unsigned 32 bit integer.
2421 • "onlink" - a boolean value.
2423 • "src" - an IPv6 address.
2425 • "table" - an unsigned 32 bit integer. The default depends on
2427 ipv6.route-table.
2428 • "type" - one of unicast, local, blackhole, unavailable,
2430 prohibit, throw. The default is unicast.
2431 • "window" - an unsigned 32 bit integer.
2433 For details see also `man ip-route`.
2435 Format: a comma separated list of routes
2437 routing-rules
2439 A comma separated list of routing rules for policy routing. The
2440 format is based on ip rule add syntax and mostly compatible. One
2441 difference is that routing rules in NetworkManager always need a
2442 fixed priority.
2443 Example: priority 5 from 1:2:3::5/128 table 45
2445 Format: a comma separated list of routing rules
2447 token
2449 Configure the token for
2450 draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2451 interface identifiers. Useful with eui64 addr-gen-mode.
2452 Format: string
2454 ip-tunnel setting
2456 IP Tunneling Settings.
2457 Properties:
2459 encapsulation-limit
2461 How many additional levels of encapsulation are permitted to be
2462 prepended to packets. This property applies only to IPv6 tunnels.
2463 Format: uint32
2465 flags
2467 Tunnel flags. Currently, the following values are supported:
2468 NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2469 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2470 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2471 NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2472 NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2473 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2474 for IPv6 tunnels.
2475 Format: uint32
2477 flow-label
2479 The flow label to assign to tunnel packets. This property applies
2480 only to IPv6 tunnels.
2481 Format: uint32
2483 input-key
2485 The key used for tunnel input packets; the property is valid only
2486 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2487 Format: string
2489 local
2491 Alias: local
2492 The local endpoint of the tunnel; the value can be empty, otherwise
2494 it must contain an IPv4 or IPv6 address.
2495 Format: string
2497 mode
2499 Alias: mode
2500 The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2502 NM_IP_TUNNEL_MODE_GRE (2).
2503 Format: uint32
2505 mtu
2507 If non-zero, only transmit packets of the specified size or
2508 smaller, breaking larger packets up into multiple fragments.
2509 Format: uint32
2511 output-key
2513 The key used for tunnel output packets; the property is valid only
2514 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2515 Format: string
2517 parent
2519 Alias: dev
2520 If given, specifies the parent interface name or parent connection
2522 UUID the new device will be bound to so that tunneled packets will
2523 only be routed via that interface.
2524 Format: string
2526 path-mtu-discovery
2528 Whether to enable Path MTU Discovery on this tunnel.
2529 Format: boolean
2531 remote
2533 Alias: remote
2534 The remote endpoint of the tunnel; the value must contain an IPv4
2536 or IPv6 address.
2537 Format: string
2539 tos
2541 The type of service (IPv4) or traffic class (IPv6) field to be set
2542 on tunneled packets.
2543 Format: uint32
2545 ttl
2547 The TTL to assign to tunneled packets. 0 is a special value meaning
2548 that packets inherit the TTL value.
2549 Format: uint32
2551 macsec setting
2553 MACSec Settings.
2554 Properties:
2556 encrypt
2558 Alias: encrypt
2559 Whether the transmitted traffic must be encrypted.
2561 Format: boolean
2563 mka-cak
2565 Alias: cak
2566 The pre-shared CAK (Connectivity Association Key) for MACsec Key
2568 Agreement.
2569 Format: string
2571 mka-cak-flags
2573 Flags indicating how to handle the "mka-cak" property. See the
2574 section called “Secret flag types:” for flag values.
2575 Format: NMSettingSecretFlags (uint32)
2577 mka-ckn
2579 Alias: ckn
2580 The pre-shared CKN (Connectivity-association Key Name) for MACsec
2582 Key Agreement.
2583 Format: string
2585 mode
2587 Alias: mode
2588 Specifies how the CAK (Connectivity Association Key) for MKA
2590 (MACsec Key Agreement) is obtained.
2591 Format: int32
2593 parent
2595 Alias: dev
2596 If given, specifies the parent interface name or parent connection
2598 UUID from which this MACSEC interface should be created. If this
2599 property is not specified, the connection must contain an
2600 "802-3-ethernet" setting with a "mac-address" property.
2601 Format: string
2603 port
2605 Alias: port
2606 The port component of the SCI (Secure Channel Identifier), between
2608 1 and 65534.
2609 Format: int32
2611 send-sci
2613 Specifies whether the SCI (Secure Channel Identifier) is included
2614 in every packet.
2615 Format: boolean
2617 validation
2619 Specifies the validation mode for incoming frames.
2620 Format: int32
2622 macvlan setting
2624 MAC VLAN Settings.
2625 Properties:
2627 mode
2629 Alias: mode
2630 The macvlan mode, which specifies the communication mechanism
2632 between multiple macvlans on the same lower device.
2633 Format: uint32
2635 parent
2637 Alias: dev
2638 If given, specifies the parent interface name or parent connection
2640 UUID from which this MAC-VLAN interface should be created. If this
2641 property is not specified, the connection must contain an
2642 "802-3-ethernet" setting with a "mac-address" property.
2643 Format: string
2645 promiscuous
2647 Whether the interface should be put in promiscuous mode.
2648 Format: boolean
2650 tap
2652 Alias: tap
2653 Whether the interface should be a MACVTAP.
2655 Format: boolean
2657 match setting
2659 Match settings.
2660 Properties:
2662 driver
2664 A list of driver names to match. Each element is a shell wildcard
2665 pattern. See NMSettingMatch:interface-name for how special
2666 characters '|', '&', '!' and '\' are used for optional and
2667 mandatory matches and inverting the pattern.
2668 Format: array of string
2670 interface-name
2672 A list of interface names to match. Each element is a shell
2673 wildcard pattern. An element can be prefixed with a pipe symbol (|)
2674 or an ampersand (&). The former means that the element is optional
2675 and the latter means that it is mandatory. If there are any
2676 optional elements, than the match evaluates to true if at least one
2677 of the optional element matches (logical OR). If there are any
2678 mandatory elements, then they all must match (logical AND). By
2679 default, an element is optional. This means that an element "foo"
2680 behaves the same as "|foo". An element can also be inverted with
2681 exclamation mark (!) between the pipe symbol (or the ampersand) and
2682 before the pattern. Note that "!foo" is a shortcut for the
2683 mandatory match "&!foo". Finally, a backslash can be used at the
2684 beginning of the element (after the optional special characters) to
2685 escape the start of the pattern. For example, "&\!a" is an
2686 mandatory match for literally "!a".
2687 Format: array of string
2689 kernel-command-line
2691 A list of kernel command line arguments to match. This may be used
2692 to check whether a specific kernel command line option is set (or
2693 unset, if prefixed with the exclamation mark). The argument must
2694 either be a single word, or an assignment (i.e. two words, joined
2695 by "="). In the former case the kernel command line is searched for
2696 the word appearing as is, or as left hand side of an assignment. In
2697 the latter case, the exact assignment is looked for with right and
2698 left hand side matching. Wildcard patterns are not supported. See
2699 NMSettingMatch:interface-name for how special characters '|', '&',
2700 '!' and '\' are used for optional and mandatory matches and
2701 inverting the match.
2702 Format: array of string
2704 path
2706 A list of paths to match against the ID_PATH udev property of
2707 devices. ID_PATH represents the topological persistent path of a
2708 device. It typically contains a subsystem string (pci, usb,
2709 platform, etc.) and a subsystem-specific identifier. For PCI
2710 devices the path has the form "pci-$domain:$bus:$device.$function",
2711 where each variable is an hexadecimal value; for example
2712 "pci-0000:0a:00.0". The path of a device can be obtained with
2713 "udevadm info /sys/class/net/$dev | grep ID_PATH=" or by looking at
2714 the "path" property exported by NetworkManager ("nmcli -f
2715 general.path device show $dev"). Each element of the list is a
2716 shell wildcard pattern. See NMSettingMatch:interface-name for how
2717 special characters '|', '&', '!' and '\' are used for optional and
2718 mandatory matches and inverting the pattern.
