1NM-SETTINGS-NMCLI(5)             Configuration            NM-SETTINGS-NMCLI(5)
2
3
4

NAME

6       nm-settings-nmcli - Description of settings and properties of
7       NetworkManager connection profiles for nmcli
8

DESCRIPTION

10       NetworkManager is based on a concept of connection profiles, sometimes
11       referred to as connections only. These connection profiles contain a
12       network configuration. When NetworkManager activates a connection
13       profile on a network device the configuration will be applied and an
14       active network connection will be established. Users are free to create
15       as many connection profiles as they see fit. Thus they are flexible in
16       having various network configurations for different networking needs.
17
18       NetworkManager provides an API for configuring connection profiles, for
19       activating them to configure the network, and inspecting the current
20       network configuration. The command line tool nmcli is a client
21       application to NetworkManager that uses this API. See nmcli(1) for
22       details.
23
24       With commands like nmcli connection add, nmcli connection modify and
25       nmcli connection show, connection profiles can be created, modified and
26       inspected. A profile consists of properties. On D-Bus this follows the
27       format as described by nm-settings-dbus(5), while this manual page
28       describes the settings format how they are expected by nmcli.
29
30       The settings and properties shown in tables below list all available
31       connection configuration options. However, note that not all settings
32       are applicable to all connection types.  nmcli connection editor has
33       also a built-in describe command that can display description of
34       particular settings and properties of this page.
35
36       The setting and property can be abbreviated provided they are unique.
37       The list below also shows aliases that can be used unqualified instead
38       of the full name. For example connection.interface-name and ifname
39       refer to the same property.
40
41   connection setting
42       General Connection Profile Settings.
43
44       Properties:
45
46       auth-retries
47           The number of retries for the authentication. Zero means to try
48           indefinitely; -1 means to use a global default. If the global
49           default is not set, the authentication retries for 3 times before
50           failing the connection. Currently, this only applies to 802-1x
51           authentication.
52
53           Format: int32
54
55       autoconnect
56           Alias: autoconnect
57
58           Whether or not the connection should be automatically connected by
59           NetworkManager when the resources for the connection are available.
60           TRUE to automatically activate the connection, FALSE to require
61           manual intervention to activate the connection. Autoconnect happens
62           when the circumstances are suitable. That means for example that
63           the device is currently managed and not active. Autoconnect thus
64           never replaces or competes with an already active profile. Note
65           that autoconnect is not implemented for VPN profiles. See
66           "secondaries" as an alternative to automatically connect VPN
67           profiles. If multiple profiles are ready to autoconnect on the same
68           device, the one with the better "connection.autoconnect-priority"
69           is chosen. If the priorities are equal, then the most recently
70           connected profile is activated. If the profiles were not connected
71           earlier or their "connection.timestamp" is identical, the choice is
72           undefined. Depending on "connection.multi-connect", a profile can
73           (auto)connect only once at a time or multiple times.
74
75           Format: boolean
76
77       autoconnect-priority
78           The autoconnect priority in range -999 to 999. If the connection is
79           set to autoconnect, connections with higher priority will be
80           preferred. The higher number means higher priority. Defaults to 0.
81           Note that this property only matters if there are more than one
82           candidate profile to select for autoconnect. In case of equal
83           priority, the profile used most recently is chosen.
84
85           Format: int32
86
87       autoconnect-retries
88           The number of times a connection should be tried when
89           autoactivating before giving up. Zero means forever, -1 means the
90           global default (4 times if not overridden). Setting this to 1 means
91           to try activation only once before blocking autoconnect. Note that
92           after a timeout, NetworkManager will try to autoconnect again.
93
94           Format: int32
95
96       autoconnect-slaves
97           Whether or not slaves of this connection should be automatically
98           brought up when NetworkManager activates this connection. This only
99           has a real effect for master connections. The properties
100           "autoconnect", "autoconnect-priority" and "autoconnect-retries" are
101           unrelated to this setting. The permitted values are: 0: leave slave
102           connections untouched, 1: activate all the slave connections with
103           this connection, -1: default. If -1 (default) is set, global
104           connection.autoconnect-slaves is read to determine the real value.
105           If it is default as well, this fallbacks to 0.
106
107           Format: NMSettingConnectionAutoconnectSlaves (int32)
108
109       dns-over-tls
110           Whether DNSOverTls (dns-over-tls) is enabled for the connection.
111           DNSOverTls is a technology which uses TLS to encrypt dns traffic.
112           The permitted values are: "yes" (2) use DNSOverTls and disabled
113           fallback, "opportunistic" (1) use DNSOverTls but allow fallback to
114           unencrypted resolution, "no" (0) don't ever use DNSOverTls. If
115           unspecified "default" depends on the plugin used. Systemd-resolved
116           uses global setting. This feature requires a plugin which supports
117           DNSOverTls. Otherwise, the setting has no effect. One such plugin
118           is dns-systemd-resolved.
119
120           Format: int32
121
122       gateway-ping-timeout
123           If greater than zero, delay success of IP addressing until either
124           the timeout is reached, or an IP gateway replies to a ping.
125
126           Format: uint32
127
128       id
129           Alias: con-name
130
131           A human readable unique identifier for the connection, like "Work
132           Wi-Fi" or "T-Mobile 3G".
133
134           Format: string
135
136       interface-name
137           Alias: ifname
138
139           The name of the network interface this connection is bound to. If
140           not set, then the connection can be attached to any interface of
141           the appropriate type (subject to restrictions imposed by other
142           settings). For software devices this specifies the name of the
143           created device. For connection types where interface names cannot
144           easily be made persistent (e.g. mobile broadband or USB Ethernet),
145           this property should not be used. Setting this property restricts
146           the interfaces a connection can be used with, and if interface
147           names change or are reordered the connection may be applied to the
148           wrong interface.
149
150           Format: string
151
152       lldp
153           Whether LLDP is enabled for the connection.
154
155           Format: int32
156
157       llmnr
158           Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
159           the connection. LLMNR is a protocol based on the Domain Name System
160           (DNS) packet format that allows both IPv4 and IPv6 hosts to perform
161           name resolution for hosts on the same local link. The permitted
162           values are: "yes" (2) register hostname and resolving for the
163           connection, "no" (0) disable LLMNR for the interface, "resolve" (1)
164           do not register hostname but allow resolving of LLMNR host names If
165           unspecified, "default" ultimately depends on the DNS plugin (which
166           for systemd-resolved currently means "yes"). This feature requires
167           a plugin which supports LLMNR. Otherwise, the setting has no
168           effect. One such plugin is dns-systemd-resolved.
169
170           Format: int32
171
172       master
173           Alias: master
174
175           Interface name of the master device or UUID of the master
176           connection.
177
178           Format: string
179
180       mdns
181           Whether mDNS is enabled for the connection. The permitted values
182           are: "yes" (2) register hostname and resolving for the connection,
183           "no" (0) disable mDNS for the interface, "resolve" (1) do not
184           register hostname but allow resolving of mDNS host names and
185           "default" (-1) to allow lookup of a global default in
186           NetworkManager.conf. If unspecified, "default" ultimately depends
187           on the DNS plugin (which for systemd-resolved currently means
188           "no"). This feature requires a plugin which supports mDNS.
189           Otherwise, the setting has no effect. One such plugin is
190           dns-systemd-resolved.
191
192           Format: int32
193
194       metered
195           Whether the connection is metered. When updating this property on a
196           currently activated connection, the change takes effect
197           immediately.
198
199           Format: NMMetered (int32)
200
201       mud-url
202           If configured, set to a Manufacturer Usage Description (MUD) URL
203           that points to manufacturer-recommended network policies for IoT
204           devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
205           must be a valid URL starting with "https://". The special value
206           "none" is allowed to indicate that no MUD URL is used. If the
207           per-profile value is unspecified (the default), a global connection
208           default gets consulted. If still unspecified, the ultimate default
209           is "none".
210
211           Format: string
212
213       multi-connect
214           Specifies whether the profile can be active multiple times at a
215           particular moment. The value is of type NMConnectionMultiConnect.
216
217           Format: int32
218
219       permissions
220           An array of strings defining what access a given user has to this
221           connection. If this is NULL or empty, all users are allowed to
222           access this connection; otherwise users are allowed if and only if
223           they are in this list. When this is not empty, the connection can
224           be active only when one of the specified users is logged into an
225           active session. Each entry is of the form "[type]:[id]:[reserved]";
226           for example, "user:dcbw:blah". At this time only the "user" [type]
227           is allowed. Any other values are ignored and reserved for future
228           use. [id] is the username that this permission refers to, which may
229           not contain the ":" character. Any [reserved] information present
230           must be ignored and is reserved for future use. All of [type],
231           [id], and [reserved] must be valid UTF-8.
232
233           Format: array of string
234
235       read-only
236           FALSE if the connection can be modified using the provided settings
237           service's D-Bus interface with the right privileges, or TRUE if the
238           connection is read-only and cannot be modified.
239
240           Format: boolean
241
242       secondaries
243           List of connection UUIDs that should be activated when the base
244           connection itself is activated. Currently, only VPN connections are
245           supported.
246
247           Format: array of string
248
249       slave-type
250           Alias: slave-type
251
252           Setting name of the device type of this slave's master connection
253           (eg, "bond"), or NULL if this connection is not a slave.
254
255           Format: string
256
257       stable-id
258           This represents the identity of the connection used for various
259           purposes. It allows to configure multiple profiles to share the
260           identity. Also, the stable-id can contain placeholders that are
261           substituted dynamically and deterministically depending on the
262           context. The stable-id is used for generating IPv6 stable private
263           addresses with ipv6.addr-gen-mode=stable-privacy. It is also used
264           to seed the generated cloned MAC address for
265           ethernet.cloned-mac-address=stable and
266           wifi.cloned-mac-address=stable. It is also used as DHCP client
267           identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
268           DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid]. Note that depending
269           on the context where it is used, other parameters are also seeded
270           into the generation algorithm. For example, a per-host key is
271           commonly also included, so that different systems end up generating
272           different IDs. Or with ipv6.addr-gen-mode=stable-privacy, also the
273           device's name is included, so that different interfaces yield
274           different addresses. The per-host key is the identity of your
275           machine and stored in /var/lib/NetworkManager/secret_key. See
276           NetworkManager(8) manual about the secret-key and the host
277           identity. The '$' character is treated special to perform dynamic
278           substitutions at runtime. Currently, supported are "${CONNECTION}",
279           "${DEVICE}", "${MAC}", "${BOOT}", "${RANDOM}". These effectively
280           create unique IDs per-connection, per-device, per-boot, or every
281           time. Note that "${DEVICE}" corresponds to the interface name of
282           the device and "${MAC}" is the permanent MAC address of the device.
283           Any unrecognized patterns following '$' are treated verbatim,
284           however are reserved for future use. You are thus advised to avoid
285           '$' or escape it as "$$". For example, set it to
286           "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
287           connection that changes with every reboot and differs depending on
288           the interface where the profile activates. If the value is unset, a
289           global connection default is consulted. If the value is still
290           unset, the default is similar to "${CONNECTION}" and uses a unique,
291           fixed ID for the connection.
292
293           Format: string
294
295       timestamp
296           The time, in seconds since the Unix Epoch, that the connection was
297           last _successfully_ fully activated. NetworkManager updates the
298           connection timestamp periodically when the connection is active to
299           ensure that an active connection has the latest timestamp. The
300           property is only meant for reading (changes to this property will
301           not be preserved).
302
303           Format: uint64
304
305       type
306           Alias: type
307
308           Base type of the connection. For hardware-dependent connections,
309           should contain the setting name of the hardware-type specific
310           setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth",
311           etc), and for non-hardware dependent connections like VPN or
312           otherwise, should contain the setting name of that setting type
313           (ie, "vpn" or "bridge", etc).
314
315           Format: string
316
317       uuid
318           A universally unique identifier for the connection, for example
319           generated with libuuid. It should be assigned when the connection
320           is created, and never changed as long as the connection still
321           applies to the same network. For example, it should not be changed
322           when the "id" property or NMSettingIP4Config changes, but might
323           need to be re-created when the Wi-Fi SSID, mobile broadband network
324           provider, or "type" property changes. The UUID must be in the
325           format "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only
326           hexadecimal characters and "-").
327
328           Format: string
329
330       wait-device-timeout
331           Timeout in milliseconds to wait for device at startup. During boot,
332           devices may take a while to be detected by the driver. This
333           property will cause to delay NetworkManager-wait-online.service and
334           nm-online to give the device a chance to appear. This works by
335           waiting for the given timeout until a compatible device for the
336           profile is available and managed. The value 0 means no wait time.
337           The default value is -1, which currently has the same meaning as no
338           wait time.
339
340           Format: int32
341
342       zone
343           The trust level of a the connection. Free form case-insensitive
344           string (for example "Home", "Work", "Public"). NULL or unspecified
345           zone means the connection will be placed in the default zone as
346           defined by the firewall. When updating this property on a currently
347           activated connection, the change takes effect immediately.
348
349           Format: string
350
351   6lowpan setting
352       6LoWPAN Settings.
353
354       Properties:
355
356       parent
357           Alias: dev
358
359           If given, specifies the parent interface name or parent connection
360           UUID from which this 6LowPAN interface should be created.
361
362           Format: string
363
364   802-1x setting
365       IEEE 802.1x Authentication Settings.
366
367       Properties:
368
369       altsubject-matches
370           List of strings to be matched against the altSubjectName of the
371           certificate presented by the authentication server. If the list is
372           empty, no verification of the server certificate's altSubjectName
373           is performed.
374
375           Format: array of string
376
377       anonymous-identity
378           Anonymous identity string for EAP authentication methods. Used as
379           the unencrypted identity with EAP types that support different
380           tunneled identity like EAP-TTLS.
381
382           Format: string
383
384       auth-timeout
385           A timeout for the authentication. Zero means the global default; if
386           the global default is not set, the authentication timeout is 25
387           seconds.
388
389           Format: int32
390
391       ca-cert
392           Contains the CA certificate if used by the EAP method specified in
393           the "eap" property. Certificate data is specified using a "scheme";
394           three are currently supported: blob, path and pkcs#11 URL. When
395           using the blob scheme this property should be set to the
396           certificate's DER encoded data. When using the path scheme, this
397           property should be set to the full UTF-8 encoded path of the
398           certificate, prefixed with the string "file://" and ending with a
399           terminating NUL byte. This property can be unset even if the EAP
400           method supports CA certificates, but this allows man-in-the-middle
401           attacks and is NOT recommended. Note that enabling
402           NMSetting8021x:system-ca-certs will override this setting to use
403           the built-in path, if the built-in path is not a directory.
404
405           Format: byte array
406
407       ca-cert-password
408           The password used to access the CA certificate stored in "ca-cert"
409           property. Only makes sense if the certificate is stored on a
410           PKCS#11 token that requires a login.
411
412           Format: string
413
414       ca-cert-password-flags
415           Flags indicating how to handle the "ca-cert-password" property. See
416           the section called “Secret flag types:” for flag values.
417
418           Format: NMSettingSecretFlags (uint32)
419
420       ca-path
421           UTF-8 encoded path to a directory containing PEM or DER formatted
422           certificates to be added to the verification chain in addition to
423           the certificate specified in the "ca-cert" property. If
424           NMSetting8021x:system-ca-certs is enabled and the built-in CA path
425           is an existing directory, then this setting is ignored.
426
427           Format: string
428
429       client-cert
430           Contains the client certificate if used by the EAP method specified
431           in the "eap" property. Certificate data is specified using a
432           "scheme"; two are currently supported: blob and path. When using
433           the blob scheme (which is backwards compatible with NM 0.7.x) this
434           property should be set to the certificate's DER encoded data. When
435           using the path scheme, this property should be set to the full
436           UTF-8 encoded path of the certificate, prefixed with the string
437           "file://" and ending with a terminating NUL byte.
438
439           Format: byte array
440
441       client-cert-password
442           The password used to access the client certificate stored in
443           "client-cert" property. Only makes sense if the certificate is
444           stored on a PKCS#11 token that requires a login.
445
446           Format: string
447
448       client-cert-password-flags
449           Flags indicating how to handle the "client-cert-password" property.
450           See the section called “Secret flag types:” for flag values.
451
452           Format: NMSettingSecretFlags (uint32)
453
454       domain-match
455           Constraint for server domain name. If set, this list of FQDNs is
456           used as a match requirement for dNSName element(s) of the
457           certificate presented by the authentication server. If a matching
458           dNSName is found, this constraint is met. If no dNSName values are
459           present, this constraint is matched against SubjectName CN using
460           the same comparison. Multiple valid FQDNs can be passed as a ";"
461           delimited list.
462
463           Format: string
464
465       domain-suffix-match
466           Constraint for server domain name. If set, this FQDN is used as a
467           suffix match requirement for dNSName element(s) of the certificate
468           presented by the authentication server. If a matching dNSName is
469           found, this constraint is met. If no dNSName values are present,
470           this constraint is matched against SubjectName CN using same suffix
471           match comparison. Since version 1.24, multiple valid FQDNs can be
472           passed as a ";" delimited list.
473
474           Format: string
475
476       eap
477           The allowed EAP method to be used when authenticating to the
478           network with 802.1x. Valid methods are: "leap", "md5", "tls",
479           "peap", "ttls", "pwd", and "fast". Each method requires different
480           configuration using the properties of this setting; refer to
481           wpa_supplicant documentation for the allowed combinations.
482
483           Format: array of string
484
485       identity
486           Identity string for EAP authentication methods. Often the user's
487           user or login name.
488
489           Format: string
490
491       optional
492           Whether the 802.1X authentication is optional. If TRUE, the
493           activation will continue even after a timeout or an authentication
494           failure. Setting the property to TRUE is currently allowed only for
495           Ethernet connections. If set to FALSE, the activation can continue
496           only after a successful authentication.
497
498           Format: boolean
499
500       pac-file
501           UTF-8 encoded file path containing PAC for EAP-FAST.
502
503           Format: string
504
505       password
506           UTF-8 encoded password used for EAP authentication methods. If both
507           the "password" property and the "password-raw" property are
508           specified, "password" is preferred.
509
510           Format: string
511
512       password-flags
513           Flags indicating how to handle the "password" property. See the
514           section called “Secret flag types:” for flag values.
515
516           Format: NMSettingSecretFlags (uint32)
517
518       password-raw
519           Password used for EAP authentication methods, given as a byte array
520           to allow passwords in other encodings than UTF-8 to be used. If
521           both the "password" property and the "password-raw" property are
522           specified, "password" is preferred.
523
524           Format: byte array
525
526       password-raw-flags
527           Flags indicating how to handle the "password-raw" property. See the
528           section called “Secret flag types:” for flag values.
529
530           Format: NMSettingSecretFlags (uint32)
531
532       phase1-auth-flags
533           Specifies authentication flags to use in "phase 1" outer
534           authentication using NMSetting8021xAuthFlags options. The
535           individual TLS versions can be explicitly disabled. If a certain
536           TLS disable flag is not set, it is up to the supplicant to allow or
537           forbid it. The TLS options map to tls_disable_tlsv1_x settings. See
538           the wpa_supplicant documentation for more details.