2719 Format: array of string
2721 802-11-olpc-mesh setting
2723 Alias: olpc-mesh
2724 OLPC Wireless Mesh Settings.
2726 Properties:
2728 channel
2730 Alias: channel
2731 Channel on which the mesh network to join is located.
2733 Format: uint32
2735 dhcp-anycast-address
2737 Alias: dhcp-anycast
2738 Anycast DHCP MAC address used when requesting an IP address via
2740 DHCP. The specific anycast address used determines which DHCP
2741 server class answers the request. This is currently only
2742 implemented by dhclient DHCP plugin.
2743 Format: byte array
2745 ssid
2747 Alias: ssid
2748 SSID of the mesh network to join.
2750 Format: byte array
2752 ovs-bridge setting
2754 OvsBridge Link Settings.
2755 Properties:
2757 datapath-type
2759 The data path type. One of "system", "netdev" or empty.
2760 Format: string
2762 fail-mode
2764 The bridge failure mode. One of "secure", "standalone" or empty.
2765 Format: string
2767 mcast-snooping-enable
2769 Enable or disable multicast snooping.
2770 Format: boolean
2772 rstp-enable
2774 Enable or disable RSTP.
2775 Format: boolean
2777 stp-enable
2779 Enable or disable STP.
2780 Format: boolean
2782 ovs-dpdk setting
2784 OvsDpdk Link Settings.
2785 Properties:
2787 devargs
2789 Open vSwitch DPDK device arguments.
2790 Format: string
2792 n-rxq
2794 Open vSwitch DPDK number of rx queues. Defaults to zero which means
2795 to leave the parameter in OVS unspecified and effectively
2796 configures one queue.
2797 Format: uint32
2799 ovs-interface setting
2801 Open vSwitch Interface Settings.
2802 Properties:
2804 type
2806 The interface type. Either "internal", "system", "patch", "dpdk",
2807 or empty.
2808 Format: string
2810 ovs-patch setting
2812 OvsPatch Link Settings.
2813 Properties:
2815 peer
2817 Specifies the name of the interface for the other side of the
2818 patch. The patch on the other side must also set this interface as
2819 peer.
2820 Format: string
2822 ovs-port setting
2824 OvsPort Link Settings.
2825 Properties:
2827 bond-downdelay
2829 The time port must be inactive in order to be considered down.
2830 Format: uint32
2832 bond-mode
2834 Bonding mode. One of "active-backup", "balance-slb", or
2835 "balance-tcp".
2836 Format: string
2838 bond-updelay
2840 The time port must be active before it starts forwarding traffic.
2841 Format: uint32
2843 lacp
2845 LACP mode. One of "active", "off", or "passive".
2846 Format: string
2848 tag
2850 The VLAN tag in the range 0-4095.
2851 Format: uint32
2853 vlan-mode
2855 The VLAN mode. One of "access", "native-tagged", "native-untagged",
2856 "trunk" or unset.
2857 Format: string
2859 ppp setting
2861 Point-to-Point Protocol Settings.
2862 Properties:
2864 baud
2866 If non-zero, instruct pppd to set the serial port to the specified
2867 baudrate. This value should normally be left as 0 to automatically
2868 choose the speed.
2869 Format: uint32
2871 crtscts
2873 If TRUE, specify that pppd should set the serial port to use
2874 hardware flow control with RTS and CTS signals. This value should
2875 normally be set to FALSE.
2876 Format: boolean
2878 lcp-echo-failure
2880 If non-zero, instruct pppd to presume the connection to the peer
2881 has failed if the specified number of LCP echo-requests go
2882 unanswered by the peer. The "lcp-echo-interval" property must also
2883 be set to a non-zero value if this property is used.
2884 Format: uint32
2886 lcp-echo-interval
2888 If non-zero, instruct pppd to send an LCP echo-request frame to the
2889 peer every n seconds (where n is the specified value). Note that
2890 some PPP peers will respond to echo requests and some will not, and
2891 it is not possible to autodetect this.
2892 Format: uint32
2894 mppe-stateful
2896 If TRUE, stateful MPPE is used. See pppd documentation for more
2897 information on stateful MPPE.
2898 Format: boolean
2900 mru
2902 If non-zero, instruct pppd to request that the peer send packets no
2903 larger than the specified size. If non-zero, the MRU should be
2904 between 128 and 16384.
2905 Format: uint32
2907 mtu
2909 If non-zero, instruct pppd to send packets no larger than the
2910 specified size.
2911 Format: uint32
2913 no-vj-comp
2915 If TRUE, Van Jacobsen TCP header compression will not be requested.
2916 Format: boolean
2918 noauth
2920 If TRUE, do not require the other side (usually the PPP server) to
2921 authenticate itself to the client. If FALSE, require authentication
2922 from the remote side. In almost all cases, this should be TRUE.
2923 Format: boolean
2925 nobsdcomp
2927 If TRUE, BSD compression will not be requested.
2928 Format: boolean
2930 nodeflate
2932 If TRUE, "deflate" compression will not be requested.
2933 Format: boolean
2935 refuse-chap
2937 If TRUE, the CHAP authentication method will not be used.
2938 Format: boolean
2940 refuse-eap
2942 If TRUE, the EAP authentication method will not be used.
2943 Format: boolean
2945 refuse-mschap
2947 If TRUE, the MSCHAP authentication method will not be used.
2948 Format: boolean
2950 refuse-mschapv2
2952 If TRUE, the MSCHAPv2 authentication method will not be used.
2953 Format: boolean
2955 refuse-pap
2957 If TRUE, the PAP authentication method will not be used.
2958 Format: boolean
2960 require-mppe
2962 If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
2963 required for the PPP session. If either 64-bit or 128-bit MPPE is
2964 not available the session will fail. Note that MPPE is not used on
2965 mobile broadband connections.
2966 Format: boolean
2968 require-mppe-128
2970 If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
2971 required for the PPP session, and the "require-mppe" property must
2972 also be set to TRUE. If 128-bit MPPE is not available the session
2973 will fail.
2974 Format: boolean
2976 pppoe setting
2978 PPP-over-Ethernet Settings.
2979 Properties:
2981 parent
2983 Alias: parent
2984 If given, specifies the parent interface name on which this PPPoE
2986 connection should be created. If this property is not specified,
2987 the connection is activated on the interface specified in
2988 "interface-name" of NMSettingConnection.
2989 Format: string
2991 password
2993 Alias: password
2994 Password used to authenticate with the PPPoE service.
2996 Format: string
2998 password-flags
3000 Flags indicating how to handle the "password" property. See the
3001 section called “Secret flag types:” for flag values.
3002 Format: NMSettingSecretFlags (uint32)
3004 service
3006 Alias: service
3007 If specified, instruct PPPoE to only initiate sessions with access
3009 concentrators that provide the specified service. For most
3010 providers, this should be left blank. It is only required if there
3011 are multiple access concentrators or a specific service is known to
3012 be required.
3013 Format: string
3015 username
3017 Alias: username
3018 Username used to authenticate with the PPPoE service.
3020 Format: string
3022 proxy setting
3024 WWW Proxy Settings.
3025 Properties:
3027 browser-only
3029 Alias: browser-only
3030 Whether the proxy configuration is for browser only.
3032 Format: boolean
3034 method
3036 Alias: method
3037 Method for proxy configuration, Default is
3039 NM_SETTING_PROXY_METHOD_NONE (0)
3040 Format: int32
3042 pac-script
3044 Alias: pac-script
3045 The PAC script. In the profile this must be an UTF-8 encoded
3047 javascript code that defines a FindProxyForURL() function. When
3048 setting the property in nmcli, a filename is accepted too. In that
3049 case, nmcli will read the content of the file and set the script.
3050 The prefixes "file://" and "js://" are supported to explicitly
3051 differentiate between the two.
3052 Format: string
3054 pac-url
3056 Alias: pac-url
3057 PAC URL for obtaining PAC file.
3059 Format: string
3061 serial setting
3063 Serial Link Settings.
3064 Properties:
3066 baud
3068 Speed to use for communication over the serial port. Note that this
3069 value usually has no effect for mobile broadband modems as they
3070 generally ignore speed settings and use the highest available
3071 speed.
3072 Format: uint32
3074 bits
3076 Byte-width of the serial communication. The 8 in "8n1" for example.
3077 Format: uint32
3079 parity
3081 Parity setting of the serial port.
3082 Format: NMSettingSerialParity (byte)
3084 send-delay
3086 Time to delay between each byte sent to the modem, in microseconds.
3087 Format: uint64
3089 stopbits
3091 Number of stop bits for communication on the serial port. Either 1
3092 or 2. The 1 in "8n1" for example.
3093 Format: uint32
3095 sriov setting
3097 SR-IOV settings.
3098 Properties:
3100 autoprobe-drivers
3102 Whether to autoprobe virtual functions by a compatible driver. If
3103 set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
3104 compatible driver and if this succeeds a new network interface will
3105 be instantiated for each VF. If set to NM_TERNARY_FALSE (0), VFs
3106 will not be claimed and no network interfaces will be created for
3107 them. When set to NM_TERNARY_DEFAULT (-1), the global default is
3108 used; in case the global default is unspecified it is assumed to be
3109 NM_TERNARY_TRUE (1).
3110 Format: NMTernary (int32)
3112 total-vfs
3114 The total number of virtual functions to create. Note that when the
3115 sriov setting is present NetworkManager enforces the number of
3116 virtual functions on the interface (also when it is zero) during
3117 activation and resets it upon deactivation. To prevent any changes
3118 to SR-IOV parameters don't add a sriov setting to the connection.
3119 Format: uint32
3121 vfs
3123 Array of virtual function descriptors. Each VF descriptor is a
3124 dictionary mapping attribute names to GVariant values. The 'index'
3125 entry is mandatory for each VF. When represented as string a VF is
3126 in the form: "INDEX [ATTR=VALUE[ ATTR=VALUE]...]". for example: "2
3127 mac=00:11:22:33:44:55 spoof-check=true". Multiple VFs can be
3128 specified using a comma as separator. Currently, the following
3129 attributes are supported: mac, spoof-check, trust, min-tx-rate,
3130 max-tx-rate, vlans. The "vlans" attribute is represented as a
3131 semicolon-separated list of VLAN descriptors, where each descriptor
3132 has the form "ID[.PRIORITY[.PROTO]]". PROTO can be either 'q' for
3133 802.1Q (the default) or 'ad' for 802.1ad.
3134 Format: array of vardict
3136 tc setting
3138 Linux Traffic Control Settings.
3139 Properties:
3141 qdiscs
3143 Array of TC queueing disciplines. qdisc is a basic block in the
3144 Linux traffic control subsystem
3145 Each qdisc can be specified by the following attributes:
3147 handle HANDLE
3149 specifies the qdisc handle. A qdisc, which potentially can have
3150 children, gets assigned a major number, called a 'handle',
3151 leaving the minor number namespace available for classes. The
3152 handle is expressed as '10:'. It is customary to explicitly
3153 assign a handle to qdiscs expected to have children.
3154 parent HANDLE
3156 specifies the handle of the parent qdisc the current qdisc must
3157 be attached to.
3158 root
3160 specifies that the qdisc is attached to the root of device.
3161 KIND
3163 this is the qdisc kind. NetworkManager currently supports the
3164 following kinds: fq_codel, sfq, tbf. Each qdisc kind has a
3165 different set of parameters, described below. There are also
3166 some kinds like pfifo, pfifo_fast, prio supported by
3167 NetworkManager but their parameters are not supported by
3168 NetworkManager.
3169 Parameters for 'fq_codel':
3171 limit U32
3173 the hard limit on the real queue size. When this limit is
3174 reached, incoming packets are dropped. Default is 10240
3175 packets.
3176 memory_limit U32
3178 sets a limit on the total number of bytes that can be queued in
3179 this FQ-CoDel instance. The lower of the packet limit of the
3180 limit parameter and the memory limit will be enforced. Default
3181 is 32 MB.
3182 flows U32
3184 the number of flows into which the incoming packets are
3185 classified. Due to the stochastic nature of hashing, multiple
3186 flows may end up being hashed into the same slot. Newer flows
3187 have priority over older ones. This parameter can be set only
3188 at load time since memory has to be allocated for the hash
3189 table. Default value is 1024.
3190 target U32
3192 the acceptable minimum standing/persistent queue delay. This
3193 minimum delay is identified by tracking the local minimum queue
3194 delay that packets experience. The unit of measurement is
3195 microsecond(us). Default value is 5ms.
3196 interval U32
3198 used to ensure that the measured minimum delay does not become
3199 too stale. The minimum delay must be experienced in the last
3200 epoch of length .B interval. It should be set on the order of
3201 the worst-case RTT through the bottleneck to give endpoints
3202 sufficient time to react. Default value is 100ms.
3203 quantum U32
3205 the number of bytes used as 'deficit' in the fair queuing
3206 algorithm. Default is set to 1514 bytes which corresponds to
3207 the Ethernet MTU plus the hardware header length of 14 bytes.
3208 ecn BOOL
3210 can be used to mark packets instead of dropping them. ecn is
3211 turned on by default.
3212 ce_threshold U32
3214 sets a threshold above which all packets are marked with ECN
3215 Congestion Experienced. This is useful for DCTCP-style
3216 congestion control algorithms that require marking at very
3217 shallow queueing thresholds.
3218 Parameters for 'sfq':
3220 divisor U32
3222 can be used to set a different hash table size, available from
3223 kernel 2.6.39 onwards. The specified divisor must be a power of
3224 two and cannot be larger than 65536. Default value: 1024.
3225 limit U32
3227 Upper limit of the SFQ. Can be used to reduce the default
3228 length of 127 packets.
3229 depth U32
3231 Limit of packets per flow. Default to 127 and can be lowered.
3232 perturb_period U32
3234 Interval in seconds for queue algorithm perturbation. Defaults
3235 to 0, which means that no perturbation occurs. Do not set too
3236 low for each perturbation may cause some packet reordering or
3237 losses. Advised value: 60 This value has no effect when
3238 external flow classification is used. Its better to increase
3239 divisor value to lower risk of hash collisions.
3240 quantum U32
3242 Amount of bytes a flow is allowed to dequeue during a round of
3243 the round robin process. Defaults to the MTU of the interface
3244 which is also the advised value and the minimum value.
3245 flows U32
3247 Default value is 127.
3248 Parameters for 'tbf':
3250 rate U64
3252 Bandwidth or rate. These parameters accept a floating point
3253 number, possibly followed by either a unit (both SI and IEC
3254 units supported), or a float followed by a percent character to
3255 specify the rate as a percentage of the device's speed.
3256 burst U32
3258 Also known as buffer or maxburst. Size of the bucket, in bytes.
3259 This is the maximum amount of bytes that tokens can be
3260 available for instantaneously. In general, larger shaping rates
3261 require a larger buffer. For 10mbit/s on Intel, you need at
3262 least 10kbyte buffer if you want to reach your configured rate!
3263 If your buffer is too small, packets may be dropped because
3265 more tokens arrive per timer tick than fit in your bucket. The
3266 minimum buffer size can be calculated by dividing the rate by
3267 HZ.
3268 Token usage calculations are performed using a table which by
3270 default has a resolution of 8 packets. This resolution can be
3271 changed by specifying the cell size with the burst. For
3272 example, to specify a 6000 byte buffer with a 16 byte cell
3273 size, set a burst of 6000/16. You will probably never have to
3274 set this. Must be an integral power of 2.
3275 limit U32
3277 Limit is the number of bytes that can be queued waiting for
3278 tokens to become available.
3279 latency U32
3281 specifies the maximum amount of time a packet can sit in the
3282 TBF. The latency calculation takes into account the size of the
3283 bucket, the rate and possibly the peakrate (if set). The
3284 latency and limit are mutually exclusive.
3285 Format: GPtrArray(NMTCQdisc)
3287 tfilters
3289 Array of TC traffic filters. Traffic control can manage the packet
3290 content during classification by using filters.