539
540           Format: uint32
541
542       phase1-fast-provisioning
543           Enables or disables in-line provisioning of EAP-FAST credentials
544           when FAST is specified as the EAP method in the "eap" property.
545           Recognized values are "0" (disabled), "1" (allow unauthenticated
546           provisioning), "2" (allow authenticated provisioning), and "3"
547           (allow both authenticated and unauthenticated provisioning). See
548           the wpa_supplicant documentation for more details.
549
550           Format: string
551
552       phase1-peaplabel
553           Forces use of the new PEAP label during key derivation. Some RADIUS
554           servers may require forcing the new PEAP label to interoperate with
555           PEAPv1. Set to "1" to force use of the new PEAP label. See the
556           wpa_supplicant documentation for more details.
557
558           Format: string
559
560       phase1-peapver
561           Forces which PEAP version is used when PEAP is set as the EAP
562           method in the "eap" property. When unset, the version reported by
563           the server will be used. Sometimes when using older RADIUS servers,
564           it is necessary to force the client to use a particular PEAP
565           version. To do so, this property may be set to "0" or "1" to force
566           that specific PEAP version.
567
568           Format: string
569
570       phase2-altsubject-matches
571           List of strings to be matched against the altSubjectName of the
572           certificate presented by the authentication server during the inner
573           "phase 2" authentication. If the list is empty, no verification of
574           the server certificate's altSubjectName is performed.
575
576           Format: array of string
577
578       phase2-auth
579           Specifies the allowed "phase 2" inner authentication method when an
580           EAP method that uses an inner TLS tunnel is specified in the "eap"
581           property. For TTLS this property selects one of the supported
582           non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while
583           "phase2-autheap" selects an EAP inner method. For PEAP this selects
584           an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each
585           "phase 2" inner method requires specific parameters for successful
586           authentication; see the wpa_supplicant documentation for more
587           details. Both "phase2-auth" and "phase2-autheap" cannot be
588           specified.
589
590           Format: string
591
592       phase2-autheap
593           Specifies the allowed "phase 2" inner EAP-based authentication
594           method when TTLS is specified in the "eap" property. Recognized
595           EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc",
596           and "tls". Each "phase 2" inner method requires specific parameters
597           for successful authentication; see the wpa_supplicant documentation
598           for more details.
599
600           Format: string
601
602       phase2-ca-cert
603           Contains the "phase 2" CA certificate if used by the EAP method
604           specified in the "phase2-auth" or "phase2-autheap" properties.
605           Certificate data is specified using a "scheme"; three are currently
606           supported: blob, path and pkcs#11 URL. When using the blob scheme
607           this property should be set to the certificate's DER encoded data.
608           When using the path scheme, this property should be set to the full
609           UTF-8 encoded path of the certificate, prefixed with the string
610           "file://" and ending with a terminating NUL byte. This property can
611           be unset even if the EAP method supports CA certificates, but this
612           allows man-in-the-middle attacks and is NOT recommended. Note that
613           enabling NMSetting8021x:system-ca-certs will override this setting
614           to use the built-in path, if the built-in path is not a directory.
615
616           Format: byte array
617
618       phase2-ca-cert-password
619           The password used to access the "phase2" CA certificate stored in
620           "phase2-ca-cert" property. Only makes sense if the certificate is
621           stored on a PKCS#11 token that requires a login.
622
623           Format: string
624
625       phase2-ca-cert-password-flags
626           Flags indicating how to handle the "phase2-ca-cert-password"
627           property. See the section called “Secret flag types:” for flag
628           values.
629
630           Format: NMSettingSecretFlags (uint32)
631
632       phase2-ca-path
633           UTF-8 encoded path to a directory containing PEM or DER formatted
634           certificates to be added to the verification chain in addition to
635           the certificate specified in the "phase2-ca-cert" property. If
636           NMSetting8021x:system-ca-certs is enabled and the built-in CA path
637           is an existing directory, then this setting is ignored.
638
639           Format: string
640
641       phase2-client-cert
642           Contains the "phase 2" client certificate if used by the EAP method
643           specified in the "phase2-auth" or "phase2-autheap" properties.
644           Certificate data is specified using a "scheme"; two are currently
645           supported: blob and path. When using the blob scheme (which is
646           backwards compatible with NM 0.7.x) this property should be set to
647           the certificate's DER encoded data. When using the path scheme,
648           this property should be set to the full UTF-8 encoded path of the
649           certificate, prefixed with the string "file://" and ending with a
650           terminating NUL byte. This property can be unset even if the EAP
651           method supports CA certificates, but this allows man-in-the-middle
652           attacks and is NOT recommended.
653
654           Format: byte array
655
656       phase2-client-cert-password
657           The password used to access the "phase2" client certificate stored
658           in "phase2-client-cert" property. Only makes sense if the
659           certificate is stored on a PKCS#11 token that requires a login.
660
661           Format: string
662
663       phase2-client-cert-password-flags
664           Flags indicating how to handle the "phase2-client-cert-password"
665           property. See the section called “Secret flag types:” for flag
666           values.
667
668           Format: NMSettingSecretFlags (uint32)
669
670       phase2-domain-match
671           Constraint for server domain name. If set, this list of FQDNs is
672           used as a match requirement for dNSName element(s) of the
673           certificate presented by the authentication server during the inner
674           "phase 2" authentication. If a matching dNSName is found, this
675           constraint is met. If no dNSName values are present, this
676           constraint is matched against SubjectName CN using the same
677           comparison. Multiple valid FQDNs can be passed as a ";" delimited
678           list.
679
680           Format: string
681
682       phase2-domain-suffix-match
683           Constraint for server domain name. If set, this FQDN is used as a
684           suffix match requirement for dNSName element(s) of the certificate
685           presented by the authentication server during the inner "phase 2"
686           authentication. If a matching dNSName is found, this constraint is
687           met. If no dNSName values are present, this constraint is matched
688           against SubjectName CN using same suffix match comparison. Since
689           version 1.24, multiple valid FQDNs can be passed as a ";" delimited
690           list.
691
692           Format: string
693
694       phase2-private-key
695           Contains the "phase 2" inner private key when the "phase2-auth" or
696           "phase2-autheap" property is set to "tls". Key data is specified
697           using a "scheme"; two are currently supported: blob and path. When
698           using the blob scheme and private keys, this property should be set
699           to the key's encrypted PEM encoded data. When using private keys
700           with the path scheme, this property should be set to the full UTF-8
701           encoded path of the key, prefixed with the string "file://" and
702           ending with a terminating NUL byte. When using PKCS#12 format
703           private keys and the blob scheme, this property should be set to
704           the PKCS#12 data and the "phase2-private-key-password" property
705           must be set to password used to decrypt the PKCS#12 certificate and
706           key. When using PKCS#12 files and the path scheme, this property
707           should be set to the full UTF-8 encoded path of the key, prefixed
708           with the string "file://" and ending with a terminating NUL byte,
709           and as with the blob scheme the "phase2-private-key-password"
710           property must be set to the password used to decode the PKCS#12
711           private key and certificate.
712
713           Format: byte array
714
715       phase2-private-key-password
716           The password used to decrypt the "phase 2" private key specified in
717           the "phase2-private-key" property when the private key either uses
718           the path scheme, or is a PKCS#12 format key.
719
720           Format: string
721
722       phase2-private-key-password-flags
723           Flags indicating how to handle the "phase2-private-key-password"
724           property. See the section called “Secret flag types:” for flag
725           values.
726
727           Format: NMSettingSecretFlags (uint32)
728
729       phase2-subject-match
730           Substring to be matched against the subject of the certificate
731           presented by the authentication server during the inner "phase 2"
732           authentication. When unset, no verification of the authentication
733           server certificate's subject is performed. This property provides
734           little security, if any, and its use is deprecated in favor of
735           NMSetting8021x:phase2-domain-suffix-match.
736
737           Format: string
738
739       pin
740           PIN used for EAP authentication methods.
741
742           Format: string
743
744       pin-flags
745           Flags indicating how to handle the "pin" property. See the section
746           called “Secret flag types:” for flag values.
747
748           Format: NMSettingSecretFlags (uint32)
749
750       private-key
751           Contains the private key when the "eap" property is set to "tls".
752           Key data is specified using a "scheme"; two are currently
753           supported: blob and path. When using the blob scheme and private
754           keys, this property should be set to the key's encrypted PEM
755           encoded data. When using private keys with the path scheme, this
756           property should be set to the full UTF-8 encoded path of the key,
757           prefixed with the string "file://" and ending with a terminating
758           NUL byte. When using PKCS#12 format private keys and the blob
759           scheme, this property should be set to the PKCS#12 data and the
760           "private-key-password" property must be set to password used to
761           decrypt the PKCS#12 certificate and key. When using PKCS#12 files
762           and the path scheme, this property should be set to the full UTF-8
763           encoded path of the key, prefixed with the string "file://" and
764           ending with a terminating NUL byte, and as with the blob scheme the
765           "private-key-password" property must be set to the password used to
766           decode the PKCS#12 private key and certificate. WARNING:
767           "private-key" is not a "secret" property, and thus unencrypted
768           private key data using the BLOB scheme may be readable by
769           unprivileged users. Private keys should always be encrypted with a
770           private key password to prevent unauthorized access to unencrypted
771           private key data.
772
773           Format: byte array
774
775       private-key-password
776           The password used to decrypt the private key specified in the
777           "private-key" property when the private key either uses the path
778           scheme, or if the private key is a PKCS#12 format key.
779
780           Format: string
781
782       private-key-password-flags
783           Flags indicating how to handle the "private-key-password" property.
784           See the section called “Secret flag types:” for flag values.
785
786           Format: NMSettingSecretFlags (uint32)
787
788       subject-match
789           Substring to be matched against the subject of the certificate
790           presented by the authentication server. When unset, no verification
791           of the authentication server certificate's subject is performed.
792           This property provides little security, if any, and its use is
793           deprecated in favor of NMSetting8021x:domain-suffix-match.
794
795           Format: string
796
797       system-ca-certs
798           When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
799           using the system CA directory specified at configure time with the
800           --system-ca-path switch. The certificates in this directory are
801           added to the verification chain in addition to any certificates
802           specified by the "ca-cert" and "phase2-ca-cert" properties. If the
803           path provided with --system-ca-path is rather a file name (bundle
804           of trusted CA certificates), it overrides "ca-cert" and
805           "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
806           for wpa_supplicant).
807
808           Format: boolean
809
810   adsl setting
811       ADSL Settings.
812
813       Properties:
814
815       encapsulation
816           Alias: encapsulation
817
818           Encapsulation of ADSL connection. Can be "vcmux" or "llc".
819
820           Format: string
821
822       password
823           Alias: password
824
825           Password used to authenticate with the ADSL service.
826
827           Format: string
828
829       password-flags
830           Flags indicating how to handle the "password" property. See the
831           section called “Secret flag types:” for flag values.
832
833           Format: NMSettingSecretFlags (uint32)
834
835       protocol
836           Alias: protocol
837
838           ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
839
840           Format: string
841
842       username
843           Alias: username
844
845           Username used to authenticate with the ADSL service.
846
847           Format: string
848
849       vci
850           VCI of ADSL connection
851
852           Format: uint32
853
854       vpi
855           VPI of ADSL connection
856
857           Format: uint32
858
859   bluetooth setting
860       Bluetooth Settings.
861
862       Properties:
863
864       bdaddr
865           Alias: addr
866
867           The Bluetooth address of the device.
868
869           Format: byte array
870
871       type
872           Alias: bt-type
873
874           Either "dun" for Dial-Up Networking connections or "panu" for
875           Personal Area Networking connections to devices supporting the NAP
876           profile.
877
878           Format: string
879
880   bond setting
881       Bonding Settings.
882
883       Properties:
884
885       options
886           Dictionary of key/value pairs of bonding options. Both keys and
887           values must be strings. Option names must contain only alphanumeric
888           characters (ie, [a-zA-Z0-9]).
889
890           Format: dict of string to string
891
892   bridge setting
893       Bridging Settings.
894
895       Properties:
896
897       ageing-time
898           Alias: ageing-time
899
900           The Ethernet MAC address aging time, in seconds.
901
902           Format: uint32
903
904       forward-delay
905           Alias: forward-delay
906
907           The Spanning Tree Protocol (STP) forwarding delay, in seconds.
908
909           Format: uint32
910
911       group-address
912           If specified, The MAC address of the multicast group this bridge
913           uses for STP. The address must be a link-local address in standard
914           Ethernet MAC address format, ie an address of the form
915           01:80:C2:00:00:0X, with X in [0, 4..F]. If not specified the
916           default value is 01:80:C2:00:00:00.
917
918           Format: byte array
919
920       group-forward-mask
921           Alias: group-forward-mask
922
923           A mask of group addresses to forward. Usually, group addresses in
924           the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
925           forwarded according to standards. This property is a mask of 16
926           bits, each corresponding to a group address in that range that must
927           be forwarded. The mask can't have bits 0, 1 or 2 set because they
928           are used for STP, MAC pause frames and LACP.
929
930           Format: uint32
931
932       hello-time
933           Alias: hello-time
934
935           The Spanning Tree Protocol (STP) hello time, in seconds.
936
937           Format: uint32
938
939       mac-address
940           Alias: mac
941
942           If specified, the MAC address of bridge. When creating a new
943           bridge, this MAC address will be set. If this field is left
944           unspecified, the "ethernet.cloned-mac-address" is referred instead
945           to generate the initial MAC address. Note that setting
946           "ethernet.cloned-mac-address" anyway overwrites the MAC address of
947           the bridge later while activating the bridge. Hence, this property
948           is deprecated. Deprecated: 1
949
950           Format: byte array
951
952       max-age
953           Alias: max-age
954
955           The Spanning Tree Protocol (STP) maximum message age, in seconds.
956
957           Format: uint32
958
959       multicast-hash-max
960           Set maximum size of multicast hash table (value must be a power of
961           2).
962
963           Format: uint32
964
965       multicast-last-member-count
966           Set the number of queries the bridge will send before stopping
967           forwarding a multicast group after a "leave" message has been
968           received.
969
970           Format: uint32
971
972       multicast-last-member-interval
973           Set interval (in deciseconds) between queries to find remaining
974           members of a group, after a "leave" message is received.
975
976           Format: uint64
977
978       multicast-membership-interval
979           Set delay (in deciseconds) after which the bridge will leave a
980           group, if no membership reports for this group are received.
981
982           Format: uint64
983
984       multicast-querier
985           Enable or disable sending of multicast queries by the bridge. If
986           not specified the option is disabled.
987
988           Format: boolean
989
990       multicast-querier-interval
991           If no queries are seen after this delay (in deciseconds) has
992           passed, the bridge will start to send its own queries.
993
994           Format: uint64
995
996       multicast-query-interval
997           Interval (in deciseconds) between queries sent by the bridge after
998           the end of the startup phase.
999
1000           Format: uint64
1001
1002       multicast-query-response-interval
1003           Set the Max Response Time/Max Response Delay (in deciseconds) for
1004           IGMP/MLD queries sent by the bridge.
1005
1006           Format: uint64
1007
1008       multicast-query-use-ifaddr
1009           If enabled the bridge's own IP address is used as the source
1010           address for IGMP queries otherwise the default of 0.0.0.0 is used.
1011
1012           Format: boolean
1013
1014       multicast-router
1015           Sets bridge's multicast router. Multicast-snooping must be enabled
1016           for this option to work. Supported values are: 'auto', 'disabled',
1017           'enabled' to which kernel assigns the numbers 1, 0, and 2,
1018           respectively. If not specified the default value is 'auto' (1).
1019
1020           Format: string
1021
1022       multicast-snooping
1023           Alias: multicast-snooping
1024
1025           Controls whether IGMP snooping is enabled for this bridge. Note
1026           that if snooping was automatically disabled due to hash collisions,
1027           the system may refuse to enable the feature until the collisions
1028           are resolved.
1029
1030           Format: boolean
1031
1032       multicast-startup-query-count
1033           Set the number of IGMP queries to send during startup phase.
1034
1035           Format: uint32
1036
1037       multicast-startup-query-interval
1038           Sets the time (in deciseconds) between queries sent out at startup
1039           to determine membership information.
1040
1041           Format: uint64
1042
1043       priority
1044           Alias: priority
1045
1046           Sets the Spanning Tree Protocol (STP) priority for this bridge.
1047           Lower values are "better"; the lowest priority bridge will be
1048           elected the root bridge.
1049
1050           Format: uint32
1051
1052       stp
1053           Alias: stp
1054
1055           Controls whether Spanning Tree Protocol (STP) is enabled for this
1056           bridge.
1057
1058           Format: boolean
1059
1060       vlan-default-pvid
1061           The default PVID for the ports of the bridge, that is the VLAN id
1062           assigned to incoming untagged frames.
1063
1064           Format: uint32
1065
1066       vlan-filtering
1067           Control whether VLAN filtering is enabled on the bridge.
1068
1069           Format: boolean
1070
1071       vlan-protocol
1072           If specified, the protocol used for VLAN filtering. Supported
1073           values are: '802.1Q', '802.1ad'. If not specified the default value
1074           is '802.1Q'.
1075
1076           Format: string
1077
1078       vlan-stats-enabled
1079           Controls whether per-VLAN stats accounting is enabled.
1080
1081           Format: boolean
1082
1083       vlans
1084           Array of bridge VLAN objects. In addition to the VLANs specified
1085           here, the bridge will also have the default-pvid VLAN configured by
1086           the bridge.vlan-default-pvid property. In nmcli the VLAN list can
1087           be specified with the following syntax: $vid [pvid] [untagged] [,
1088           $vid [pvid] [untagged]]... where $vid is either a single id between
1089           1 and 4094 or a range, represented as a couple of ids separated by
1090           a dash.
1091
1092           Format: array of vardict
1093
1094   bridge-port setting
1095       Bridge Port Settings.
1096
1097       Properties:
1098
1099       hairpin-mode
1100           Alias: hairpin
1101
1102           Enables or disables "hairpin mode" for the port, which allows
1103           frames to be sent back out through the port the frame was received
1104           on.
1105
1106           Format: boolean
1107
1108       path-cost
1109           Alias: path-cost
1110
1111           The Spanning Tree Protocol (STP) port cost for destinations via
1112           this port.
1113
1114           Format: uint32
1115
1116       priority
1117           Alias: priority
1118
1119           The Spanning Tree Protocol (STP) priority of this bridge port.
1120
1121           Format: uint32
1122
1123       vlans
1124           Array of bridge VLAN objects. In addition to the VLANs specified
1125           here, the port will also have the default-pvid VLAN configured on
1126           the bridge by the bridge.vlan-default-pvid property. In nmcli the
1127           VLAN list can be specified with the following syntax: $vid [pvid]
1128           [untagged] [, $vid [pvid] [untagged]]... where $vid is either a
1129           single id between 1 and 4094 or a range, represented as a couple of
1130           ids separated by a dash.