3291 Each tfilters can be specified by the following attributes:
3293 handle HANDLE
3295 specifies the tfilters handle. A filter is used by a classful
3296 qdisc to determine in which class a packet will be enqueued. It
3297 is important to notice that filters reside within qdiscs.
3298 Therefore, see qdiscs handle for detailed information.
3299 parent HANDLE
3301 specifies the handle of the parent qdisc the current qdisc must
3302 be attached to.
3303 root
3305 specifies that the qdisc is attached to the root of device.
3306 KIND
3308 this is the tfilters kind. NetworkManager currently supports
3309 following kinds: mirred, simple. Each filter kind has a
3310 different set of actions, described below. There are also some
3311 other kinds like matchall, basic, u32 supported by
3312 NetworkManager.
3313 Actions for 'mirred':
3315 egress bool
3317 Define whether the packet should exit from the interface.
3318 ingress bool
3320 Define whether the packet should come into the interface.
3321 mirror bool
3323 Define whether the packet should be copied to the destination
3324 space.
3325 redirect bool
3327 Define whether the packet should be moved to the destination
3328 space.
3329 Action for 'simple':
3331 sdata char[32]
3333 The actual string to print.
3334 Format: GPtrArray(NMTCTfilter)
3336 team setting
3338 Teaming Settings.
3339 Properties:
3341 config
3343 Alias: config
3344 The JSON configuration for the team network interface. The property
3346 should contain raw JSON configuration data suitable for teamd,
3347 because the value is passed directly to teamd. If not specified,
3348 the default configuration is used. See man teamd.conf for the
3349 format details.
3350 Format: string
3352 link-watchers
3354 Link watchers configuration for the connection: each link watcher
3355 is defined by a dictionary, whose keys depend upon the selected
3356 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3357 and 'arp_ping' and it is specified in the dictionary with the key
3358 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3359 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3360 'target-host'; arp_ping: all the ones in nsna_ping and
3361 'source-host', 'validate-active', 'validate-inactive',
3362 'send-always'. See teamd.conf man for more details.
3363 Format: array of vardict
3365 mcast-rejoin-count
3367 Corresponds to the teamd mcast_rejoin.count.
3368 Format: int32
3370 mcast-rejoin-interval
3372 Corresponds to the teamd mcast_rejoin.interval.
3373 Format: int32
3375 notify-peers-count
3377 Corresponds to the teamd notify_peers.count.
3378 Format: int32
3380 notify-peers-interval
3382 Corresponds to the teamd notify_peers.interval.
3383 Format: int32
3385 runner
3387 Corresponds to the teamd runner.name. Permitted values are:
3388 "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
3389 "random".
3390 Format: string
3392 runner-active
3394 Corresponds to the teamd runner.active.
3395 Format: boolean
3397 runner-agg-select-policy
3399 Corresponds to the teamd runner.agg_select_policy.
3400 Format: string
3402 runner-fast-rate
3404 Corresponds to the teamd runner.fast_rate.
3405 Format: boolean
3407 runner-hwaddr-policy
3409 Corresponds to the teamd runner.hwaddr_policy.
3410 Format: string
3412 runner-min-ports
3414 Corresponds to the teamd runner.min_ports.
3415 Format: int32
3417 runner-sys-prio
3419 Corresponds to the teamd runner.sys_prio.
3420 Format: int32
3422 runner-tx-balancer
3424 Corresponds to the teamd runner.tx_balancer.name.
3425 Format: string
3427 runner-tx-balancer-interval
3429 Corresponds to the teamd runner.tx_balancer.interval.
3430 Format: int32
3432 runner-tx-hash
3434 Corresponds to the teamd runner.tx_hash.
3435 Format: array of string
3437 team-port setting
3439 Team Port Settings.
3440 Properties:
3442 config
3444 Alias: config
3445 The JSON configuration for the team port. The property should
3447 contain raw JSON configuration data suitable for teamd, because the
3448 value is passed directly to teamd. If not specified, the default
3449 configuration is used. See man teamd.conf for the format details.
3450 Format: string
3452 lacp-key
3454 Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3455 Format: int32
3457 lacp-prio
3459 Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3460 Format: int32
3462 link-watchers
3464 Link watchers configuration for the connection: each link watcher
3465 is defined by a dictionary, whose keys depend upon the selected
3466 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3467 and 'arp_ping' and it is specified in the dictionary with the key
3468 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3469 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3470 'target-host'; arp_ping: all the ones in nsna_ping and
3471 'source-host', 'validate-active', 'validate-inactive',
3472 'send-always'. See teamd.conf man for more details.
3473 Format: array of vardict
3475 prio
3477 Corresponds to the teamd ports.PORTIFNAME.prio.
3478 Format: int32
3480 queue-id
3482 Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1
3483 means the parameter is skipped from the json config.
3484 Format: int32
3486 sticky
3488 Corresponds to the teamd ports.PORTIFNAME.sticky.
3489 Format: boolean
3491 tun setting
3493 Tunnel Settings.
3494 Properties:
3496 group
3498 Alias: group
3499 The group ID which will own the device. If set to NULL everyone
3501 will be able to use the device.
3502 Format: string
3504 mode
3506 Alias: mode
3507 The operating mode of the virtual device. Allowed values are
3509 NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3510 NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3511 Format: uint32
3513 multi-queue
3515 Alias: multi-queue
3516 If the property is set to TRUE, the interface will support multiple
3518 file descriptors (queues) to parallelize packet sending or
3519 receiving. Otherwise, the interface will only support a single
3520 queue.
3521 Format: boolean
3523 owner
3525 Alias: owner
3526 The user ID which will own the device. If set to NULL everyone will
3528 be able to use the device.
3529 Format: string
3531 pi
3533 Alias: pi
3534 If TRUE the interface will prepend a 4 byte header describing the
3536 physical interface to the packets.
3537 Format: boolean
3539 vnet-hdr
3541 Alias: vnet-hdr
3542 If TRUE the IFF_VNET_HDR the tunnel packets will include a virtio
3544 network header.
3545 Format: boolean
3547 vlan setting
3549 VLAN Settings.
3550 Properties:
3552 egress-priority-map
3554 Alias: egress
3555 For outgoing packets, a list of mappings from Linux SKB priorities
3557 to 802.1p priorities. The mapping is given in the format "from:to"
3558 where both "from" and "to" are unsigned integers, ie "7:3".
3559 Format: array of string
3561 flags
3563 Alias: flags
3564 One or more flags which control the behavior and features of the
3566 VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
3567 (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
3568 of the GVRP protocol), and NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
3569 binding of the interface to its master device's operating state).
3570 NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol). The default
3571 value of this property is NM_VLAN_FLAG_REORDER_HEADERS, but it used
3572 to be 0. To preserve backward compatibility, the default-value in
3573 the D-Bus API continues to be 0 and a missing property on D-Bus is
3574 still considered as 0.
3575 Format: NMVlanFlags (uint32)
3577 id
3579 Alias: id
3580 The VLAN identifier that the interface created by this connection
3582 should be assigned. The valid range is from 0 to 4094, without the
3583 reserved id 4095.
3584 Format: uint32
3586 ingress-priority-map
3588 Alias: ingress
3589 For incoming packets, a list of mappings from 802.1p priorities to
3591 Linux SKB priorities. The mapping is given in the format "from:to"
3592 where both "from" and "to" are unsigned integers, ie "7:3".
3593 Format: array of string
3595 parent
3597 Alias: dev
3598 If given, specifies the parent interface name or parent connection
3600 UUID from which this VLAN interface should be created. If this
3601 property is not specified, the connection must contain an
3602 "802-3-ethernet" setting with a "mac-address" property.
3603 Format: string
3605 vpn setting
3607 VPN Settings.
3608 Properties:
3610 data
3612 Dictionary of key/value pairs of VPN plugin specific data. Both
3613 keys and values must be strings.
3614 Format: dict of string to string
3616 persistent
3618 If the VPN service supports persistence, and this property is TRUE,
3619 the VPN will attempt to stay connected across link changes and
3620 outages, until explicitly disconnected.
3621 Format: boolean
3623 secrets
3625 Dictionary of key/value pairs of VPN plugin specific secrets like
3626 passwords or private keys. Both keys and values must be strings.
3627 Format: dict of string to string
3629 service-type
3631 Alias: vpn-type
3632 D-Bus service name of the VPN plugin that this setting uses to
3634 connect to its network. i.e. org.freedesktop.NetworkManager.vpnc
3635 for the vpnc plugin.
3636 Format: string
3638 timeout
3640 Timeout for the VPN service to establish the connection. Some
3641 services may take quite a long time to connect. Value of 0 means a
3642 default timeout, which is 60 seconds (unless overridden by
3643 vpn.timeout in configuration file). Values greater than zero mean
3644 timeout in seconds.
3645 Format: uint32
3647 user-name
3649 Alias: user
3650 If the VPN connection requires a user name for authentication, that
3652 name should be provided here. If the connection is available to
3653 more than one user, and the VPN requires each user to supply a
3654 different name, then leave this property empty. If this property is
3655 empty, NetworkManager will automatically supply the username of the
3656 user which requested the VPN connection.
3657 Format: string
3659 vrf setting
3661 VRF settings.
3662 Properties:
3664 table
3666 Alias: table
3667 The routing table for this VRF.
3669 Format: uint32
3671 vxlan setting
3673 VXLAN Settings.
3674 Properties:
3676 ageing
3678 Specifies the lifetime in seconds of FDB entries learnt by the
3679 kernel.
3680 Format: uint32
3682 destination-port
3684 Alias: destination-port
3685 Specifies the UDP destination port to communicate to the remote
3687 VXLAN tunnel endpoint.
3688 Format: uint32
3690 id
3692 Alias: id
3693 Specifies the VXLAN Network Identifier (or VXLAN Segment
3695 Identifier) to use.
3696 Format: uint32
3698 l2-miss
3700 Specifies whether netlink LL ADDR miss notifications are generated.
3701 Format: boolean
3703 l3-miss
3705 Specifies whether netlink IP ADDR miss notifications are generated.
3706 Format: boolean
3708 learning
3710 Specifies whether unknown source link layer addresses and IP
3711 addresses are entered into the VXLAN device forwarding database.
3712 Format: boolean
3714 limit
3716 Specifies the maximum number of FDB entries. A value of zero means
3717 that the kernel will store unlimited entries.
3718 Format: uint32
3720 local
3722 Alias: local
3723 If given, specifies the source IP address to use in outgoing
3725 packets.
3726 Format: string
3728 parent
3730 Alias: dev
3731 If given, specifies the parent interface name or parent connection
3733 UUID.
3734 Format: string
3736 proxy
3738 Specifies whether ARP proxy is turned on.
3739 Format: boolean
3741 remote
3743 Alias: remote
3744 Specifies the unicast destination IP address to use in outgoing
3746 packets when the destination link layer address is not known in the
3747 VXLAN device forwarding database, or the multicast IP address to
3748 join.
3749 Format: string
3751 rsc
3753 Specifies whether route short circuit is turned on.
3754 Format: boolean
3756 source-port-max
3758 Alias: source-port-max
3759 Specifies the maximum UDP source port to communicate to the remote
3761 VXLAN tunnel endpoint.
3762 Format: uint32
3764 source-port-min
3766 Alias: source-port-min
3767 Specifies the minimum UDP source port to communicate to the remote
3769 VXLAN tunnel endpoint.
3770 Format: uint32
3772 tos
3774 Specifies the TOS value to use in outgoing packets.
3775 Format: uint32
3777 ttl
3779 Specifies the time-to-live value to use in outgoing packets.
3780 Format: uint32
3782 wifi-p2p setting
3784 Wi-Fi P2P Settings.
3785 Properties:
3787 peer
3789 Alias: peer
3790 The P2P device that should be connected to. Currently, this is the
3792 only way to create or join a group.
3793 Format: string
3795 wfd-ies
3797 The Wi-Fi Display (WFD) Information Elements (IEs) to set. Wi-Fi
3798 Display requires a protocol specific information element to be set
3799 in certain Wi-Fi frames. These can be specified here for the
3800 purpose of establishing a connection. This setting is only useful
3801 when implementing a Wi-Fi Display client.
3802 Format: byte array
3804 wps-method
3806 Flags indicating which mode of WPS is to be used. There's little
3807 point in changing the default setting as NetworkManager will
3808 automatically determine the best method to use.
3809 Format: uint32
3811 wimax setting
3813 WiMax Settings.
3814 Properties:
3816 mac-address
3818 Alias: mac
3819 If specified, this connection will only apply to the WiMAX device
3821 whose MAC address matches. This property does not change the MAC
3822 address of the device (known as MAC spoofing). Deprecated: 1
3823 Format: byte array
3825 network-name
3827 Alias: nsp
3828 Network Service Provider (NSP) name of the WiMAX network this
3830 connection should use. Deprecated: 1
3831 Format: string
3833 802-3-ethernet setting
3835 Alias: ethernet
3836 Wired Ethernet Settings.
3838 Properties:
3840 accept-all-mac-addresses
3842 When TRUE, setup the interface to accept packets for all MAC
3843 addresses. This is enabling the kernel interface flag IFF_PROMISC.
3844 When FALSE, the interface will only accept the packets with the
3845 interface destination mac address or broadcast.
3846 Format: NMTernary (int32)
3848 auto-negotiate
3850 When TRUE, enforce auto-negotiation of speed and duplex mode. If
3851 "speed" and "duplex" properties are both specified, only that
3852 single mode will be advertised and accepted during the link
3853 auto-negotiation process: this works only for BASE-T 802.3
3854 specifications and is useful for enforcing gigabits modes, as in
3855 these cases link negotiation is mandatory. When FALSE, "speed" and
3856 "duplex" properties should be both set or link configuration will
3857 be skipped.
3858 Format: boolean
3860 cloned-mac-address
3862 Alias: cloned-mac
3863 If specified, request that the device use this MAC address instead.
3865 This is known as MAC cloning or spoofing. Beside explicitly
3866 specifying a MAC address, the special values "preserve",
3867 "permanent", "random" and "stable" are supported. "preserve" means
3868 not to touch the MAC address on activation. "permanent" means to
3869 use the permanent hardware address if the device has one (otherwise
3870 this is treated as "preserve"). "random" creates a random MAC
3871 address on each connect. "stable" creates a hashed MAC address
3872 based on connection.stable-id and a machine dependent key. If
3873 unspecified, the value can be overwritten via global defaults, see
3874 manual of NetworkManager.conf. If still unspecified, it defaults to
3875 "preserve" (older versions of NetworkManager may use a different
3876 default value). On D-Bus, this field is expressed as
3877 "assigned-mac-address" or the deprecated "cloned-mac-address".
3878 Format: byte array
3880 duplex
3882 When a value is set, either "half" or "full", configures the device
3883 to use the specified duplex mode. If "auto-negotiate" is "yes" the
3884 specified duplex mode will be the only one advertised during link
3885 negotiation: this works only for BASE-T 802.3 specifications and is
3886 useful for enforcing gigabits modes, as in these cases link
3887 negotiation is mandatory. If the value is unset (the default), the
3888 link configuration will be either skipped (if "auto-negotiate" is
3889 "no", the default) or will be auto-negotiated (if "auto-negotiate"
3890 is "yes") and the local device will advertise all the supported
3891 duplex modes. Must be set together with the "speed" property if
3892 specified. Before specifying a duplex mode be sure your device
3893 supports it.