1131
1132           Format: array of vardict
1133
1134   cdma setting
1135       CDMA-based Mobile Broadband Settings.
1136
1137       Properties:
1138
1139       mtu
1140           If non-zero, only transmit packets of the specified size or
1141           smaller, breaking larger packets up into multiple frames.
1142
1143           Format: uint32
1144
1145       number
1146           The number to dial to establish the connection to the CDMA-based
1147           mobile broadband network, if any. If not specified, the default
1148           number (#777) is used when required.
1149
1150           Format: string
1151
1152       password
1153           Alias: password
1154
1155           The password used to authenticate with the network, if required.
1156           Many providers do not require a password, or accept any password.
1157           But if a password is required, it is specified here.
1158
1159           Format: string
1160
1161       password-flags
1162           Flags indicating how to handle the "password" property. See the
1163           section called “Secret flag types:” for flag values.
1164
1165           Format: NMSettingSecretFlags (uint32)
1166
1167       username
1168           Alias: user
1169
1170           The username used to authenticate with the network, if required.
1171           Many providers do not require a username, or accept any username.
1172           But if a username is required, it is specified here.
1173
1174           Format: string
1175
1176   dcb setting
1177       Data Center Bridging Settings.
1178
1179       Properties:
1180
1181       app-fcoe-flags
1182           Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1183           may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1184           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1185           NM_SETTING_DCB_FLAG_WILLING (0x4).
1186
1187           Format: NMSettingDcbFlags (uint32)
1188
1189       app-fcoe-mode
1190           The FCoE controller mode; either "fabric" or "vn2vn". Since 1.34,
1191           NULL is the default and means "fabric". Before 1.34, NULL was
1192           rejected as invalid and the default was "fabric".
1193
1194           Format: string
1195
1196       app-fcoe-priority
1197           The highest User Priority (0 - 7) which FCoE frames should use, or
1198           -1 for default priority. Only used when the "app-fcoe-flags"
1199           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1200
1201           Format: int32
1202
1203       app-fip-flags
1204           Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1205           may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1206           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1207           NM_SETTING_DCB_FLAG_WILLING (0x4).
1208
1209           Format: NMSettingDcbFlags (uint32)
1210
1211       app-fip-priority
1212           The highest User Priority (0 - 7) which FIP frames should use, or
1213           -1 for default priority. Only used when the "app-fip-flags"
1214           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1215
1216           Format: int32
1217
1218       app-iscsi-flags
1219           Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1220           Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1221           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1222           NM_SETTING_DCB_FLAG_WILLING (0x4).
1223
1224           Format: NMSettingDcbFlags (uint32)
1225
1226       app-iscsi-priority
1227           The highest User Priority (0 - 7) which iSCSI frames should use, or
1228           -1 for default priority. Only used when the "app-iscsi-flags"
1229           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1230
1231           Format: int32
1232
1233       priority-bandwidth
1234           An array of 8 uint values, where the array index corresponds to the
1235           User Priority (0 - 7) and the value indicates the percentage of
1236           bandwidth of the priority's assigned group that the priority may
1237           use. The sum of all percentages for priorities which belong to the
1238           same group must total 100 percents.
1239
1240           Format: array of uint32
1241
1242       priority-flow-control
1243           An array of 8 boolean values, where the array index corresponds to
1244           the User Priority (0 - 7) and the value indicates whether or not
1245           the corresponding priority should transmit priority pause.
1246
1247           Format: array of uint32
1248
1249       priority-flow-control-flags
1250           Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1251           (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1252           (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1253           NM_SETTING_DCB_FLAG_WILLING (0x4).
1254
1255           Format: NMSettingDcbFlags (uint32)
1256
1257       priority-group-bandwidth
1258           An array of 8 uint values, where the array index corresponds to the
1259           Priority Group ID (0 - 7) and the value indicates the percentage of
1260           link bandwidth allocated to that group. Allowed values are 0 - 100,
1261           and the sum of all values must total 100 percents.
1262
1263           Format: array of uint32
1264
1265       priority-group-flags
1266           Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1267           be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1268           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1269           NM_SETTING_DCB_FLAG_WILLING (0x4).
1270
1271           Format: NMSettingDcbFlags (uint32)
1272
1273       priority-group-id
1274           An array of 8 uint values, where the array index corresponds to the
1275           User Priority (0 - 7) and the value indicates the Priority Group
1276           ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1277           unrestricted group.
1278
1279           Format: array of uint32
1280
1281       priority-strict-bandwidth
1282           An array of 8 boolean values, where the array index corresponds to
1283           the User Priority (0 - 7) and the value indicates whether or not
1284           the priority may use all of the bandwidth allocated to its assigned
1285           group.
1286
1287           Format: array of uint32
1288
1289       priority-traffic-class
1290           An array of 8 uint values, where the array index corresponds to the
1291           User Priority (0 - 7) and the value indicates the traffic class (0
1292           - 7) to which the priority is mapped.
1293
1294           Format: array of uint32
1295
1296   ethtool setting
1297       Ethtool Ethernet Settings.
1298
1299       Properties:
1300
1301       coalesce-adaptive-rx
1302
1303       coalesce-adaptive-tx
1304
1305       coalesce-pkt-rate-high
1306
1307       coalesce-pkt-rate-low
1308
1309       coalesce-rx-frames
1310
1311       coalesce-rx-frames-high
1312
1313       coalesce-rx-frames-irq
1314
1315       coalesce-rx-frames-low
1316
1317       coalesce-rx-usecs
1318
1319       coalesce-rx-usecs-high
1320
1321       coalesce-rx-usecs-irq
1322
1323       coalesce-rx-usecs-low
1324
1325       coalesce-sample-interval
1326
1327       coalesce-stats-block-usecs
1328
1329       coalesce-tx-frames
1330
1331       coalesce-tx-frames-high
1332
1333       coalesce-tx-frames-irq
1334
1335       coalesce-tx-frames-low
1336
1337       coalesce-tx-usecs
1338
1339       coalesce-tx-usecs-high
1340
1341       coalesce-tx-usecs-irq
1342
1343       coalesce-tx-usecs-low
1344
1345       feature-esp-hw-offload
1346
1347       feature-esp-tx-csum-hw-offload
1348
1349       feature-fcoe-mtu
1350
1351       feature-gro
1352
1353       feature-gso
1354
1355       feature-highdma
1356
1357       feature-hw-tc-offload
1358
1359       feature-l2-fwd-offload
1360
1361       feature-loopback
1362
1363       feature-lro
1364
1365       feature-macsec-hw-offload
1366
1367       feature-ntuple
1368
1369       feature-rx
1370
1371       feature-rx-all
1372
1373       feature-rx-fcs
1374
1375       feature-rx-gro-hw
1376
1377       feature-rx-gro-list
1378
1379       feature-rx-udp-gro-forwarding
1380
1381       feature-rx-udp_tunnel-port-offload
1382
1383       feature-rx-vlan-filter
1384
1385       feature-rx-vlan-stag-filter
1386
1387       feature-rx-vlan-stag-hw-parse
1388
1389       feature-rxhash
1390
1391       feature-rxvlan
1392
1393       feature-sg
1394
1395       feature-tls-hw-record
1396
1397       feature-tls-hw-rx-offload
1398
1399       feature-tls-hw-tx-offload
1400
1401       feature-tso
1402
1403       feature-tx
1404
1405       feature-tx-checksum-fcoe-crc
1406
1407       feature-tx-checksum-ip-generic
1408
1409       feature-tx-checksum-ipv4
1410
1411       feature-tx-checksum-ipv6
1412
1413       feature-tx-checksum-sctp
1414
1415       feature-tx-esp-segmentation
1416
1417       feature-tx-fcoe-segmentation
1418
1419       feature-tx-gre-csum-segmentation
1420
1421       feature-tx-gre-segmentation
1422
1423       feature-tx-gso-list
1424
1425       feature-tx-gso-partial
1426
1427       feature-tx-gso-robust
1428
1429       feature-tx-ipxip4-segmentation
1430
1431       feature-tx-ipxip6-segmentation
1432
1433       feature-tx-nocache-copy
1434
1435       feature-tx-scatter-gather
1436
1437       feature-tx-scatter-gather-fraglist
1438
1439       feature-tx-sctp-segmentation
1440
1441       feature-tx-tcp-ecn-segmentation
1442
1443       feature-tx-tcp-mangleid-segmentation
1444
1445       feature-tx-tcp-segmentation
1446
1447       feature-tx-tcp6-segmentation
1448
1449       feature-tx-tunnel-remcsum-segmentation
1450
1451       feature-tx-udp-segmentation
1452
1453       feature-tx-udp_tnl-csum-segmentation
1454
1455       feature-tx-udp_tnl-segmentation
1456
1457       feature-tx-vlan-stag-hw-insert
1458
1459       feature-txvlan
1460
1461       pause-autoneg
1462           Whether to automatically negotiate on pause frame of flow control
1463           mechanism defined by IEEE 802.3x standard.
1464
1465       pause-rx
1466           Whether RX pause should be enabled. Only valid when automatic
1467           negotiation is disabled
1468
1469       pause-tx
1470           Whether TX pause should be enabled. Only valid when automatic
1471           negotiation is disabled
1472
1473       ring-rx
1474
1475       ring-rx-jumbo
1476
1477       ring-rx-mini
1478
1479       ring-tx
1480
1481   gsm setting
1482       GSM-based Mobile Broadband Settings.
1483
1484       Properties:
1485
1486       apn
1487           Alias: apn
1488
1489           The GPRS Access Point Name specifying the APN used when
1490           establishing a data session with the GSM-based network. The APN
1491           often determines how the user will be billed for their network
1492           usage and whether the user has access to the Internet or just a
1493           provider-specific walled-garden, so it is important to use the
1494           correct APN for the user's mobile broadband plan. The APN may only
1495           be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1496           Section 14.9.
1497
1498           Format: string
1499
1500       auto-config
1501           When TRUE, the settings such as APN, username, or password will
1502           default to values that match the network the modem will register to
1503           in the Mobile Broadband Provider database.
1504
1505           Format: boolean
1506
1507       device-id
1508           The device unique identifier (as given by the WWAN management
1509           service) which this connection applies to. If given, the connection
1510           will only apply to the specified device.
1511
1512           Format: string
1513
1514       home-only
1515           When TRUE, only connections to the home network will be allowed.
1516           Connections to roaming networks will not be made.
1517
1518           Format: boolean
1519
1520       mtu
1521           If non-zero, only transmit packets of the specified size or
1522           smaller, breaking larger packets up into multiple frames.
1523
1524           Format: uint32
1525
1526       network-id
1527           The Network ID (GSM LAI format, ie MCC-MNC) to force specific
1528           network registration. If the Network ID is specified,
1529           NetworkManager will attempt to force the device to register only on
1530           the specified network. This can be used to ensure that the device
1531           does not roam when direct roaming control of the device is not
1532           otherwise possible.
1533
1534           Format: string
1535
1536       number
1537           Legacy setting that used to help establishing PPP data sessions for
1538           GSM-based modems. Deprecated: 1
1539
1540           Format: string
1541
1542       password
1543           Alias: password
1544
1545           The password used to authenticate with the network, if required.
1546           Many providers do not require a password, or accept any password.
1547           But if a password is required, it is specified here.
1548
1549           Format: string
1550
1551       password-flags
1552           Flags indicating how to handle the "password" property. See the
1553           section called “Secret flag types:” for flag values.
1554
1555           Format: NMSettingSecretFlags (uint32)
1556
1557       pin
1558           If the SIM is locked with a PIN it must be unlocked before any
1559           other operations are requested. Specify the PIN here to allow
1560           operation of the device.
1561
1562           Format: string
1563
1564       pin-flags
1565           Flags indicating how to handle the "pin" property. See the section
1566           called “Secret flag types:” for flag values.
1567
1568           Format: NMSettingSecretFlags (uint32)
1569
1570       sim-id
1571           The SIM card unique identifier (as given by the WWAN management
1572           service) which this connection applies to. If given, the connection
1573           will apply to any device also allowed by "device-id" which contains
1574           a SIM card matching the given identifier.
1575
1576           Format: string
1577
1578       sim-operator-id
1579           A MCC/MNC string like "310260" or "21601" identifying the specific
1580           mobile network operator which this connection applies to. If given,
1581           the connection will apply to any device also allowed by "device-id"
1582           and "sim-id" which contains a SIM card provisioned by the given
1583           operator.
1584
1585           Format: string
1586
1587       username
1588           Alias: user
1589
1590           The username used to authenticate with the network, if required.
1591           Many providers do not require a username, or accept any username.
1592           But if a username is required, it is specified here.
1593
1594           Format: string
1595
1596   infiniband setting
1597       Infiniband Settings.
1598
1599       Properties:
1600
1601       mac-address
1602           Alias: mac
1603
1604           If specified, this connection will only apply to the IPoIB device
1605           whose permanent MAC address matches. This property does not change
1606           the MAC address of the device (i.e. MAC spoofing).
1607
1608           Format: byte array
1609
1610       mtu
1611           Alias: mtu
1612
1613           If non-zero, only transmit packets of the specified size or
1614           smaller, breaking larger packets up into multiple frames.
1615
1616           Format: uint32
1617
1618       p-key
1619           Alias: p-key
1620
1621           The InfiniBand P_Key to use for this device. A value of -1 means to
1622           use the default P_Key (aka "the P_Key at index 0"). Otherwise, it
1623           is a 16-bit unsigned integer, whose high bit is set if it is a
1624           "full membership" P_Key.
1625
1626           Format: int32
1627
1628       parent
1629           Alias: parent
1630
1631           The interface name of the parent device of this device. Normally
1632           NULL, but if the "p_key" property is set, then you must specify the
1633           base device by setting either this property or "mac-address".
1634
1635           Format: string
1636
1637       transport-mode
1638           Alias: transport-mode
1639
1640           The IP-over-InfiniBand transport mode. Either "datagram" or
1641           "connected".
1642
1643           Format: string
1644
1645   ipv4 setting
1646       IPv4 Settings.
1647
1648       Properties:
1649
1650       addresses
1651           Alias: ip4
1652
1653           A list of IPv4 addresses and their prefix length. Multiple
1654           addresses can be separated by comma. For example "192.168.1.5/24,
1655           10.1.0.5/24". The addresses are listed in decreasing priority,
1656           meaning the first address will be the primary address.
1657
1658           Format: a comma separated list of addresses
1659
1660       dad-timeout
1661           Timeout in milliseconds used to check for the presence of duplicate
1662           IP addresses on the network. If an address conflict is detected,
1663           the activation will fail. A zero value means that no duplicate
1664           address detection is performed, -1 means the default value (either
1665           configuration ipvx.dad-timeout override or zero). A value greater
1666           than zero is a timeout in milliseconds. The property is currently
1667           implemented only for IPv4.
1668
1669           Format: int32
1670
1671       dhcp-client-id
1672           A string sent to the DHCP server to identify the local machine
1673           which the DHCP server may use to customize the DHCP lease and
1674           options. When the property is a hex string ('aa:bb:cc') it is
1675           interpreted as a binary client ID, in which case the first byte is
1676           assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1677           remaining bytes may be an hardware address (e.g.
1678           '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1679           rest is a MAC address). If the property is not a hex string it is
1680           considered as a non-hardware-address client ID and the 'type' field
1681           is set to 0. The special values "mac" and "perm-mac" are supported,
1682           which use the current or permanent MAC address of the device to
1683           generate a client identifier with type ethernet (01). Currently,
1684           these options only work for ethernet type of links. The special
1685           value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid" property as
1686           an RFC4361-compliant client identifier. As IAID it uses
1687           "ipv4.dhcp-iaid" and falls back to "ipv6.dhcp-iaid" if unset. The
1688           special value "duid" generates a RFC4361-compliant client
1689           identifier based on "ipv4.dhcp-iaid" and uses a DUID generated by
1690           hashing /etc/machine-id. The special value "stable" is supported to
1691           generate a type 0 client identifier based on the stable-id (see
1692           connection.stable-id) and a per-host key. If you set the stable-id,
1693           you may want to include the "${DEVICE}" or "${MAC}" specifier to
1694           get a per-device key. If unset, a globally configured default is
1695           used. If still unset, the default depends on the DHCP plugin.
1696
1697           Format: string
1698
1699       dhcp-fqdn
1700           If the "dhcp-send-hostname" property is TRUE, then the specified
1701           FQDN will be sent to the DHCP server when acquiring a lease. This
1702           property and "dhcp-hostname" are mutually exclusive and cannot be
1703           set at the same time.
1704
1705           Format: string
1706
1707       dhcp-hostname
1708           If the "dhcp-send-hostname" property is TRUE, then the specified
1709           name will be sent to the DHCP server when acquiring a lease. This
1710           property and "dhcp-fqdn" are mutually exclusive and cannot be set
1711           at the same time.
1712
1713           Format: string
1714
1715       dhcp-hostname-flags
1716           Flags for the DHCP hostname and FQDN. Currently, this property only
1717           includes flags to control the FQDN flags set in the DHCP FQDN
1718           option. Supported FQDN flags are
1719           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1720           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1721           NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1722           set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1723           DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1724           is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1725           the standard FQDN flags are set in the request:
1726           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1727           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1728           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
1729           property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
1730           (0x0), a global default is looked up in NetworkManager
1731           configuration. If that value is unset or also
1732           NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1733           described above are sent in the DHCP requests.
1734
1735           Format: uint32
1736
1737       dhcp-iaid
1738           A string containing the "Identity Association Identifier" (IAID)
1739           used by the DHCP client. The property is a 32-bit decimal value or
1740           a special value among "mac", "perm-mac", "ifname" and "stable".
1741           When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1742           (or permanent) MAC address are used as IAID. When set to "ifname",
1743           the IAID is computed by hashing the interface name. The special
1744           value "stable" can be used to generate an IAID based on the
1745           stable-id (see connection.stable-id), a per-host key and the
1746           interface name. When the property is unset, the value from global
1747           configuration is used; if no global default is set then the IAID is
1748           assumed to be "ifname". Note that at the moment this property is
1749           ignored for IPv6 by dhclient, which always derives the IAID from
1750           the MAC address.
1751
1752           Format: string
1753
1754       dhcp-reject-servers
1755           Array of servers from which DHCP offers must be rejected. This
1756           property is useful to avoid getting a lease from misconfigured or
1757           rogue servers. For DHCPv4, each element must be an IPv4 address,
1758           optionally followed by a slash and a prefix length (e.g.
1759           "192.168.122.0/24"). This property is currently not implemented for
1760           DHCPv6.
1761
1762           Format: array of string
1763
1764       dhcp-send-hostname
1765           If TRUE, a hostname is sent to the DHCP server when acquiring a
1766           lease. Some DHCP servers use this hostname to update DNS databases,
1767           essentially providing a static hostname for the computer. If the
1768           "dhcp-hostname" property is NULL and this property is TRUE, the
1769           current persistent hostname of the computer is sent.
1770
1771           Format: boolean
1772
1773       dhcp-timeout
1774           A timeout for a DHCP transaction in seconds. If zero (the default),
1775           a globally configured default is used. If still unspecified, a
1776           device specific timeout is used (usually 45 seconds). Set to
1777           2147483647 (MAXINT32) for infinity.