3894 Format: string
3896 generate-mac-address-mask
3898 With "cloned-mac-address" setting "random" or "stable", by default
3899 all bits of the MAC address are scrambled and a
3900 locally-administered, unicast MAC address is created. This property
3901 allows to specify that certain bits are fixed. Note that the least
3902 significant bit of the first MAC address will always be unset to
3903 create a unicast MAC address. If the property is NULL, it is
3904 eligible to be overwritten by a default connection setting. If the
3905 value is still NULL or an empty string, the default is to create a
3906 locally-administered, unicast MAC address. If the value contains
3907 one MAC address, this address is used as mask. The set bits of the
3908 mask are to be filled with the current MAC address of the device,
3909 while the unset bits are subject to randomization. Setting
3910 "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3911 address and only randomize the lower 3 bytes using the "random" or
3912 "stable" algorithm. If the value contains one additional MAC
3913 address after the mask, this address is used instead of the current
3914 MAC address to fill the bits that shall not be randomized. For
3915 example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3916 the OUI of the MAC address to 68:F7:28, while the lower bits are
3917 randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3918 create a fully scrambled globally-administered, burned-in MAC
3919 address. If the value contains more than one additional MAC
3920 addresses, one of them is chosen randomly. For example,
3921 "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3922 a fully scrambled MAC address, randomly locally or globally
3923 administered.
3924 Format: string
3926 mac-address
3928 Alias: mac
3929 If specified, this connection will only apply to the Ethernet
3931 device whose permanent MAC address matches. This property does not
3932 change the MAC address of the device (i.e. MAC spoofing).
3933 Format: byte array
3935 mac-address-blacklist
3937 If specified, this connection will never apply to the Ethernet
3938 device whose permanent MAC address matches an address in the list.
3939 Each MAC address is in the standard hex-digits-and-colons notation
3940 (00:11:22:33:44:55).
3941 Format: array of string
3943 mtu
3945 Alias: mtu
3946 If non-zero, only transmit packets of the specified size or
3948 smaller, breaking larger packets up into multiple Ethernet frames.
3949 Format: uint32
3951 port
3953 Specific port type to use if the device supports multiple
3954 attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
3955 Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
3956 Interface). If the device supports only one port type, this setting
3957 is ignored.
3958 Format: string
3960 s390-nettype
3962 s390 network device type; one of "qeth", "lcs", or "ctc",
3963 representing the different types of virtual network devices
3964 available on s390 systems.
3965 Format: string
3967 s390-options
3969 Dictionary of key/value pairs of s390-specific device options. Both
3970 keys and values must be strings. Allowed keys include "portno",
3971 "layer2", "portname", "protocol", among others. Key names must
3972 contain only alphanumeric characters (ie, [a-zA-Z0-9]). Currently,
3973 NetworkManager itself does nothing with this information. However,
3974 s390utils ships a udev rule which parses this information and
3975 applies it to the interface.
3976 Format: dict of string to string
3978 s390-subchannels
3980 Identifies specific subchannels that this network device uses for
3981 communication with z/VM or s390 host. Like the "mac-address"
3982 property for non-z/VM devices, this property can be used to ensure
3983 this connection only applies to the network device that uses these
3984 subchannels. The list should contain exactly 3 strings, and each
3985 string may only be composed of hexadecimal characters and the
3986 period (.) character.
3987 Format: array of string
3989 speed
3991 When a value greater than 0 is set, configures the device to use
3992 the specified speed. If "auto-negotiate" is "yes" the specified
3993 speed will be the only one advertised during link negotiation: this
3994 works only for BASE-T 802.3 specifications and is useful for
3995 enforcing gigabit speeds, as in this case link negotiation is
3996 mandatory. If the value is unset (0, the default), the link
3997 configuration will be either skipped (if "auto-negotiate" is "no",
3998 the default) or will be auto-negotiated (if "auto-negotiate" is
3999 "yes") and the local device will advertise all the supported
4000 speeds. In Mbit/s, ie 100 == 100Mbit/s. Must be set together with
4001 the "duplex" property when non-zero. Before specifying a speed
4002 value be sure your device supports it.
4003 Format: uint32
4005 wake-on-lan
4007 The NMSettingWiredWakeOnLan options to enable. Not all devices
4008 support all options. May be any combination of
4009 NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
4010 NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
4011 NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
4012 NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
4013 NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
4014 NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
4015 NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
4016 and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
4017 management of Wake-on-LAN in NetworkManager).
4018 Format: uint32
4020 wake-on-lan-password
4022 If specified, the password used with magic-packet-based
4023 Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
4024 password will be required.
4025 Format: string
4027 wireguard setting
4029 WireGuard Settings.
4030 Properties:
4032 fwmark
4034 The use of fwmark is optional and is by default off. Setting it to
4035 0 disables it. Otherwise, it is a 32-bit fwmark for outgoing
4036 packets. Note that "ip4-auto-default-route" or
4037 "ip6-auto-default-route" enabled, implies to automatically choose a
4038 fwmark.
4039 Format: uint32
4041 ip4-auto-default-route
4043 Whether to enable special handling of the IPv4 default route. If
4044 enabled, the IPv4 default route from wireguard.peer-routes will be
4045 placed to a dedicated routing-table and two policy routing rules
4046 will be added. The fwmark number is also used as routing-table for
4047 the default-route, and if fwmark is zero, an unused fwmark/table is
4048 chosen automatically. This corresponds to what wg-quick does with
4049 Table=auto and what WireGuard calls "Improved Rule-based Routing".
4050 Note that for this automatism to work, you usually don't want to
4051 set ipv4.gateway, because that will result in a conflicting default
4052 route. Leaving this at the default will enable this option
4053 automatically if ipv4.never-default is not set and there are any
4054 peers that use a default-route as allowed-ips.
4055 Format: NMTernary (int32)
4057 ip6-auto-default-route
4059 Like ip4-auto-default-route, but for the IPv6 default route.
4060 Format: NMTernary (int32)
4062 listen-port
4064 The listen-port. If listen-port is not specified, the port will be
4065 chosen randomly when the interface comes up.
4066 Format: uint32
4068 mtu
4070 If non-zero, only transmit packets of the specified size or
4071 smaller, breaking larger packets up into multiple fragments. If
4072 zero a default MTU is used. Note that contrary to wg-quick's MTU
4073 setting, this does not take into account the current routes at the
4074 time of activation.
4075 Format: uint32
4077 peer-routes
4079 Whether to automatically add routes for the AllowedIPs ranges of
4080 the peers. If TRUE (the default), NetworkManager will automatically
4081 add routes in the routing tables according to ipv4.route-table and
4082 ipv6.route-table. Usually you want this automatism enabled. If
4083 FALSE, no such routes are added automatically. In this case, the
4084 user may want to configure static routes in ipv4.routes and
4085 ipv6.routes, respectively. Note that if the peer's AllowedIPs is
4086 "0.0.0.0/0" or "::/0" and the profile's ipv4.never-default or
4087 ipv6.never-default setting is enabled, the peer route for this peer
4088 won't be added automatically.
4089 Format: boolean
4091 private-key
4093 The 256 bit private-key in base64 encoding.
4094 Format: string
4096 private-key-flags
4098 Flags indicating how to handle the "private-key" property. See the
4099 section called “Secret flag types:” for flag values.
4100 Format: NMSettingSecretFlags (uint32)
4102 802-11-wireless setting
4104 Alias: wifi
4105 Wi-Fi Settings.
4107 Properties:
4109 ap-isolation
4111 Configures AP isolation, which prevents communication between
4112 wireless devices connected to this AP. This property can be set to
4113 a value different from NM_TERNARY_DEFAULT (-1) only when the
4114 interface is configured in AP mode. If set to NM_TERNARY_TRUE (1),
4115 devices are not able to communicate with each other. This increases
4116 security because it protects devices against attacks from other
4117 clients in the network. At the same time, it prevents devices to
4118 access resources on the same wireless networks as file shares,
4119 printers, etc. If set to NM_TERNARY_FALSE (0), devices can talk to
4120 each other. When set to NM_TERNARY_DEFAULT (-1), the global default
4121 is used; in case the global default is unspecified it is assumed to
4122 be NM_TERNARY_FALSE (0).
4123 Format: NMTernary (int32)
4125 band
4127 802.11 frequency band of the network. One of "a" for 5GHz 802.11a
4128 or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
4129 network to the specific band, i.e. if "a" is specified, the device
4130 will not associate with the same network in the 2.4GHz band even if
4131 the network's settings are compatible. This setting depends on
4132 specific driver capability and may not work with all drivers.