1778
1779           Format: int32
1780
1781       dhcp-vendor-class-identifier
1782           The Vendor Class Identifier DHCP option (60). Special characters in
1783           the data string may be escaped using C-style escapes, nevertheless
1784           this property cannot contain nul bytes. If the per-profile value is
1785           unspecified (the default), a global connection default gets
1786           consulted. If still unspecified, the DHCP option is not sent to the
1787           server. Since 1.28
1788
1789           Format: string
1790
1791       dns
1792           Array of IP addresses of DNS servers.
1793
1794           Format: array of uint32
1795
1796       dns-options
1797           Array of DNS options as described in man 5 resolv.conf. NULL means
1798           that the options are unset and left at the default. In this case
1799           NetworkManager will use default options. This is distinct from an
1800           empty list of properties. The currently supported options are
1801           "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
1802           "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
1803           "no-reload", "no-tld-query", "rotate", "single-request",
1804           "single-request-reopen", "timeout", "trust-ad", "use-vc". The
1805           "trust-ad" setting is only honored if the profile contributes name
1806           servers to resolv.conf, and if all contributing profiles have
1807           "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
1808           systemd-resolved in NetworkManager.conf) then "edns0" and
1809           "trust-ad" are automatically added.
1810
1811           Format: array of string
1812
1813       dns-priority
1814           DNS servers priority. The relative priority for DNS servers
1815           specified by this setting. A lower numerical value is better
1816           (higher priority). Negative values have the special effect of
1817           excluding other configurations with a greater numerical priority
1818           value; so in presence of at least one negative priority, only DNS
1819           servers from connections with the lowest priority value will be
1820           used. To avoid all DNS leaks, set the priority of the profile that
1821           should be used to the most negative value of all active connections
1822           profiles. Zero selects a globally configured default value. If the
1823           latter is missing or zero too, it defaults to 50 for VPNs
1824           (including WireGuard) and 100 for other connections. Note that the
1825           priority is to order DNS settings for multiple active connections.
1826           It does not disambiguate multiple DNS servers within the same
1827           connection profile. When multiple devices have configurations with
1828           the same priority, VPNs will be considered first, then devices with
1829           the best (lowest metric) default route and then all other devices.
1830           When using dns=default, servers with higher priority will be on top
1831           of resolv.conf. To prioritize a given server over another one
1832           within the same connection, just specify them in the desired order.
1833           Note that commonly the resolver tries name servers in
1834           /etc/resolv.conf in the order listed, proceeding with the next
1835           server in the list on failure. See for example the "rotate" option
1836           of the dns-options setting. If there are any negative DNS
1837           priorities, then only name servers from the devices with that
1838           lowest priority will be considered. When using a DNS resolver that
1839           supports Conditional Forwarding or Split DNS (with dns=dnsmasq or
1840           dns=systemd-resolved settings), each connection is used to query
1841           domains in its search list. The search domains determine which name
1842           servers to ask, and the DNS priority is used to prioritize name
1843           servers based on the domain. Queries for domains not present in any
1844           search list are routed through connections having the '~.' special
1845           wildcard domain, which is added automatically to connections with
1846           the default route (or can be added manually). When multiple
1847           connections specify the same domain, the one with the best priority
1848           (lowest numerical value) wins. If a sub domain is configured on
1849           another interface it will be accepted regardless the priority,
1850           unless parent domain on the other interface has a negative
1851           priority, which causes the sub domain to be shadowed. With Split
1852           DNS one can avoid undesired DNS leaks by properly configuring DNS
1853           priorities and the search domains, so that only name servers of the
1854           desired interface are configured.
1855
1856           Format: int32
1857
1858       dns-search
1859           Array of DNS search domains. Domains starting with a tilde ('~')
1860           are considered 'routing' domains and are used only to decide the
1861           interface over which a query must be forwarded; they are not used
1862           to complete unqualified host names. When using a DNS plugin that
1863           supports Conditional Forwarding or Split DNS, then the search
1864           domains specify which name servers to query. This makes the
1865           behavior different from running with plain /etc/resolv.conf. For
1866           more information see also the dns-priority setting.
1867
1868           Format: array of string
1869
1870       gateway
1871           Alias: gw4
1872
1873           The gateway associated with this configuration. This is only
1874           meaningful if "addresses" is also set. The gateway's main purpose
1875           is to control the next hop of the standard default route on the
1876           device. Hence, the gateway property conflicts with "never-default"
1877           and will be automatically dropped if the IP configuration is set to
1878           never-default. As an alternative to set the gateway, configure a
1879           static default route with /0 as prefix length.
1880
1881           Format: string
1882
1883       ignore-auto-dns
1884           When "method" is set to "auto" and this property to TRUE,
1885           automatically configured name servers and search domains are
1886           ignored and only name servers and search domains specified in the
1887           "dns" and "dns-search" properties, if any, are used.
1888
1889           Format: boolean
1890
1891       ignore-auto-routes
1892           When "method" is set to "auto" and this property to TRUE,
1893           automatically configured routes are ignored and only routes
1894           specified in the "routes" property, if any, are used.
1895
1896           Format: boolean
1897
1898       may-fail
1899           If TRUE, allow overall network configuration to proceed even if the
1900           configuration specified by this property times out. Note that at
1901           least one IP configuration must succeed or overall network
1902           configuration will still fail. For example, in IPv6-only networks,
1903           setting this property to TRUE on the NMSettingIP4Config allows the
1904           overall network configuration to succeed if IPv4 configuration
1905           fails but IPv6 configuration completes successfully.
1906
1907           Format: boolean
1908
1909       method
1910           IP configuration method. NMSettingIP4Config and NMSettingIP6Config
1911           both support "disabled", "auto", "manual", and "link-local". See
1912           the subclass-specific documentation for other values. In general,
1913           for the "auto" method, properties such as "dns" and "routes"
1914           specify information that is added on to the information returned
1915           from automatic configuration. The "ignore-auto-routes" and
1916           "ignore-auto-dns" properties modify this behavior. For methods that
1917           imply no upstream network, such as "shared" or "link-local", these
1918           properties must be empty. For IPv4 method "shared", the IP subnet
1919           can be configured by adding one manual IPv4 address or otherwise
1920           10.42.x.0/24 is chosen. Note that the shared method must be
1921           configured on the interface which shares the internet to a subnet,
1922           not on the uplink which is shared.
1923
1924           Format: string
1925
1926       never-default
1927           If TRUE, this connection will never be the default connection for
1928           this IP type, meaning it will never be assigned the default route
1929           by NetworkManager.
1930
1931           Format: boolean
1932
1933       required-timeout
1934           The minimum time interval in milliseconds for which dynamic IP
1935           configuration should be tried before the connection succeeds. This
1936           property is useful for example if both IPv4 and IPv6 are enabled
1937           and are allowed to fail. Normally the connection succeeds as soon
1938           as one of the two address families completes; by setting a required
1939           timeout for e.g. IPv4, one can ensure that even if IP6 succeeds
1940           earlier than IPv4, NetworkManager waits some time for IPv4 before
1941           the connection becomes active. Note that if "may-fail" is FALSE for
1942           the same address family, this property has no effect as
1943           NetworkManager needs to wait for the full DHCP timeout. A zero
1944           value means that no required timeout is present, -1 means the
1945           default value (either configuration ipvx.required-timeout override
1946           or zero).
1947
1948           Format: int32
1949
1950       route-metric
1951           The default metric for routes that don't explicitly specify a
1952           metric. The default value -1 means that the metric is chosen
1953           automatically based on the device type. The metric applies to
1954           dynamic routes, manual (static) routes that don't have an explicit
1955           metric setting, address prefix routes, and the default route. Note
1956           that for IPv6, the kernel accepts zero (0) but coerces it to 1024
1957           (user default). Hence, setting this property to zero effectively
1958           mean setting it to 1024. For IPv4, zero is a regular value for the
1959           metric.
1960
1961           Format: int64
1962
1963       route-table
1964           Enable policy routing (source routing) and set the routing table
1965           used when adding routes. This affects all routes, including
1966           device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
1967           routes. But note that static routes can individually overwrite the
1968           setting by explicitly specifying a non-zero routing table. If the
1969           table setting is left at zero, it is eligible to be overwritten via
1970           global configuration. If the property is zero even after applying
1971           the global configuration value, policy routing is disabled for the
1972           address family of this connection. Policy routing disabled means
1973           that NetworkManager will add all routes to the main table (except
1974           static routes that explicitly configure a different table).
1975           Additionally, NetworkManager will not delete any extraneous routes
1976           from tables except the main table. This is to preserve backward
1977           compatibility for users who manage routing tables outside of
1978           NetworkManager.
1979
1980           Format: uint32
1981
1982       routes
1983           A list of IPv4 destination addresses, prefix length, optional IPv4
1984           next hop addresses, optional route metric, optional attribute. The
1985           valid syntax is: "ip[/prefix] [next-hop] [metric]
1986           [attribute=val]...[,ip[/prefix]...]". For example "192.0.2.0/24
1987           10.1.1.1 77, 198.51.100.0/24".
1988
1989           Various attributes are supported:
1990
1991           •   "cwnd" - an unsigned 32 bit integer.
1992
1993           •   "initcwnd" - an unsigned 32 bit integer.
1994
1995           •   "initrwnd" - an unsigned 32 bit integer.
1996
1997           •   "lock-cwnd" - a boolean value.
1998
1999           •   "lock-initcwnd" - a boolean value.
2000
2001           •   "lock-initrwnd" - a boolean value.
2002
2003           •   "lock-mtu" - a boolean value.
2004
2005           •   "lock-window" - a boolean value.
2006
2007           •   "mtu" - an unsigned 32 bit integer.
2008
2009           •   "onlink" - a boolean value.
2010
2011           •   "scope" - an unsigned 8 bit integer. IPv4 only.
2012
2013           •   "src" - an IPv4 address.
2014
2015           •   "table" - an unsigned 32 bit integer. The default depends on
2016               ipv4.route-table.
2017
2018           •   "tos" - an unsigned 8 bit integer. IPv4 only.
2019
2020           •   "type" - one of unicast, local, blackhole, unavailable,
2021               prohibit, throw. The default is unicast.
2022
2023           •   "window" - an unsigned 32 bit integer.
2024
2025           For details see also `man ip-route`.
2026
2027           Format: a comma separated list of routes
2028
2029       routing-rules
2030           A comma separated list of routing rules for policy routing. The
2031           format is based on ip rule add syntax and mostly compatible. One
2032           difference is that routing rules in NetworkManager always need a
2033           fixed priority.
2034
2035           Example: priority 5 from 192.167.4.0/24 table 45
2036
2037           Format: a comma separated list of routing rules
2038
2039   ipv6 setting
2040       IPv6 Settings.
2041
2042       Properties:
2043
2044       addr-gen-mode
2045           Configure method for creating the address for use with RFC4862 IPv6
2046           Stateless Address Autoconfiguration. The permitted values are:
2047           NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0) or
2048           NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1). If the
2049           property is set to EUI64, the addresses will be generated using the
2050           interface tokens derived from hardware address. This makes the host
2051           part of the address to stay constant, making it possible to track
2052           host's presence when it changes networks. The address changes when
2053           the interface hardware is replaced. The value of stable-privacy
2054           enables use of cryptographically secure hash of a secret
2055           host-specific key along with the connection's stable-id and the
2056           network address as specified by RFC7217. This makes it impossible
2057           to use the address track host's presence, and makes the address
2058           stable when the network interface hardware is replaced. On D-Bus,
2059           the absence of an addr-gen-mode setting equals enabling
2060           stable-privacy. For keyfile plugin, the absence of the setting on
2061           disk means EUI64 so that the property doesn't change on upgrade
2062           from older versions. Note that this setting is distinct from the
2063           Privacy Extensions as configured by "ip6-privacy" property and it
2064           does not affect the temporary addresses configured with this
2065           option.
2066
2067           Format: int32
2068
2069       addresses
2070           Alias: ip6
2071
2072           A list of IPv6 addresses and their prefix length. Multiple
2073           addresses can be separated by comma. For example
2074           "2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64". The
2075           addresses are listed in decreasing priority, meaning the first
2076           address will be the primary address. This can make a difference
2077           with IPv6 source address selection (RFC 6724, section 5).
2078
2079           Format: a comma separated list of addresses
2080
2081       dhcp-duid
2082           A string containing the DHCPv6 Unique Identifier (DUID) used by the
2083           dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
2084           DUID is carried in the Client Identifier option. If the property is
2085           a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
2086           filled as an opaque value in the Client Identifier option. The
2087           special value "lease" will retrieve the DUID previously used from
2088           the lease file belonging to the connection. If no DUID is found and
2089           "dhclient" is the configured dhcp client, the DUID is searched in
2090           the system-wide dhclient lease file. If still no DUID is found, or
2091           another dhcp client is used, a global and permanent DUID-UUID (RFC
2092           6355) will be generated based on the machine-id. The special values
2093           "llt" and "ll" will generate a DUID of type LLT or LL (see RFC
2094           3315) based on the current MAC address of the device. In order to
2095           try providing a stable DUID-LLT, the time field will contain a
2096           constant timestamp that is used globally (for all profiles) and
2097           persisted to disk. The special values "stable-llt", "stable-ll" and
2098           "stable-uuid" will generate a DUID of the corresponding type,
2099           derived from the connection's stable-id and a per-host unique key.
2100           You may want to include the "${DEVICE}" or "${MAC}" specifier in
2101           the stable-id, in case this profile gets activated on multiple
2102           devices. So, the link-layer address of "stable-ll" and "stable-llt"
2103           will be a generated address derived from the stable id. The
2104           DUID-LLT time value in the "stable-llt" option will be picked among
2105           a static timespan of three years (the upper bound of the interval
2106           is the same constant timestamp used in "llt"). When the property is
2107           unset, the global value provided for "ipv6.dhcp-duid" is used. If
2108           no global value is provided, the default "lease" value is assumed.
2109
2110           Format: string
2111
2112       dhcp-hostname
2113           If the "dhcp-send-hostname" property is TRUE, then the specified
2114           name will be sent to the DHCP server when acquiring a lease. This
2115           property and "dhcp-fqdn" are mutually exclusive and cannot be set
2116           at the same time.
2117
2118           Format: string
2119
2120       dhcp-hostname-flags
2121           Flags for the DHCP hostname and FQDN. Currently, this property only
2122           includes flags to control the FQDN flags set in the DHCP FQDN
2123           option. Supported FQDN flags are
2124           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2125           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
2126           NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
2127           set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
2128           DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
2129           is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
2130           the standard FQDN flags are set in the request:
2131           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2132           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
2133           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6. When this
2134           property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE
2135           (0x0), a global default is looked up in NetworkManager
2136           configuration. If that value is unset or also
2137           NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
2138           described above are sent in the DHCP requests.
2139
2140           Format: uint32
2141
2142       dhcp-iaid
2143           A string containing the "Identity Association Identifier" (IAID)
2144           used by the DHCP client. The property is a 32-bit decimal value or
2145           a special value among "mac", "perm-mac", "ifname" and "stable".
2146           When set to "mac" (or "perm-mac"), the last 4 bytes of the current
2147           (or permanent) MAC address are used as IAID. When set to "ifname",
2148           the IAID is computed by hashing the interface name. The special
2149           value "stable" can be used to generate an IAID based on the
2150           stable-id (see connection.stable-id), a per-host key and the
2151           interface name. When the property is unset, the value from global
2152           configuration is used; if no global default is set then the IAID is
2153           assumed to be "ifname". Note that at the moment this property is
2154           ignored for IPv6 by dhclient, which always derives the IAID from
2155           the MAC address.
2156
2157           Format: string
2158
2159       dhcp-send-hostname
2160           If TRUE, a hostname is sent to the DHCP server when acquiring a
2161           lease. Some DHCP servers use this hostname to update DNS databases,
2162           essentially providing a static hostname for the computer. If the
2163           "dhcp-hostname" property is NULL and this property is TRUE, the
2164           current persistent hostname of the computer is sent.
2165
2166           Format: boolean
2167
2168       dhcp-timeout
2169           A timeout for a DHCP transaction in seconds. If zero (the default),
2170           a globally configured default is used. If still unspecified, a
2171           device specific timeout is used (usually 45 seconds). Set to
2172           2147483647 (MAXINT32) for infinity.
2173
2174           Format: int32
2175
2176       dns
2177           Array of IP addresses of DNS servers.
2178
2179           Format: array of byte array
2180
2181       dns-options
2182           Array of DNS options as described in man 5 resolv.conf. NULL means
2183           that the options are unset and left at the default. In this case
2184           NetworkManager will use default options. This is distinct from an
2185           empty list of properties. The currently supported options are
2186           "attempts", "debug", "edns0", "inet6", "ip6-bytestring",
2187           "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint",
2188           "no-reload", "no-tld-query", "rotate", "single-request",
2189           "single-request-reopen", "timeout", "trust-ad", "use-vc". The
2190           "trust-ad" setting is only honored if the profile contributes name
2191           servers to resolv.conf, and if all contributing profiles have
2192           "trust-ad" enabled. When using a caching DNS plugin (dnsmasq or
2193           systemd-resolved in NetworkManager.conf) then "edns0" and
2194           "trust-ad" are automatically added.
2195
2196           Format: array of string
2197
2198       dns-priority
2199           DNS servers priority. The relative priority for DNS servers
2200           specified by this setting. A lower numerical value is better
2201           (higher priority). Negative values have the special effect of
2202           excluding other configurations with a greater numerical priority
2203           value; so in presence of at least one negative priority, only DNS
2204           servers from connections with the lowest priority value will be
2205           used. To avoid all DNS leaks, set the priority of the profile that
2206           should be used to the most negative value of all active connections
2207           profiles. Zero selects a globally configured default value. If the
2208           latter is missing or zero too, it defaults to 50 for VPNs
2209           (including WireGuard) and 100 for other connections. Note that the
2210           priority is to order DNS settings for multiple active connections.
2211           It does not disambiguate multiple DNS servers within the same
2212           connection profile. When multiple devices have configurations with
2213           the same priority, VPNs will be considered first, then devices with
2214           the best (lowest metric) default route and then all other devices.
2215           When using dns=default, servers with higher priority will be on top
2216           of resolv.conf. To prioritize a given server over another one
2217           within the same connection, just specify them in the desired order.
2218           Note that commonly the resolver tries name servers in
2219           /etc/resolv.conf in the order listed, proceeding with the next
2220           server in the list on failure. See for example the "rotate" option
2221           of the dns-options setting. If there are any negative DNS
2222           priorities, then only name servers from the devices with that
2223           lowest priority will be considered. When using a DNS resolver that
2224           supports Conditional Forwarding or Split DNS (with dns=dnsmasq or
2225           dns=systemd-resolved settings), each connection is used to query
2226           domains in its search list. The search domains determine which name
2227           servers to ask, and the DNS priority is used to prioritize name
2228           servers based on the domain. Queries for domains not present in any
2229           search list are routed through connections having the '~.' special
2230           wildcard domain, which is added automatically to connections with
2231           the default route (or can be added manually). When multiple
2232           connections specify the same domain, the one with the best priority
2233           (lowest numerical value) wins. If a sub domain is configured on
2234           another interface it will be accepted regardless the priority,
2235           unless parent domain on the other interface has a negative
2236           priority, which causes the sub domain to be shadowed. With Split
2237           DNS one can avoid undesired DNS leaks by properly configuring DNS
2238           priorities and the search domains, so that only name servers of the
2239           desired interface are configured.
2240
2241           Format: int32
2242
2243       dns-search
2244           Array of DNS search domains. Domains starting with a tilde ('~')
2245           are considered 'routing' domains and are used only to decide the
2246           interface over which a query must be forwarded; they are not used
2247           to complete unqualified host names. When using a DNS plugin that
2248           supports Conditional Forwarding or Split DNS, then the search
2249           domains specify which name servers to query. This makes the
2250           behavior different from running with plain /etc/resolv.conf. For
2251           more information see also the dns-priority setting.
2252
2253           Format: array of string
2254
2255       gateway
2256           Alias: gw6
2257
2258           The gateway associated with this configuration. This is only
2259           meaningful if "addresses" is also set. The gateway's main purpose
2260           is to control the next hop of the standard default route on the
2261           device. Hence, the gateway property conflicts with "never-default"
2262           and will be automatically dropped if the IP configuration is set to
2263           never-default. As an alternative to set the gateway, configure a
2264           static default route with /0 as prefix length.
2265
2266           Format: string
2267
2268       ignore-auto-dns
2269           When "method" is set to "auto" and this property to TRUE,
2270           automatically configured name servers and search domains are
2271           ignored and only name servers and search domains specified in the
2272           "dns" and "dns-search" properties, if any, are used.
2273
2274           Format: boolean
2275
2276       ignore-auto-routes
2277           When "method" is set to "auto" and this property to TRUE,
2278           automatically configured routes are ignored and only routes
2279           specified in the "routes" property, if any, are used.
2280
2281           Format: boolean
2282
2283       ip6-privacy
2284           Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
2285           If enabled, it makes the kernel generate a temporary IPv6 address
2286           in addition to the public one generated from MAC address via
2287           modified EUI-64. This enhances privacy, but could cause problems in
2288           some applications, on the other hand. The permitted values are: -1:
2289           unknown, 0: disabled, 1: enabled (prefer public address), 2:
2290           enabled (prefer temporary addresses). Having a per-connection
2291           setting set to "-1" (unknown) means fallback to global
2292           configuration "ipv6.ip6-privacy". If also global configuration is
2293           unspecified or set to "-1", fallback to read
2294           "/proc/sys/net/ipv6/conf/default/use_tempaddr". Note that this
2295           setting is distinct from the Stable Privacy addresses that can be
2296           enabled with the "addr-gen-mode" property's "stable-privacy"
2297           setting as another way of avoiding host tracking with IPv6
2298           addresses.
2299
2300           Format: NMSettingIP6ConfigPrivacy (int32)
2301
2302       may-fail
2303           If TRUE, allow overall network configuration to proceed even if the
2304           configuration specified by this property times out. Note that at
2305           least one IP configuration must succeed or overall network
2306           configuration will still fail. For example, in IPv6-only networks,
2307           setting this property to TRUE on the NMSettingIP4Config allows the
2308           overall network configuration to succeed if IPv4 configuration
2309           fails but IPv6 configuration completes successfully.
2310
2311           Format: boolean
2312
2313       method
2314           IP configuration method. NMSettingIP4Config and NMSettingIP6Config
2315           both support "disabled", "auto", "manual", and "link-local". See
2316           the subclass-specific documentation for other values. In general,
2317           for the "auto" method, properties such as "dns" and "routes"
2318           specify information that is added on to the information returned
2319           from automatic configuration. The "ignore-auto-routes" and
2320           "ignore-auto-dns" properties modify this behavior. For methods that
2321           imply no upstream network, such as "shared" or "link-local", these
2322           properties must be empty. For IPv4 method "shared", the IP subnet
2323           can be configured by adding one manual IPv4 address or otherwise
2324           10.42.x.0/24 is chosen. Note that the shared method must be
2325           configured on the interface which shares the internet to a subnet,
2326           not on the uplink which is shared.
2327
2328           Format: string
2329
2330       never-default
2331           If TRUE, this connection will never be the default connection for
2332           this IP type, meaning it will never be assigned the default route
2333           by NetworkManager.
2334
2335           Format: boolean
2336
2337       ra-timeout
2338           A timeout for waiting Router Advertisements in seconds. If zero
2339           (the default), a globally configured default is used. If still
2340           unspecified, the timeout depends on the sysctl settings of the
2341           device. Set to 2147483647 (MAXINT32) for infinity.
2342
2343           Format: int32
2344
2345       required-timeout
2346           The minimum time interval in milliseconds for which dynamic IP
2347           configuration should be tried before the connection succeeds. This
2348           property is useful for example if both IPv4 and IPv6 are enabled
2349           and are allowed to fail. Normally the connection succeeds as soon
2350           as one of the two address families completes; by setting a required
2351           timeout for e.g. IPv4, one can ensure that even if IP6 succeeds
2352           earlier than IPv4, NetworkManager waits some time for IPv4 before
2353           the connection becomes active. Note that if "may-fail" is FALSE for
2354           the same address family, this property has no effect as
2355           NetworkManager needs to wait for the full DHCP timeout. A zero
2356           value means that no required timeout is present, -1 means the
2357           default value (either configuration ipvx.required-timeout override
2358           or zero).
2359
2360           Format: int32
2361
2362       route-metric
2363           The default metric for routes that don't explicitly specify a
2364           metric. The default value -1 means that the metric is chosen
2365           automatically based on the device type. The metric applies to
2366           dynamic routes, manual (static) routes that don't have an explicit
2367           metric setting, address prefix routes, and the default route. Note
2368           that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2369           (user default). Hence, setting this property to zero effectively
2370           mean setting it to 1024. For IPv4, zero is a regular value for the
2371           metric.
2372
2373           Format: int64
2374
2375       route-table
2376           Enable policy routing (source routing) and set the routing table
2377           used when adding routes. This affects all routes, including
2378           device-routes, IPv4LL, DHCP, SLAAC, default-routes and static
2379           routes. But note that static routes can individually overwrite the
2380           setting by explicitly specifying a non-zero routing table. If the
2381           table setting is left at zero, it is eligible to be overwritten via
2382           global configuration. If the property is zero even after applying
2383           the global configuration value, policy routing is disabled for the
2384           address family of this connection. Policy routing disabled means
2385           that NetworkManager will add all routes to the main table (except
2386           static routes that explicitly configure a different table).
2387           Additionally, NetworkManager will not delete any extraneous routes
2388           from tables except the main table. This is to preserve backward
2389           compatibility for users who manage routing tables outside of
2390           NetworkManager.
2391
2392           Format: uint32
2393
2394       routes
2395           A list of IPv6 destination addresses, prefix length, optional IPv6
2396           next hop addresses, optional route metric, optional attribute. The
2397           valid syntax is: "ip[/prefix] [next-hop] [metric]
2398           [attribute=val]...[,ip[/prefix]...]".
2399
2400           Various attributes are supported:
2401
2402           •   "cwnd" - an unsigned 32 bit integer.
2403
2404           •   "from" - an IPv6 address with optional prefix. IPv6 only.
2405
2406           •   "initcwnd" - an unsigned 32 bit integer.
2407
2408           •   "initrwnd" - an unsigned 32 bit integer.
2409
2410           •   "lock-cwnd" - a boolean value.
2411
2412           •   "lock-initcwnd" - a boolean value.
2413
2414           •   "lock-initrwnd" - a boolean value.
2415
2416           •   "lock-mtu" - a boolean value.
2417
2418           •   "lock-window" - a boolean value.
2419
2420           •   "mtu" - an unsigned 32 bit integer.
2421
2422           •   "onlink" - a boolean value.
2423
2424           •   "src" - an IPv6 address.
2425
2426           •   "table" - an unsigned 32 bit integer. The default depends on
2427               ipv6.route-table.
2428
2429           •   "type" - one of unicast, local, blackhole, unavailable,
2430               prohibit, throw. The default is unicast.
2431
2432           •   "window" - an unsigned 32 bit integer.
2433
2434           For details see also `man ip-route`.
2435
2436           Format: a comma separated list of routes
2437
2438       routing-rules
2439           A comma separated list of routing rules for policy routing. The
2440           format is based on ip rule add syntax and mostly compatible. One
2441           difference is that routing rules in NetworkManager always need a
2442           fixed priority.
2443
2444           Example: priority 5 from 1:2:3::5/128 table 45
2445
2446           Format: a comma separated list of routing rules
2447
2448       token
2449           Configure the token for
2450           draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2451           interface identifiers. Useful with eui64 addr-gen-mode.
2452
2453           Format: string
2454
2455   ip-tunnel setting
2456       IP Tunneling Settings.
2457
2458       Properties:
2459
2460       encapsulation-limit
2461           How many additional levels of encapsulation are permitted to be
2462           prepended to packets. This property applies only to IPv6 tunnels.
2463
2464           Format: uint32
2465
2466       flags
2467           Tunnel flags. Currently, the following values are supported:
2468           NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2469           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2470           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2471           NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2472           NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2473           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2474           for IPv6 tunnels.
2475
2476           Format: uint32
2477
2478       flow-label
2479           The flow label to assign to tunnel packets. This property applies
2480           only to IPv6 tunnels.
2481
2482           Format: uint32
2483
2484       input-key
2485           The key used for tunnel input packets; the property is valid only
2486           for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2487
2488           Format: string
2489
2490       local
2491           Alias: local
2492
2493           The local endpoint of the tunnel; the value can be empty, otherwise
2494           it must contain an IPv4 or IPv6 address.
2495
2496           Format: string
2497
2498       mode
2499           Alias: mode
2500
2501           The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2502           NM_IP_TUNNEL_MODE_GRE (2).
2503
2504           Format: uint32
2505
2506       mtu
2507           If non-zero, only transmit packets of the specified size or
2508           smaller, breaking larger packets up into multiple fragments.
2509
2510           Format: uint32
2511
2512       output-key
2513           The key used for tunnel output packets; the property is valid only
2514           for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2515
2516           Format: string
2517
2518       parent
2519           Alias: dev
2520
2521           If given, specifies the parent interface name or parent connection
2522           UUID the new device will be bound to so that tunneled packets will
2523           only be routed via that interface.
2524
2525           Format: string
2526
2527       path-mtu-discovery
2528           Whether to enable Path MTU Discovery on this tunnel.
2529
2530           Format: boolean
2531
2532       remote
2533           Alias: remote
2534
2535           The remote endpoint of the tunnel; the value must contain an IPv4
2536           or IPv6 address.
2537
2538           Format: string
2539
2540       tos
2541           The type of service (IPv4) or traffic class (IPv6) field to be set
2542           on tunneled packets.
2543
2544           Format: uint32
2545
2546       ttl
2547           The TTL to assign to tunneled packets. 0 is a special value meaning
2548           that packets inherit the TTL value.
2549
2550           Format: uint32
2551
2552   macsec setting
2553       MACSec Settings.
2554
2555       Properties:
2556
2557       encrypt
2558           Alias: encrypt
2559
2560           Whether the transmitted traffic must be encrypted.
2561
2562           Format: boolean
2563
2564       mka-cak
2565           Alias: cak
2566
2567           The pre-shared CAK (Connectivity Association Key) for MACsec Key
2568           Agreement.
2569
2570           Format: string
2571
2572       mka-cak-flags
2573           Flags indicating how to handle the "mka-cak" property. See the
2574           section called “Secret flag types:” for flag values.
2575
2576           Format: NMSettingSecretFlags (uint32)
2577
2578       mka-ckn
2579           Alias: ckn
2580
2581           The pre-shared CKN (Connectivity-association Key Name) for MACsec
2582           Key Agreement.
2583
2584           Format: string
2585
2586       mode
2587           Alias: mode
2588
2589           Specifies how the CAK (Connectivity Association Key) for MKA
2590           (MACsec Key Agreement) is obtained.
2591
2592           Format: int32
2593
2594       parent
2595           Alias: dev
2596
2597           If given, specifies the parent interface name or parent connection
2598           UUID from which this MACSEC interface should be created. If this
2599           property is not specified, the connection must contain an
2600           "802-3-ethernet" setting with a "mac-address" property.
2601
2602           Format: string
2603
2604       port
2605           Alias: port
2606
2607           The port component of the SCI (Secure Channel Identifier), between
2608           1 and 65534.
2609
2610           Format: int32
2611
2612       send-sci
2613           Specifies whether the SCI (Secure Channel Identifier) is included
2614           in every packet.
2615
2616           Format: boolean
2617
2618       validation
2619           Specifies the validation mode for incoming frames.
2620
2621           Format: int32
2622
2623   macvlan setting
2624       MAC VLAN Settings.
2625
2626       Properties:
2627
2628       mode
2629           Alias: mode
2630
2631           The macvlan mode, which specifies the communication mechanism
2632           between multiple macvlans on the same lower device.
2633
2634           Format: uint32
2635
2636       parent
2637           Alias: dev
2638
2639           If given, specifies the parent interface name or parent connection
2640           UUID from which this MAC-VLAN interface should be created. If this
2641           property is not specified, the connection must contain an
2642           "802-3-ethernet" setting with a "mac-address" property.
2643
2644           Format: string
2645
2646       promiscuous
2647           Whether the interface should be put in promiscuous mode.
2648
2649           Format: boolean
2650
2651       tap
2652           Alias: tap
2653
2654           Whether the interface should be a MACVTAP.
2655
2656           Format: boolean
2657
2658   match setting
2659       Match settings.
2660
2661       Properties:
2662
2663       driver
2664           A list of driver names to match. Each element is a shell wildcard
2665           pattern. See NMSettingMatch:interface-name for how special
2666           characters '|', '&', '!' and '\' are used for optional and
2667           mandatory matches and inverting the pattern.
2668
2669           Format: array of string
2670
2671       interface-name
2672           A list of interface names to match. Each element is a shell
2673           wildcard pattern. An element can be prefixed with a pipe symbol (|)
2674           or an ampersand (&). The former means that the element is optional
2675           and the latter means that it is mandatory. If there are any
2676           optional elements, than the match evaluates to true if at least one
2677           of the optional element matches (logical OR). If there are any
2678           mandatory elements, then they all must match (logical AND). By
2679           default, an element is optional. This means that an element "foo"
2680           behaves the same as "|foo". An element can also be inverted with
2681           exclamation mark (!) between the pipe symbol (or the ampersand) and
2682           before the pattern. Note that "!foo" is a shortcut for the
2683           mandatory match "&!foo". Finally, a backslash can be used at the
2684           beginning of the element (after the optional special characters) to
2685           escape the start of the pattern. For example, "&\!a" is an
2686           mandatory match for literally "!a".
2687
2688           Format: array of string
2689
2690       kernel-command-line
2691           A list of kernel command line arguments to match. This may be used
2692           to check whether a specific kernel command line option is set (or
2693           unset, if prefixed with the exclamation mark). The argument must
2694           either be a single word, or an assignment (i.e. two words, joined
2695           by "="). In the former case the kernel command line is searched for
2696           the word appearing as is, or as left hand side of an assignment. In
2697           the latter case, the exact assignment is looked for with right and
2698           left hand side matching. Wildcard patterns are not supported. See
2699           NMSettingMatch:interface-name for how special characters '|', '&',
2700           '!' and '\' are used for optional and mandatory matches and
2701           inverting the match.
2702
2703           Format: array of string
2704
2705       path
2706           A list of paths to match against the ID_PATH udev property of
2707           devices. ID_PATH represents the topological persistent path of a
2708           device. It typically contains a subsystem string (pci, usb,
2709           platform, etc.) and a subsystem-specific identifier. For PCI
2710           devices the path has the form "pci-$domain:$bus:$device.$function",
2711           where each variable is an hexadecimal value; for example
2712           "pci-0000:0a:00.0". The path of a device can be obtained with
2713           "udevadm info /sys/class/net/$dev | grep ID_PATH=" or by looking at
2714           the "path" property exported by NetworkManager ("nmcli -f
2715           general.path device show $dev"). Each element of the list is a
2716           shell wildcard pattern. See NMSettingMatch:interface-name for how
2717           special characters '|', '&', '!' and '\' are used for optional and
2718           mandatory matches and inverting the pattern.
2719
2720           Format: array of string
2721
2722   802-11-olpc-mesh setting
2723       Alias: olpc-mesh
2724
2725       OLPC Wireless Mesh Settings.
2726
2727       Properties:
2728
2729       channel
2730           Alias: channel
2731
2732           Channel on which the mesh network to join is located.
2733
2734           Format: uint32
2735
2736       dhcp-anycast-address
2737           Alias: dhcp-anycast
2738
2739           Anycast DHCP MAC address used when requesting an IP address via
2740           DHCP. The specific anycast address used determines which DHCP
2741           server class answers the request. This is currently only
2742           implemented by dhclient DHCP plugin.
2743
2744           Format: byte array
2745
2746       ssid
2747           Alias: ssid
2748
2749           SSID of the mesh network to join.
2750
2751           Format: byte array
2752
2753   ovs-bridge setting
2754       OvsBridge Link Settings.
2755
2756       Properties:
2757
2758       datapath-type
2759           The data path type. One of "system", "netdev" or empty.
2760
2761           Format: string
2762
2763       fail-mode
2764           The bridge failure mode. One of "secure", "standalone" or empty.
2765
2766           Format: string
2767
2768       mcast-snooping-enable
2769           Enable or disable multicast snooping.
2770
2771           Format: boolean
2772
2773       rstp-enable
2774           Enable or disable RSTP.
2775
2776           Format: boolean
2777
2778       stp-enable
2779           Enable or disable STP.
2780
2781           Format: boolean
2782
2783   ovs-dpdk setting
2784       OvsDpdk Link Settings.
2785
2786       Properties:
2787
2788       devargs
2789           Open vSwitch DPDK device arguments.
2790
2791           Format: string
2792
2793       n-rxq
2794           Open vSwitch DPDK number of rx queues. Defaults to zero which means
2795           to leave the parameter in OVS unspecified and effectively
2796           configures one queue.
2797
2798           Format: uint32
2799
2800   ovs-interface setting
2801       Open vSwitch Interface Settings.
2802
2803       Properties:
2804
2805       type
2806           The interface type. Either "internal", "system", "patch", "dpdk",
2807           or empty.
2808
2809           Format: string
2810
2811   ovs-patch setting
2812       OvsPatch Link Settings.
2813
2814       Properties:
2815
2816       peer
2817           Specifies the name of the interface for the other side of the
2818           patch. The patch on the other side must also set this interface as
2819           peer.
2820
2821           Format: string
2822
2823   ovs-port setting
2824       OvsPort Link Settings.
2825
2826       Properties:
2827
2828       bond-downdelay
2829           The time port must be inactive in order to be considered down.
2830
2831           Format: uint32
2832
2833       bond-mode
2834           Bonding mode. One of "active-backup", "balance-slb", or
2835           "balance-tcp".