4133 Format: string
4135 bssid
4137 If specified, directs the device to only associate with the given
4138 access point. This capability is highly driver dependent and not
4139 supported by all devices. Note: this property does not control the
4140 BSSID used when creating an Ad-Hoc network and is unlikely to in
4141 the future.
4142 Format: byte array
4144 channel
4146 Wireless channel to use for the Wi-Fi connection. The device will
4147 only join (or create for Ad-Hoc networks) a Wi-Fi network on the
4148 specified channel. Because channel numbers overlap between bands,
4149 this property also requires the "band" property to be set.
4150 Format: uint32
4152 cloned-mac-address
4154 Alias: cloned-mac
4155 If specified, request that the device use this MAC address instead.
4157 This is known as MAC cloning or spoofing. Beside explicitly
4158 specifying a MAC address, the special values "preserve",
4159 "permanent", "random" and "stable" are supported. "preserve" means
4160 not to touch the MAC address on activation. "permanent" means to
4161 use the permanent hardware address of the device. "random" creates
4162 a random MAC address on each connect. "stable" creates a hashed MAC
4163 address based on connection.stable-id and a machine dependent key.
4164 If unspecified, the value can be overwritten via global defaults,
4165 see manual of NetworkManager.conf. If still unspecified, it
4166 defaults to "preserve" (older versions of NetworkManager may use a
4167 different default value). On D-Bus, this field is expressed as
4168 "assigned-mac-address" or the deprecated "cloned-mac-address".
4169 Format: byte array
4171 generate-mac-address-mask
4173 With "cloned-mac-address" setting "random" or "stable", by default
4174 all bits of the MAC address are scrambled and a
4175 locally-administered, unicast MAC address is created. This property
4176 allows to specify that certain bits are fixed. Note that the least
4177 significant bit of the first MAC address will always be unset to
4178 create a unicast MAC address. If the property is NULL, it is
4179 eligible to be overwritten by a default connection setting. If the
4180 value is still NULL or an empty string, the default is to create a
4181 locally-administered, unicast MAC address. If the value contains
4182 one MAC address, this address is used as mask. The set bits of the
4183 mask are to be filled with the current MAC address of the device,
4184 while the unset bits are subject to randomization. Setting
4185 "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
4186 address and only randomize the lower 3 bytes using the "random" or
4187 "stable" algorithm. If the value contains one additional MAC
4188 address after the mask, this address is used instead of the current
4189 MAC address to fill the bits that shall not be randomized. For
4190 example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
4191 the OUI of the MAC address to 68:F7:28, while the lower bits are
4192 randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
4193 create a fully scrambled globally-administered, burned-in MAC
4194 address. If the value contains more than one additional MAC
4195 addresses, one of them is chosen randomly. For example,
4196 "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
4197 a fully scrambled MAC address, randomly locally or globally
4198 administered.
4199 Format: string
4201 hidden
4203 If TRUE, indicates that the network is a non-broadcasting network
4204 that hides its SSID. This works both in infrastructure and AP mode.
4205 In infrastructure mode, various workarounds are used for a more
4206 reliable discovery of hidden networks, such as probe-scanning the
4207 SSID. However, these workarounds expose inherent insecurities with
4208 hidden SSID networks, and thus hidden SSID networks should be used
4209 with caution. In AP mode, the created network does not broadcast
4210 its SSID. Note that marking the network as hidden may be a privacy
4211 issue for you (in infrastructure mode) or client stations (in AP
4212 mode), as the explicit probe-scans are distinctly recognizable on
4213 the air.
4214 Format: boolean
4216 mac-address
4218 Alias: mac
4219 If specified, this connection will only apply to the Wi-Fi device
4221 whose permanent MAC address matches. This property does not change
4222 the MAC address of the device (i.e. MAC spoofing).
4223 Format: byte array
4225 mac-address-blacklist
4227 A list of permanent MAC addresses of Wi-Fi devices to which this
4228 connection should never apply. Each MAC address should be given in
4229 the standard hex-digits-and-colons notation (eg
4230 "00:11:22:33:44:55").
4231 Format: array of string
4233 mac-address-randomization
4235 One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
4236 unless the user has set a global default to randomize and the
4237 supplicant supports randomization),
4238 NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
4239 address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
4240 randomize the MAC address). This property is deprecated for
4241 'cloned-mac-address'. Deprecated: 1
4242 Format: uint32
4244 mode
4246 Alias: mode
4247 Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
4249 "ap". If blank, infrastructure is assumed.
4250 Format: string
4252 mtu
4254 Alias: mtu
4255 If non-zero, only transmit packets of the specified size or
4257 smaller, breaking larger packets up into multiple Ethernet frames.
4258 Format: uint32
4260 powersave
4262 One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
4263 power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
4264 Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
4265 (don't touch currently configure setting) or
4266 NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
4267 configured value). All other values are reserved.
4268 Format: uint32
4270 rate
4272 If non-zero, directs the device to only use the specified bitrate
4273 for communication with the access point. Units are in Kb/s, ie 5500
4274 = 5.5 Mbit/s. This property is highly driver dependent and not all
4275 devices support setting a static bitrate.
4276 Format: uint32
4278 seen-bssids
4280 A list of BSSIDs (each BSSID formatted as a MAC address like
4281 "00:11:22:33:44:55") that have been detected as part of the Wi-Fi
4282 network. NetworkManager internally tracks previously seen BSSIDs.
4283 The property is only meant for reading and reflects the BSSID list
4284 of NetworkManager. The changes you make to this property will not
4285 be preserved.
4286 Format: array of string
4288 ssid
4290 Alias: ssid
4291 SSID of the Wi-Fi network. Must be specified.
4293 Format: byte array
4295 tx-power
4297 If non-zero, directs the device to use the specified transmit
4298 power. Units are dBm. This property is highly driver dependent and
4299 not all devices support setting a static transmit power.
4300 Format: uint32
4302 wake-on-wlan
4304 The NMSettingWirelessWakeOnWLan options to enable. Not all devices
4305 support all options. May be any combination of
4306 NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
4307 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
4308 NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
4309 NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
4310 NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
4311 NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
4312 NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
4313 NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
4314 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
4315 settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
4316 disable management of Wake-on-LAN in NetworkManager).
4317 Format: uint32
4319 802-11-wireless-security setting
4321 Alias: wifi-sec
4322 Wi-Fi Security Settings.
4324 Properties:
4326 auth-alg
4328 When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate
4329 the 802.11 authentication algorithm required by the AP here. One of
4330 "open" for Open System, "shared" for Shared Key, or "leap" for
4331 Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and
4332 auth-alg = "leap") the "leap-username" and "leap-password"
4333 properties must be specified.
4334 Format: string
4336 fils
4338 Indicates whether Fast Initial Link Setup (802.11ai) must be
4339 enabled for the connection. One of
4340 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
4341 value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
4342 FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
4343 if the supplicant and the access point support it) or
4344 NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
4345 fail if not supported). When set to
4346 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
4347 is set, FILS will be optionally enabled.
4348 Format: int32
4350 group
4352 A list of group/broadcast encryption algorithms which prevents
4353 connections to Wi-Fi networks that do not utilize one of the
4354 algorithms in the list. For maximum compatibility leave this
4355 property empty. Each list element may be one of "wep40", "wep104",
4356 "tkip", or "ccmp".
4357 Format: array of string
4359 key-mgmt
4361 Key management used for the connection. One of "none" (WEP or no
4362 password protection), "ieee8021x" (Dynamic WEP), "owe"
4363 (Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3
4364 personal), "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3
4365 enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only). This
4366 property must be set for any Wi-Fi connection that uses security.
4367 Format: string
4369 leap-password
4371 The login password for legacy LEAP connections (ie, key-mgmt =
4372 "ieee8021x" and auth-alg = "leap").
4373 Format: string
4375 leap-password-flags
4377 Flags indicating how to handle the "leap-password" property. See
4378 the section called “Secret flag types:” for flag values.
4379 Format: NMSettingSecretFlags (uint32)
4381 leap-username
4383 The login username for legacy LEAP connections (ie, key-mgmt =
4384 "ieee8021x" and auth-alg = "leap").