2836
2837           Format: string
2838
2839       bond-updelay
2840           The time port must be active before it starts forwarding traffic.
2841
2842           Format: uint32
2843
2844       lacp
2845           LACP mode. One of "active", "off", or "passive".
2846
2847           Format: string
2848
2849       tag
2850           The VLAN tag in the range 0-4095.
2851
2852           Format: uint32
2853
2854       vlan-mode
2855           The VLAN mode. One of "access", "native-tagged", "native-untagged",
2856           "trunk" or unset.
2857
2858           Format: string
2859
2860   ppp setting
2861       Point-to-Point Protocol Settings.
2862
2863       Properties:
2864
2865       baud
2866           If non-zero, instruct pppd to set the serial port to the specified
2867           baudrate. This value should normally be left as 0 to automatically
2868           choose the speed.
2869
2870           Format: uint32
2871
2872       crtscts
2873           If TRUE, specify that pppd should set the serial port to use
2874           hardware flow control with RTS and CTS signals. This value should
2875           normally be set to FALSE.
2876
2877           Format: boolean
2878
2879       lcp-echo-failure
2880           If non-zero, instruct pppd to presume the connection to the peer
2881           has failed if the specified number of LCP echo-requests go
2882           unanswered by the peer. The "lcp-echo-interval" property must also
2883           be set to a non-zero value if this property is used.
2884
2885           Format: uint32
2886
2887       lcp-echo-interval
2888           If non-zero, instruct pppd to send an LCP echo-request frame to the
2889           peer every n seconds (where n is the specified value). Note that
2890           some PPP peers will respond to echo requests and some will not, and
2891           it is not possible to autodetect this.
2892
2893           Format: uint32
2894
2895       mppe-stateful
2896           If TRUE, stateful MPPE is used. See pppd documentation for more
2897           information on stateful MPPE.
2898
2899           Format: boolean
2900
2901       mru
2902           If non-zero, instruct pppd to request that the peer send packets no
2903           larger than the specified size. If non-zero, the MRU should be
2904           between 128 and 16384.
2905
2906           Format: uint32
2907
2908       mtu
2909           If non-zero, instruct pppd to send packets no larger than the
2910           specified size.
2911
2912           Format: uint32
2913
2914       no-vj-comp
2915           If TRUE, Van Jacobsen TCP header compression will not be requested.
2916
2917           Format: boolean
2918
2919       noauth
2920           If TRUE, do not require the other side (usually the PPP server) to
2921           authenticate itself to the client. If FALSE, require authentication
2922           from the remote side. In almost all cases, this should be TRUE.
2923
2924           Format: boolean
2925
2926       nobsdcomp
2927           If TRUE, BSD compression will not be requested.
2928
2929           Format: boolean
2930
2931       nodeflate
2932           If TRUE, "deflate" compression will not be requested.
2933
2934           Format: boolean
2935
2936       refuse-chap
2937           If TRUE, the CHAP authentication method will not be used.
2938
2939           Format: boolean
2940
2941       refuse-eap
2942           If TRUE, the EAP authentication method will not be used.
2943
2944           Format: boolean
2945
2946       refuse-mschap
2947           If TRUE, the MSCHAP authentication method will not be used.
2948
2949           Format: boolean
2950
2951       refuse-mschapv2
2952           If TRUE, the MSCHAPv2 authentication method will not be used.
2953
2954           Format: boolean
2955
2956       refuse-pap
2957           If TRUE, the PAP authentication method will not be used.
2958
2959           Format: boolean
2960
2961       require-mppe
2962           If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
2963           required for the PPP session. If either 64-bit or 128-bit MPPE is
2964           not available the session will fail. Note that MPPE is not used on
2965           mobile broadband connections.
2966
2967           Format: boolean
2968
2969       require-mppe-128
2970           If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
2971           required for the PPP session, and the "require-mppe" property must
2972           also be set to TRUE. If 128-bit MPPE is not available the session
2973           will fail.
2974
2975           Format: boolean
2976
2977   pppoe setting
2978       PPP-over-Ethernet Settings.
2979
2980       Properties:
2981
2982       parent
2983           Alias: parent
2984
2985           If given, specifies the parent interface name on which this PPPoE
2986           connection should be created. If this property is not specified,
2987           the connection is activated on the interface specified in
2988           "interface-name" of NMSettingConnection.
2989
2990           Format: string
2991
2992       password
2993           Alias: password
2994
2995           Password used to authenticate with the PPPoE service.
2996
2997           Format: string
2998
2999       password-flags
3000           Flags indicating how to handle the "password" property. See the
3001           section called “Secret flag types:” for flag values.
3002
3003           Format: NMSettingSecretFlags (uint32)
3004
3005       service
3006           Alias: service
3007
3008           If specified, instruct PPPoE to only initiate sessions with access
3009           concentrators that provide the specified service. For most
3010           providers, this should be left blank. It is only required if there
3011           are multiple access concentrators or a specific service is known to
3012           be required.
3013
3014           Format: string
3015
3016       username
3017           Alias: username
3018
3019           Username used to authenticate with the PPPoE service.
3020
3021           Format: string
3022
3023   proxy setting
3024       WWW Proxy Settings.
3025
3026       Properties:
3027
3028       browser-only
3029           Alias: browser-only
3030
3031           Whether the proxy configuration is for browser only.
3032
3033           Format: boolean
3034
3035       method
3036           Alias: method
3037
3038           Method for proxy configuration, Default is
3039           NM_SETTING_PROXY_METHOD_NONE (0)
3040
3041           Format: int32
3042
3043       pac-script
3044           Alias: pac-script
3045
3046           The PAC script. In the profile this must be an UTF-8 encoded
3047           javascript code that defines a FindProxyForURL() function. When
3048           setting the property in nmcli, a filename is accepted too. In that
3049           case, nmcli will read the content of the file and set the script.
3050           The prefixes "file://" and "js://" are supported to explicitly
3051           differentiate between the two.
3052
3053           Format: string
3054
3055       pac-url
3056           Alias: pac-url
3057
3058           PAC URL for obtaining PAC file.
3059
3060           Format: string
3061
3062   serial setting
3063       Serial Link Settings.
3064
3065       Properties:
3066
3067       baud
3068           Speed to use for communication over the serial port. Note that this
3069           value usually has no effect for mobile broadband modems as they
3070           generally ignore speed settings and use the highest available
3071           speed.
3072
3073           Format: uint32
3074
3075       bits
3076           Byte-width of the serial communication. The 8 in "8n1" for example.
3077
3078           Format: uint32
3079
3080       parity
3081           Parity setting of the serial port.
3082
3083           Format: NMSettingSerialParity (byte)
3084
3085       send-delay
3086           Time to delay between each byte sent to the modem, in microseconds.
3087
3088           Format: uint64
3089
3090       stopbits
3091           Number of stop bits for communication on the serial port. Either 1
3092           or 2. The 1 in "8n1" for example.
3093
3094           Format: uint32
3095
3096   sriov setting
3097       SR-IOV settings.
3098
3099       Properties:
3100
3101       autoprobe-drivers
3102           Whether to autoprobe virtual functions by a compatible driver. If
3103           set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
3104           compatible driver and if this succeeds a new network interface will
3105           be instantiated for each VF. If set to NM_TERNARY_FALSE (0), VFs
3106           will not be claimed and no network interfaces will be created for
3107           them. When set to NM_TERNARY_DEFAULT (-1), the global default is
3108           used; in case the global default is unspecified it is assumed to be
3109           NM_TERNARY_TRUE (1).
3110
3111           Format: NMTernary (int32)
3112
3113       total-vfs
3114           The total number of virtual functions to create. Note that when the
3115           sriov setting is present NetworkManager enforces the number of
3116           virtual functions on the interface (also when it is zero) during
3117           activation and resets it upon deactivation. To prevent any changes
3118           to SR-IOV parameters don't add a sriov setting to the connection.
3119
3120           Format: uint32
3121
3122       vfs
3123           Array of virtual function descriptors. Each VF descriptor is a
3124           dictionary mapping attribute names to GVariant values. The 'index'
3125           entry is mandatory for each VF. When represented as string a VF is
3126           in the form: "INDEX [ATTR=VALUE[ ATTR=VALUE]...]". for example: "2
3127           mac=00:11:22:33:44:55 spoof-check=true". Multiple VFs can be
3128           specified using a comma as separator. Currently, the following
3129           attributes are supported: mac, spoof-check, trust, min-tx-rate,
3130           max-tx-rate, vlans. The "vlans" attribute is represented as a
3131           semicolon-separated list of VLAN descriptors, where each descriptor
3132           has the form "ID[.PRIORITY[.PROTO]]". PROTO can be either 'q' for
3133           802.1Q (the default) or 'ad' for 802.1ad.
3134
3135           Format: array of vardict
3136
3137   tc setting
3138       Linux Traffic Control Settings.
3139
3140       Properties:
3141
3142       qdiscs
3143           Array of TC queueing disciplines. qdisc is a basic block in the
3144           Linux traffic control subsystem
3145
3146           Each qdisc can be specified by the following attributes:
3147
3148           handle HANDLE
3149               specifies the qdisc handle. A qdisc, which potentially can have
3150               children, gets assigned a major number, called a 'handle',
3151               leaving the minor number namespace available for classes. The
3152               handle is expressed as '10:'. It is customary to explicitly
3153               assign a handle to qdiscs expected to have children.
3154
3155           parent HANDLE
3156               specifies the handle of the parent qdisc the current qdisc must
3157               be attached to.
3158
3159           root
3160               specifies that the qdisc is attached to the root of device.
3161
3162           KIND
3163               this is the qdisc kind. NetworkManager currently supports the
3164               following kinds: fq_codel, sfq, tbf. Each qdisc kind has a
3165               different set of parameters, described below. There are also
3166               some kinds like pfifo, pfifo_fast, prio supported by
3167               NetworkManager but their parameters are not supported by
3168               NetworkManager.
3169
3170           Parameters for 'fq_codel':
3171
3172           limit U32
3173               the hard limit on the real queue size. When this limit is
3174               reached, incoming packets are dropped. Default is 10240
3175               packets.
3176
3177           memory_limit U32
3178               sets a limit on the total number of bytes that can be queued in
3179               this FQ-CoDel instance. The lower of the packet limit of the
3180               limit parameter and the memory limit will be enforced. Default
3181               is 32 MB.
3182
3183           flows U32
3184               the number of flows into which the incoming packets are
3185               classified. Due to the stochastic nature of hashing, multiple
3186               flows may end up being hashed into the same slot. Newer flows
3187               have priority over older ones. This parameter can be set only
3188               at load time since memory has to be allocated for the hash
3189               table. Default value is 1024.
3190
3191           target U32
3192               the acceptable minimum standing/persistent queue delay. This
3193               minimum delay is identified by tracking the local minimum queue
3194               delay that packets experience. The unit of measurement is
3195               microsecond(us). Default value is 5ms.
3196
3197           interval U32
3198               used to ensure that the measured minimum delay does not become
3199               too stale. The minimum delay must be experienced in the last
3200               epoch of length .B interval. It should be set on the order of
3201               the worst-case RTT through the bottleneck to give endpoints
3202               sufficient time to react. Default value is 100ms.
3203
3204           quantum U32
3205               the number of bytes used as 'deficit' in the fair queuing
3206               algorithm. Default is set to 1514 bytes which corresponds to
3207               the Ethernet MTU plus the hardware header length of 14 bytes.
3208
3209           ecn BOOL
3210               can be used to mark packets instead of dropping them. ecn is
3211               turned on by default.
3212
3213           ce_threshold U32
3214               sets a threshold above which all packets are marked with ECN
3215               Congestion Experienced. This is useful for DCTCP-style
3216               congestion control algorithms that require marking at very
3217               shallow queueing thresholds.
3218
3219           Parameters for 'sfq':
3220
3221           divisor U32
3222               can be used to set a different hash table size, available from
3223               kernel 2.6.39 onwards. The specified divisor must be a power of
3224               two and cannot be larger than 65536. Default value: 1024.
3225
3226           limit U32
3227               Upper limit of the SFQ. Can be used to reduce the default
3228               length of 127 packets.
3229
3230           depth U32
3231               Limit of packets per flow. Default to 127 and can be lowered.
3232
3233           perturb_period U32
3234               Interval in seconds for queue algorithm perturbation. Defaults
3235               to 0, which means that no perturbation occurs. Do not set too
3236               low for each perturbation may cause some packet reordering or
3237               losses. Advised value: 60 This value has no effect when
3238               external flow classification is used. Its better to increase
3239               divisor value to lower risk of hash collisions.
3240
3241           quantum U32
3242               Amount of bytes a flow is allowed to dequeue during a round of
3243               the round robin process. Defaults to the MTU of the interface
3244               which is also the advised value and the minimum value.
3245
3246           flows U32
3247               Default value is 127.
3248
3249           Parameters for 'tbf':
3250
3251           rate U64
3252               Bandwidth or rate. These parameters accept a floating point
3253               number, possibly followed by either a unit (both SI and IEC
3254               units supported), or a float followed by a percent character to
3255               specify the rate as a percentage of the device's speed.
3256
3257           burst U32
3258               Also known as buffer or maxburst. Size of the bucket, in bytes.
3259               This is the maximum amount of bytes that tokens can be
3260               available for instantaneously. In general, larger shaping rates
3261               require a larger buffer. For 10mbit/s on Intel, you need at
3262               least 10kbyte buffer if you want to reach your configured rate!
3263
3264               If your buffer is too small, packets may be dropped because
3265               more tokens arrive per timer tick than fit in your bucket. The
3266               minimum buffer size can be calculated by dividing the rate by
3267               HZ.
3268
3269               Token usage calculations are performed using a table which by
3270               default has a resolution of 8 packets. This resolution can be
3271               changed by specifying the cell size with the burst. For
3272               example, to specify a 6000 byte buffer with a 16 byte cell
3273               size, set a burst of 6000/16. You will probably never have to
3274               set this. Must be an integral power of 2.
3275
3276           limit U32
3277               Limit is the number of bytes that can be queued waiting for
3278               tokens to become available.
3279
3280           latency U32
3281               specifies the maximum amount of time a packet can sit in the
3282               TBF. The latency calculation takes into account the size of the
3283               bucket, the rate and possibly the peakrate (if set). The
3284               latency and limit are mutually exclusive.
3285
3286           Format: GPtrArray(NMTCQdisc)
3287
3288       tfilters
3289           Array of TC traffic filters. Traffic control can manage the packet
3290           content during classification by using filters.
3291
3292           Each tfilters can be specified by the following attributes:
3293
3294           handle HANDLE
3295               specifies the tfilters handle. A filter is used by a classful
3296               qdisc to determine in which class a packet will be enqueued. It
3297               is important to notice that filters reside within qdiscs.
3298               Therefore, see qdiscs handle for detailed information.
3299
3300           parent HANDLE
3301               specifies the handle of the parent qdisc the current qdisc must
3302               be attached to.
3303
3304           root
3305               specifies that the qdisc is attached to the root of device.
3306
3307           KIND
3308               this is the tfilters kind. NetworkManager currently supports
3309               following kinds: mirred, simple. Each filter kind has a
3310               different set of actions, described below. There are also some
3311               other kinds like matchall, basic, u32 supported by
3312               NetworkManager.
3313
3314           Actions for 'mirred':
3315
3316           egress bool
3317               Define whether the packet should exit from the interface.
3318
3319           ingress bool
3320               Define whether the packet should come into the interface.
3321
3322           mirror bool
3323               Define whether the packet should be copied to the destination
3324               space.
3325
3326           redirect bool
3327               Define whether the packet should be moved to the destination
3328               space.
3329
3330           Action for 'simple':
3331
3332           sdata char[32]
3333               The actual string to print.
3334
3335           Format: GPtrArray(NMTCTfilter)
3336
3337   team setting
3338       Teaming Settings.
3339
3340       Properties:
3341
3342       config
3343           Alias: config
3344
3345           The JSON configuration for the team network interface. The property
3346           should contain raw JSON configuration data suitable for teamd,
3347           because the value is passed directly to teamd. If not specified,
3348           the default configuration is used. See man teamd.conf for the
3349           format details.
3350
3351           Format: string
3352
3353       link-watchers
3354           Link watchers configuration for the connection: each link watcher
3355           is defined by a dictionary, whose keys depend upon the selected
3356           link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3357           and 'arp_ping' and it is specified in the dictionary with the key
3358           'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3359           'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3360           'target-host'; arp_ping: all the ones in nsna_ping and
3361           'source-host', 'validate-active', 'validate-inactive',
3362           'send-always'. See teamd.conf man for more details.
3363
3364           Format: array of vardict
3365
3366       mcast-rejoin-count
3367           Corresponds to the teamd mcast_rejoin.count.
3368
3369           Format: int32
3370
3371       mcast-rejoin-interval
3372           Corresponds to the teamd mcast_rejoin.interval.
3373
3374           Format: int32
3375
3376       notify-peers-count
3377           Corresponds to the teamd notify_peers.count.
3378
3379           Format: int32
3380
3381       notify-peers-interval
3382           Corresponds to the teamd notify_peers.interval.
3383
3384           Format: int32
3385
3386       runner
3387           Corresponds to the teamd runner.name. Permitted values are:
3388           "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
3389           "random".
3390
3391           Format: string
3392
3393       runner-active
3394           Corresponds to the teamd runner.active.
3395
3396           Format: boolean
3397
3398       runner-agg-select-policy
3399           Corresponds to the teamd runner.agg_select_policy.
3400
3401           Format: string
3402
3403       runner-fast-rate
3404           Corresponds to the teamd runner.fast_rate.
3405
3406           Format: boolean
3407
3408       runner-hwaddr-policy
3409           Corresponds to the teamd runner.hwaddr_policy.
3410
3411           Format: string
3412
3413       runner-min-ports
3414           Corresponds to the teamd runner.min_ports.
3415
3416           Format: int32
3417
3418       runner-sys-prio
3419           Corresponds to the teamd runner.sys_prio.
3420
3421           Format: int32
3422
3423       runner-tx-balancer
3424           Corresponds to the teamd runner.tx_balancer.name.
3425
3426           Format: string
3427
3428       runner-tx-balancer-interval
3429           Corresponds to the teamd runner.tx_balancer.interval.
3430
3431           Format: int32
3432
3433       runner-tx-hash
3434           Corresponds to the teamd runner.tx_hash.
3435
3436           Format: array of string
3437
3438   team-port setting
3439       Team Port Settings.
3440
3441       Properties:
3442
3443       config
3444           Alias: config
3445
3446           The JSON configuration for the team port. The property should
3447           contain raw JSON configuration data suitable for teamd, because the
3448           value is passed directly to teamd. If not specified, the default
3449           configuration is used. See man teamd.conf for the format details.
3450
3451           Format: string
3452
3453       lacp-key
3454           Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3455
3456           Format: int32
3457
3458       lacp-prio
3459           Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3460
3461           Format: int32
3462
3463       link-watchers
3464           Link watchers configuration for the connection: each link watcher
3465           is defined by a dictionary, whose keys depend upon the selected
3466           link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3467           and 'arp_ping' and it is specified in the dictionary with the key
3468           'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3469           'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3470           'target-host'; arp_ping: all the ones in nsna_ping and
3471           'source-host', 'validate-active', 'validate-inactive',
3472           'send-always'. See teamd.conf man for more details.
3473
3474           Format: array of vardict
3475
3476       prio
3477           Corresponds to the teamd ports.PORTIFNAME.prio.
3478
3479           Format: int32
3480
3481       queue-id
3482           Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1
3483           means the parameter is skipped from the json config.
3484
3485           Format: int32
3486
3487       sticky
3488           Corresponds to the teamd ports.PORTIFNAME.sticky.
3489
3490           Format: boolean
3491
3492   tun setting
3493       Tunnel Settings.
3494
3495       Properties:
3496
3497       group
3498           Alias: group
3499
3500           The group ID which will own the device. If set to NULL everyone
3501           will be able to use the device.
3502
3503           Format: string
3504
3505       mode
3506           Alias: mode
3507
3508           The operating mode of the virtual device. Allowed values are
3509           NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3510           NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3511
3512           Format: uint32
3513
3514       multi-queue
3515           Alias: multi-queue
3516
3517           If the property is set to TRUE, the interface will support multiple
3518           file descriptors (queues) to parallelize packet sending or
3519           receiving. Otherwise, the interface will only support a single
3520           queue.
3521
3522           Format: boolean
3523
3524       owner
3525           Alias: owner
3526
3527           The user ID which will own the device. If set to NULL everyone will
3528           be able to use the device.
3529
3530           Format: string
3531
3532       pi
3533           Alias: pi
3534
3535           If TRUE the interface will prepend a 4 byte header describing the
3536           physical interface to the packets.
3537
3538           Format: boolean
3539
3540       vnet-hdr
3541           Alias: vnet-hdr
3542
3543           If TRUE the IFF_VNET_HDR the tunnel packets will include a virtio
3544           network header.
3545
3546           Format: boolean
3547
3548   vlan setting
3549       VLAN Settings.
3550
3551       Properties:
3552
3553       egress-priority-map
3554           Alias: egress
3555
3556           For outgoing packets, a list of mappings from Linux SKB priorities
3557           to 802.1p priorities. The mapping is given in the format "from:to"
3558           where both "from" and "to" are unsigned integers, ie "7:3".
3559
3560           Format: array of string
3561
3562       flags
3563           Alias: flags
3564
3565           One or more flags which control the behavior and features of the
3566           VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
3567           (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
3568           of the GVRP protocol), and NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
3569           binding of the interface to its master device's operating state).
3570           NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol). The default
3571           value of this property is NM_VLAN_FLAG_REORDER_HEADERS, but it used
3572           to be 0. To preserve backward compatibility, the default-value in
3573           the D-Bus API continues to be 0 and a missing property on D-Bus is
3574           still considered as 0.
3575
3576           Format: NMVlanFlags (uint32)
3577
3578       id
3579           Alias: id
3580
3581           The VLAN identifier that the interface created by this connection
3582           should be assigned. The valid range is from 0 to 4094, without the
3583           reserved id 4095.
3584
3585           Format: uint32
3586
3587       ingress-priority-map
3588           Alias: ingress
3589
3590           For incoming packets, a list of mappings from 802.1p priorities to
3591           Linux SKB priorities. The mapping is given in the format "from:to"
3592           where both "from" and "to" are unsigned integers, ie "7:3".
3593
3594           Format: array of string
3595
3596       parent
3597           Alias: dev
3598
3599           If given, specifies the parent interface name or parent connection
3600           UUID from which this VLAN interface should be created. If this
3601           property is not specified, the connection must contain an
3602           "802-3-ethernet" setting with a "mac-address" property.
3603
3604           Format: string
3605
3606   vpn setting
3607       VPN Settings.
3608
3609       Properties:
3610
3611       data
3612           Dictionary of key/value pairs of VPN plugin specific data. Both
3613           keys and values must be strings.
3614
3615           Format: dict of string to string
3616
3617       persistent
3618           If the VPN service supports persistence, and this property is TRUE,
3619           the VPN will attempt to stay connected across link changes and
3620           outages, until explicitly disconnected.
3621
3622           Format: boolean
3623
3624       secrets
3625           Dictionary of key/value pairs of VPN plugin specific secrets like
3626           passwords or private keys. Both keys and values must be strings.
3627
3628           Format: dict of string to string
3629
3630       service-type
3631           Alias: vpn-type
3632
3633           D-Bus service name of the VPN plugin that this setting uses to
3634           connect to its network. i.e. org.freedesktop.NetworkManager.vpnc
3635           for the vpnc plugin.
3636
3637           Format: string
3638
3639       timeout
3640           Timeout for the VPN service to establish the connection. Some
3641           services may take quite a long time to connect. Value of 0 means a
3642           default timeout, which is 60 seconds (unless overridden by
3643           vpn.timeout in configuration file). Values greater than zero mean
3644           timeout in seconds.
3645
3646           Format: uint32
3647
3648       user-name
3649           Alias: user
3650
3651           If the VPN connection requires a user name for authentication, that
3652           name should be provided here. If the connection is available to
3653           more than one user, and the VPN requires each user to supply a
3654           different name, then leave this property empty. If this property is
3655           empty, NetworkManager will automatically supply the username of the
3656           user which requested the VPN connection.
3657
3658           Format: string
3659
3660   vrf setting
3661       VRF settings.
3662
3663       Properties:
3664
3665       table
3666           Alias: table
3667
3668           The routing table for this VRF.
3669
3670           Format: uint32
3671
3672   vxlan setting
3673       VXLAN Settings.
3674
3675       Properties:
3676
3677       ageing
3678           Specifies the lifetime in seconds of FDB entries learnt by the
3679           kernel.
3680
3681           Format: uint32
3682
3683       destination-port
3684           Alias: destination-port
3685
3686           Specifies the UDP destination port to communicate to the remote
3687           VXLAN tunnel endpoint.
3688
3689           Format: uint32
3690
3691       id
3692           Alias: id
3693
3694           Specifies the VXLAN Network Identifier (or VXLAN Segment
3695           Identifier) to use.
3696
3697           Format: uint32
3698
3699       l2-miss
3700           Specifies whether netlink LL ADDR miss notifications are generated.
3701
3702           Format: boolean
3703
3704       l3-miss
3705           Specifies whether netlink IP ADDR miss notifications are generated.
3706
3707           Format: boolean
3708
3709       learning
3710           Specifies whether unknown source link layer addresses and IP
3711           addresses are entered into the VXLAN device forwarding database.
3712
3713           Format: boolean
3714
3715       limit
3716           Specifies the maximum number of FDB entries. A value of zero means
3717           that the kernel will store unlimited entries.
3718
3719           Format: uint32
3720
3721       local
3722           Alias: local
3723
3724           If given, specifies the source IP address to use in outgoing
3725           packets.
3726
3727           Format: string
3728
3729       parent
3730           Alias: dev
3731
3732           If given, specifies the parent interface name or parent connection
3733           UUID.
3734
3735           Format: string
3736
3737       proxy
3738           Specifies whether ARP proxy is turned on.
3739
3740           Format: boolean
3741
3742       remote
3743           Alias: remote
3744
3745           Specifies the unicast destination IP address to use in outgoing
3746           packets when the destination link layer address is not known in the
3747           VXLAN device forwarding database, or the multicast IP address to
3748           join.
3749
3750           Format: string
3751
3752       rsc
3753           Specifies whether route short circuit is turned on.
3754
3755           Format: boolean
3756
3757       source-port-max
3758           Alias: source-port-max
3759
3760           Specifies the maximum UDP source port to communicate to the remote
3761           VXLAN tunnel endpoint.
3762
3763           Format: uint32
3764
3765       source-port-min
3766           Alias: source-port-min
3767
3768           Specifies the minimum UDP source port to communicate to the remote
3769           VXLAN tunnel endpoint.
3770
3771           Format: uint32
3772
3773       tos
3774           Specifies the TOS value to use in outgoing packets.
3775
3776           Format: uint32
3777
3778       ttl
3779           Specifies the time-to-live value to use in outgoing packets.
3780
3781           Format: uint32
3782
3783   wifi-p2p setting
3784       Wi-Fi P2P Settings.
3785
3786       Properties:
3787
3788       peer
3789           Alias: peer
3790
3791           The P2P device that should be connected to. Currently, this is the
3792           only way to create or join a group.
3793
3794           Format: string
3795
3796       wfd-ies
3797           The Wi-Fi Display (WFD) Information Elements (IEs) to set. Wi-Fi
3798           Display requires a protocol specific information element to be set
3799           in certain Wi-Fi frames. These can be specified here for the
3800           purpose of establishing a connection. This setting is only useful
3801           when implementing a Wi-Fi Display client.
3802
3803           Format: byte array
3804
3805       wps-method
3806           Flags indicating which mode of WPS is to be used. There's little
3807           point in changing the default setting as NetworkManager will
3808           automatically determine the best method to use.
3809
3810           Format: uint32
3811
3812   wimax setting
3813       WiMax Settings.
3814
3815       Properties:
3816
3817       mac-address
3818           Alias: mac
3819
3820           If specified, this connection will only apply to the WiMAX device
3821           whose MAC address matches. This property does not change the MAC
3822           address of the device (known as MAC spoofing). Deprecated: 1
3823
3824           Format: byte array
3825
3826       network-name
3827           Alias: nsp
3828
3829           Network Service Provider (NSP) name of the WiMAX network this
3830           connection should use. Deprecated: 1
3831
3832           Format: string
3833
3834   802-3-ethernet setting
3835       Alias: ethernet
3836
3837       Wired Ethernet Settings.
3838
3839       Properties:
3840
3841       accept-all-mac-addresses
3842           When TRUE, setup the interface to accept packets for all MAC
3843           addresses. This is enabling the kernel interface flag IFF_PROMISC.
3844           When FALSE, the interface will only accept the packets with the
3845           interface destination mac address or broadcast.
3846
3847           Format: NMTernary (int32)
3848
3849       auto-negotiate
3850           When TRUE, enforce auto-negotiation of speed and duplex mode. If
3851           "speed" and "duplex" properties are both specified, only that
3852           single mode will be advertised and accepted during the link
3853           auto-negotiation process: this works only for BASE-T 802.3
3854           specifications and is useful for enforcing gigabits modes, as in
3855           these cases link negotiation is mandatory. When FALSE, "speed" and
3856           "duplex" properties should be both set or link configuration will
3857           be skipped.
3858
3859           Format: boolean
3860
3861       cloned-mac-address
3862           Alias: cloned-mac
3863
3864           If specified, request that the device use this MAC address instead.
3865           This is known as MAC cloning or spoofing. Beside explicitly
3866           specifying a MAC address, the special values "preserve",
3867           "permanent", "random" and "stable" are supported. "preserve" means
3868           not to touch the MAC address on activation. "permanent" means to
3869           use the permanent hardware address if the device has one (otherwise
3870           this is treated as "preserve"). "random" creates a random MAC
3871           address on each connect. "stable" creates a hashed MAC address
3872           based on connection.stable-id and a machine dependent key. If
3873           unspecified, the value can be overwritten via global defaults, see
3874           manual of NetworkManager.conf. If still unspecified, it defaults to
3875           "preserve" (older versions of NetworkManager may use a different
3876           default value). On D-Bus, this field is expressed as
3877           "assigned-mac-address" or the deprecated "cloned-mac-address".
3878
3879           Format: byte array
3880
3881       duplex
3882           When a value is set, either "half" or "full", configures the device
3883           to use the specified duplex mode. If "auto-negotiate" is "yes" the
3884           specified duplex mode will be the only one advertised during link
3885           negotiation: this works only for BASE-T 802.3 specifications and is
3886           useful for enforcing gigabits modes, as in these cases link
3887           negotiation is mandatory. If the value is unset (the default), the
3888           link configuration will be either skipped (if "auto-negotiate" is
3889           "no", the default) or will be auto-negotiated (if "auto-negotiate"
3890           is "yes") and the local device will advertise all the supported
3891           duplex modes. Must be set together with the "speed" property if
3892           specified. Before specifying a duplex mode be sure your device
3893           supports it.
3894
3895           Format: string
3896
3897       generate-mac-address-mask
3898           With "cloned-mac-address" setting "random" or "stable", by default
3899           all bits of the MAC address are scrambled and a
3900           locally-administered, unicast MAC address is created. This property
3901           allows to specify that certain bits are fixed. Note that the least
3902           significant bit of the first MAC address will always be unset to
3903           create a unicast MAC address. If the property is NULL, it is
3904           eligible to be overwritten by a default connection setting. If the
3905           value is still NULL or an empty string, the default is to create a
3906           locally-administered, unicast MAC address. If the value contains
3907           one MAC address, this address is used as mask. The set bits of the
3908           mask are to be filled with the current MAC address of the device,
3909           while the unset bits are subject to randomization. Setting
3910           "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
3911           address and only randomize the lower 3 bytes using the "random" or
3912           "stable" algorithm. If the value contains one additional MAC
3913           address after the mask, this address is used instead of the current
3914           MAC address to fill the bits that shall not be randomized. For
3915           example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
3916           the OUI of the MAC address to 68:F7:28, while the lower bits are
3917           randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
3918           create a fully scrambled globally-administered, burned-in MAC
3919           address. If the value contains more than one additional MAC
3920           addresses, one of them is chosen randomly. For example,
3921           "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
3922           a fully scrambled MAC address, randomly locally or globally
3923           administered.
3924
3925           Format: string
3926
3927       mac-address
3928           Alias: mac
3929
3930           If specified, this connection will only apply to the Ethernet
3931           device whose permanent MAC address matches. This property does not
3932           change the MAC address of the device (i.e. MAC spoofing).
3933
3934           Format: byte array
3935
3936       mac-address-blacklist
3937           If specified, this connection will never apply to the Ethernet
3938           device whose permanent MAC address matches an address in the list.
3939           Each MAC address is in the standard hex-digits-and-colons notation
3940           (00:11:22:33:44:55).
3941
3942           Format: array of string
3943
3944       mtu
3945           Alias: mtu
3946
3947           If non-zero, only transmit packets of the specified size or
3948           smaller, breaking larger packets up into multiple Ethernet frames.
3949
3950           Format: uint32
3951
3952       port
3953           Specific port type to use if the device supports multiple
3954           attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
3955           Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
3956           Interface). If the device supports only one port type, this setting
3957           is ignored.
3958
3959           Format: string
3960
3961       s390-nettype
3962           s390 network device type; one of "qeth", "lcs", or "ctc",
3963           representing the different types of virtual network devices
3964           available on s390 systems.
3965
3966           Format: string
3967
3968       s390-options
3969           Dictionary of key/value pairs of s390-specific device options. Both
3970           keys and values must be strings. Allowed keys include "portno",
3971           "layer2", "portname", "protocol", among others. Key names must
3972           contain only alphanumeric characters (ie, [a-zA-Z0-9]). Currently,
3973           NetworkManager itself does nothing with this information. However,
3974           s390utils ships a udev rule which parses this information and
3975           applies it to the interface.
3976
3977           Format: dict of string to string
3978
3979       s390-subchannels
3980           Identifies specific subchannels that this network device uses for
3981           communication with z/VM or s390 host. Like the "mac-address"
3982           property for non-z/VM devices, this property can be used to ensure
3983           this connection only applies to the network device that uses these
3984           subchannels. The list should contain exactly 3 strings, and each
3985           string may only be composed of hexadecimal characters and the
3986           period (.) character.
3987
3988           Format: array of string
3989
3990       speed
3991           When a value greater than 0 is set, configures the device to use
3992           the specified speed. If "auto-negotiate" is "yes" the specified
3993           speed will be the only one advertised during link negotiation: this
3994           works only for BASE-T 802.3 specifications and is useful for
3995           enforcing gigabit speeds, as in this case link negotiation is
3996           mandatory. If the value is unset (0, the default), the link
3997           configuration will be either skipped (if "auto-negotiate" is "no",
3998           the default) or will be auto-negotiated (if "auto-negotiate" is
3999           "yes") and the local device will advertise all the supported
4000           speeds. In Mbit/s, ie 100 == 100Mbit/s. Must be set together with
4001           the "duplex" property when non-zero. Before specifying a speed
4002           value be sure your device supports it.
4003
4004           Format: uint32
4005
4006       wake-on-lan
4007           The NMSettingWiredWakeOnLan options to enable. Not all devices
4008           support all options. May be any combination of
4009           NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
4010           NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
4011           NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
4012           NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
4013           NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
4014           NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
4015           NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
4016           and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
4017           management of Wake-on-LAN in NetworkManager).
4018
4019           Format: uint32
4020
4021       wake-on-lan-password
4022           If specified, the password used with magic-packet-based
4023           Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
4024           password will be required.
4025
4026           Format: string
4027
4028   wireguard setting
4029       WireGuard Settings.
4030
4031       Properties:
4032
4033       fwmark
4034           The use of fwmark is optional and is by default off. Setting it to
4035           0 disables it. Otherwise, it is a 32-bit fwmark for outgoing
4036           packets. Note that "ip4-auto-default-route" or
4037           "ip6-auto-default-route" enabled, implies to automatically choose a
4038           fwmark.
4039
4040           Format: uint32
4041
4042       ip4-auto-default-route
4043           Whether to enable special handling of the IPv4 default route. If
4044           enabled, the IPv4 default route from wireguard.peer-routes will be
4045           placed to a dedicated routing-table and two policy routing rules
4046           will be added. The fwmark number is also used as routing-table for
4047           the default-route, and if fwmark is zero, an unused fwmark/table is
4048           chosen automatically. This corresponds to what wg-quick does with
4049           Table=auto and what WireGuard calls "Improved Rule-based Routing".
4050           Note that for this automatism to work, you usually don't want to
4051           set ipv4.gateway, because that will result in a conflicting default
4052           route. Leaving this at the default will enable this option
4053           automatically if ipv4.never-default is not set and there are any
4054           peers that use a default-route as allowed-ips.
4055
4056           Format: NMTernary (int32)
4057
4058       ip6-auto-default-route
4059           Like ip4-auto-default-route, but for the IPv6 default route.
4060
4061           Format: NMTernary (int32)
4062
4063       listen-port
4064           The listen-port. If listen-port is not specified, the port will be
4065           chosen randomly when the interface comes up.
4066
4067           Format: uint32
4068
4069       mtu
4070           If non-zero, only transmit packets of the specified size or
4071           smaller, breaking larger packets up into multiple fragments. If
4072           zero a default MTU is used. Note that contrary to wg-quick's MTU
4073           setting, this does not take into account the current routes at the
4074           time of activation.