4385 Format: string
4387 pairwise
4389 A list of pairwise encryption algorithms which prevents connections
4390 to Wi-Fi networks that do not utilize one of the algorithms in the
4391 list. For maximum compatibility leave this property empty. Each
4392 list element may be one of "tkip" or "ccmp".
4393 Format: array of string
4395 pmf
4397 Indicates whether Protected Management Frames (802.11w) must be
4398 enabled for the connection. One of
4399 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
4400 value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
4401 NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
4402 supplicant and the access point support it) or
4403 NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
4404 if not supported). When set to
4405 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
4406 is set, PMF will be optionally enabled.
4407 Format: int32
4409 proto
4411 List of strings specifying the allowed WPA protocol versions to
4412 use. Each element may be one "wpa" (allow WPA) or "rsn" (allow
4413 WPA2/RSN). If not specified, both WPA and RSN connections are
4414 allowed.
4415 Format: array of string
4417 psk
4419 Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
4420 passphrase of 8 to 63 characters that is (as specified in the
4421 802.11i standard) hashed to derive the actual key, or the key in
4422 form of 64 hexadecimal character. The WPA3-Personal networks use a
4423 passphrase of any length for SAE authentication.
4424 Format: string
4426 psk-flags
4428 Flags indicating how to handle the "psk" property. See the section
4429 called “Secret flag types:” for flag values.
4430 Format: NMSettingSecretFlags (uint32)
4432 wep-key-flags
4434 Flags indicating how to handle the "wep-key0", "wep-key1",
4435 "wep-key2", and "wep-key3" properties. See the section called
4436 “Secret flag types:” for flag values.
4437 Format: NMSettingSecretFlags (uint32)
4439 wep-key-type
4441 Controls the interpretation of WEP keys. Allowed values are
4442 NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
4443 26-character hexadecimal string, or a 5- or 13-character ASCII
4444 password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
4445 passphrase is provided as a string and will be hashed using the
4446 de-facto MD5 method to derive the actual WEP key.
4447 Format: NMWepKeyType (uint32)
4449 wep-key0
4451 Index 0 WEP key. This is the WEP key used in most networks. See the
4452 "wep-key-type" property for a description of how this key is
4453 interpreted.
4454 Format: string
4456 wep-key1
4458 Index 1 WEP key. This WEP index is not used by most networks. See
4459 the "wep-key-type" property for a description of how this key is
4460 interpreted.
4461 Format: string
4463 wep-key2
4465 Index 2 WEP key. This WEP index is not used by most networks. See
4466 the "wep-key-type" property for a description of how this key is
4467 interpreted.
4468 Format: string
4470 wep-key3
4472 Index 3 WEP key. This WEP index is not used by most networks. See
4473 the "wep-key-type" property for a description of how this key is
4474 interpreted.
4475 Format: string
4477 wep-tx-keyidx
4479 When static WEP is used (ie, key-mgmt = "none") and a non-default
4480 WEP key index is used by the AP, put that WEP key index here. Valid
4481 values are 0 (default key) through 3. Note that some consumer
4482 access points (like the Linksys WRT54G) number the keys 1 - 4.
4483 Format: uint32
4485 wps-method
4487 Flags indicating which mode of WPS is to be used if any. There's
4488 little point in changing the default setting as NetworkManager will
4489 automatically determine whether it's feasible to start WPS
4490 enrollment from the Access Point capabilities. WPS can be disabled
4491 by setting this property to a value of 1.
4492 Format: uint32
4494 wpan setting
4496 IEEE 802.15.4 (WPAN) MAC Settings.
4497 Properties:
4499 channel
4501 Alias: channel
4502 IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
4504 set, use whatever the device is already set to".
4505 Format: int32
4507 mac-address
4509 Alias: mac
4510 If specified, this connection will only apply to the IEEE 802.15.4
4512 (WPAN) MAC layer device whose permanent MAC address matches.
4513 Format: string
4515 page
4517 Alias: page
4518 IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
4520 not set, use whatever the device is already set to".
4521 Format: int32
4523 pan-id
4525 Alias: pan-id
4526 IEEE 802.15.4 Personal Area Network (PAN) identifier.
4528 Format: uint32
4530 short-address
4532 Alias: short-addr
4533 Short IEEE 802.15.4 address to be used within a restricted
4535 environment.
4536 Format: uint32
4538 bond-port setting
4540 Bond Port Settings.
4541 Properties:
4543 queue-id
4545 Alias: queue-id
4546 The queue ID of this bond port. The maximum value of queue ID is
4548 the number of TX queues currently active in device.
4549 Format: uint32
4551 hostname setting
4553 Hostname settings.
4554 Properties:
4556 from-dhcp
4558 Whether the system hostname can be determined from DHCP on this
4559 connection. When set to NM_TERNARY_DEFAULT (-1), the value from
4560 global configuration is used. If the property doesn't have a value
4561 in the global configuration, NetworkManager assumes the value to be
4562 NM_TERNARY_TRUE (1).
4563 Format: NMTernary (int32)
4565 from-dns-lookup
4567 Whether the system hostname can be determined from reverse DNS
4568 lookup of addresses on this device. When set to NM_TERNARY_DEFAULT
4569 (-1), the value from global configuration is used. If the property
4570 doesn't have a value in the global configuration, NetworkManager
4571 assumes the value to be NM_TERNARY_TRUE (1).
4572 Format: NMTernary (int32)
4574 only-from-default
4576 If set to NM_TERNARY_TRUE (1), NetworkManager attempts to get the
4577 hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this device
4578 only when the device has the default route for the given address
4579 family (IPv4/IPv6). If set to NM_TERNARY_FALSE (0), the hostname
4580 can be set from this device even if it doesn't have the default
4581 route. When set to NM_TERNARY_DEFAULT (-1), the value from global
4582 configuration is used. If the property doesn't have a value in the
4583 global configuration, NetworkManager assumes the value to be
4584 NM_TERNARY_FALSE (0).
4585 Format: NMTernary (int32)
4587 priority
4589 The relative priority of this connection to determine the system
4590 hostname. A lower numerical value is better (higher priority). A
4591 connection with higher priority is considered before connections
4592 with lower priority. If the value is zero, it can be overridden by
4593 a global value from NetworkManager configuration. If the property
4594 doesn't have a value in the global configuration, the value is
4595 assumed to be 100. Negative values have the special effect of
4596 excluding other connections with a greater numerical priority
4597 value; so in presence of at least one negative priority, only
4598 connections with the lowest priority value will be used to
4599 determine the hostname.
4600 Format: int32
4602 veth setting
4604 Veth Settings.
4605 Properties:
4607 peer
4609 Alias: peer
4610 This property specifies the peer interface name of the veth. This
4612 property is mandatory.
4613 Format: string
4615 Secret flag types:
4617 Each password or secret property in a setting has an associated flags
4618 property that describes how to handle that secret. The flags property
4619 is a bitfield that contains zero or more of the following values
4620 logically OR-ed together.
4621 • 0x0 (none) - the system is responsible for providing and storing
4623 this secret. This may be required so that secrets are already
4624 available before the user logs in. It also commonly means that the
4625 secret will be stored in plain text on disk, accessible to root
4626 only. For example via the keyfile settings plugin as described in
4627 the "PLUGINS" section in NetworkManager.conf(5).
4628 • 0x1 (agent-owned) - a user-session secret agent is responsible for
4630 providing and storing this secret; when it is required, agents will
4631 be asked to provide it.
4632 • 0x2 (not-saved) - this secret should not be saved but should be
4634 requested from the user each time it is required. This flag should
4635 be used for One-Time-Pad secrets, PIN codes from hardware tokens,
4636 or if the user simply does not want to save the secret.
4637 • 0x4 (not-required) - in some situations it cannot be automatically
4639 determined that a secret is required or not. This flag hints that
4640 the secret is not required and should not be requested from the
4641 user.
4642
4644 /etc/NetworkManager/system-connections or distro plugin-specific
4645 location
4646
4648 nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
4649 nm-settings-keyfile(5), NetworkManager.conf(5)
4650NetworkManager 1.38.0 NM-SETTINGS-NMCLI(5)