4075
4076           Format: uint32
4077
4078       peer-routes
4079           Whether to automatically add routes for the AllowedIPs ranges of
4080           the peers. If TRUE (the default), NetworkManager will automatically
4081           add routes in the routing tables according to ipv4.route-table and
4082           ipv6.route-table. Usually you want this automatism enabled. If
4083           FALSE, no such routes are added automatically. In this case, the
4084           user may want to configure static routes in ipv4.routes and
4085           ipv6.routes, respectively. Note that if the peer's AllowedIPs is
4086           "0.0.0.0/0" or "::/0" and the profile's ipv4.never-default or
4087           ipv6.never-default setting is enabled, the peer route for this peer
4088           won't be added automatically.
4089
4090           Format: boolean
4091
4092       private-key
4093           The 256 bit private-key in base64 encoding.
4094
4095           Format: string
4096
4097       private-key-flags
4098           Flags indicating how to handle the "private-key" property. See the
4099           section called “Secret flag types:” for flag values.
4100
4101           Format: NMSettingSecretFlags (uint32)
4102
4103   802-11-wireless setting
4104       Alias: wifi
4105
4106       Wi-Fi Settings.
4107
4108       Properties:
4109
4110       ap-isolation
4111           Configures AP isolation, which prevents communication between
4112           wireless devices connected to this AP. This property can be set to
4113           a value different from NM_TERNARY_DEFAULT (-1) only when the
4114           interface is configured in AP mode. If set to NM_TERNARY_TRUE (1),
4115           devices are not able to communicate with each other. This increases
4116           security because it protects devices against attacks from other
4117           clients in the network. At the same time, it prevents devices to
4118           access resources on the same wireless networks as file shares,
4119           printers, etc. If set to NM_TERNARY_FALSE (0), devices can talk to
4120           each other. When set to NM_TERNARY_DEFAULT (-1), the global default
4121           is used; in case the global default is unspecified it is assumed to
4122           be NM_TERNARY_FALSE (0).
4123
4124           Format: NMTernary (int32)
4125
4126       band
4127           802.11 frequency band of the network. One of "a" for 5GHz 802.11a
4128           or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
4129           network to the specific band, i.e. if "a" is specified, the device
4130           will not associate with the same network in the 2.4GHz band even if
4131           the network's settings are compatible. This setting depends on
4132           specific driver capability and may not work with all drivers.
4133
4134           Format: string
4135
4136       bssid
4137           If specified, directs the device to only associate with the given
4138           access point. This capability is highly driver dependent and not
4139           supported by all devices. Note: this property does not control the
4140           BSSID used when creating an Ad-Hoc network and is unlikely to in
4141           the future.
4142
4143           Format: byte array
4144
4145       channel
4146           Wireless channel to use for the Wi-Fi connection. The device will
4147           only join (or create for Ad-Hoc networks) a Wi-Fi network on the
4148           specified channel. Because channel numbers overlap between bands,
4149           this property also requires the "band" property to be set.
4150
4151           Format: uint32
4152
4153       cloned-mac-address
4154           Alias: cloned-mac
4155
4156           If specified, request that the device use this MAC address instead.
4157           This is known as MAC cloning or spoofing. Beside explicitly
4158           specifying a MAC address, the special values "preserve",
4159           "permanent", "random" and "stable" are supported. "preserve" means
4160           not to touch the MAC address on activation. "permanent" means to
4161           use the permanent hardware address of the device. "random" creates
4162           a random MAC address on each connect. "stable" creates a hashed MAC
4163           address based on connection.stable-id and a machine dependent key.
4164           If unspecified, the value can be overwritten via global defaults,
4165           see manual of NetworkManager.conf. If still unspecified, it
4166           defaults to "preserve" (older versions of NetworkManager may use a
4167           different default value). On D-Bus, this field is expressed as
4168           "assigned-mac-address" or the deprecated "cloned-mac-address".
4169
4170           Format: byte array
4171
4172       generate-mac-address-mask
4173           With "cloned-mac-address" setting "random" or "stable", by default
4174           all bits of the MAC address are scrambled and a
4175           locally-administered, unicast MAC address is created. This property
4176           allows to specify that certain bits are fixed. Note that the least
4177           significant bit of the first MAC address will always be unset to
4178           create a unicast MAC address. If the property is NULL, it is
4179           eligible to be overwritten by a default connection setting. If the
4180           value is still NULL or an empty string, the default is to create a
4181           locally-administered, unicast MAC address. If the value contains
4182           one MAC address, this address is used as mask. The set bits of the
4183           mask are to be filled with the current MAC address of the device,
4184           while the unset bits are subject to randomization. Setting
4185           "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC
4186           address and only randomize the lower 3 bytes using the "random" or
4187           "stable" algorithm. If the value contains one additional MAC
4188           address after the mask, this address is used instead of the current
4189           MAC address to fill the bits that shall not be randomized. For
4190           example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set
4191           the OUI of the MAC address to 68:F7:28, while the lower bits are
4192           randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will
4193           create a fully scrambled globally-administered, burned-in MAC
4194           address. If the value contains more than one additional MAC
4195           addresses, one of them is chosen randomly. For example,
4196           "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create
4197           a fully scrambled MAC address, randomly locally or globally
4198           administered.
4199
4200           Format: string
4201
4202       hidden
4203           If TRUE, indicates that the network is a non-broadcasting network
4204           that hides its SSID. This works both in infrastructure and AP mode.
4205           In infrastructure mode, various workarounds are used for a more
4206           reliable discovery of hidden networks, such as probe-scanning the
4207           SSID. However, these workarounds expose inherent insecurities with
4208           hidden SSID networks, and thus hidden SSID networks should be used
4209           with caution. In AP mode, the created network does not broadcast
4210           its SSID. Note that marking the network as hidden may be a privacy
4211           issue for you (in infrastructure mode) or client stations (in AP
4212           mode), as the explicit probe-scans are distinctly recognizable on
4213           the air.
4214
4215           Format: boolean
4216
4217       mac-address
4218           Alias: mac
4219
4220           If specified, this connection will only apply to the Wi-Fi device
4221           whose permanent MAC address matches. This property does not change
4222           the MAC address of the device (i.e. MAC spoofing).
4223
4224           Format: byte array
4225
4226       mac-address-blacklist
4227           A list of permanent MAC addresses of Wi-Fi devices to which this
4228           connection should never apply. Each MAC address should be given in
4229           the standard hex-digits-and-colons notation (eg
4230           "00:11:22:33:44:55").
4231
4232           Format: array of string
4233
4234       mac-address-randomization
4235           One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
4236           unless the user has set a global default to randomize and the
4237           supplicant supports randomization),
4238           NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
4239           address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
4240           randomize the MAC address). This property is deprecated for
4241           'cloned-mac-address'. Deprecated: 1
4242
4243           Format: uint32
4244
4245       mode
4246           Alias: mode
4247
4248           Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
4249           "ap". If blank, infrastructure is assumed.
4250
4251           Format: string
4252
4253       mtu
4254           Alias: mtu
4255
4256           If non-zero, only transmit packets of the specified size or
4257           smaller, breaking larger packets up into multiple Ethernet frames.
4258
4259           Format: uint32
4260
4261       powersave
4262           One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
4263           power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
4264           Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
4265           (don't touch currently configure setting) or
4266           NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
4267           configured value). All other values are reserved.
4268
4269           Format: uint32
4270
4271       rate
4272           If non-zero, directs the device to only use the specified bitrate
4273           for communication with the access point. Units are in Kb/s, ie 5500
4274           = 5.5 Mbit/s. This property is highly driver dependent and not all
4275           devices support setting a static bitrate.
4276
4277           Format: uint32
4278
4279       seen-bssids
4280           A list of BSSIDs (each BSSID formatted as a MAC address like
4281           "00:11:22:33:44:55") that have been detected as part of the Wi-Fi
4282           network. NetworkManager internally tracks previously seen BSSIDs.
4283           The property is only meant for reading and reflects the BSSID list
4284           of NetworkManager. The changes you make to this property will not
4285           be preserved.
4286
4287           Format: array of string
4288
4289       ssid
4290           Alias: ssid
4291
4292           SSID of the Wi-Fi network. Must be specified.
4293
4294           Format: byte array
4295
4296       tx-power
4297           If non-zero, directs the device to use the specified transmit
4298           power. Units are dBm. This property is highly driver dependent and
4299           not all devices support setting a static transmit power.
4300
4301           Format: uint32
4302
4303       wake-on-wlan
4304           The NMSettingWirelessWakeOnWLan options to enable. Not all devices
4305           support all options. May be any combination of
4306           NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
4307           NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
4308           NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
4309           NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
4310           NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
4311           NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
4312           NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
4313           NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
4314           NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
4315           settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
4316           disable management of Wake-on-LAN in NetworkManager).
4317
4318           Format: uint32
4319
4320   802-11-wireless-security setting
4321       Alias: wifi-sec
4322
4323       Wi-Fi Security Settings.
4324
4325       Properties:
4326
4327       auth-alg
4328           When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate
4329           the 802.11 authentication algorithm required by the AP here. One of
4330           "open" for Open System, "shared" for Shared Key, or "leap" for
4331           Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and
4332           auth-alg = "leap") the "leap-username" and "leap-password"
4333           properties must be specified.
4334
4335           Format: string
4336
4337       fils
4338           Indicates whether Fast Initial Link Setup (802.11ai) must be
4339           enabled for the connection. One of
4340           NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
4341           value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
4342           FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
4343           if the supplicant and the access point support it) or
4344           NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
4345           fail if not supported). When set to
4346           NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
4347           is set, FILS will be optionally enabled.
4348
4349           Format: int32
4350
4351       group
4352           A list of group/broadcast encryption algorithms which prevents
4353           connections to Wi-Fi networks that do not utilize one of the
4354           algorithms in the list. For maximum compatibility leave this
4355           property empty. Each list element may be one of "wep40", "wep104",
4356           "tkip", or "ccmp".
4357
4358           Format: array of string
4359
4360       key-mgmt
4361           Key management used for the connection. One of "none" (WEP or no
4362           password protection), "ieee8021x" (Dynamic WEP), "owe"
4363           (Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3
4364           personal), "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3
4365           enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only). This
4366           property must be set for any Wi-Fi connection that uses security.
4367
4368           Format: string
4369
4370       leap-password
4371           The login password for legacy LEAP connections (ie, key-mgmt =
4372           "ieee8021x" and auth-alg = "leap").
4373
4374           Format: string
4375
4376       leap-password-flags
4377           Flags indicating how to handle the "leap-password" property. See
4378           the section called “Secret flag types:” for flag values.
4379
4380           Format: NMSettingSecretFlags (uint32)
4381
4382       leap-username
4383           The login username for legacy LEAP connections (ie, key-mgmt =
4384           "ieee8021x" and auth-alg = "leap").
4385
4386           Format: string
4387
4388       pairwise
4389           A list of pairwise encryption algorithms which prevents connections
4390           to Wi-Fi networks that do not utilize one of the algorithms in the
4391           list. For maximum compatibility leave this property empty. Each
4392           list element may be one of "tkip" or "ccmp".
4393
4394           Format: array of string
4395
4396       pmf
4397           Indicates whether Protected Management Frames (802.11w) must be
4398           enabled for the connection. One of
4399           NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
4400           value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
4401           NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
4402           supplicant and the access point support it) or
4403           NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
4404           if not supported). When set to
4405           NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
4406           is set, PMF will be optionally enabled.
4407
4408           Format: int32
4409
4410       proto
4411           List of strings specifying the allowed WPA protocol versions to
4412           use. Each element may be one "wpa" (allow WPA) or "rsn" (allow
4413           WPA2/RSN). If not specified, both WPA and RSN connections are
4414           allowed.
4415
4416           Format: array of string
4417
4418       psk
4419           Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
4420           passphrase of 8 to 63 characters that is (as specified in the
4421           802.11i standard) hashed to derive the actual key, or the key in
4422           form of 64 hexadecimal character. The WPA3-Personal networks use a
4423           passphrase of any length for SAE authentication.
4424
4425           Format: string
4426
4427       psk-flags
4428           Flags indicating how to handle the "psk" property. See the section
4429           called “Secret flag types:” for flag values.
4430
4431           Format: NMSettingSecretFlags (uint32)
4432
4433       wep-key-flags
4434           Flags indicating how to handle the "wep-key0", "wep-key1",
4435           "wep-key2", and "wep-key3" properties. See the section called
4436           “Secret flag types:” for flag values.
4437
4438           Format: NMSettingSecretFlags (uint32)
4439
4440       wep-key-type
4441           Controls the interpretation of WEP keys. Allowed values are
4442           NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
4443           26-character hexadecimal string, or a 5- or 13-character ASCII
4444           password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
4445           passphrase is provided as a string and will be hashed using the
4446           de-facto MD5 method to derive the actual WEP key.
4447
4448           Format: NMWepKeyType (uint32)
4449
4450       wep-key0
4451           Index 0 WEP key. This is the WEP key used in most networks. See the
4452           "wep-key-type" property for a description of how this key is
4453           interpreted.
4454
4455           Format: string
4456
4457       wep-key1
4458           Index 1 WEP key. This WEP index is not used by most networks. See
4459           the "wep-key-type" property for a description of how this key is
4460           interpreted.
4461
4462           Format: string
4463
4464       wep-key2
4465           Index 2 WEP key. This WEP index is not used by most networks. See
4466           the "wep-key-type" property for a description of how this key is
4467           interpreted.
4468
4469           Format: string
4470
4471       wep-key3
4472           Index 3 WEP key. This WEP index is not used by most networks. See
4473           the "wep-key-type" property for a description of how this key is
4474           interpreted.
4475
4476           Format: string
4477
4478       wep-tx-keyidx
4479           When static WEP is used (ie, key-mgmt = "none") and a non-default
4480           WEP key index is used by the AP, put that WEP key index here. Valid
4481           values are 0 (default key) through 3. Note that some consumer
4482           access points (like the Linksys WRT54G) number the keys 1 - 4.
4483
4484           Format: uint32
4485
4486       wps-method
4487           Flags indicating which mode of WPS is to be used if any. There's
4488           little point in changing the default setting as NetworkManager will
4489           automatically determine whether it's feasible to start WPS
4490           enrollment from the Access Point capabilities. WPS can be disabled
4491           by setting this property to a value of 1.
4492
4493           Format: uint32
4494
4495   wpan setting
4496       IEEE 802.15.4 (WPAN) MAC Settings.
4497
4498       Properties:
4499
4500       channel
4501           Alias: channel
4502
4503           IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
4504           set, use whatever the device is already set to".
4505
4506           Format: int32
4507
4508       mac-address
4509           Alias: mac
4510
4511           If specified, this connection will only apply to the IEEE 802.15.4
4512           (WPAN) MAC layer device whose permanent MAC address matches.
4513
4514           Format: string
4515
4516       page
4517           Alias: page
4518
4519           IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
4520           not set, use whatever the device is already set to".
4521
4522           Format: int32
4523
4524       pan-id
4525           Alias: pan-id
4526
4527           IEEE 802.15.4 Personal Area Network (PAN) identifier.
4528
4529           Format: uint32
4530
4531       short-address
4532           Alias: short-addr
4533
4534           Short IEEE 802.15.4 address to be used within a restricted
4535           environment.
4536
4537           Format: uint32
4538
4539   bond-port setting
4540       Bond Port Settings.
4541
4542       Properties:
4543
4544       queue-id
4545           Alias: queue-id
4546
4547           The queue ID of this bond port. The maximum value of queue ID is
4548           the number of TX queues currently active in device.
4549
4550           Format: uint32
4551
4552   hostname setting
4553       Hostname settings.
4554
4555       Properties:
4556
4557       from-dhcp
4558           Whether the system hostname can be determined from DHCP on this
4559           connection. When set to NM_TERNARY_DEFAULT (-1), the value from
4560           global configuration is used. If the property doesn't have a value
4561           in the global configuration, NetworkManager assumes the value to be
4562           NM_TERNARY_TRUE (1).
4563
4564           Format: NMTernary (int32)
4565
4566       from-dns-lookup
4567           Whether the system hostname can be determined from reverse DNS
4568           lookup of addresses on this device. When set to NM_TERNARY_DEFAULT
4569           (-1), the value from global configuration is used. If the property
4570           doesn't have a value in the global configuration, NetworkManager
4571           assumes the value to be NM_TERNARY_TRUE (1).
4572
4573           Format: NMTernary (int32)
4574
4575       only-from-default
4576           If set to NM_TERNARY_TRUE (1), NetworkManager attempts to get the
4577           hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this device
4578           only when the device has the default route for the given address
4579           family (IPv4/IPv6). If set to NM_TERNARY_FALSE (0), the hostname
4580           can be set from this device even if it doesn't have the default
4581           route. When set to NM_TERNARY_DEFAULT (-1), the value from global
4582           configuration is used. If the property doesn't have a value in the
4583           global configuration, NetworkManager assumes the value to be
4584           NM_TERNARY_FALSE (0).
4585
4586           Format: NMTernary (int32)
4587
4588       priority
4589           The relative priority of this connection to determine the system
4590           hostname. A lower numerical value is better (higher priority). A
4591           connection with higher priority is considered before connections
4592           with lower priority. If the value is zero, it can be overridden by
4593           a global value from NetworkManager configuration. If the property
4594           doesn't have a value in the global configuration, the value is
4595           assumed to be 100. Negative values have the special effect of
4596           excluding other connections with a greater numerical priority
4597           value; so in presence of at least one negative priority, only
4598           connections with the lowest priority value will be used to
4599           determine the hostname.
4600
4601           Format: int32
4602
4603   veth setting
4604       Veth Settings.
4605
4606       Properties:
4607
4608       peer
4609           Alias: peer
4610
4611           This property specifies the peer interface name of the veth. This
4612           property is mandatory.
4613
4614           Format: string
4615
4616   Secret flag types:
4617       Each password or secret property in a setting has an associated flags
4618       property that describes how to handle that secret. The flags property
4619       is a bitfield that contains zero or more of the following values
4620       logically OR-ed together.
4621
4622       •   0x0 (none) - the system is responsible for providing and storing
4623           this secret. This may be required so that secrets are already
4624           available before the user logs in. It also commonly means that the
4625           secret will be stored in plain text on disk, accessible to root
4626           only. For example via the keyfile settings plugin as described in
4627           the "PLUGINS" section in NetworkManager.conf(5).
4628
4629       •   0x1 (agent-owned) - a user-session secret agent is responsible for
4630           providing and storing this secret; when it is required, agents will
4631           be asked to provide it.
4632
4633       •   0x2 (not-saved) - this secret should not be saved but should be
4634           requested from the user each time it is required. This flag should
4635           be used for One-Time-Pad secrets, PIN codes from hardware tokens,
4636           or if the user simply does not want to save the secret.
4637
4638       •   0x4 (not-required) - in some situations it cannot be automatically
4639           determined that a secret is required or not. This flag hints that
4640           the secret is not required and should not be requested from the
4641           user.
4642

FILES

4644       /etc/NetworkManager/system-connections or distro plugin-specific
4645       location
4646

SEE ALSO

4648       nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
4649       nm-settings-keyfile(5), NetworkManager.conf(5)
4650
4651
4652
4653NetworkManager 1.38.0                                     NM-SETTINGS-NMCLI(5)
Impressum