1 NM-SETTINGS-NMCLI(5) Configuration NM-SETTINGS-NMCLI(5)
2
3
4
6 nm-settings-nmcli - Description of settings and properties of
7 NetworkManager connection profiles for nmcli
8
10 NetworkManager is based on a concept of connection profiles, sometimes
11 referred to as connections only. These connection profiles contain a
12 network configuration. When NetworkManager activates a connection
13 profile on a network device the configuration will be applied and an
14 active network connection will be established. Users are free to create
15 as many connection profiles as they see fit. Thus they are flexible in
16 having various network configurations for different networking needs.
17
18 NetworkManager provides an API for configuring connection profiles, for
19 activating them to configure the network, and inspecting the current
20 network configuration. The command line tool nmcli is a client
21 application to NetworkManager that uses this API. See nmcli(1) for
22 details.
23
24 With commands like nmcli connection add, nmcli connection modify and
25 nmcli connection show, connection profiles can be created, modified and
26 inspected. A profile consists of properties. On D-Bus, properties follow
27 the format described by nm-settings-dbus(5), while this manual page
28 describes the format in which nmcli expects them.
29
30 The settings and properties in the tables below list all available
31 connection configuration options. Note, however, that not all settings
32 are applicable to all connection types. The nmcli connection editor
33 also has a built-in describe command that displays the description of
34 particular settings and properties from this page.
35
36 Setting and property names can be abbreviated as long as they remain
37 unique. The list below also shows aliases that can be used unqualified
38 instead of the full name. For example, connection.interface-name and
39 ifname refer to the same property.
40
41 connection setting
42 General Connection Profile Settings.
43
44 Properties:
45
46 auth-retries
47 The number of authentication retries. Zero means to retry
48 indefinitely; -1 means to use the global default. If the global
49 default is not set, authentication is retried 3 times before the
50 connection fails.
51
52 Currently, this only applies to 802-1x authentication.
53
54 Format: int32
55
56 autoconnect
57 Alias: autoconnect
58
59 Whether or not the connection should be automatically connected by
60 NetworkManager when the resources for the connection are available.
61 TRUE to automatically activate the connection, FALSE to require
62 manual intervention to activate the connection.
63
64 Autoconnect happens when the circumstances are suitable. That means
65 for example that the device is currently managed and not active.
66 Autoconnect thus never replaces or competes with an already active
67 profile.
68
69 Note that autoconnect is not implemented for VPN profiles. See
70 "secondaries" as an alternative to automatically connect VPN
71 profiles.
72
73 If multiple profiles are ready to autoconnect on the same device,
74 the one with the better "connection.autoconnect-priority" is
75 chosen. If the priorities are equal, then the most recently
76 connected profile is activated. If the profiles were not connected
77 earlier or their "connection.timestamp" is identical, the choice is
78 undefined.
79
80 Depending on "connection.multi-connect", a profile can
81 (auto)connect only once at a time or multiple times.
82
83 Format: boolean
84
85 autoconnect-priority
86 The autoconnect priority in range -999 to 999. If the connection is
87 set to autoconnect, connections with higher priority will be
88 preferred. The higher number means higher priority. Defaults to 0.
89 Note that this property only matters if there is more than one
90 candidate profile to select for autoconnect. In case of equal
91 priority, the profile used most recently is chosen.
92
93 Format: int32
94
95 autoconnect-retries
96 The number of times a connection should be tried when
97 autoactivating before giving up. Zero means forever, -1 means the
98 global default (4 times if not overridden). Setting this to 1 means
99 to try activation only once before blocking autoconnect. Note that
100 after a timeout, NetworkManager will try to autoconnect again.
101
102 Format: int32
103
104 autoconnect-slaves
105 Whether or not slaves of this connection should be automatically
106 brought up when NetworkManager activates this connection. This only
107 has a real effect for master connections. The properties
108 "autoconnect", "autoconnect-priority" and "autoconnect-retries" are
109 unrelated to this setting. The permitted values are: 0: leave slave
110 connections untouched, 1: activate all the slave connections with
111 this connection, -1: default. If -1 (default) is set, the global
112 connection.autoconnect-slaves is read to determine the real value.
113 If it is default as well, this falls back to 0.
114
115 Format: NMSettingConnectionAutoconnectSlaves (int32)
116
117 dns-over-tls
118 Whether DNSOverTls (dns-over-tls) is enabled for the connection.
119 DNSOverTls is a technology which uses TLS to encrypt DNS traffic.
120
121 The permitted values are: "yes" (2) use DNSOverTls and disable
122 fallback, "opportunistic" (1) use DNSOverTls but allow fallback to
123 unencrypted resolution, "no" (0) never use DNSOverTls. If
124 unspecified, "default" depends on the plugin used. systemd-resolved
125 uses its global setting.
126
127 This feature requires a plugin which supports DNSOverTls.
128 Otherwise, the setting has no effect. One such plugin is
129 dns-systemd-resolved.
130
131 Format: int32
132
133 gateway-ping-timeout
134 If greater than zero, delay success of IP addressing until either
135 the timeout is reached, or an IP gateway replies to a ping.
136
137 Format: uint32
138
139 id
140 Alias: con-name
141
142 A human readable unique identifier for the connection, like "Work
143 Wi-Fi" or "T-Mobile 3G".
144
145 Format: string
146
147 interface-name
148 Alias: ifname
149
150 The name of the network interface this connection is bound to. If
151 not set, then the connection can be attached to any interface of
152 the appropriate type (subject to restrictions imposed by other
153 settings).
154
155 For software devices this specifies the name of the created device.
156
157 For connection types where interface names cannot easily be made
158 persistent (e.g. mobile broadband or USB Ethernet), this property
159 should not be used. Setting this property restricts the interfaces
160 a connection can be used with, and if interface names change or are
161 reordered the connection may be applied to the wrong interface.
162
163 Format: string
164
165 lldp
166 Whether LLDP is enabled for the connection.
167
168 Format: int32
169
170 llmnr
171 Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
172 the connection. LLMNR is a protocol based on the Domain Name System
173 (DNS) packet format that allows both IPv4 and IPv6 hosts to perform
174 name resolution for hosts on the same local link.
175
176 The permitted values are: "yes" (2) register hostname and resolving
177 for the connection, "no" (0) disable LLMNR for the interface,
178 "resolve" (1) do not register hostname but allow resolving of LLMNR
179 host names. If unspecified, "default" ultimately depends on the DNS
180 plugin (which for systemd-resolved currently means "yes").
181
182 This feature requires a plugin which supports LLMNR. Otherwise, the
183 setting has no effect. One such plugin is dns-systemd-resolved.
184
185 Format: int32
186
187 master
188 Alias: master
189
190 Interface name of the master device or UUID of the master
191 connection.
192
193 Format: string
194
195 mdns
196 Whether mDNS is enabled for the connection.
197
198 The permitted values are: "yes" (2) register hostname and resolving
199 for the connection, "no" (0) disable mDNS for the interface,
200 "resolve" (1) do not register hostname but allow resolving of mDNS
201 host names and "default" (-1) to allow lookup of a global default
202 in NetworkManager.conf. If unspecified, "default" ultimately
203 depends on the DNS plugin (which for systemd-resolved currently
204 means "no").
205
206 This feature requires a plugin which supports mDNS. Otherwise, the
207 setting has no effect. One such plugin is dns-systemd-resolved.
208
209 Format: int32
210
211 metered
212 Whether the connection is metered.
213
214 When updating this property on a currently activated connection,
215 the change takes effect immediately.
216
217 Format: NMMetered (int32)
218
219 mptcp-flags
220 Whether to configure MPTCP endpoints and the address flags. If
221 MPTCP is enabled in NetworkManager, it will configure the addresses
222 of the interface as MPTCP endpoints. Note that IPv4 loopback
223 addresses (127.0.0.0/8), IPv4 link local addresses
224 (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local
225 addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7)
226 and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy)
227 will be excluded from being configured as endpoints.
228
229 If "disabled" (0x1), MPTCP handling for the interface is disabled
230 and no endpoints are registered.
231
232 The "enabled" (0x2) flag means that MPTCP handling is enabled. This
233 flag can also be implied from the presence of other flags.
234
235 Even when enabled, MPTCP handling will by default still be disabled
236 unless "/proc/sys/net/mptcp/enabled" sysctl is on. NetworkManager
237 does not change the sysctl and this is up to the administrator or
238 distribution. To configure endpoints even if the sysctl is
239 disabled, "also-without-sysctl" (0x4) flag can be used. In that
240 case, NetworkManager doesn't look at the sysctl and configures
241 endpoints regardless.
242
243 Even when enabled, NetworkManager will only configure MPTCP
244 endpoints for a certain address family, if there is a unicast
245 default route (0.0.0.0/0 or ::/0) in the main routing table. The
246 flag "also-without-default-route" (0x8) can override that.
247
248 When MPTCP handling is enabled then endpoints are configured with
249 the specified address flags "signal" (0x10), "subflow" (0x20),
250 "backup" (0x40), "fullmesh" (0x80). See ip-mptcp(8) manual for
251 additional information about the flags.
252
253 If the flags are zero (0x0), the global connection default from
254 NetworkManager.conf is honored. If still unspecified, the fallback
255 is "enabled,subflow". Note that this means that MPTCP is by default
256 done depending on the "/proc/sys/net/mptcp/enabled" sysctl.
257
258 NetworkManager does not change the MPTCP limits nor enable MPTCP
259 via "/proc/sys/net/mptcp/enabled". That is a host configuration
260 which the admin can change via sysctl and ip-mptcp.
261
262 Strict reverse path filtering (rp_filter) breaks many MPTCP use
263 cases, so when MPTCP handling for IPv4 addresses on the interface
264 is enabled, NetworkManager would loosen the strict reverse path
265 filtering (1) to the loose setting (2).
266
267 Format: uint32
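
Added example (not part of the NetworkManager manual or code): a Python decoder for a connection.mptcp-flags value that applies the rules above to predict whether endpoints get configured for one address family. The function names, and the rule that "disabled" wins when combined with other flags, are assumptions of this example.

```python
"""Decode connection.mptcp-flags and apply the rules from this page.

Added example, not NetworkManager code. Function names are hypothetical.
"""

DISABLED = 0x1
ENABLED = 0x2
ALSO_WITHOUT_SYSCTL = 0x4
ALSO_WITHOUT_DEFAULT_ROUTE = 0x8
SIGNAL, SUBFLOW, BACKUP, FULLMESH = 0x10, 0x20, 0x40, 0x80

FLAG_NAMES = {
    DISABLED: "disabled",
    ENABLED: "enabled",
    ALSO_WITHOUT_SYSCTL: "also-without-sysctl",
    ALSO_WITHOUT_DEFAULT_ROUTE: "also-without-default-route",
    SIGNAL: "signal",
    SUBFLOW: "subflow",
    BACKUP: "backup",
    FULLMESH: "fullmesh",
}
NAME_TO_BIT = {name: bit for bit, name in FLAG_NAMES.items()}
ALL_BITS = 0xFF
FALLBACK = ENABLED | SUBFLOW  # "enabled,subflow", used when nothing is set


def parse_flags(text):
    """Accept a number ("0x22", "34") or comma-separated names."""
    text = text.strip()
    try:
        value = int(text, 0)
    except ValueError:
        value = 0
        for name in (part.strip() for part in text.split(",")):
            if name not in NAME_TO_BIT:
                raise ValueError(f"unknown mptcp flag name: {name!r}")
            value |= NAME_TO_BIT[name]
    if value < 0 or value & ~ALL_BITS:
        raise ValueError(f"value {value:#x} has bits this page does not define")
    return value


def flag_names(value):
    """Names of the flags set in value, lowest bit first."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def effective_flags(profile_value, global_default=0):
    """Zero in the profile defers to NetworkManager.conf, then to the fallback."""
    return profile_value or global_default or FALLBACK


def endpoints_configured(profile_value, sysctl_enabled, has_default_route,
                         global_default=0):
    """Predict whether endpoints are configured for one address family.

    sysctl_enabled    -- state of /proc/sys/net/mptcp/enabled
    has_default_route -- unicast default route for this family in the
                         main routing table
    """
    flags = effective_flags(profile_value, global_default)
    if flags & DISABLED:
        # Assumption: "disabled" wins if it is combined with other flags.
        return False
    # "enabled" is either explicit or implied by the other flags.
    if not sysctl_enabled and not flags & ALSO_WITHOUT_SYSCTL:
        return False
    if not has_default_route and not flags & ALSO_WITHOUT_DEFAULT_ROUTE:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: (flags value, sysctl on?, default route present?)
    cases = [("0", False, True),
             ("enabled,subflow,also-without-sysctl", False, True),
             ("0x2a", True, False),
             ("disabled", True, True)]
    for text, sysctl, route in cases:
        flags = effective_flags(parse_flags(text))
        print(f"{text!r}: effective={','.join(flag_names(flags))} "
              f"endpoints={endpoints_configured(flags, sysctl, route)}")
```

A profile for which this predicts endpoints on IPv4 is also one where, per the paragraph above, strict rp_filter on the interface is relaxed to loose.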
268
269 mud-url
270 If configured, set to a Manufacturer Usage Description (MUD) URL
271 that points to manufacturer-recommended network policies for IoT
272 devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
273 must be a valid URL starting with "https://".
274
275 The special value "none" is allowed to indicate that no MUD URL is
276 used.
277
278 If the per-profile value is unspecified (the default), a global
279 connection default gets consulted. If still unspecified, the
280 ultimate default is "none".
281
282 Format: string
283
284 multi-connect
285 Specifies whether the profile can be active multiple times at a
286 particular moment. The value is of type NMConnectionMultiConnect.
287
288 Format: int32
289
290 permissions
291 An array of strings defining what access a given user has to this
292 connection. If this is NULL or empty, all users are allowed to
293 access this connection; otherwise users are allowed if and only if
294 they are in this list. When this is not empty, the connection can
295 be active only when one of the specified users is logged into an
296 active session. Each entry is of the form "[type]:[id]:[reserved]";
297 for example, "user:dcbw:blah".
298
299 At this time only the "user" [type] is allowed. Any other values
300 are ignored and reserved for future use. [id] is the username that
301 this permission refers to, which may not contain the ":" character.
302 Any [reserved] information present must be ignored and is reserved
303 for future use. All of [type], [id], and [reserved] must be valid
304 UTF-8.
305
306 Format: array of string
307
308 read-only
309 FALSE if the connection can be modified using the provided settings
310 service's D-Bus interface with the right privileges, or TRUE if the
311 connection is read-only and cannot be modified.
312
313 Format: boolean
314
315 secondaries
316 List of connection UUIDs that should be activated when the base
317 connection itself is activated. Currently, only VPN connections are
318 supported.
319
320 Format: array of string
321
322 slave-type
323 Alias: slave-type
324
325 Setting name of the device type of this slave's master connection
326 (eg, "bond"), or NULL if this connection is not a slave.
327
328 Format: string
329
330 stable-id
331 This represents the identity of the connection used for various
332 purposes. It allows multiple profiles to be configured to share the
333 same identity. Also, the stable-id can contain placeholders that are
334 substituted dynamically and deterministically depending on the
335 context.
336
337 The stable-id is used for generating IPv6 stable private addresses
338 with ipv6.addr-gen-mode=stable-privacy. It is also used to seed the
339 generated cloned MAC address for ethernet.cloned-mac-address=stable
340 and wifi.cloned-mac-address=stable. It is also used as DHCP client
341 identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
342 DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid].
343
344 Note that depending on the context where it is used, other
345 parameters are also seeded into the generation algorithm. For
346 example, a per-host key is commonly also included, so that
347 different systems end up generating different IDs. Or with
348 ipv6.addr-gen-mode=stable-privacy, also the device's name is
349 included, so that different interfaces yield different addresses.
350 The per-host key is the identity of your machine and stored in
351 /var/lib/NetworkManager/secret_key. See NetworkManager(8) manual
352 about the secret-key and the host identity.
353
354 The '$' character is treated specially to perform dynamic
355 substitutions at runtime. Currently supported are "${CONNECTION}",
356 "${DEVICE}", "${MAC}", "${BOOT}", "${RANDOM}". These effectively
357 create unique IDs per-connection, per-device, per-boot, or every
358 time. Note that "${DEVICE}" corresponds to the interface name of
359 the device and "${MAC}" is the permanent MAC address of the device.
360 Any unrecognized patterns following '$' are treated verbatim, but
361 are reserved for future use. You are thus advised to avoid
362 '$' or escape it as "$$". For example, set it to
363 "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
364 connection that changes with every reboot and differs depending on
365 the interface where the profile activates.
366
367 If the value is unset, a global connection default is consulted. If
368 the value is still unset, the default is similar to "${CONNECTION}"
369 and uses a unique, fixed ID for the connection.
370
371 Format: string
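
Added example (not NetworkManager code): a Python checker for connection.stable-id values that lists the placeholders used, flags unescaped '$' patterns, and predicts whether two activations would share an identity. It models only the placeholder substitution described above, not the hashing with the per-host key; the function names and the context values (interface name, MAC, boot label) are constructed for illustration.

```python
"""Analyze connection.stable-id placeholders (added example, not NM code)."""
import re
import secrets

# Placeholders listed on this page and what each one makes the ID depend on.
PLACEHOLDERS = {
    "CONNECTION": "per-connection",
    "DEVICE": "per-device (interface name)",
    "MAC": "per-device (permanent MAC address)",
    "BOOT": "per-boot",
    "RANDOM": "every time",
}
# "$$" escape, "${...}" pattern, or a bare '$'.
TOKEN = re.compile(r"\$\$|\$\{([^}]*)\}|\$")
# The page says the unset default is "similar to" this value.
DEFAULT = "${CONNECTION}"


def analyze(stable_id):
    """Return (placeholders used, unrecognized '$' patterns), in order."""
    used, unrecognized = [], []
    for match in TOKEN.finditer(stable_id or DEFAULT):
        if match.group(0) == "$$":
            continue  # escaped literal '$'
        if match.group(1) in PLACEHOLDERS:
            used.append(match.group(1))
        else:
            # Treated verbatim today, but reserved for future use.
            unrecognized.append(match.group(0))
    return used, unrecognized


def expand(stable_id, context):
    """Substitute placeholders with the values in context (a dict)."""
    def substitute(match):
        if match.group(0) == "$$":
            return "$"
        name = match.group(1)
        if name == "RANDOM":
            return secrets.token_hex(8)  # fresh value on every expansion
        if name in PLACEHOLDERS:
            return context[name]
        return match.group(0)  # unrecognized pattern stays verbatim
    return TOKEN.sub(substitute, stable_id or DEFAULT)


def same_identity(stable_id, ctx_a, ctx_b):
    """True if two activations would feed the same stable-id into the
    address, MAC, client-id and DUID generation."""
    return expand(stable_id, ctx_a) == expand(stable_id, ctx_b)


# Constructed contexts: same profile and NIC, before and after a reboot.
BEFORE_REBOOT = {"CONNECTION": "2815492f-7e56-435e-b2e9-246bd7cdc664",
                 "DEVICE": "eth0", "MAC": "52:54:00:12:34:56",
                 "BOOT": "boot-1"}
AFTER_REBOOT = dict(BEFORE_REBOOT, BOOT="boot-2")

if __name__ == "__main__":
    for value in (None, "${CONNECTION}-${BOOT}-${DEVICE}", "${RANDOM}",
                  "guest$net-${UNKNOWN}"):
        used, bad = analyze(value)
        scopes = [PLACEHOLDERS[name] for name in used]
        stable = same_identity(value, BEFORE_REBOOT, AFTER_REBOOT)
        print(f"{value!r}: varies {scopes}, unrecognized {bad}, "
              f"same identity across reboot: {stable}")
```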
372
373 timestamp
374 The time, in seconds since the Unix Epoch, that the connection was
375 last _successfully_ fully activated.
376
377 NetworkManager updates the connection timestamp periodically when
378 the connection is active to ensure that an active connection has
379 the latest timestamp. The property is only meant for reading
380 (changes to this property will not be preserved).
381
382 Format: uint64
383
384 type
385 Alias: type
386
387 Base type of the connection. For hardware-dependent connections,
388 should contain the setting name of the hardware-type specific
389 setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth",
390 etc), and for non-hardware dependent connections like VPN or
391 otherwise, should contain the setting name of that setting type
392 (ie, "vpn" or "bridge", etc).
393
394 Format: string
395
396 uuid
397 A universally unique identifier for the connection, for example
398 generated with libuuid. It should be assigned when the connection
399 is created, and never changed as long as the connection still
400 applies to the same network. For example, it should not be changed
401 when the "id" property or NMSettingIP4Config changes, but might
402 need to be re-created when the Wi-Fi SSID, mobile broadband network
403 provider, or "type" property changes.
404
405 The UUID must be in the format
406 "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only
407 hexadecimal characters and "-").
408
409 Format: string
410
411 wait-activation-delay
412 Time in milliseconds to wait for the connection to be considered
413 activated. The wait will start after the pre-up dispatcher event.
414
415 The value 0 means no wait time. The default value is -1, which
416 currently has the same meaning as no wait time.
417
418 Format: int32
419
420 wait-device-timeout
421 Timeout in milliseconds to wait for the device at startup. During
422 boot, devices may take a while to be detected by the driver. This
423 property delays NetworkManager-wait-online.service and nm-online
424 to give the device a chance to appear. This works by
425 waiting for the given timeout until a compatible device for the
426 profile is available and managed.
427
428 The value 0 means no wait time. The default value is -1, which
429 currently has the same meaning as no wait time.
430
431 Format: int32
432
433 zone
434 The trust level of the connection. Free form case-insensitive
435 string (for example "Home", "Work", "Public"). NULL or unspecified
436 zone means the connection will be placed in the default zone as
437 defined by the firewall.
438
439 When updating this property on a currently activated connection,
440 the change takes effect immediately.
441
442 Format: string
443
444 6lowpan setting
445 6LoWPAN Settings.
446
447 Properties:
448
449 parent
450 Alias: dev
451
452 If given, specifies the parent interface name or parent connection
453 UUID from which this 6LoWPAN interface should be created.
454
455 Format: string
456
457 802-1x setting
458 IEEE 802.1x Authentication Settings.
459
460 Properties:
461
462 altsubject-matches
463 List of strings to be matched against the altSubjectName of the
464 certificate presented by the authentication server. If the list is
465 empty, no verification of the server certificate's altSubjectName
466 is performed.
467
468 Format: array of string
469
470 anonymous-identity
471 Anonymous identity string for EAP authentication methods. Used as
472 the unencrypted identity with EAP types that support different
473 tunneled identity like EAP-TTLS.
474
475 Format: string
476
477 auth-timeout
478 A timeout for the authentication. Zero means the global default; if
479 the global default is not set, the authentication timeout is 25
480 seconds.
481
482 Format: int32
483
484 ca-cert
485 Contains the CA certificate if used by the EAP method specified in
486 the "eap" property.
487
488 Certificate data is specified using a "scheme"; three are currently
489 supported: blob, path and pkcs#11 URL. When using the blob scheme
490 this property should be set to the certificate's DER encoded data.
491 When using the path scheme, this property should be set to the full
492 UTF-8 encoded path of the certificate, prefixed with the string
493 "file://" and ending with a terminating NUL byte. This property can
494 be unset even if the EAP method supports CA certificates, but this
495 allows man-in-the-middle attacks and is NOT recommended.
496
497 Note that enabling NMSetting8021x:system-ca-certs will override
498 this setting to use the built-in path, if the built-in path is not
499 a directory.
500
501 Format: byte array
502
503 ca-cert-password
504 The password used to access the CA certificate stored in "ca-cert"
505 property. Only makes sense if the certificate is stored on a
506 PKCS#11 token that requires a login.
507
508 Format: string
509
510 ca-cert-password-flags
511 Flags indicating how to handle the "ca-cert-password" property.
512
513 Format: NMSettingSecretFlags (uint32)
514
515 ca-path
516 UTF-8 encoded path to a directory containing PEM or DER formatted
517 certificates to be added to the verification chain in addition to
518 the certificate specified in the "ca-cert" property.
519
520 If NMSetting8021x:system-ca-certs is enabled and the built-in CA
521 path is an existing directory, then this setting is ignored.
522
523 Format: string
524
525 client-cert
526 Contains the client certificate if used by the EAP method specified
527 in the "eap" property.
528
529 Certificate data is specified using a "scheme"; two are currently
530 supported: blob and path. When using the blob scheme (which is
531 backwards compatible with NM 0.7.x) this property should be set to
532 the certificate's DER encoded data. When using the path scheme,
533 this property should be set to the full UTF-8 encoded path of the
534 certificate, prefixed with the string "file://" and ending with a
535 terminating NUL byte.
536
537 Format: byte array
538
539 client-cert-password
540 The password used to access the client certificate stored in
541 "client-cert" property. Only makes sense if the certificate is
542 stored on a PKCS#11 token that requires a login.
543
544 Format: string
545
546 client-cert-password-flags
547 Flags indicating how to handle the "client-cert-password" property.
548
549 Format: NMSettingSecretFlags (uint32)
550
551 domain-match
552 Constraint for server domain name. If set, this list of FQDNs is
553 used as a match requirement for dNSName element(s) of the
554 certificate presented by the authentication server. If a matching
555 dNSName is found, this constraint is met. If no dNSName values are
556 present, this constraint is matched against SubjectName CN using
557 the same comparison. Multiple valid FQDNs can be passed as a ";"
558 delimited list.
559
560 Format: string
561
562 domain-suffix-match
563 Constraint for server domain name. If set, this FQDN is used as a
564 suffix match requirement for dNSName element(s) of the certificate
565 presented by the authentication server. If a matching dNSName is
566 found, this constraint is met. If no dNSName values are present,
567 this constraint is matched against SubjectName CN using the same
568 suffix match comparison. Since version 1.24, multiple valid FQDNs
569 can be passed as a ";" delimited list.
570
571 Format: string
572
573 eap
574 The allowed EAP method to be used when authenticating to the
575 network with 802.1x. Valid methods are: "leap", "md5", "tls",
576 "peap", "ttls", "pwd", and "fast". Each method requires different
577 configuration using the properties of this setting; refer to
578 wpa_supplicant documentation for the allowed combinations.
579
580 Format: array of string
581
582 identity
583 Identity string for EAP authentication methods. Often the user's
584 user or login name.
585
586 Format: string
587
588 optional
589 Whether the 802.1X authentication is optional. If TRUE, the
590 activation will continue even after a timeout or an authentication
591 failure. Setting the property to TRUE is currently allowed only for
592 Ethernet connections. If set to FALSE, the activation can continue
593 only after a successful authentication.
594
595 Format: boolean
596
597 pac-file
598 UTF-8 encoded file path containing PAC for EAP-FAST.
599
600 Format: string
601
602 password
603 UTF-8 encoded password used for EAP authentication methods. If both
604 the "password" property and the "password-raw" property are
605 specified, "password" is preferred.
606
607 Format: string
608
609 password-flags
610 Flags indicating how to handle the "password" property.
611
612 Format: NMSettingSecretFlags (uint32)
613
614 password-raw
615 Password used for EAP authentication methods, given as a byte array
616 to allow passwords in other encodings than UTF-8 to be used. If
617 both the "password" property and the "password-raw" property are
618 specified, "password" is preferred.
619
620 Format: byte array
621
622 password-raw-flags
623 Flags indicating how to handle the "password-raw" property.
624
625 Format: NMSettingSecretFlags (uint32)
626
627 phase1-auth-flags
628 Specifies authentication flags to use in "phase 1" outer
629 authentication using NMSetting8021xAuthFlags options. The
630 individual TLS versions can be explicitly disabled. If a certain
631 TLS disable flag is not set, it is up to the supplicant to allow or
632 forbid it. The TLS options map to tls_disable_tlsv1_x settings. See
633 the wpa_supplicant documentation for more details.
634
635 Format: uint32
636
637 phase1-fast-provisioning
638 Enables or disables in-line provisioning of EAP-FAST credentials
639 when FAST is specified as the EAP method in the "eap" property.
640 Recognized values are "0" (disabled), "1" (allow unauthenticated
641 provisioning), "2" (allow authenticated provisioning), and "3"
642 (allow both authenticated and unauthenticated provisioning). See
643 the wpa_supplicant documentation for more details.
644
645 Format: string
646
647 phase1-peaplabel
648 Forces use of the new PEAP label during key derivation. Some RADIUS
649 servers may require forcing the new PEAP label to interoperate with
650 PEAPv1. Set to "1" to force use of the new PEAP label. See the
651 wpa_supplicant documentation for more details.
652
653 Format: string
654
655 phase1-peapver
656 Forces which PEAP version is used when PEAP is set as the EAP
657 method in the "eap" property. When unset, the version reported by
658 the server will be used. Sometimes when using older RADIUS servers,
659 it is necessary to force the client to use a particular PEAP
660 version. To do so, this property may be set to "0" or "1" to force
661 that specific PEAP version.
662
663 Format: string
664
665 phase2-altsubject-matches
666 List of strings to be matched against the altSubjectName of the
667 certificate presented by the authentication server during the inner
668 "phase 2" authentication. If the list is empty, no verification of
669 the server certificate's altSubjectName is performed.
670
671 Format: array of string
672
673 phase2-auth
674 Specifies the allowed "phase 2" inner authentication method when an
675 EAP method that uses an inner TLS tunnel is specified in the "eap"
676 property. For TTLS this property selects one of the supported
677 non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while
678 "phase2-autheap" selects an EAP inner method. For PEAP this selects
679 an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each
680 "phase 2" inner method requires specific parameters for successful
681 authentication; see the wpa_supplicant documentation for more
682 details. "phase2-auth" and "phase2-autheap" cannot both be
683 specified.
684
685 Format: string
686
687 phase2-autheap
688 Specifies the allowed "phase 2" inner EAP-based authentication
689 method when TTLS is specified in the "eap" property. Recognized
690 EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc",
691 and "tls". Each "phase 2" inner method requires specific parameters
692 for successful authentication; see the wpa_supplicant documentation
693 for more details.
694
695 Format: string
696
697 phase2-ca-cert
698 Contains the "phase 2" CA certificate if used by the EAP method
699 specified in the "phase2-auth" or "phase2-autheap" properties.
700
701 Certificate data is specified using a "scheme"; three are currently
702 supported: blob, path and pkcs#11 URL. When using the blob scheme
703 this property should be set to the certificate's DER encoded data.
704 When using the path scheme, this property should be set to the full
705 UTF-8 encoded path of the certificate, prefixed with the string
706 "file://" and ending with a terminating NUL byte. This property can
707 be unset even if the EAP method supports CA certificates, but this
708 allows man-in-the-middle attacks and is NOT recommended.
709
710 Note that enabling NMSetting8021x:system-ca-certs will override
711 this setting to use the built-in path, if the built-in path is not
712 a directory.
713
714 Format: byte array
715
716 phase2-ca-cert-password
717 The password used to access the "phase2" CA certificate stored in
718 "phase2-ca-cert" property. Only makes sense if the certificate is
719 stored on a PKCS#11 token that requires a login.
720
721 Format: string
722
723 phase2-ca-cert-password-flags
724 Flags indicating how to handle the "phase2-ca-cert-password"
725 property.
726
727 Format: NMSettingSecretFlags (uint32)
728
729 phase2-ca-path
730 UTF-8 encoded path to a directory containing PEM or DER formatted
731 certificates to be added to the verification chain in addition to
732 the certificate specified in the "phase2-ca-cert" property.
733
734 If NMSetting8021x:system-ca-certs is enabled and the built-in CA
735 path is an existing directory, then this setting is ignored.
736
737 Format: string
738
739 phase2-client-cert
740 Contains the "phase 2" client certificate if used by the EAP method
741 specified in the "phase2-auth" or "phase2-autheap" properties.
742
743 Certificate data is specified using a "scheme"; two are currently
744 supported: blob and path. When using the blob scheme (which is
745 backwards compatible with NM 0.7.x) this property should be set to
746 the certificate's DER encoded data. When using the path scheme,
747 this property should be set to the full UTF-8 encoded path of the
748 certificate, prefixed with the string "file://" and ending with a
749 terminating NUL byte. This property can be unset even if the EAP
750 method supports CA certificates, but this allows man-in-the-middle
751 attacks and is NOT recommended.
752
753 Format: byte array
754
755 phase2-client-cert-password
756 The password used to access the "phase2" client certificate stored
757 in "phase2-client-cert" property. Only makes sense if the
758 certificate is stored on a PKCS#11 token that requires a login.
759
760 Format: string
761
762 phase2-client-cert-password-flags
763 Flags indicating how to handle the "phase2-client-cert-password"
764 property.
765
766 Format: NMSettingSecretFlags (uint32)
767
768 phase2-domain-match
769 Constraint for server domain name. If set, this list of FQDNs is
770 used as a match requirement for dNSName element(s) of the
771 certificate presented by the authentication server during the inner
772 "phase 2" authentication. If a matching dNSName is found, this
773 constraint is met. If no dNSName values are present, this
774 constraint is matched against SubjectName CN using the same
775 comparison. Multiple valid FQDNs can be passed as a ";" delimited
776 list.
777
778 Format: string
779
780 phase2-domain-suffix-match
781 Constraint for server domain name. If set, this FQDN is used as a
782 suffix match requirement for dNSName element(s) of the certificate
783 presented by the authentication server during the inner "phase 2"
784 authentication. If a matching dNSName is found, this constraint is
785 met. If no dNSName values are present, this constraint is matched
786 against SubjectName CN using the same suffix match comparison. Since
787 version 1.24, multiple valid FQDNs can be passed as a ";" delimited
788 list.
789
790 Format: string
791
792 phase2-private-key
793 Contains the "phase 2" inner private key when the "phase2-auth" or
794 "phase2-autheap" property is set to "tls".
795
796 Key data is specified using a "scheme"; two are currently
797 supported: blob and path. When using the blob scheme and private
798 keys, this property should be set to the key's encrypted PEM
799 encoded data. When using private keys with the path scheme, this
800 property should be set to the full UTF-8 encoded path of the key,
801 prefixed with the string "file://" and ending with a terminating
802 NUL byte. When using PKCS#12 format private keys and the blob
803 scheme, this property should be set to the PKCS#12 data and the
804 "phase2-private-key-password" property must be set to the password used
805 to decrypt the PKCS#12 certificate and key. When using PKCS#12
806 files and the path scheme, this property should be set to the full
807 UTF-8 encoded path of the key, prefixed with the string "file://"
808 and ending with a terminating NUL byte, and as with the blob scheme
809 the "phase2-private-key-password" property must be set to the
810 password used to decode the PKCS#12 private key and certificate.
811
812 Format: byte array
813
814 phase2-private-key-password
815 The password used to decrypt the "phase 2" private key specified in
816 the "phase2-private-key" property when the private key either uses
817 the path scheme, or is a PKCS#12 format key.
818
819 Format: string
820
821 phase2-private-key-password-flags
822 Flags indicating how to handle the "phase2-private-key-password"
823 property.
824
825 Format: NMSettingSecretFlags (uint32)
826
827 phase2-subject-match
828 Substring to be matched against the subject of the certificate
829 presented by the authentication server during the inner "phase 2"
830 authentication. When unset, no verification of the authentication
831 server certificate's subject is performed. This property provides
832 little security, if any, and its use is deprecated in favor of
833 NMSetting8021x:phase2-domain-suffix-match.
834
835 Format: string
836
837 pin
838 PIN used for EAP authentication methods.
839
840 Format: string
841
842 pin-flags
843 Flags indicating how to handle the "pin" property.
844
845 Format: NMSettingSecretFlags (uint32)
846
847 private-key
848 Contains the private key when the "eap" property is set to "tls".
849
850 Key data is specified using a "scheme"; two are currently
851 supported: blob and path. When using the blob scheme and private
852 keys, this property should be set to the key's encrypted PEM
853 encoded data. When using private keys with the path scheme, this
854 property should be set to the full UTF-8 encoded path of the key,
855 prefixed with the string "file://" and ending with a terminating
856 NUL byte. When using PKCS#12 format private keys and the blob
857 scheme, this property should be set to the PKCS#12 data and the
858 "private-key-password" property must be set to the password used to
859 decrypt the PKCS#12 certificate and key. When using PKCS#12 files
860 and the path scheme, this property should be set to the full UTF-8
861 encoded path of the key, prefixed with the string "file://" and
862 ending with a terminating NUL byte, and as with the blob scheme the
863 "private-key-password" property must be set to the password used to
864 decode the PKCS#12 private key and certificate.
865
866 WARNING: "private-key" is not a "secret" property, and thus
867 unencrypted private key data using the BLOB scheme may be readable
868 by unprivileged users. Private keys should always be encrypted with
869 a private key password to prevent unauthorized access to
870 unencrypted private key data.
871
872 Format: byte array
873
874 private-key-password
875 The password used to decrypt the private key specified in the
876 "private-key" property when the private key either uses the path
877 scheme, or if the private key is a PKCS#12 format key.
878
879 Format: string
880
881 private-key-password-flags
882 Flags indicating how to handle the "private-key-password" property.
883
884 Format: NMSettingSecretFlags (uint32)
885
886 subject-match
887 Substring to be matched against the subject of the certificate
888 presented by the authentication server. When unset, no verification
889 of the authentication server certificate's subject is performed.
890 This property provides little security, if any, and its use is
891 deprecated in favor of NMSetting8021x:domain-suffix-match.
892
893 Format: string
894
895 system-ca-certs
896 When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
897 using the system CA directory specified at configure time with the
898 --system-ca-path switch. The certificates in this directory are
899 added to the verification chain in addition to any certificates
900 specified by the "ca-cert" and "phase2-ca-cert" properties. If the
901 path provided with --system-ca-path is rather a file name (bundle
902 of trusted CA certificates), it overrides "ca-cert" and
903 "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
904 for wpa_supplicant).
905
906 Format: boolean
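
The server-name constraints of the 802-1x setting (subject-match, domain-match, domain-suffix-match and their phase2- counterparts) can be compared side by side. The following is an added example, not NetworkManager code: the certificate names are constructed samples, and the label-by-label suffix comparison is an assumption about how the suffix match is applied.

```python
# Added example (not NetworkManager code): the three server-name checks
# described for the 802-1x setting, run over constructed certificate names.


def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.strip().rstrip(".").lower().split(".")


def _candidates(dns_names, common_name):
    # dNSName values are used when present; the SubjectName CN is consulted
    # only if the certificate carries no dNSName at all.
    if dns_names:
        return list(dns_names)
    return [common_name] if common_name else []


def _split(constraint):
    # Several FQDNs may be given as a ";" delimited list.
    return [part.strip() for part in constraint.split(";") if part.strip()]


def domain_match(constraint, dns_names, common_name=None):
    """domain-match: one candidate name must equal one listed FQDN."""
    wanted = [_labels(fqdn) for fqdn in _split(constraint)]
    return any(_labels(c) in wanted for c in _candidates(dns_names, common_name))


def domain_suffix_match(constraint, dns_names, common_name=None):
    """domain-suffix-match: a candidate must end with a listed FQDN.

    Assumption: the suffix is compared label by label, so "corp.example"
    accepts "radius.corp.example" but rejects "notcorp.example".
    """
    wanted = [_labels(fqdn) for fqdn in _split(constraint)]
    for cand in _candidates(dns_names, common_name):
        have = _labels(cand)
        if any(have[-len(w):] == w for w in wanted):
            return True
    return False


def subject_match(substring, subject):
    """subject-match: substring test against the certificate subject."""
    return substring in subject


# Constructed sample certificates: (subject, dNSName list, CN).
GENUINE = ("CN=radius.corp.example", ["radius.corp.example"],
           "radius.corp.example")
LOOKALIKE = ("CN=radius.corp.example.lookalike.test",
             ["radius.corp.example.lookalike.test"],
             "radius.corp.example.lookalike.test")
CN_ONLY = ("CN=radius.corp.example", [], "radius.corp.example")


def evaluate(cert):
    """Apply all three constraints to one constructed certificate."""
    subject, dns_names, cn = cert
    return {
        "subject-match": subject_match("radius.corp.example", subject),
        "domain-match": domain_match(
            "radius.corp.example;radius2.corp.example", dns_names, cn),
        "domain-suffix-match": domain_suffix_match(
            "corp.example", dns_names, cn),
    }


if __name__ == "__main__":
    for name, cert in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                       ("cn-only", CN_ONLY)):
        print(name, evaluate(cert))
```

The substring test accepts the lookalike name while both domain constraints reject it, which is why subject-match is deprecated in favor of domain-suffix-match.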
907
908 adsl setting
909 ADSL Settings.
910
911 Properties:
912
913 encapsulation
914 Alias: encapsulation
915
916 Encapsulation of ADSL connection. Can be "vcmux" or "llc".
917
918 Format: string
919
920 password
921 Alias: password
922
923 Password used to authenticate with the ADSL service.
924
925 Format: string
926
927 password-flags
928 Flags indicating how to handle the "password" property.
929
930 Format: NMSettingSecretFlags (uint32)
931
932 protocol
933 Alias: protocol
934
935 ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
936
937 Format: string
938
939 username
940 Alias: username
941
942 Username used to authenticate with the ADSL service.
943
944 Format: string
945
946 vci
947 VCI of ADSL connection
948
949 Format: uint32
950
951 vpi
952 VPI of ADSL connection
953
954 Format: uint32
955
956 bluetooth setting
957 Bluetooth Settings.
958
959 Properties:
960
961 bdaddr
962 Alias: addr
963
964 The Bluetooth address of the device.
965
966 Format: byte array
967
968 type
969 Alias: bt-type
970
971 Either "dun" for Dial-Up Networking connections or "panu" for
972 Personal Area Networking connections to devices supporting the NAP
973 profile.
974
975 Format: string
976
977 bond setting
978 Bonding Settings.
979
980 Properties:
981
982 options
983 Dictionary of key/value pairs of bonding options. Both keys and
984 values must be strings. Option names must contain only alphanumeric
985 characters (i.e., [a-zA-Z0-9]).
986
987 Format: dict of string to string
988
989 bridge setting
990 Bridging Settings.
991
992 Properties:
993
994 ageing-time
995 Alias: ageing-time
996
997 The Ethernet MAC address aging time, in seconds.
998
999 Format: uint32
1000
1001 forward-delay
1002 Alias: forward-delay
1003
1004 The Spanning Tree Protocol (STP) forwarding delay, in seconds.
1005
1006 Format: uint32
1007
1008 group-address
1009 If specified, the MAC address of the multicast group this bridge
1010 uses for STP.
1011
1012 The address must be a link-local address in standard Ethernet MAC
1013 address format, i.e. an address of the form 01:80:C2:00:00:0X, with X
1014 in [0, 4..F]. If not specified the default value is
1015 01:80:C2:00:00:00.
1016
1017 Format: byte array
1018
1019 group-forward-mask
1020 Alias: group-forward-mask
1021
1022 A mask of group addresses to forward. Usually, group addresses in
1023 the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
1024 forwarded according to standards. This property is a mask of 16
1025 bits, each corresponding to a group address in that range that must
1026 be forwarded. The mask can't have bits 0, 1 or 2 set because they
1027 are used for STP, MAC pause frames and LACP.
1028
1029 Format: uint32
1030
1031 hello-time
1032 Alias: hello-time
1033
1034 The Spanning Tree Protocol (STP) hello time, in seconds.
1035
1036 Format: uint32
1037
1038 mac-address
1039 Alias: mac
1040
1041 If specified, the MAC address of bridge. When creating a new
1042 bridge, this MAC address will be set.
1043
1044 If this field is left unspecified, the
1045 "ethernet.cloned-mac-address" is consulted instead to generate the
1046 initial MAC address. Note that setting
1047 "ethernet.cloned-mac-address" anyway overwrites the MAC address of
1048 the bridge later while activating the bridge. Hence, this property
1049 is deprecated. Deprecated: 1
1050
1051 Format: byte array
1052
1053 max-age
1054 Alias: max-age
1055
1056 The Spanning Tree Protocol (STP) maximum message age, in seconds.
1057
1058 Format: uint32
1059
1060 multicast-hash-max
1061 Set maximum size of multicast hash table (value must be a power of
1062 2).
1063
1064 Format: uint32
1065
1066 multicast-last-member-count
1067 Set the number of queries the bridge will send before stopping
1068 forwarding a multicast group after a "leave" message has been
1069 received.
1070
1071 Format: uint32
1072
1073 multicast-last-member-interval
1074 Set interval (in deciseconds) between queries to find remaining
1075 members of a group, after a "leave" message is received.
1076
1077 Format: uint64
1078
1079 multicast-membership-interval
1080 Set delay (in deciseconds) after which the bridge will leave a
1081 group, if no membership reports for this group are received.
1082
1083 Format: uint64
1084
1085 multicast-querier
1086 Enable or disable sending of multicast queries by the bridge. If
1087 not specified the option is disabled.
1088
1089 Format: boolean
1090
1091 multicast-querier-interval
1092 If no queries are seen after this delay (in deciseconds) has
1093 passed, the bridge will start to send its own queries.
1094
1095 Format: uint64
1096
1097 multicast-query-interval
1098 Interval (in deciseconds) between queries sent by the bridge after
1099 the end of the startup phase.
1100
1101 Format: uint64
1102
1103 multicast-query-response-interval
1104 Set the Max Response Time/Max Response Delay (in deciseconds) for
1105 IGMP/MLD queries sent by the bridge.
1106
1107 Format: uint64
1108
1109 multicast-query-use-ifaddr
1110 If enabled the bridge's own IP address is used as the source
1111 address for IGMP queries; otherwise the default of 0.0.0.0 is used.
1112
1113 Format: boolean
1114
1115 multicast-router
1116 Sets bridge's multicast router. Multicast-snooping must be enabled
1117 for this option to work.
1118
1119 Supported values are: 'auto', 'disabled', 'enabled' to which the kernel
1120 assigns the numbers 1, 0, and 2, respectively. If not specified the
1121 default value is 'auto' (1).
1122
1123 Format: string
1124
1125 multicast-snooping
1126 Alias: multicast-snooping
1127
1128 Controls whether IGMP snooping is enabled for this bridge. Note
1129 that if snooping was automatically disabled due to hash collisions,
1130 the system may refuse to enable the feature until the collisions
1131 are resolved.
1132
1133 Format: boolean
1134
1135 multicast-startup-query-count
1136 Set the number of IGMP queries to send during startup phase.
1137
1138 Format: uint32
1139
1140 multicast-startup-query-interval
1141 Sets the time (in deciseconds) between queries sent out at startup
1142 to determine membership information.
1143
1144 Format: uint64
1145
1146 priority
1147 Alias: priority
1148
1149 Sets the Spanning Tree Protocol (STP) priority for this bridge.
1150 Lower values are "better"; the lowest priority bridge will be
1151 elected the root bridge.
1152
1153 Format: uint32
1154
1155 stp
1156 Alias: stp
1157
1158 Controls whether Spanning Tree Protocol (STP) is enabled for this
1159 bridge.
1160
1161 Format: boolean
1162
1163 vlan-default-pvid
1164 The default PVID for the ports of the bridge, that is the VLAN id
1165 assigned to incoming untagged frames.
1166
1167 Format: uint32
1168
1169 vlan-filtering
1170 Control whether VLAN filtering is enabled on the bridge.
1171
1172 Format: boolean
1173
1174 vlan-protocol
1175 If specified, the protocol used for VLAN filtering.
1176
1177 Supported values are: '802.1Q', '802.1ad'. If not specified the
1178 default value is '802.1Q'.
1179
1180 Format: string
1181
1182 vlan-stats-enabled
1183 Controls whether per-VLAN stats accounting is enabled.
1184
1185 Format: boolean
1186
1187 vlans
1188 Array of bridge VLAN objects. In addition to the VLANs specified
1189 here, the bridge will also have the default-pvid VLAN configured by
1190 the bridge.vlan-default-pvid property.
1191
1192 In nmcli the VLAN list can be specified with the following syntax:
1193
1194 $vid [pvid] [untagged] [, $vid [pvid] [untagged]]...
1195
1196 where $vid is either a single id between 1 and 4094 or a range,
1197 represented as a couple of ids separated by a dash.
1198
1199 Format: array of vardict
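
The constraints on bridge.group-address and bridge.group-forward-mask can be checked before a profile is applied. The following is an added example, not NetworkManager code; it assumes that bit n of the mask corresponds to the group address 01:80:C2:00:00:0n, which is consistent with bits 0, 1 and 2 being the STP, MAC pause and LACP addresses.

```python
import re

# Added example: validators for the two link-local group settings of a bridge.
_GROUP_ADDR = re.compile(r"^01:80:C2:00:00:0([0-9A-F])$", re.IGNORECASE)

# Bits that the mask must never set, with the reason given on this page.
RESERVED_BITS = {0: "STP", 1: "MAC pause frames", 2: "LACP"}


def check_group_address(addr):
    """Return True if addr is 01:80:C2:00:00:0X with X in [0, 4..F]."""
    m = _GROUP_ADDR.match(addr)
    if not m:
        return False
    x = int(m.group(1), 16)
    return x == 0 or 4 <= x <= 0xF


def decode_group_forward_mask(mask):
    """List the group addresses a mask forwards.

    Raises ValueError when the mask does not fit in 16 bits or sets one of
    the reserved bits 0, 1 or 2.
    """
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("mask must fit in 16 bits")
    bad = [f"bit {bit} ({why})"
           for bit, why in RESERVED_BITS.items() if (mask >> bit) & 1]
    if bad:
        raise ValueError("reserved bits set: " + ", ".join(bad))
    # Assumption: bit n selects the address whose last octet is n.
    return [f"01:80:C2:00:00:{bit:02X}"
            for bit in range(16) if (mask >> bit) & 1]


def mask_is_valid(mask):
    """Boolean form of the check, convenient for auditing many profiles."""
    try:
        decode_group_forward_mask(mask)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for value in (0x0, 0x8, 0x4008, 0x1, 0x10000):
        print(hex(value), mask_is_valid(value))
```

Every address that the mask enables is link-local control traffic that would otherwise stop at the bridge, so a non-zero mask in a profile deserves review.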
1200
1201 bridge-port setting
1202 Bridge Port Settings.
1203
1204 Properties:
1205
1206 hairpin-mode
1207 Alias: hairpin
1208
1209 Enables or disables "hairpin mode" for the port, which allows
1210 frames to be sent back out through the port the frame was received
1211 on.
1212
1213 Format: boolean
1214
1215 path-cost
1216 Alias: path-cost
1217
1218 The Spanning Tree Protocol (STP) port cost for destinations via
1219 this port.
1220
1221 Format: uint32
1222
1223 priority
1224 Alias: priority
1225
1226 The Spanning Tree Protocol (STP) priority of this bridge port.
1227
1228 Format: uint32
1229
1230 vlans
1231 Array of bridge VLAN objects. In addition to the VLANs specified
1232 here, the port will also have the default-pvid VLAN configured on
1233 the bridge by the bridge.vlan-default-pvid property.
1234
1235 In nmcli the VLAN list can be specified with the following syntax:
1236
1237 $vid [pvid] [untagged] [, $vid [pvid] [untagged]]...
1238
1239 where $vid is either a single id between 1 and 4094 or a range,
1240 represented as a couple of ids separated by a dash.
1241
1242 Format: array of vardict
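
The VLAN list syntax shared by bridge.vlans and bridge-port.vlans can be parsed and validated as shown below. This is an added example, not nmcli's own parser; the id range 1 to 4094 and the pvid/untagged keywords come from this page, while the extra consistency checks (flags in any order, at most one PVID, no PVID on a range, no overlapping ids) are assumptions of the example.

```python
# Added example: parser for "$vid [pvid] [untagged] [, $vid ...]".

VID_MIN, VID_MAX = 1, 4094
FLAGS = ("pvid", "untagged")


def parse_bridge_vlans(spec):
    """Return a list of dicts, one per comma-separated VLAN entry.

    Raises ValueError with a description of the first problem found.
    """
    vlans = []
    for entry in spec.split(","):
        tokens = entry.split()
        if not tokens:
            raise ValueError("empty VLAN entry")

        # $vid is a single id or a range "start-end".
        start, dash, end = tokens[0].partition("-")
        try:
            vid_start = int(start)
            vid_end = int(end) if dash else vid_start
        except ValueError:
            raise ValueError(f"bad VLAN id {tokens[0]!r}") from None
        if not VID_MIN <= vid_start <= vid_end <= VID_MAX:
            raise ValueError(f"VLAN id out of range in {tokens[0]!r}")

        flags = tokens[1:]
        for flag in flags:
            if flag not in FLAGS:
                raise ValueError(f"unknown flag {flag!r}")
        if len(flags) != len(set(flags)):
            raise ValueError(f"repeated flag in {entry.strip()!r}")

        vlan = {
            "vid_start": vid_start,
            "vid_end": vid_end,
            "pvid": "pvid" in flags,
            "untagged": "untagged" in flags,
        }

        # Consistency checks assumed by this example (not stated on the page).
        if vlan["pvid"] and vid_start != vid_end:
            raise ValueError("a VLAN range cannot be the PVID")
        if vlan["pvid"] and any(v["pvid"] for v in vlans):
            raise ValueError("only one VLAN can be the PVID")
        for other in vlans:
            if vid_start <= other["vid_end"] and other["vid_start"] <= vid_end:
                raise ValueError(f"{tokens[0]!r} overlaps an earlier entry")
        vlans.append(vlan)
    return vlans


def is_valid_vlan_spec(spec):
    """Boolean wrapper around parse_bridge_vlans()."""
    try:
        parse_bridge_vlans(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample value for the vlans property.
    for vlan in parse_bridge_vlans("10 pvid untagged, 20-30, 100 untagged"):
        print(vlan)
```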
1243
1244 cdma setting
1245 CDMA-based Mobile Broadband Settings.
1246
1247 Properties:
1248
1249 mtu
1250 If non-zero, only transmit packets of the specified size or
1251 smaller, breaking larger packets up into multiple frames.
1252
1253 Format: uint32
1254
1255 number
1256 The number to dial to establish the connection to the CDMA-based
1257 mobile broadband network, if any. If not specified, the default
1258 number (#777) is used when required.
1259
1260 Format: string
1261
1262 password
1263 Alias: password
1264
1265 The password used to authenticate with the network, if required.
1266 Many providers do not require a password, or accept any password.
1267 But if a password is required, it is specified here.
1268
1269 Format: string
1270
1271 password-flags
1272 Flags indicating how to handle the "password" property.
1273
1274 Format: NMSettingSecretFlags (uint32)
1275
1276 username
1277 Alias: user
1278
1279 The username used to authenticate with the network, if required.
1280 Many providers do not require a username, or accept any username.
1281 But if a username is required, it is specified here.
1282
1283 Format: string
1284
1285 dcb setting
1286 Data Center Bridging Settings.
1287
1288 Properties:
1289
1290 app-fcoe-flags
1291 Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1292 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1293 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1294 NM_SETTING_DCB_FLAG_WILLING (0x4).
1295
1296 Format: NMSettingDcbFlags (uint32)
1297
1298 app-fcoe-mode
1299 The FCoE controller mode; either "fabric" or "vn2vn".
1300
1301 Since 1.34, NULL is the default and means "fabric". Before 1.34,
1302 NULL was rejected as invalid and the default was "fabric".
1303
1304 Format: string
1305
1306 app-fcoe-priority
1307 The highest User Priority (0 - 7) which FCoE frames should use, or
1308 -1 for default priority. Only used when the "app-fcoe-flags"
1309 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1310
1311 Format: int32
1312
1313 app-fip-flags
1314 Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1315 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1316 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1317 NM_SETTING_DCB_FLAG_WILLING (0x4).
1318
1319 Format: NMSettingDcbFlags (uint32)
1320
1321 app-fip-priority
1322 The highest User Priority (0 - 7) which FIP frames should use, or
1323 -1 for default priority. Only used when the "app-fip-flags"
1324 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1325
1326 Format: int32
1327
1328 app-iscsi-flags
1329 Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1330 Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1331 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1332 NM_SETTING_DCB_FLAG_WILLING (0x4).
1333
1334 Format: NMSettingDcbFlags (uint32)
1335
1336 app-iscsi-priority
1337 The highest User Priority (0 - 7) which iSCSI frames should use, or
1338 -1 for default priority. Only used when the "app-iscsi-flags"
1339 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1340
1341 Format: int32
1342
1343 priority-bandwidth
1344 An array of 8 uint values, where the array index corresponds to the
1345 User Priority (0 - 7) and the value indicates the percentage of
1346 bandwidth of the priority's assigned group that the priority may
1347 use. The sum of all percentages for priorities which belong to the
1348 same group must total 100 percent.
1349
1350 Format: array of uint32
1351
1352 priority-flow-control
1353 An array of 8 boolean values, where the array index corresponds to
1354 the User Priority (0 - 7) and the value indicates whether or not
1355 the corresponding priority should transmit priority pause.
1356
1357 Format: array of uint32
1358
1359 priority-flow-control-flags
1360 Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1361 (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1362 (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1363 NM_SETTING_DCB_FLAG_WILLING (0x4).
1364
1365 Format: NMSettingDcbFlags (uint32)
1366
1367 priority-group-bandwidth
1368 An array of 8 uint values, where the array index corresponds to the
1369 Priority Group ID (0 - 7) and the value indicates the percentage of
1370 link bandwidth allocated to that group. Allowed values are 0 - 100,
1371 and the sum of all values must total 100 percent.
1372
1373 Format: array of uint32
1374
1375 priority-group-flags
1376 Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1377 be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1378 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1379 NM_SETTING_DCB_FLAG_WILLING (0x4).
1380
1381 Format: NMSettingDcbFlags (uint32)
1382
1383 priority-group-id
1384 An array of 8 uint values, where the array index corresponds to the
1385 User Priority (0 - 7) and the value indicates the Priority Group
1386 ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1387 unrestricted group.
1388
1389 Format: array of uint32
1390
1391 priority-strict-bandwidth
1392 An array of 8 boolean values, where the array index corresponds to
1393 the User Priority (0 - 7) and the value indicates whether or not
1394 the priority may use all of the bandwidth allocated to its assigned
1395 group.
1396
1397 Format: array of uint32
1398
1399 priority-traffic-class
1400 An array of 8 uint values, where the array index corresponds to the
1401 User Priority (0 - 7) and the value indicates the traffic class (0
1402 - 7) to which the priority is mapped.
1403
1404 Format: array of uint32
1405
1406 ethtool setting
1407 Ethtool Ethernet Settings.
1408
1409 Properties:
1410
1411 coalesce-adaptive-rx
1412
1413 coalesce-adaptive-tx
1414
1415 coalesce-pkt-rate-high
1416
1417 coalesce-pkt-rate-low
1418
1419 coalesce-rx-frames
1420
1421 coalesce-rx-frames-high
1422
1423 coalesce-rx-frames-irq
1424
1425 coalesce-rx-frames-low
1426
1427 coalesce-rx-usecs
1428
1429 coalesce-rx-usecs-high
1430
1431 coalesce-rx-usecs-irq
1432
1433 coalesce-rx-usecs-low
1434
1435 coalesce-sample-interval
1436
1437 coalesce-stats-block-usecs
1438
1439 coalesce-tx-frames
1440
1441 coalesce-tx-frames-high
1442
1443 coalesce-tx-frames-irq
1444
1445 coalesce-tx-frames-low
1446
1447 coalesce-tx-usecs
1448
1449 coalesce-tx-usecs-high
1450
1451 coalesce-tx-usecs-irq
1452
1453 coalesce-tx-usecs-low
1454
1455 feature-esp-hw-offload
1456
1457 feature-esp-tx-csum-hw-offload
1458
1459 feature-fcoe-mtu
1460
1461 feature-gro
1462
1463 feature-gso
1464
1465 feature-highdma
1466
1467 feature-hw-tc-offload
1468
1469 feature-l2-fwd-offload
1470
1471 feature-loopback
1472
1473 feature-lro
1474
1475 feature-macsec-hw-offload
1476
1477 feature-ntuple
1478
1479 feature-rx
1480
1481 feature-rx-all
1482
1483 feature-rx-fcs
1484
1485 feature-rx-gro-hw
1486
1487 feature-rx-gro-list
1488
1489 feature-rx-udp-gro-forwarding
1490
1491 feature-rx-udp_tunnel-port-offload
1492
1493 feature-rx-vlan-filter
1494
1495 feature-rx-vlan-stag-filter
1496
1497 feature-rx-vlan-stag-hw-parse
1498
1499 feature-rxhash
1500
1501 feature-rxvlan
1502
1503 feature-sg
1504
1505 feature-tls-hw-record
1506
1507 feature-tls-hw-rx-offload
1508
1509 feature-tls-hw-tx-offload
1510
1511 feature-tso
1512
1513 feature-tx
1514
1515 feature-tx-checksum-fcoe-crc
1516
1517 feature-tx-checksum-ip-generic
1518
1519 feature-tx-checksum-ipv4
1520
1521 feature-tx-checksum-ipv6
1522
1523 feature-tx-checksum-sctp
1524
1525 feature-tx-esp-segmentation
1526
1527 feature-tx-fcoe-segmentation
1528
1529 feature-tx-gre-csum-segmentation
1530
1531 feature-tx-gre-segmentation
1532
1533 feature-tx-gso-list
1534
1535 feature-tx-gso-partial
1536
1537 feature-tx-gso-robust
1538
1539 feature-tx-ipxip4-segmentation
1540
1541 feature-tx-ipxip6-segmentation
1542
1543 feature-tx-nocache-copy
1544
1545 feature-tx-scatter-gather
1546
1547 feature-tx-scatter-gather-fraglist
1548
1549 feature-tx-sctp-segmentation
1550
1551 feature-tx-tcp-ecn-segmentation
1552
1553 feature-tx-tcp-mangleid-segmentation
1554
1555 feature-tx-tcp-segmentation
1556
1557 feature-tx-tcp6-segmentation
1558
1559 feature-tx-tunnel-remcsum-segmentation
1560
1561 feature-tx-udp-segmentation
1562
1563 feature-tx-udp_tnl-csum-segmentation
1564
1565 feature-tx-udp_tnl-segmentation
1566
1567 feature-tx-vlan-stag-hw-insert
1568
1569 feature-txvlan
1570
1571 pause-autoneg
1572
1573 pause-rx
1574
1575 pause-tx
1576
1577 ring-rx
1578
1579 ring-rx-jumbo
1580
1581 ring-rx-mini
1582
1583 ring-tx
1584
1585 gsm setting
1586 GSM-based Mobile Broadband Settings.
1587
1588 Properties:
1589
1590 apn
1591 Alias: apn
1592
1593 The GPRS Access Point Name specifying the APN used when
1594 establishing a data session with the GSM-based network. The APN
1595 often determines how the user will be billed for their network
1596 usage and whether the user has access to the Internet or just a
1597 provider-specific walled-garden, so it is important to use the
1598 correct APN for the user's mobile broadband plan. The APN may only
1599 be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1600 Section 14.9.
1601
1602 Format: string
1603
1604 auto-config
1605 When TRUE, the settings such as APN, username, or password will
1606 default to values that match the network the modem will register to
1607 in the Mobile Broadband Provider database.
1608
1609 Format: boolean
1610
1611 device-id
1612 The device unique identifier (as given by the WWAN management
1613 service) which this connection applies to. If given, the connection
1614 will only apply to the specified device.
1615
1616 Format: string
1617
1618 home-only
1619 When TRUE, only connections to the home network will be allowed.
1620 Connections to roaming networks will not be made.
1621
1622 Format: boolean
1623
1624 mtu
1625 If non-zero, only transmit packets of the specified size or
1626 smaller, breaking larger packets up into multiple frames.
1627
1628 Format: uint32
1629
1630 network-id
1631 The Network ID (GSM LAI format, i.e. MCC-MNC) to force specific
1632 network registration. If the Network ID is specified,
1633 NetworkManager will attempt to force the device to register only on
1634 the specified network. This can be used to ensure that the device
1635 does not roam when direct roaming control of the device is not
1636 otherwise possible.
1637
1638 Format: string
1639
1640 number
1641 Legacy setting that used to help establish PPP data sessions for
1642 GSM-based modems. Deprecated: 1
1643
1644 Format: string
1645
1646 password
1647 Alias: password
1648
1649 The password used to authenticate with the network, if required.
1650 Many providers do not require a password, or accept any password.
1651 But if a password is required, it is specified here.
1652
1653 Format: string
1654
1655 password-flags
1656 Flags indicating how to handle the "password" property.
1657
1658 Format: NMSettingSecretFlags (uint32)
1659
1660 pin
1661 If the SIM is locked with a PIN it must be unlocked before any
1662 other operations are requested. Specify the PIN here to allow
1663 operation of the device.
1664
1665 Format: string
1666
1667 pin-flags
1668 Flags indicating how to handle the "pin" property.
1669
1670 Format: NMSettingSecretFlags (uint32)
1671
1672 sim-id
1673 The SIM card unique identifier (as given by the WWAN management
1674 service) which this connection applies to. If given, the connection
1675 will apply to any device also allowed by "device-id" which contains
1676 a SIM card matching the given identifier.
1677
1678 Format: string
1679
1680 sim-operator-id
1681 An MCC/MNC string like "310260" or "21601" identifying the specific
1682 mobile network operator which this connection applies to. If given,
1683 the connection will apply to any device also allowed by "device-id"
1684 and "sim-id" which contains a SIM card provisioned by the given
1685 operator.
1686
1687 Format: string
1688
1689 username
1690 Alias: user
1691
1692 The username used to authenticate with the network, if required.
1693 Many providers do not require a username, or accept any username.
1694 But if a username is required, it is specified here.
1695
1696 Format: string
1697
1698 infiniband setting
1699 Infiniband Settings.
1700
1701 Properties:
1702
1703 mac-address
1704 Alias: mac
1705
1706 If specified, this connection will only apply to the IPoIB device
1707 whose permanent MAC address matches. This property does not change
1708 the MAC address of the device (i.e. MAC spoofing).
1709
1710 Format: byte array
1711
1712 mtu
1713 Alias: mtu
1714
1715 If non-zero, only transmit packets of the specified size or
1716 smaller, breaking larger packets up into multiple frames.
1717
1718 Format: uint32
1719
1720 p-key
1721 Alias: p-key
1722
1723 The InfiniBand P_Key to use for this device. A value of -1 means to
1724 use the default P_Key (aka "the P_Key at index 0"). Otherwise, it
1725 is a 16-bit unsigned integer, whose high bit is set if it is a
1726 "full membership" P_Key.
1727
1728 Format: int32
1729
1730 parent
1731 Alias: parent
1732
1733 The interface name of the parent device of this device. Normally
1734 NULL, but if the "p_key" property is set, then you must specify the
1735 base device by setting either this property or "mac-address".
1736
1737 Format: string
1738
1739 transport-mode
1740 Alias: transport-mode
1741
1742 The IP-over-InfiniBand transport mode. Either "datagram" or
1743 "connected".
1744
1745 Format: string
1746
1747 ipv4 setting
1748 IPv4 Settings.
1749
1750 Properties:
1751
1752 addresses
1753 Alias: ip4
1754
1755 Array of IP addresses.
1756
1757 Format: a comma separated list of addresses
1758
1759 dad-timeout
1760 Timeout in milliseconds used to check for the presence of duplicate
1761 IP addresses on the network. If an address conflict is detected,
1762 the activation will fail. A zero value means that no duplicate
1763 address detection is performed, -1 means the default value (either
1764 configuration ipvx.dad-timeout override or zero). A value greater
1765 than zero is a timeout in milliseconds.
1766
1767 The property is currently implemented only for IPv4.
1768
1769 Format: int32
1770
1771 dhcp-client-id
1772 A string sent to the DHCP server to identify the local machine
1773 which the DHCP server may use to customize the DHCP lease and
1774 options. When the property is a hex string ('aa:bb:cc') it is
1775 interpreted as a binary client ID, in which case the first byte is
1776 assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1777 remaining bytes may be a hardware address (e.g.
1778 '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1779 rest is a MAC address). If the property is not a hex string it is
1780 considered as a non-hardware-address client ID and the 'type' field
1781 is set to 0.
1782
1783 The special values "mac" and "perm-mac" are supported, which use
1784 the current or permanent MAC address of the device to generate a
1785 client identifier with type ethernet (01). Currently, these options
1786 only work for ethernet type of links.
1787
1788 The special value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid"
1789 property as an RFC4361-compliant client identifier. As IAID it uses
1790 "ipv4.dhcp-iaid" and falls back to "ipv6.dhcp-iaid" if unset.
1791
1792 The special value "duid" generates an RFC4361-compliant client
1793 identifier based on "ipv4.dhcp-iaid" and uses a DUID generated by
1794 hashing /etc/machine-id.
1795
1796 The special value "stable" is supported to generate a type 0 client
1797 identifier based on the stable-id (see connection.stable-id) and a
1798 per-host key. If you set the stable-id, you may want to include the
1799 "${DEVICE}" or "${MAC}" specifier to get a per-device key.
1800
1801 If unset, a globally configured default is used. If still unset,
1802 the default depends on the DHCP plugin.
1803
1804 Format: string
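
How an ipv4.dhcp-client-id value is interpreted, and whether it hands the DHCP server a hardware address, can be worked out from the rules above. The following is an added example, not NetworkManager code; it assumes that a value counts as a hex string only when it is colon-separated hex octets decoding to at least two bytes, and the sample values are constructed.

```python
import re

# Assumption of this example: "hex string" means colon-separated hex octets,
# at least two of them (a type byte followed by data).
_HEX_OCTETS = re.compile(r"^[0-9A-Fa-f]{1,2}(:[0-9A-Fa-f]{1,2})+$")

# Special values listed on this page and what they generate.
SPECIAL_VALUES = {
    "mac": "type 01 + current MAC address of the device",
    "perm-mac": "type 01 + permanent MAC address of the device",
    "ipv6-duid": "RFC 4361 identifier from ipv6.dhcp-duid and the IAID",
    "duid": "RFC 4361 identifier from a DUID hashed out of /etc/machine-id",
    "stable": "type 0 identifier from connection.stable-id and a per-host key",
}


def classify_dhcp_client_id(value):
    """Describe how a dhcp-client-id property value would be interpreted.

    Returns a dict with:
      kind       -- "unset", "special", "binary" or "string"
      type       -- the client-id type byte, or None when not fixed here
      payload    -- the bytes after the type byte, or None
      hw_address -- True when the identifier carries a MAC address
    """
    if not value:
        # Falls back to the global default, then to the DHCP plugin's default.
        return {"kind": "unset", "type": None, "payload": None,
                "hw_address": False}

    if value in SPECIAL_VALUES:
        return {"kind": "special", "type": None, "payload": None,
                "hw_address": value in ("mac", "perm-mac"),
                "meaning": SPECIAL_VALUES[value]}

    if _HEX_OCTETS.match(value):
        raw = bytes(int(octet, 16) for octet in value.split(":"))
        # Type 1 is the Ethernet ARP type; six more bytes form a MAC address.
        return {"kind": "binary", "type": raw[0], "payload": raw[1:],
                "hw_address": raw[0] == 1 and len(raw) == 7}

    # Anything else is a non-hardware-address client ID with type 0.
    return {"kind": "string", "type": 0, "payload": value.encode("utf-8"),
            "hw_address": False}


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("01:00:11:22:33:44:55", "perm-mac", "stable",
                   "printer-7", "aa", None):
        print(repr(sample), classify_dhcp_client_id(sample))
```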
1805
1806 dhcp-fqdn
1807 If the "dhcp-send-hostname" property is TRUE, then the specified
1808 FQDN will be sent to the DHCP server when acquiring a lease. This
1809 property and "dhcp-hostname" are mutually exclusive and cannot be
1810 set at the same time.
1811
1812 Format: string
1813
1814 dhcp-hostname
1815 If the "dhcp-send-hostname" property is TRUE, then the specified
1816 name will be sent to the DHCP server when acquiring a lease. This
1817 property and "dhcp-fqdn" are mutually exclusive and cannot be set
1818 at the same time.
1819
1820 Format: string
1821
1822 dhcp-hostname-flags
1823 Flags for the DHCP hostname and FQDN.
1824
1825 Currently, this property only includes flags to control the FQDN
1826 flags set in the DHCP FQDN option. Supported FQDN flags are
1827 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1828 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1829 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1830 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1831 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1832 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1833 the standard FQDN flags are set in the request:
1834 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1835 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1836 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6.
1837
1838 When this property is set to the default value
1839 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), a global default is looked up in
1840 NetworkManager configuration. If that value is unset or also
1841 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1842 described above are sent in the DHCP requests.
1843
1844 Format: uint32
1845
1846 dhcp-iaid
1847 A string containing the "Identity Association Identifier" (IAID)
1848 used by the DHCP client. The property is a 32-bit decimal value or
1849 a special value among "mac", "perm-mac", "ifname" and "stable".
1850 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1851 (or permanent) MAC address are used as IAID. When set to "ifname",
1852 the IAID is computed by hashing the interface name. The special
1853 value "stable" can be used to generate an IAID based on the
1854 stable-id (see connection.stable-id), a per-host key and the
1855 interface name. When the property is unset, the value from global
1856 configuration is used; if no global default is set then the IAID is
1857 assumed to be "ifname". Note that at the moment this property is
1858 ignored for IPv6 by dhclient, which always derives the IAID from
1859 the MAC address.
1860
1861 Format: string
1862
1863 dhcp-reject-servers
1864 Array of servers from which DHCP offers must be rejected. This
1865 property is useful to avoid getting a lease from misconfigured or
1866 rogue servers.
1867
1868 For DHCPv4, each element must be an IPv4 address, optionally
1869 followed by a slash and a prefix length (e.g. "192.168.122.0/24").
1870
1871 This property is currently not implemented for DHCPv6.
1872
1873 Format: array of string
1874
1875 dhcp-send-hostname
1876 If TRUE, a hostname is sent to the DHCP server when acquiring a
1877 lease. Some DHCP servers use this hostname to update DNS databases,
1878 essentially providing a static hostname for the computer. If the
1879 "dhcp-hostname" property is NULL and this property is TRUE, the
1880 current persistent hostname of the computer is sent.
1881
1882 Format: boolean
1883
1884 dhcp-timeout
1885 A timeout for a DHCP transaction in seconds. If zero (the default),
1886 a globally configured default is used. If still unspecified, a
1887 device specific timeout is used (usually 45 seconds).
1888
1889 Set to 2147483647 (MAXINT32) for infinity.
1890
1891 Format: int32
1892
1893 dhcp-vendor-class-identifier
1894 The Vendor Class Identifier DHCP option (60). Special characters in
1895 the data string may be escaped using C-style escapes; nevertheless
1896 this property cannot contain nul bytes. If the per-profile value is
1897 unspecified (the default), a global connection default gets
1898 consulted. If still unspecified, the DHCP option is not sent to the
1899 server.
1900
1901 Format: string
1902
1903 dns
1904 Array of IP addresses of DNS servers.
1905
1906 Format: array of uint32
1907
1908 dns-options
1909 Array of DNS options as described in man 5 resolv.conf.
1910
1911 NULL means that the options are unset and left at the default. In
1912 this case NetworkManager will use default options. This is distinct
1913 from an empty list of properties.
1914
1915 The currently supported options are "attempts", "debug", "edns0",
1916 "inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-check-names",
1917 "no-ip6-dotint", "no-reload", "no-tld-query", "rotate",
1918 "single-request", "single-request-reopen", "timeout", "trust-ad",
1919 "use-vc".
1920
1921 The "trust-ad" setting is only honored if the profile contributes
1922 name servers to resolv.conf, and if all contributing profiles have
1923 "trust-ad" enabled.
1924
1925 When using a caching DNS plugin (dnsmasq or systemd-resolved in
1926 NetworkManager.conf) then "edns0" and "trust-ad" are automatically
1927 added.
1928
1929 Format: array of string
1930
1931 dns-priority
1932 DNS servers priority.
1933
1934 The relative priority for DNS servers specified by this setting. A
1935 lower numerical value is better (higher priority).
1936
1937 Negative values have the special effect of excluding other
1938 configurations with a greater numerical priority value; so in
1939 the presence of at least one negative priority, only DNS servers
1940 from connections with the lowest priority value will be used. To
1941 avoid all DNS leaks, set the priority of the profile that should be
1942 used to the most negative value of all active connection profiles.
1943
1944 Zero selects a globally configured default value. If the latter is
1945 missing or zero too, it defaults to 50 for VPNs (including
1946 WireGuard) and 100 for other connections.
1947
1948 Note that the priority is to order DNS settings for multiple active
1949 connections. It does not disambiguate multiple DNS servers within
1950 the same connection profile.
1951
1952 When multiple devices have configurations with the same priority,
1953 VPNs will be considered first, then devices with the best (lowest
1954 metric) default route and then all other devices.
1955
1956 When using dns=default, servers with higher priority will be on top
1957 of resolv.conf. To prioritize a given server over another one
1958 within the same connection, just specify them in the desired order.
1959 Note that commonly the resolver tries name servers in
1960 /etc/resolv.conf in the order listed, proceeding with the next
1961 server in the list on failure. See for example the "rotate" option
1962 of the dns-options setting. If there are any negative DNS
1963 priorities, then only name servers from the devices with that
1964 lowest priority will be considered.
1965
1966 When using a DNS resolver that supports Conditional Forwarding or
1967 Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each
1968 connection is used to query domains in its search list. The search
1969 domains determine which name servers to ask, and the DNS priority
1970 is used to prioritize name servers based on the domain. Queries for
1971 domains not present in any search list are routed through
1972 connections having the '~.' special wildcard domain, which is added
1973 automatically to connections with the default route (or can be
1974 added manually). When multiple connections specify the same domain,
1975 the one with the best priority (lowest numerical value) wins. If a
1976 sub domain is configured on another interface it will be accepted
1977 regardless of the priority, unless the parent domain on the other
1978 interface has a negative priority, which causes the sub domain to
1979 be shadowed. With Split DNS one can avoid undesired DNS leaks by
1980 properly configuring DNS priorities and the search domains, so that
1981 only name servers of the desired interface are configured.
1982
1983 Format: int32
1984
1985 dns-search
1986 List of DNS search domains. Domains starting with a tilde ('~') are
1987 considered 'routing' domains and are used only to decide the
1988 interface over which a query must be forwarded; they are not used
1989 to complete unqualified host names.
1990
1991 When using a DNS plugin that supports Conditional Forwarding or
1992 Split DNS, then the search domains specify which name servers to
1993 query. This makes the behavior different from running with plain
1994 /etc/resolv.conf. For more information see also the dns-priority
1995 setting.
1996
1997 When set on a profile that also enables DHCP, the DNS search list
1998 received automatically (option 119 for DHCPv4 and option 24 for
1999 DHCPv6) gets merged with the manual list. This can be prevented by
2000 setting "ignore-auto-dns". Note that if no DNS searches are
2001 configured, the fallback will be derived from the domain from DHCP
2002 (option 15).
2003
2004 Format: array of string
2005
2006 gateway
2007 Alias: gw4
2008
2009 The gateway associated with this configuration. This is only
2010 meaningful if "addresses" is also set.
2011
2012 Setting the gateway causes NetworkManager to configure a standard
2013 default route with the gateway as next hop. This is ignored if
2014 "never-default" is set. An alternative is to configure the default
2015 route explicitly with a manual route and /0 as prefix length.
2016
2017 Note that the gateway usually conflicts with routing that
2018 NetworkManager configures for WireGuard interfaces, so usually it
2019 should not be set in that case. See "ip4-auto-default-route".
2020
2021 Format: string
2022
2023 ignore-auto-dns
2024 When "method" is set to "auto" and this property to TRUE,
2025 automatically configured name servers and search domains are
2026 ignored and only name servers and search domains specified in the
2027 "dns" and "dns-search" properties, if any, are used.
2028
2029 Format: boolean
2030
2031 ignore-auto-routes
2032 When "method" is set to "auto" and this property to TRUE,
2033 automatically configured routes are ignored and only routes
2034 specified in the "routes" property, if any, are used.
2035
2036 Format: boolean
2037
2038 link-local
2039 Enable and disable the IPv4 link-local configuration independently
2040 of the ipv4.method configuration. This allows a link-local address
2041 (169.254.x.y/16) to be obtained in addition to other addresses,
2042 such as those manually configured or obtained from a DHCP server.
2043
2044 When set to "auto", the value is dependent on "ipv4.method". When
2045 set to "default", it honors the global connection default, before
2046 falling back to "auto". Note that if "ipv4.method" is "disabled",
2047 then link local addressing is always disabled too. The default is
2048 "default".
2049
2050 Format: int32
2051
2052 may-fail
2053 If TRUE, allow overall network configuration to proceed even if the
2054 configuration specified by this property times out. Note that at
2055 least one IP configuration must succeed or overall network
2056 configuration will still fail. For example, in IPv6-only networks,
2057 setting this property to TRUE on the NMSettingIP4Config allows the
2058 overall network configuration to succeed if IPv4 configuration
2059 fails but IPv6 configuration completes successfully.
2060
2061 Format: boolean
2062
2063 method
2064 IP configuration method.
2065
2066 NMSettingIP4Config and NMSettingIP6Config both support "disabled",
2067 "auto", "manual", and "link-local". See the subclass-specific
2068 documentation for other values.
2069
2070 In general, for the "auto" method, properties such as "dns" and
2071 "routes" specify information that is added on to the information
2072 returned from automatic configuration. The "ignore-auto-routes" and
2073 "ignore-auto-dns" properties modify this behavior.
2074
2075 For methods that imply no upstream network, such as "shared" or
2076 "link-local", these properties must be empty.
2077
2078 For IPv4 method "shared", the IP subnet can be configured by adding
2079 one manual IPv4 address or otherwise 10.42.x.0/24 is chosen. Note
2080 that the shared method must be configured on the interface which
2081 shares the internet to a subnet, not on the uplink which is shared.
2082
2083 Format: string
2084
2085 never-default
2086 If TRUE, this connection will never be the default connection for
2087 this IP type, meaning it will never be assigned the default route
2088 by NetworkManager.
2089
2090 Format: boolean
2091
2092 required-timeout
2093 The minimum time interval in milliseconds for which dynamic IP
2094 configuration should be tried before the connection succeeds.
2095
2096 This property is useful for example if both IPv4 and IPv6 are
2097 enabled and are allowed to fail. Normally the connection succeeds
2098 as soon as one of the two address families completes; by setting a
2099 required timeout for e.g. IPv4, one can ensure that even if IPv6
2100 succeeds earlier than IPv4, NetworkManager waits some time for IPv4
2101 before the connection becomes active.
2102
2103 Note that if "may-fail" is FALSE for the same address family, this
2104 property has no effect as NetworkManager needs to wait for the full
2105 DHCP timeout.
2106
2107 A zero value means that no required timeout is present, -1 means
2108 the default value (either configuration ipvx.required-timeout
2109 override or zero).
2110
2111 Format: int32
2112
2113 route-metric
2114 The default metric for routes that don't explicitly specify a
2115 metric. The default value -1 means that the metric is chosen
2116 automatically based on the device type. The metric applies to
2117 dynamic routes, manual (static) routes that don't have an explicit
2118 metric setting, address prefix routes, and the default route. Note
2119 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2120 (user default). Hence, setting this property to zero effectively
2121 means setting it to 1024. For IPv4, zero is a regular value for the
2122 metric.
2123
2124 Format: int64
2125
2126 route-table
2127 Enable policy routing (source routing) and set the routing table
2128 used when adding routes.
2129
2130 This affects all routes, including device-routes, IPv4LL, DHCP,
2131 SLAAC, default-routes and static routes. But note that static
2132 routes can individually overwrite the setting by explicitly
2133 specifying a non-zero routing table.
2134
2135 If the table setting is left at zero, it is eligible to be
2136 overwritten via global configuration. If the property is zero even
2137 after applying the global configuration value, policy routing is
2138 disabled for the address family of this connection.
2139
2140 Policy routing disabled means that NetworkManager will add all
2141 routes to the main table (except static routes that explicitly
2142 configure a different table). Additionally, NetworkManager will not
2143 delete any extraneous routes from tables except the main table.
2144 This is to preserve backward compatibility for users who manage
2145 routing tables outside of NetworkManager.
2146
2147 Format: uint32
2148
2149 routes
2150 A list of IPv4 destination addresses, prefix length, optional IPv4
2151 next hop addresses, optional route metric, optional attribute. The
2152 valid syntax is: "ip[/prefix] [next-hop] [metric]
2153 [attribute=val]...[,ip[/prefix]...]". For example "192.0.2.0/24
2154 10.1.1.1 77, 198.51.100.0/24".
2155
2156 Various attributes are supported:
2157
2158 • "advmss" - an unsigned 32 bit integer.
2159
2160 • "cwnd" - an unsigned 32 bit integer.
2161
2162 • "initcwnd" - an unsigned 32 bit integer.
2163
2164 • "initrwnd" - an unsigned 32 bit integer.
2165
2166 • "lock-advmss" - a boolean value.
2167
2168 • "lock-cwnd" - a boolean value.
2169
2170 • "lock-initcwnd" - a boolean value.
2171
2172 • "lock-initrwnd" - a boolean value.
2173
2174 • "lock-mtu" - a boolean value.
2175
2176 • "lock-window" - a boolean value.
2177
2178 • "mtu" - an unsigned 32 bit integer.
2179
2180 • "onlink" - a boolean value.
2181
2182 • "quickack" - a boolean value.
2183
2184 • "rto_min" - an unsigned 32 bit integer. The value is in
2185 milliseconds.
2186
2187 • "scope" - an unsigned 8 bit integer. IPv4 only.
2188
2189 • "src" - an IPv4 address.
2190
2191 • "table" - an unsigned 32 bit integer. The default depends on
2192 ipv4.route-table.
2193
2194 • "tos" - an unsigned 8 bit integer. IPv4 only.
2195
2196 • "type" - one of unicast, local, blackhole, unavailable,
2197 prohibit, throw. The default is unicast.
2198
2199 • "window" - an unsigned 32 bit integer.
2200
2201 For details see also `man ip-route`.
2202
2203 Format: a comma separated list of routes
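
The following validator for the route syntax above is an added example, not code from NetworkManager or nmcli. It checks each attribute against the types listed in this section before a value is handed to automation; the function names and the restriction of booleans to "true"/"false" are assumptions of the example.

```python
import ipaddress

# Attribute names and types as listed in the ipv4.routes description.
UINT32 = {"advmss", "cwnd", "initcwnd", "initrwnd", "mtu", "rto_min", "table", "window"}
UINT8 = {"scope", "tos"}
BOOLEAN = {"lock-advmss", "lock-cwnd", "lock-initcwnd", "lock-initrwnd",
           "lock-mtu", "lock-window", "onlink", "quickack"}
ROUTE_TYPES = {"unicast", "local", "blackhole", "unavailable", "prohibit", "throw"}


def _uint(name, value, bits):
    if not (value.isascii() and value.isdigit()) or int(value) >= 1 << bits:
        raise ValueError(f"{name}: expected an unsigned {bits} bit integer, got {value!r}")
    return int(value)


def _attribute(name, value):
    if name in UINT32:
        return _uint(name, value, 32)
    if name in UINT8:
        return _uint(name, value, 8)
    if name in BOOLEAN:
        # Assumption: only the spellings "true" and "false" are accepted here.
        if value not in ("true", "false"):
            raise ValueError(f"{name}: expected a boolean, got {value!r}")
        return value == "true"
    if name == "src":
        return ipaddress.IPv4Address(value)
    if name == "type":
        if value not in ROUTE_TYPES:
            raise ValueError(f"type: unknown route type {value!r}")
        return value
    raise ValueError(f"unknown route attribute {name!r}")


def parse_route(text):
    """Parse one "ip[/prefix] [next-hop] [metric] [attribute=val]..." entry."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty route")
    # strict=False tolerates host bits; Python reads a missing prefix as /32.
    route = {"dest": ipaddress.IPv4Network(tokens[0], strict=False),
             "next_hop": None, "metric": None, "attrs": {}}
    rest = tokens[1:]
    if rest and "=" not in rest[0] and not rest[0].isdigit():
        route["next_hop"] = ipaddress.IPv4Address(rest.pop(0))
    if rest and rest[0].isdigit():
        route["metric"] = int(rest.pop(0))
    for token in rest:
        name, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"unexpected token {token!r}")
        route["attrs"][name] = _attribute(name, value)
    return route


def parse_routes(value):
    """Parse the whole comma separated property value."""
    return [parse_route(part) for part in value.split(",") if part.strip()]


def review_notes(route):
    """Points a reviewer would check before the profile is applied."""
    notes = []
    if route["dest"].prefixlen == 0:
        notes.append("default route (/0) configured as a manual route")
    if route["attrs"].get("table"):
        notes.append(f"overrides ipv4.route-table with table {route['attrs']['table']}")
    if route["attrs"].get("type", "unicast") != "unicast":
        notes.append(f"route type is {route['attrs']['type']}")
    return notes


if __name__ == "__main__":
    # First value is the example from this page; the second is constructed.
    for value in ("192.0.2.0/24 10.1.1.1 77, 198.51.100.0/24",
                  "0.0.0.0/0 192.0.2.1 table=45 onlink=true"):
        for route in parse_routes(value):
            print(route, review_notes(route))
```
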
2204
2205 routing-rules
2206 A comma separated list of routing rules for policy routing. The
2207 format is based on ip rule add syntax and mostly compatible. One
2208 difference is that routing rules in NetworkManager always need a
2209 fixed priority.
2210
2211 Example: priority 5 from 192.167.4.0/24 table 45
2212
2213 Format: a comma separated list of routing rules
2214
2215 ipv6 setting
2216 IPv6 Settings.
2217
2218 Properties:
2219
2220 addr-gen-mode
2221 Configure method for creating the address for use with RFC4862 IPv6
2222 Stateless Address Autoconfiguration. The permitted values are:
2223 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0),
2224 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1),
2225 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_DEFAULT_OR_EUI64 (2) or
2226 NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_DEFAULT (3).
2227
2228 If the property is set to EUI64, the addresses will be generated
2229 using the interface tokens derived from the hardware address. This
2230 makes the host part of the address stay constant, making it
2231 possible to track the host's presence when it changes networks. The
2232 address changes when the interface hardware is replaced.
2233
2234 The value of stable-privacy enables use of a cryptographically
2235 secure hash of a secret host-specific key along with the connection's
2236 stable-id and the network address as specified by RFC7217. This
2237 makes it impossible to use the address to track the host's presence,
2238 and makes the address stable when the network interface hardware is
2239 replaced.
2240
2241 The special values "default" and "default-or-eui64" will fall back
2242 to the global connection default as documented in the
2243 NetworkManager.conf(5) manual. If the global default is not
2244 specified, the fallback value is "stable-privacy" or "eui64",
2245 respectively.
2246
2247 For libnm, the property defaults to "default" since 1.40.
2248 Previously it defaulted to "stable-privacy". On D-Bus, the absence
2249 of an addr-gen-mode setting equals "default". For the keyfile plugin,
2250 the absence of the setting on disk means "default-or-eui64" so that
2251 the property doesn't change on upgrade from older versions.
2252
2253 Note that this setting is distinct from the Privacy Extensions as
2254 configured by the "ip6-privacy" property and it does not affect the
2255 temporary addresses configured with this option.
2256
2257 Format: int32
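
The difference between the two modes is shown below as an added example, not NetworkManager's implementation. The EUI-64 derivation is the standard modified EUI-64 construction; the stable-privacy function hashes the three inputs this page names (secret key, stable-id, network address) with SHA-256, and the exact input layout, the MAC address, the key and the prefixes are assumptions constructed for the example.

```python
import hashlib
import ipaddress


def eui64_address(prefix, mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    net = ipaddress.IPv6Network(prefix)
    hw = bytes.fromhex(mac.replace(":", ""))
    if len(hw) != 6 or net.prefixlen != 64:
        raise ValueError("need a 48 bit MAC address and a /64 prefix")
    iid = bytes([hw[0] ^ 0x02]) + hw[1:3] + b"\xff\xfe" + hw[3:6]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def stable_privacy_address(prefix, stable_id, secret_key):
    """RFC 7217 style identifier: hash(secret key, stable-id, network address).

    Assumption: SHA-256 over length-prefixed fields, truncated to 64 bits.
    The hardware address is deliberately not an input.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("need a /64 prefix")
    digest = hashlib.sha256()
    for field in (net.network_address.packed[:8], stable_id.encode(), secret_key):
        digest.update(len(field).to_bytes(4, "big"))
        digest.update(field)
    iid = digest.digest()[:8]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def interface_id(address):
    """Lower 64 bits: the part an observer can correlate across networks."""
    return int(address) & ((1 << 64) - 1)


if __name__ == "__main__":
    mac = "52:54:00:12:34:56"                    # constructed
    key = b"constructed-per-host-secret"          # constructed
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):
        print(prefix, eui64_address(prefix, mac),
              stable_privacy_address(prefix, "example-stable-id", key))
```

With EUI64 the interface identifier is identical on both prefixes, which is what allows tracking; with the hashed identifier it differs per network but is reproducible on the same network.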
2258
2259 addresses
2260 Alias: ip6
2261
2262 Array of IP addresses.
2263
2264 Format: a comma separated list of addresses
2265
2266 dhcp-duid
2267 A string containing the DHCPv6 Unique Identifier (DUID) used by the
2268 dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
2269 DUID is carried in the Client Identifier option. If the property is
2270 a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
2271 filled as an opaque value in the Client Identifier option.
2272
2273 The special value "lease" will retrieve the DUID previously used
2274 from the lease file belonging to the connection. If no DUID is
2275 found and "dhclient" is the configured dhcp client, the DUID is
2276 searched in the system-wide dhclient lease file. If still no DUID
2277 is found, or another dhcp client is used, a global and permanent
2278 DUID-UUID (RFC 6355) will be generated based on the machine-id.
2279
2280 The special values "llt" and "ll" will generate a DUID of type LLT
2281 or LL (see RFC 3315) based on the current MAC address of the
2282 device. In order to try providing a stable DUID-LLT, the time field
2283 will contain a constant timestamp that is used globally (for all
2284 profiles) and persisted to disk.
2285
2286 The special values "stable-llt", "stable-ll" and "stable-uuid" will
2287 generate a DUID of the corresponding type, derived from the
2288 connection's stable-id and a per-host unique key. You may want to
2289 include the "${DEVICE}" or "${MAC}" specifier in the stable-id, in
2290 case this profile gets activated on multiple devices. So, the
2291 link-layer address of "stable-ll" and "stable-llt" will be a
2292 generated address derived from the stable id. The DUID-LLT time
2293 value in the "stable-llt" option will be picked among a static
2294 timespan of three years (the upper bound of the interval is the
2295 same constant timestamp used in "llt").
2296
2297 When the property is unset, the global value provided for
2298 "ipv6.dhcp-duid" is used. If no global value is provided, the
2299 default "lease" value is assumed.
2300
2301 Format: string
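
The following added example, not part of NetworkManager, decodes a binary DUID given in the hex string form described above and reports whether it carries a given hardware address, which is the case for the "ll" and "llt" values but not for the "stable-*" values. The type codes and field layout are those of RFC 3315 and RFC 6355; the function names and the sample DUIDs are constructed for the example.

```python
import datetime
import uuid

# DUID-LLT timestamps count seconds since 2000-01-01 UTC (RFC 3315).
DUID_EPOCH = datetime.datetime(2000, 1, 1, tzinfo=datetime.timezone.utc)


def parse_duid(hex_string):
    """Decode a DUID written as colon separated hex octets ('aa:bb:cc')."""
    raw = bytes.fromhex(hex_string.replace(":", ""))
    if len(raw) < 2:
        raise ValueError("DUID too short to carry a type field")
    duid_type = int.from_bytes(raw[:2], "big")
    if duid_type == 1:                                  # DUID-LLT
        if len(raw) < 9:
            raise ValueError("truncated DUID-LLT")
        seconds = int.from_bytes(raw[4:8], "big")
        return {"type": "llt",
                "hwtype": int.from_bytes(raw[2:4], "big"),
                "time": DUID_EPOCH + datetime.timedelta(seconds=seconds),
                "lladdr": raw[8:]}
    if duid_type == 3:                                  # DUID-LL
        if len(raw) < 5:
            raise ValueError("truncated DUID-LL")
        return {"type": "ll",
                "hwtype": int.from_bytes(raw[2:4], "big"),
                "lladdr": raw[4:]}
    if duid_type == 4:                                  # DUID-UUID (RFC 6355)
        if len(raw) != 18:
            raise ValueError("DUID-UUID must carry exactly 16 bytes")
        return {"type": "uuid", "uuid": uuid.UUID(bytes=raw[2:])}
    # Anything else is passed through as the opaque value it is on the wire.
    return {"type": "opaque", "code": duid_type, "data": raw[2:]}


def duid_exposes_mac(hex_string, mac):
    """True if the DUID embeds exactly this link-layer address."""
    decoded = parse_duid(hex_string)
    return decoded.get("lladdr") == bytes.fromhex(mac.replace(":", ""))


if __name__ == "__main__":
    # Constructed sample values.
    mac = "52:54:00:12:34:56"
    for duid in ("00:03:00:01:52:54:00:12:34:56",
                 "00:01:00:01:2a:bc:de:f0:52:54:00:12:34:56",
                 "00:04:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"):
        print(parse_duid(duid)["type"], duid_exposes_mac(duid, mac))
```
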
2302
2303 dhcp-hostname
2304 If the "dhcp-send-hostname" property is TRUE, then the specified
2305 name will be sent to the DHCP server when acquiring a lease. This
2306 property and "dhcp-fqdn" are mutually exclusive and cannot be set
2307 at the same time.
2308
2309 Format: string
2310
2311 dhcp-hostname-flags
2312 Flags for the DHCP hostname and FQDN.
2313
2314 Currently, this property only includes flags to control the FQDN
2315 flags set in the DHCP FQDN option. Supported FQDN flags are
2316 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2317 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
2318 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
2319 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
2320 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
2321 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
2322 the standard FQDN flags are set in the request:
2323 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2324 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
2325 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6.
2326
2327 When this property is set to the default value
2328 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), a global default is looked up in
2329 NetworkManager configuration. If that value is unset or also
2330 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
2331 described above are sent in the DHCP requests.
2332
2333 Format: uint32
2334
2335 dhcp-iaid
2336 A string containing the "Identity Association Identifier" (IAID)
2337 used by the DHCP client. The property is a 32-bit decimal value or
2338 a special value among "mac", "perm-mac", "ifname" and "stable".
2339 When set to "mac" (or "perm-mac"), the last 4 bytes of the current
2340 (or permanent) MAC address are used as IAID. When set to "ifname",
2341 the IAID is computed by hashing the interface name. The special
2342 value "stable" can be used to generate an IAID based on the
2343 stable-id (see connection.stable-id), a per-host key and the
2344 interface name. When the property is unset, the value from global
2345 configuration is used; if no global default is set then the IAID is
2346 assumed to be "ifname". Note that at the moment this property is
2347 ignored for IPv6 by dhclient, which always derives the IAID from
2348 the MAC address.
2349
2350 Format: string
2351
2352 dhcp-send-hostname
2353 If TRUE, a hostname is sent to the DHCP server when acquiring a
2354 lease. Some DHCP servers use this hostname to update DNS databases,
2355 essentially providing a static hostname for the computer. If the
2356 "dhcp-hostname" property is NULL and this property is TRUE, the
2357 current persistent hostname of the computer is sent.
2358
2359 Format: boolean
2360
2361 dhcp-timeout
2362 A timeout for a DHCP transaction in seconds. If zero (the default),
2363 a globally configured default is used. If still unspecified, a
2364 device specific timeout is used (usually 45 seconds).
2365
2366 Set to 2147483647 (MAXINT32) for infinity.
2367
2368 Format: int32
2369
2370 dns
2371 Array of IP addresses of DNS servers.
2372
2373 Format: array of byte array
2374
2375 dns-options
2376 Array of DNS options as described in man 5 resolv.conf.
2377
2378 NULL means that the options are unset and left at the default. In
2379 this case NetworkManager will use default options. This is distinct
2380 from an empty list of properties.
2381
2382 The currently supported options are "attempts", "debug", "edns0",
2383 "inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-check-names",
2384 "no-ip6-dotint", "no-reload", "no-tld-query", "rotate",
2385 "single-request", "single-request-reopen", "timeout", "trust-ad",
2386 "use-vc".
2387
2388 The "trust-ad" setting is only honored if the profile contributes
2389 name servers to resolv.conf, and if all contributing profiles have
2390 "trust-ad" enabled.
2391
2392 When using a caching DNS plugin (dnsmasq or systemd-resolved in
2393 NetworkManager.conf) then "edns0" and "trust-ad" are automatically
2394 added.
2395
2396 Format: array of string
2397
2398 dns-priority
2399 DNS servers priority.
2400
2401 The relative priority for DNS servers specified by this setting. A
2402 lower numerical value is better (higher priority).
2403
2404 Negative values have the special effect of excluding other
2405 configurations with a greater numerical priority value; so in
2406 the presence of at least one negative priority, only DNS servers
2407 from connections with the lowest priority value will be used. To
2408 avoid all DNS leaks, set the priority of the profile that should be
2409 used to the most negative value of all active connection profiles.
2410
2411 Zero selects a globally configured default value. If the latter is
2412 missing or zero too, it defaults to 50 for VPNs (including
2413 WireGuard) and 100 for other connections.
2414
2415 Note that the priority is to order DNS settings for multiple active
2416 connections. It does not disambiguate multiple DNS servers within
2417 the same connection profile.
2418
2419 When multiple devices have configurations with the same priority,
2420 VPNs will be considered first, then devices with the best (lowest
2421 metric) default route and then all other devices.
2422
2423 When using dns=default, servers with higher priority will be on top
2424 of resolv.conf. To prioritize a given server over another one
2425 within the same connection, just specify them in the desired order.
2426 Note that commonly the resolver tries name servers in
2427 /etc/resolv.conf in the order listed, proceeding with the next
2428 server in the list on failure. See for example the "rotate" option
2429 of the dns-options setting. If there are any negative DNS
2430 priorities, then only name servers from the devices with that
2431 lowest priority will be considered.
2432
2433 When using a DNS resolver that supports Conditional Forwarding or
2434 Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each
2435 connection is used to query domains in its search list. The search
2436 domains determine which name servers to ask, and the DNS priority
2437 is used to prioritize name servers based on the domain. Queries for
2438 domains not present in any search list are routed through
2439 connections having the '~.' special wildcard domain, which is added
2440 automatically to connections with the default route (or can be
2441 added manually). When multiple connections specify the same domain,
2442 the one with the best priority (lowest numerical value) wins. If a
2443 sub domain is configured on another interface it will be accepted
2444 regardless of the priority, unless the parent domain on the other
2445 interface has a negative priority, which causes the sub domain to
2446 be shadowed. With Split DNS one can avoid undesired DNS leaks by
2447 properly configuring DNS priorities and the search domains, so that
2448 only name servers of the desired interface are configured.
2449
2450 Format: int32
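
The ordering and exclusion rules of dns-priority, as stated in the ipv4 and ipv6 sections, are modelled below for the plain resolv.conf case (dns=default) so that a set of active profiles can be checked for DNS leaks. This is an added example and a simplified model, not NetworkManager code; the class, the function names and the sample profiles are constructed for it.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ActiveProfile:
    name: str
    dns: List[str]
    dns_priority: int = 0                        # 0 selects the default
    is_vpn: bool = False                         # includes WireGuard
    default_route_metric: Optional[int] = None   # None: no default route


def effective_priority(profile, global_default=0):
    """Zero falls back to the global default, then to 50 (VPN) or 100."""
    if profile.dns_priority != 0:
        return profile.dns_priority
    if global_default != 0:
        return global_default
    return 50 if profile.is_vpn else 100


def _tie_break(profile):
    # Same priority: VPNs first, then the best (lowest metric) default
    # route, then all other devices.
    if profile.is_vpn:
        return (0, 0)
    if profile.default_route_metric is not None:
        return (1, profile.default_route_metric)
    return (2, 0)


def name_servers(profiles, global_default=0):
    """Name servers in the order they would be listed, best priority first."""
    def prio(p):
        return effective_priority(p, global_default)

    ranked = sorted(profiles, key=lambda p: (prio(p), _tie_break(p)))
    if ranked and prio(ranked[0]) < 0:
        # Any negative priority: only the lowest priority value contributes.
        lowest = prio(ranked[0])
        ranked = [p for p in ranked if prio(p) == lowest]
    servers = []
    for profile in ranked:
        for server in profile.dns:
            if server not in servers:
                servers.append(server)
    return servers


def leaked_servers(profiles, intended, global_default=0):
    """Servers still in use that do not belong to the intended profile."""
    allowed = {s for p in profiles if p.name == intended for s in p.dns}
    return [s for s in name_servers(profiles, global_default) if s not in allowed]


if __name__ == "__main__":
    # Constructed sample: a Wi-Fi profile and a VPN, both at the default priority.
    wifi = ActiveProfile("home-wifi", ["192.0.2.53"], default_route_metric=600)
    vpn = ActiveProfile("corp-vpn", ["198.51.100.53"], is_vpn=True)
    print(name_servers([wifi, vpn]), leaked_servers([wifi, vpn], "corp-vpn"))
    vpn.dns_priority = -10
    print(name_servers([wifi, vpn]), leaked_servers([wifi, vpn], "corp-vpn"))
```

With default priorities the VPN's server is only listed first and the Wi-Fi server remains as a fallback; a negative priority on the VPN profile removes it.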
2451
2452 dns-search
2453 List of DNS search domains. Domains starting with a tilde ('~') are
2454 considered 'routing' domains and are used only to decide the
2455 interface over which a query must be forwarded; they are not used
2456 to complete unqualified host names.
2457
2458 When using a DNS plugin that supports Conditional Forwarding or
2459 Split DNS, then the search domains specify which name servers to
2460 query. This makes the behavior different from running with plain
2461 /etc/resolv.conf. For more information see also the dns-priority
2462 setting.
2463
2464 When set on a profile that also enables DHCP, the DNS search list
2465 received automatically (option 119 for DHCPv4 and option 24 for
2466 DHCPv6) gets merged with the manual list. This can be prevented by
2467 setting "ignore-auto-dns". Note that if no DNS searches are
2468 configured, the fallback will be derived from the domain from DHCP
2469 (option 15).
2470
2471 Format: array of string
2472
2473 gateway
2474 Alias: gw6
2475
2476 The gateway associated with this configuration. This is only
2477 meaningful if "addresses" is also set.
2478
2479 Setting the gateway causes NetworkManager to configure a standard
2480 default route with the gateway as next hop. This is ignored if
2481 "never-default" is set. An alternative is to configure the default
2482 route explicitly with a manual route and /0 as prefix length.
2483
2484 Note that the gateway usually conflicts with routing that
2485 NetworkManager configures for WireGuard interfaces, so usually it
2486 should not be set in that case. See "ip4-auto-default-route".
2487
2488 Format: string
2489
2490 ignore-auto-dns
2491 When "method" is set to "auto" and this property to TRUE,
2492 automatically configured name servers and search domains are
2493 ignored and only name servers and search domains specified in the
2494 "dns" and "dns-search" properties, if any, are used.
2495
2496 Format: boolean
2497
2498 ignore-auto-routes
2499 When "method" is set to "auto" and this property to TRUE,
2500 automatically configured routes are ignored and only routes
2501 specified in the "routes" property, if any, are used.
2502
2503 Format: boolean
2504
2505 ip6-privacy
2506 Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
2507 If enabled, it makes the kernel generate a temporary IPv6 address
2508 in addition to the public one generated from the MAC address via
2509 modified EUI-64. This enhances privacy, but could cause problems in
2510 some applications. The permitted values are: -1:
2511 unknown, 0: disabled, 1: enabled (prefer public address), 2:
2512 enabled (prefer temporary addresses).
2513
2514 A per-connection setting of "-1" (unknown) means falling back to
2515 the global configuration "ipv6.ip6-privacy".
2516
2517 If the global configuration is also unspecified or set to "-1", the
2518 fallback is to read "/proc/sys/net/ipv6/conf/default/use_tempaddr".
2519
2520 Note that this setting is distinct from the Stable Privacy
2521 addresses that can be enabled with the "addr-gen-mode" property's
2522 "stable-privacy" setting as another way of avoiding host tracking
2523 with IPv6 addresses.
2524
2525 Format: NMSettingIP6ConfigPrivacy (int32)
2526
2527 may-fail
2528 If TRUE, allow overall network configuration to proceed even if the
2529 configuration specified by this property times out. Note that at
2530 least one IP configuration must succeed or overall network
2531 configuration will still fail. For example, in IPv6-only networks,
2532 setting this property to TRUE on the NMSettingIP4Config allows the
2533 overall network configuration to succeed if IPv4 configuration
2534 fails but IPv6 configuration completes successfully.
2535
2536 Format: boolean
2537
2538 method
2539 IP configuration method.
2540
2541 NMSettingIP4Config and NMSettingIP6Config both support "disabled",
2542 "auto", "manual", and "link-local". See the subclass-specific
2543 documentation for other values.
2544
2545 In general, for the "auto" method, properties such as "dns" and
2546 "routes" specify information that is added on to the information
2547 returned from automatic configuration. The "ignore-auto-routes" and
2548 "ignore-auto-dns" properties modify this behavior.
2549
2550 For methods that imply no upstream network, such as "shared" or
2551 "link-local", these properties must be empty.
2552
2553 For IPv4 method "shared", the IP subnet can be configured by adding
2554 one manual IPv4 address or otherwise 10.42.x.0/24 is chosen. Note
2555 that the shared method must be configured on the interface which
2556 shares the internet to a subnet, not on the uplink which is shared.
2557
2558 Format: string
2559
2560 mtu
2561 Maximum transmission unit size, in bytes. If zero (the default),
2562 the MTU is set automatically from router advertisements or is left
2563 equal to the link-layer MTU. If greater than the link-layer MTU, or
2564 greater than zero but less than the minimum IPv6 MTU of 1280, this
2565 value has no effect.
2566
2567 Format: uint32
2568
2569 never-default
2570 If TRUE, this connection will never be the default connection for
2571 this IP type, meaning it will never be assigned the default route
2572 by NetworkManager.
2573
2574 Format: boolean
2575
2576 ra-timeout
2577 A timeout for waiting for Router Advertisements, in seconds. If zero
2578 (the default), a globally configured default is used. If still
2579 unspecified, the timeout depends on the sysctl settings of the
2580 device.
2581
2582 Set to 2147483647 (MAXINT32) for infinity.
2583
2584 Format: int32
2585
2586 required-timeout
2587 The minimum time interval in milliseconds for which dynamic IP
2588 configuration should be tried before the connection succeeds.
2589
2590 This property is useful for example if both IPv4 and IPv6 are
2591 enabled and are allowed to fail. Normally the connection succeeds
2592 as soon as one of the two address families completes; by setting a
2593 required timeout for e.g. IPv4, one can ensure that even if IPv6
2594 succeeds earlier than IPv4, NetworkManager waits some time for IPv4
2595 before the connection becomes active.
2596
2597 Note that if "may-fail" is FALSE for the same address family, this
2598 property has no effect as NetworkManager needs to wait for the full
2599 DHCP timeout.
2600
2601 A zero value means that no required timeout is present, -1 means
2602 the default value (either configuration ipvx.required-timeout
2603 override or zero).
2604
2605 Format: int32
2606
2607 route-metric
2608 The default metric for routes that don't explicitly specify a
2609 metric. The default value -1 means that the metric is chosen
2610 automatically based on the device type. The metric applies to
2611 dynamic routes, manual (static) routes that don't have an explicit
2612 metric setting, address prefix routes, and the default route. Note
2613 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2614 (user default). Hence, setting this property to zero effectively
2615 means setting it to 1024. For IPv4, zero is a regular value for the
2616 metric.
2617
2618 Format: int64
2619
2620 route-table
2621 Enable policy routing (source routing) and set the routing table
2622 used when adding routes.
2623
2624 This affects all routes, including device-routes, IPv4LL, DHCP,
2625 SLAAC, default-routes and static routes. But note that static
2626 routes can individually overwrite the setting by explicitly
2627 specifying a non-zero routing table.
2628
2629 If the table setting is left at zero, it is eligible to be
2630 overwritten via global configuration. If the property is zero even
2631 after applying the global configuration value, policy routing is
2632 disabled for the address family of this connection.
2633
2634 Policy routing disabled means that NetworkManager will add all
2635 routes to the main table (except static routes that explicitly
2636 configure a different table). Additionally, NetworkManager will not
2637 delete any extraneous routes from tables except the main table.
2638 This is to preserve backward compatibility for users who manage
2639 routing tables outside of NetworkManager.
2640
2641 Format: uint32
2642
2643 routes
2644 A list of IPv6 destination addresses, prefix length, optional IPv6
2645 next hop addresses, optional route metric, optional attribute. The
2646 valid syntax is: "ip[/prefix] [next-hop] [metric]
2647 [attribute=val]...[,ip[/prefix]...]".
2648
2649 Various attributes are supported:
2650
2651 • "advmss" - an unsigned 32 bit integer.
2652
2653 • "cwnd" - an unsigned 32 bit integer.
2654
2655 • "from" - an IPv6 address with optional prefix. IPv6 only.
2656
2657 • "initcwnd" - an unsigned 32 bit integer.
2658
2659 • "initrwnd" - an unsigned 32 bit integer.
2660
2661 • "lock-advmss" - a boolean value.
2662
2663 • "lock-cwnd" - a boolean value.
2664
2665 • "lock-initcwnd" - a boolean value.
2666
2667 • "lock-initrwnd" - a boolean value.
2668
2669 • "lock-mtu" - a boolean value.
2670
2671 • "lock-window" - a boolean value.
2672
2673 • "mtu" - an unsigned 32 bit integer.
2674
2675 • "onlink" - a boolean value.
2676
2677 • "quickack" - a boolean value.
2678
2679 • "rto_min" - an unsigned 32 bit integer. The value is in
2680 milliseconds.
2681
2682 • "src" - an IPv6 address.
2683
2684 • "table" - an unsigned 32 bit integer. The default depends on
2685 ipv6.route-table.
2686
2687 • "type" - one of unicast, local, blackhole, unavailable,
2688 prohibit, throw. The default is unicast.
2689
2690 • "window" - an unsigned 32 bit integer.
2691
2692 For details see also `man ip-route`.
2693
2694 Format: a comma separated list of routes
2695
2696 routing-rules
2697 A comma separated list of routing rules for policy routing. The
2698 format is based on ip rule add syntax and mostly compatible. One
2699 difference is that routing rules in NetworkManager always need a
2700 fixed priority.
2701
2702 Example: priority 5 from 1:2:3::5/128 table 45
2703
2704 Format: a comma separated list of routing rules
2705
2706 token
2707 Configure the token for
2708 draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2709 interface identifiers. Useful with eui64 addr-gen-mode.
2710
2711 Format: string
2712
2713 ip-tunnel setting
2714 IP Tunneling Settings.
2715
2716 Properties:
2717
2718 encapsulation-limit
2719 How many additional levels of encapsulation are permitted to be
2720 prepended to packets. This property applies only to IPv6 tunnels.
2721
2722 Format: uint32
2723
2724 flags
2725 Tunnel flags. Currently, the following values are supported:
2726 NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2727 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2728 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2729 NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2730 NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2731 NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2732 for IPv6 tunnels.
2733
2734 Format: uint32
2735
2736 flow-label
2737 The flow label to assign to tunnel packets. This property applies
2738 only to IPv6 tunnels.
2739
2740 Format: uint32
2741
2742 input-key
2743 The key used for tunnel input packets; the property is valid only
2744 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2745
2746 Format: string
2747
2748 local
2749 Alias: local
2750
2751 The local endpoint of the tunnel; the value can be empty, otherwise
2752 it must contain an IPv4 or IPv6 address.
2753
2754 Format: string
2755
2756 mode
2757 Alias: mode
2758
2759 The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2760 NM_IP_TUNNEL_MODE_GRE (2).
2761
2762 Format: uint32
2763
2764 mtu
2765 If non-zero, only transmit packets of the specified size or
2766 smaller, breaking larger packets up into multiple fragments.
2767
2768 Format: uint32
2769
2770 output-key
2771 The key used for tunnel output packets; the property is valid only
2772 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2773
2774 Format: string
2775
2776 parent
2777 Alias: dev
2778
2779 If given, specifies the parent interface name or parent connection
2780 UUID the new device will be bound to so that tunneled packets will
2781 only be routed via that interface.
2782
2783 Format: string
2784
2785 path-mtu-discovery
2786 Whether to enable Path MTU Discovery on this tunnel.
2787
2788 Format: boolean
2789
2790 remote
2791 Alias: remote
2792
2793 The remote endpoint of the tunnel; the value must contain an IPv4
2794 or IPv6 address.
2795
2796 Format: string
2797
2798 tos
2799 The type of service (IPv4) or traffic class (IPv6) field to be set
2800 on tunneled packets.
2801
2802 Format: uint32
2803
2804 ttl
2805 The TTL to assign to tunneled packets. 0 is a special value meaning
2806 that packets inherit the TTL value.
2807
2808 Format: uint32
2809
2810 macsec setting
2811 MACSec Settings.
2812
2813 Properties:
2814
2815 encrypt
2816 Alias: encrypt
2817
2818 Whether the transmitted traffic must be encrypted.
2819
2820 Format: boolean
2821
2822 mka-cak
2823 Alias: cak
2824
2825 The pre-shared CAK (Connectivity Association Key) for MACsec Key
2826 Agreement. Must be a string of 32 hexadecimal characters.
2827
2828 Format: string
2829
2830 mka-cak-flags
2831 Flags indicating how to handle the "mka-cak" property.
2832
2833 Format: NMSettingSecretFlags (uint32)
2834
2835 mka-ckn
2836 Alias: ckn
2837
2838 The pre-shared CKN (Connectivity-association Key Name) for MACsec
2839 Key Agreement. Must be a string of hexadecimal characters with an
2840 even length between 2 and 64.
2841
2842 Format: string
2843
2844 mode
2845 Alias: mode
2846
2847 Specifies how the CAK (Connectivity Association Key) for MKA
2848 (MACsec Key Agreement) is obtained.
2849
2850 Format: int32
2851
2852 parent
2853 Alias: dev
2854
2855 If given, specifies the parent interface name or parent connection
2856 UUID from which this MACSEC interface should be created. If this
2857 property is not specified, the connection must contain an
2858 "802-3-ethernet" setting with a "mac-address" property.
2859
2860 Format: string
2861
2862 port
2863 Alias: port
2864
2865 The port component of the SCI (Secure Channel Identifier), between
2866 1 and 65534.
2867
2868 Format: int32
2869
2870 send-sci
2871 Specifies whether the SCI (Secure Channel Identifier) is included
2872 in every packet.
2873
2874 Format: boolean
2875
2876 validation
2877 Specifies the validation mode for incoming frames.
2878
2879 Format: int32
2880
2881 macvlan setting
2882 MAC VLAN Settings.
2883
2884 Properties:
2885
2886 mode
2887 Alias: mode
2888
2889 The macvlan mode, which specifies the communication mechanism
2890 between multiple macvlans on the same lower device.
2891
2892 Format: uint32
2893
2894 parent
2895 Alias: dev
2896
2897 If given, specifies the parent interface name or parent connection
2898 UUID from which this MAC-VLAN interface should be created. If this
2899 property is not specified, the connection must contain an
2900 "802-3-ethernet" setting with a "mac-address" property.
2901
2902 Format: string
2903
2904 promiscuous
2905 Whether the interface should be put in promiscuous mode.
2906
2907 Format: boolean
2908
2909 tap
2910 Alias: tap
2911
2912 Whether the interface should be a MACVTAP.
2913
2914 Format: boolean
2915
2916 match setting
2917 Match settings.
2918
2919 Properties:
2920
2921 driver
2922 A list of driver names to match. Each element is a shell wildcard
2923 pattern.
2924
2925 See NMSettingMatch:interface-name for how special characters '|',
2926 '&', '!' and '\\' are used for optional and mandatory matches and
2927 inverting the pattern.
2928
2929 Format: array of string
2930
2931 interface-name
2932 A list of interface names to match. Each element is a shell
2933 wildcard pattern.
2934
2935 An element can be prefixed with a pipe symbol (|) or an ampersand
2936 (&). The former means that the element is optional and the latter
2937 means that it is mandatory. If there are any optional elements,
2938 then the match evaluates to true if at least one of the optional
2939 elements matches (logical OR). If there are any mandatory elements,
2940 then they all must match (logical AND). By default, an element is
2941 optional. This means that an element "foo" behaves the same as
2942 "|foo". An element can also be inverted with an exclamation mark (!)
2943 between the pipe symbol (or the ampersand) and the pattern.
2944 Note that "!foo" is a shortcut for the mandatory match "&!foo".
2945 Finally, a backslash can be used at the beginning of the element
2946 (after the optional special characters) to escape the start of the
2947 pattern. For example, "&\\!a" is a mandatory match for literally
2948 "!a".
2949
2950 Format: array of string
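
The optional/mandatory/inverted rules above, worked through in Python. This is an added example, not NetworkManager code: the function names and the sample interface names are constructed, fnmatch.fnmatchcase() stands in for the shell wildcard matcher, and treating an empty list as "no restriction" is an assumption.

```python
import fnmatch

# Constructed sample: interface names present on a hypothetical host.
SAMPLE_INTERFACES = ["eth0", "eth1", "wlan0", "veth12ab"]


def parse_element(element):
    """Split one list element into (mandatory, inverted, pattern)."""
    mandatory = inverted = False
    rest = element
    if rest[:1] in ("&", "|"):
        # "&" marks a mandatory element, "|" an optional one.
        mandatory = rest[0] == "&"
        rest = rest[1:]
        if rest.startswith("!"):
            inverted = True
            rest = rest[1:]
    elif rest.startswith("!"):
        # A bare "!foo" is a shortcut for the mandatory match "&!foo".
        mandatory = inverted = True
        rest = rest[1:]
    # One leading backslash escapes the start of the pattern, so that a
    # pattern can begin with a literal "!", "&" or "|".
    if rest.startswith("\\"):
        rest = rest[1:]
    return mandatory, inverted, rest


def matches(value, elements):
    """Evaluate a match list against one value (e.g. an interface name)."""
    saw_optional = optional_hit = False
    for element in elements:
        mandatory, inverted, pattern = parse_element(element)
        # An inverted element is satisfied when the pattern does NOT match.
        hit = fnmatch.fnmatchcase(value, pattern) != inverted
        if mandatory:
            if not hit:
                return False          # logical AND over mandatory elements
        else:
            saw_optional = True
            optional_hit = optional_hit or hit   # logical OR over optional ones
    # With no optional elements, passing every mandatory element is enough.
    return optional_hit or not saw_optional


def select(names, elements):
    """Return the names from `names` that the match list accepts."""
    return [name for name in names if matches(name, elements)]


if __name__ == "__main__":
    # Intended policy: "any eth* device except eth0".
    print(select(SAMPLE_INTERFACES, ["eth*", "!eth0"]))
    # Pitfall: an optional inverted element is OR-ed with the others, so it
    # widens the match to every name that is not eth0 instead of excluding it.
    print(select(SAMPLE_INTERFACES, ["eth*", "|!eth0"]))
```

An exclusion has to be written as a mandatory element ("!eth0" or "&!eth0"); the optional form "|!eth0" makes the profile eligible for unrelated devices such as wlan0 or veth12ab.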
2951
2952 kernel-command-line
2953 A list of kernel command line arguments to match. This may be used
2954 to check whether a specific kernel command line option is set (or
2955 unset, if prefixed with the exclamation mark). The argument must
2956 either be a single word, or an assignment (i.e. two words, joined
2957 by "="). In the former case the kernel command line is searched for
2958 the word appearing as is, or as left hand side of an assignment. In
2959 the latter case, the exact assignment is looked for with right and
2960 left hand side matching. Wildcard patterns are not supported.
2961
2962 See NMSettingMatch:interface-name for how special characters '|',
2963 '&', '!' and '\\' are used for optional and mandatory matches and
2964 inverting the match.
2965
2966 Format: array of string
2967
2968 path
2969 A list of paths to match against the ID_PATH udev property of
2970 devices. ID_PATH represents the topological persistent path of a
2971 device. It typically contains a subsystem string (pci, usb,
2972 platform, etc.) and a subsystem-specific identifier.
2973
2974 For PCI devices the path has the form
2975 "pci-$domain:$bus:$device.$function", where each variable is a
2976 hexadecimal value; for example "pci-0000:0a:00.0".
2977
2978 The path of a device can be obtained with "udevadm info
2979 /sys/class/net/$dev | grep ID_PATH=" or by looking at the "path"
2980 property exported by NetworkManager ("nmcli -f general.path device
2981 show $dev").
2982
2983 Each element of the list is a shell wildcard pattern.
2984
2985 See NMSettingMatch:interface-name for how special characters '|',
2986 '&', '!' and '\\' are used for optional and mandatory matches and
2987 inverting the pattern.
2988
2989 Format: array of string
2990
2991 802-11-olpc-mesh setting
2992 Alias: olpc-mesh
2993
2994 OLPC Wireless Mesh Settings.
2995
2996 Properties:
2997
2998 channel
2999 Alias: channel
3000
3001 Channel on which the mesh network to join is located.
3002
3003 Format: uint32
3004
3005 dhcp-anycast-address
3006 Alias: dhcp-anycast
3007
3008 Anycast DHCP MAC address used when requesting an IP address via
3009 DHCP. The specific anycast address used determines which DHCP
3010 server class answers the request.
3011
3012 This is currently only implemented by dhclient DHCP plugin.
3013
3014 Format: byte array
3015
3016 ssid
3017 Alias: ssid
3018
3019 SSID of the mesh network to join.
3020
3021 Format: byte array
3022
3023 ovs-bridge setting
3024 OvsBridge Link Settings.
3025
3026 Properties:
3027
3028 datapath-type
3029 The data path type. One of "system", "netdev" or empty.
3030
3031 Format: string
3032
3033 fail-mode
3034 The bridge failure mode. One of "secure", "standalone" or empty.
3035
3036 Format: string
3037
3038 mcast-snooping-enable
3039 Enable or disable multicast snooping.
3040
3041 Format: boolean
3042
3043 rstp-enable
3044 Enable or disable RSTP.
3045
3046 Format: boolean
3047
3048 stp-enable
3049 Enable or disable STP.
3050
3051 Format: boolean
3052
3053 ovs-dpdk setting
3054 OvsDpdk Link Settings.
3055
3056 Properties:
3057
3058 devargs
3059 Open vSwitch DPDK device arguments.
3060
3061 Format: string
3062
3063 n-rxq
3064 Open vSwitch DPDK number of rx queues. Defaults to zero which means
3065 to leave the parameter in OVS unspecified and effectively
3066 configures one queue.
3067
3068 Format: uint32
3069
3070 ovs-interface setting
3071 Open vSwitch Interface Settings.
3072
3073 Properties:
3074
3075 type
3076 The interface type. Either "internal", "system", "patch", "dpdk",
3077 or empty.
3078
3079 Format: string
3080
3081 ovs-patch setting
3082 OvsPatch Link Settings.
3083
3084 Properties:
3085
3086 peer
3087 Specifies the name of the interface for the other side of the
3088 patch. The patch on the other side must also set this interface as
3089 peer.
3090
3091 Format: string
3092
3093 ovs-port setting
3094 OvsPort Link Settings.
3095
3096 Properties:
3097
3098 bond-downdelay
3099 The time a port must be inactive in order to be considered down.
3100
3101 Format: uint32
3102
3103 bond-mode
3104 Bonding mode. One of "active-backup", "balance-slb", or
3105 "balance-tcp".
3106
3107 Format: string
3108
3109 bond-updelay
3110 The time a port must be active before it starts forwarding traffic.
3111
3112 Format: uint32
3113
3114 lacp
3115 LACP mode. One of "active", "off", or "passive".
3116
3117 Format: string
3118
3119 tag
3120 The VLAN tag in the range 0-4095.
3121
3122 Format: uint32
3123
3124 vlan-mode
3125 The VLAN mode. One of "access", "native-tagged", "native-untagged",
3126 "trunk" or unset.
3127
3128 Format: string
3129
3130 ppp setting
3131 Point-to-Point Protocol Settings.
3132
3133 Properties:
3134
3135 baud
3136 If non-zero, instruct pppd to set the serial port to the specified
3137 baudrate. This value should normally be left as 0 to automatically
3138 choose the speed.
3139
3140 Format: uint32
3141
3142 crtscts
3143 If TRUE, specify that pppd should set the serial port to use
3144 hardware flow control with RTS and CTS signals. This value should
3145 normally be set to FALSE.
3146
3147 Format: boolean
3148
3149 lcp-echo-failure
3150 If non-zero, instruct pppd to presume the connection to the peer
3151 has failed if the specified number of LCP echo-requests go
3152 unanswered by the peer. The "lcp-echo-interval" property must also
3153 be set to a non-zero value if this property is used.
3154
3155 Format: uint32
3156
3157 lcp-echo-interval
3158 If non-zero, instruct pppd to send an LCP echo-request frame to the
3159 peer every n seconds (where n is the specified value). Note that
3160 some PPP peers will respond to echo requests and some will not, and
3161 it is not possible to autodetect this.
3162
3163 Format: uint32
3164
3165 mppe-stateful
3166 If TRUE, stateful MPPE is used. See pppd documentation for more
3167 information on stateful MPPE.
3168
3169 Format: boolean
3170
3171 mru
3172 If non-zero, instruct pppd to request that the peer send packets no
3173 larger than the specified size. If non-zero, the MRU should be
3174 between 128 and 16384.
3175
3176 Format: uint32
3177
3178 mtu
3179 If non-zero, instruct pppd to send packets no larger than the
3180 specified size.
3181
3182 Format: uint32
3183
3184 no-vj-comp
3185 If TRUE, Van Jacobson TCP header compression will not be requested.
3186
3187 Format: boolean
3188
3189 noauth
3190 If TRUE, do not require the other side (usually the PPP server) to
3191 authenticate itself to the client. If FALSE, require authentication
3192 from the remote side. In almost all cases, this should be TRUE.
3193
3194 Format: boolean
3195
3196 nobsdcomp
3197 If TRUE, BSD compression will not be requested.
3198
3199 Format: boolean
3200
3201 nodeflate
3202 If TRUE, "deflate" compression will not be requested.
3203
3204 Format: boolean
3205
3206 refuse-chap
3207 If TRUE, the CHAP authentication method will not be used.
3208
3209 Format: boolean
3210
3211 refuse-eap
3212 If TRUE, the EAP authentication method will not be used.
3213
3214 Format: boolean
3215
3216 refuse-mschap
3217 If TRUE, the MSCHAP authentication method will not be used.
3218
3219 Format: boolean
3220
3221 refuse-mschapv2
3222 If TRUE, the MSCHAPv2 authentication method will not be used.
3223
3224 Format: boolean
3225
3226 refuse-pap
3227 If TRUE, the PAP authentication method will not be used.
3228
3229 Format: boolean
3230
3231 require-mppe
3232 If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
3233 required for the PPP session. If either 64-bit or 128-bit MPPE is
3234 not available the session will fail. Note that MPPE is not used on
3235 mobile broadband connections.
3236
3237 Format: boolean
3238
3239 require-mppe-128
3240 If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
3241 required for the PPP session, and the "require-mppe" property must
3242 also be set to TRUE. If 128-bit MPPE is not available the session
3243 will fail.
3244
3245 Format: boolean
3246
3247 pppoe setting
3248 PPP-over-Ethernet Settings.
3249
3250 Properties:
3251
3252 parent
3253 Alias: parent
3254
3255 If given, specifies the parent interface name on which this PPPoE
3256 connection should be created. If this property is not specified,
3257 the connection is activated on the interface specified in
3258 "interface-name" of NMSettingConnection.
3259
3260 Format: string
3261
3262 password
3263 Alias: password
3264
3265 Password used to authenticate with the PPPoE service.
3266
3267 Format: string
3268
3269 password-flags
3270 Flags indicating how to handle the "password" property.
3271
3272 Format: NMSettingSecretFlags (uint32)
3273
3274 service
3275 Alias: service
3276
3277 If specified, instruct PPPoE to only initiate sessions with access
3278 concentrators that provide the specified service. For most
3279 providers, this should be left blank. It is only required if there
3280 are multiple access concentrators or a specific service is known to
3281 be required.
3282
3283 Format: string
3284
3285 username
3286 Alias: username
3287
3288 Username used to authenticate with the PPPoE service.
3289
3290 Format: string
3291
3292 proxy setting
3293 WWW Proxy Settings.
3294
3295 Properties:
3296
3297 browser-only
3298 Alias: browser-only
3299
3300 Whether the proxy configuration is for browser only.
3301
3302 Format: boolean
3303
3304 method
3305 Alias: method
3306
3307 Method for proxy configuration. Default is
3308 NM_SETTING_PROXY_METHOD_NONE (0).
3309
3310 Format: int32
3311
3312 pac-script
3313 Alias: pac-script
3314
3315 PAC script for the connection. This is UTF-8 encoded JavaScript
3316 code that defines a FindProxyForURL() function.
3317
3318 Format: string
3319
3320 pac-url
3321 Alias: pac-url
3322
3323 PAC URL for obtaining PAC file.
3324
3325 Format: string
3326
3327 serial setting
3328 Serial Link Settings.
3329
3330 Properties:
3331
3332 baud
3333 Speed to use for communication over the serial port. Note that this
3334 value usually has no effect for mobile broadband modems as they
3335 generally ignore speed settings and use the highest available
3336 speed.
3337
3338 Format: uint32
3339
3340 bits
3341 Byte-width of the serial communication. The 8 in "8n1" for example.
3342
3343 Format: uint32
3344
3345 parity
3346 Parity setting of the serial port.
3347
3348 Format: NMSettingSerialParity (byte)
3349
3350 send-delay
3351 Time to delay between each byte sent to the modem, in microseconds.
3352
3353 Format: uint64
3354
3355 stopbits
3356 Number of stop bits for communication on the serial port. Either 1
3357 or 2. The 1 in "8n1" for example.
3358
3359 Format: uint32
3360
3361 sriov setting
3362 SR-IOV settings.
3363
3364 Properties:
3365
3366 autoprobe-drivers
3367 Whether to autoprobe virtual functions by a compatible driver.
3368
3369 If set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
3370 compatible driver and if this succeeds a new network interface will
3371 be instantiated for each VF.
3372
3373 If set to NM_TERNARY_FALSE (0), VFs will not be claimed and no
3374 network interfaces will be created for them.
3375
3376 When set to NM_TERNARY_DEFAULT (-1), the global default is used; in
3377 case the global default is unspecified it is assumed to be
3378 NM_TERNARY_TRUE (1).
3379
3380 Format: NMTernary (int32)
3381
3382 total-vfs
3383 The total number of virtual functions to create.
3384
3385 Note that when the sriov setting is present NetworkManager enforces
3386 the number of virtual functions on the interface (also when it is
3387 zero) during activation and resets it upon deactivation. To prevent
3388 any changes to SR-IOV parameters don't add a sriov setting to the
3389 connection.
3390
3391 Format: uint32
3392
3393 vfs
3394 Array of virtual function descriptors.
3395
3396 Each VF descriptor is a dictionary mapping attribute names to
3397 GVariant values. The 'index' entry is mandatory for each VF.
3398
3399 When represented as string a VF is in the form:
3400
3401 "INDEX [ATTR=VALUE[ ATTR=VALUE]...]".
3402
3403 for example:
3404
3405 "2 mac=00:11:22:33:44:55 spoof-check=true".
3406
3407 Multiple VFs can be specified using a comma as separator.
3408 Currently, the following attributes are supported: mac,
3409 spoof-check, trust, min-tx-rate, max-tx-rate, vlans.
3410
3411 The "vlans" attribute is represented as a semicolon-separated list
3412 of VLAN descriptors, where each descriptor has the form
3413
3414 "ID[.PRIORITY[.PROTO]]".
3415
3416 PROTO can be either 'q' for 802.1Q (the default) or 'ad' for
3417 802.1ad.
3418
3419 Format: array of vardict
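
A parser for the string form of sriov.vfs described above, including the nested "vlans" descriptors. This is an added example, not NetworkManager code: the function names and the sample value are constructed, only "true"/"false" are accepted as booleans here, the VLAN ID (0-4095) and priority (0-7) limits come from 802.1Q rather than from this page, and review_flags() reflects an assumed review policy.

```python
import re

KNOWN_ATTRS = {"mac", "spoof-check", "trust", "min-tx-rate", "max-tx-rate", "vlans"}
# Assumption: this sketch accepts only these two boolean spellings.
BOOLEANS = {"true": True, "false": False}
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")
UINT32_MAX = 2**32 - 1

# Constructed sample value for sriov.vfs.
SAMPLE_VFS = ("2 mac=00:11:22:33:44:55 spoof-check=true, "
              "3 trust=true spoof-check=false vlans=10;20.3.ad")


def to_uint(text, what, maximum=UINT32_MAX):
    """Convert a decimal string to int, rejecting signs, blanks and overflow."""
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError(f"{what}: expected an unsigned integer, got {text!r}")
    value = int(text)
    if value > maximum:
        raise ValueError(f"{what}: {value} exceeds {maximum}")
    return value


def parse_vlan(text):
    """Parse one "ID[.PRIORITY[.PROTO]]" descriptor."""
    parts = text.split(".")
    if len(parts) > 3:
        raise ValueError(f"vlans: too many fields in {text!r}")
    # 'q' (802.1Q) is the default PROTO; the page states no default priority.
    vlan = {"id": to_uint(parts[0], "vlan id", 4095), "priority": None, "proto": "q"}
    if len(parts) > 1:
        vlan["priority"] = to_uint(parts[1], "vlan priority", 7)
    if len(parts) > 2:
        if parts[2] not in ("q", "ad"):
            raise ValueError(f"vlans: PROTO must be 'q' or 'ad', got {parts[2]!r}")
        vlan["proto"] = parts[2]
    return vlan


def parse_vf(text):
    """Parse one "INDEX [ATTR=VALUE[ ATTR=VALUE]...]" descriptor."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty VF descriptor")
    vf = {"index": to_uint(tokens[0], "index")}   # 'index' is mandatory
    for token in tokens[1:]:
        name, sep, value = token.partition("=")
        if not sep or name not in KNOWN_ATTRS:
            raise ValueError(f"VF {vf['index']}: unsupported token {token!r}")
        if name in vf:
            raise ValueError(f"VF {vf['index']}: duplicate attribute {name!r}")
        if name == "mac":
            if not MAC_RE.fullmatch(value):
                raise ValueError(f"VF {vf['index']}: bad MAC address {value!r}")
            vf[name] = value.lower()
        elif name in ("spoof-check", "trust"):
            if value not in BOOLEANS:
                raise ValueError(f"VF {vf['index']}: {name} must be true or false")
            vf[name] = BOOLEANS[value]
        elif name == "vlans":
            # Semicolons separate VLAN descriptors, commas separate VFs.
            vf[name] = [parse_vlan(item) for item in value.split(";")]
        else:
            vf[name] = to_uint(value, name)   # min-tx-rate / max-tx-rate
    return vf


def parse_vfs(text):
    """Parse a comma-separated list of VF descriptors."""
    if not text.strip():
        return []
    vfs = [parse_vf(part) for part in text.split(",")]
    indexes = [vf["index"] for vf in vfs]
    if len(set(indexes)) != len(indexes):
        raise ValueError("duplicate VF index")
    return vfs


def review_flags(vfs):
    """List (index, setting) pairs a reviewer may want to look at.

    Assumed policy: report any VF that explicitly turns spoof-check off
    or trust on.
    """
    flagged = []
    for vf in vfs:
        if vf.get("spoof-check") is False:
            flagged.append((vf["index"], "spoof-check=false"))
        if vf.get("trust") is True:
            flagged.append((vf["index"], "trust=true"))
    return flagged


if __name__ == "__main__":
    parsed = parse_vfs(SAMPLE_VFS)
    print(parsed)
    print(review_flags(parsed))
```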
3420
3421 tc setting
3422 Linux Traffic Control Settings.
3423
3424 Properties:
3425
3426 qdiscs
3427 Array of TC queueing disciplines. A qdisc is a basic block in the
3428 Linux traffic control subsystem.
3429
3430 Each qdisc can be specified by the following attributes:
3431
3432 handle HANDLE
3433 specifies the qdisc handle. A qdisc, which potentially can have
3434 children, gets assigned a major number, called a 'handle',
3435 leaving the minor number namespace available for classes. The
3436 handle is expressed as '10:'. It is customary to explicitly
3437 assign a handle to qdiscs expected to have children.
3438
3439 parent HANDLE
3440 specifies the handle of the parent qdisc the current qdisc must
3441 be attached to.
3442
3443 root
3444 specifies that the qdisc is attached to the root of the device.
3445
3446 KIND
3447 this is the qdisc kind. NetworkManager currently supports the
3448 following kinds: fq_codel, sfq, tbf. Each qdisc kind has a
3449 different set of parameters, described below. There are also
3450 some kinds like pfifo, pfifo_fast, prio supported by
3451 NetworkManager but their parameters are not supported by
3452 NetworkManager.
3453
3454 Parameters for 'fq_codel':
3455
3456 limit U32
3457 the hard limit on the real queue size. When this limit is
3458 reached, incoming packets are dropped. Default is 10240
3459 packets.
3460
3461 memory_limit U32
3462 sets a limit on the total number of bytes that can be queued in
3463 this FQ-CoDel instance. The lower of the packet limit of the
3464 limit parameter and the memory limit will be enforced. Default
3465 is 32 MB.
3466
3467 flows U32
3468 the number of flows into which the incoming packets are
3469 classified. Due to the stochastic nature of hashing, multiple
3470 flows may end up being hashed into the same slot. Newer flows
3471 have priority over older ones. This parameter can be set only
3472 at load time since memory has to be allocated for the hash
3473 table. Default value is 1024.
3474
3475 target U32
3476 the acceptable minimum standing/persistent queue delay. This
3477 minimum delay is identified by tracking the local minimum queue
3478 delay that packets experience. The unit of measurement is
3479 microsecond(us). Default value is 5ms.
3480
3481 interval U32
3482 used to ensure that the measured minimum delay does not become
3483 too stale. The minimum delay must be experienced in the last
3484 epoch of length interval. It should be set on the order of
3485 the worst-case RTT through the bottleneck to give endpoints
3486 sufficient time to react. Default value is 100ms.
3487
3488 quantum U32
3489 the number of bytes used as 'deficit' in the fair queuing
3490 algorithm. Default is set to 1514 bytes which corresponds to
3491 the Ethernet MTU plus the hardware header length of 14 bytes.
3492
3493 ecn BOOL
3494 can be used to mark packets instead of dropping them. ecn is
3495 turned on by default.
3496
3497 ce_threshold U32
3498 sets a threshold above which all packets are marked with ECN
3499 Congestion Experienced. This is useful for DCTCP-style
3500 congestion control algorithms that require marking at very
3501 shallow queueing thresholds.
3502
3503 Parameters for 'sfq':
3504
3505 divisor U32
3506 can be used to set a different hash table size, available from
3507 kernel 2.6.39 onwards. The specified divisor must be a power of
3508 two and cannot be larger than 65536. Default value: 1024.
3509
3510 limit U32
3511 Upper limit of the SFQ. Can be used to reduce the default
3512 length of 127 packets.
3513
3514 depth U32
3515 Limit of packets per flow. Defaults to 127 and can be lowered.
3516
3517 perturb_period U32
3518 Interval in seconds for queue algorithm perturbation. Defaults
3519 to 0, which means that no perturbation occurs. Do not set too
3520 low, for each perturbation may cause some packet reordering or
3521 losses. Advised value: 60. This value has no effect when
3522 external flow classification is used. It's better to increase
3523 the divisor value to lower the risk of hash collisions.
3524
3525 quantum U32
3526 Amount of bytes a flow is allowed to dequeue during a round of
3527 the round robin process. Defaults to the MTU of the interface
3528 which is also the advised value and the minimum value.
3529
3530 flows U32
3531 Default value is 127.
3532
3533 Parameters for 'tbf':
3534
3535 rate U64
3536 Bandwidth or rate. These parameters accept a floating point
3537 number, possibly followed by either a unit (both SI and IEC
3538 units supported), or a float followed by a percent character to
3539 specify the rate as a percentage of the device's speed.
3540
3541 burst U32
3542 Also known as buffer or maxburst. Size of the bucket, in bytes.
3543 This is the maximum amount of bytes that tokens can be
3544 available for instantaneously. In general, larger shaping rates
3545 require a larger buffer. For 10mbit/s on Intel, you need at
3546 least 10kbyte buffer if you want to reach your configured rate!
3547
3548 If your buffer is too small, packets may be dropped because
3549 more tokens arrive per timer tick than fit in your bucket. The
3550 minimum buffer size can be calculated by dividing the rate by
3551 HZ.
3552
3553 Token usage calculations are performed using a table which by
3554 default has a resolution of 8 packets. This resolution can be
3555 changed by specifying the cell size with the burst. For
3556 example, to specify a 6000 byte buffer with a 16 byte cell
3557 size, set a burst of 6000/16. You will probably never have to
3558 set this. Must be an integral power of 2.
3559
3560 limit U32
3561 Limit is the number of bytes that can be queued waiting for
3562 tokens to become available.
3563
3564 latency U32
3565 specifies the maximum amount of time a packet can sit in the
3566 TBF. The latency calculation takes into account the size of the
3567 bucket, the rate and possibly the peakrate (if set). The
3568 latency and limit are mutually exclusive.
3569
3570 Format: GPtrArray(NMTCQdisc)
3571
3572 tfilters
3573 Array of TC traffic filters. Traffic control can manage the packet
3574 content during classification by using filters.
3575
3576 Each tfilter can be specified by the following attributes:
3577
3578 handle HANDLE
3579 specifies the tfilters handle. A filter is used by a classful
3580 qdisc to determine in which class a packet will be enqueued. It
3581 is important to notice that filters reside within qdiscs.
3582 Therefore, see qdiscs handle for detailed information.
3583
3584 parent HANDLE
3585 specifies the handle of the parent qdisc the current qdisc must
3586 be attached to.
3587
3588 root
3589 specifies that the qdisc is attached to the root of the device.
3590
3591 KIND
3592 this is the tfilters kind. NetworkManager currently supports
3593 the following kinds: mirred, simple. Each filter kind has a
3594 different set of actions, described below. There are also some
3595 other kinds like matchall, basic, u32 supported by
3596 NetworkManager.
3597
3598 Actions for 'mirred':
3599
3600 egress bool
3601 Define whether the packet should exit from the interface.
3602
3603 ingress bool
3604 Define whether the packet should come into the interface.
3605
3606 mirror bool
3607 Define whether the packet should be copied to the destination
3608 space.
3609
3610 redirect bool
3611 Define whether the packet should be moved to the destination
3612 space.
3613
3614 Action for 'simple':
3615
3616 sdata char[32]
3617 The actual string to print.
3618
3619 Format: GPtrArray(NMTCTfilter)
3620
3621 team setting
3622 Teaming Settings.
3623
3624 Properties:
3625
3626 config
3627 Alias: config
3628
3629 The JSON configuration for the team network interface. The property
3630 should contain raw JSON configuration data suitable for teamd,
3631 because the value is passed directly to teamd. If not specified,
3632 the default configuration is used. See man teamd.conf for the
3633 format details.
3634
3635 Format: string
3636
3637 link-watchers
3638 Link watchers configuration for the connection: each link watcher
3639 is defined by a dictionary, whose keys depend upon the selected
3640 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3641 and 'arp_ping'; the watcher is specified in the dictionary with the key
3642 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3643 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3644 'target-host'; arp_ping: all the ones in nsna_ping and
3645 'source-host', 'validate-active', 'validate-inactive',
3646 'send-always'. See man teamd.conf for more details.
3647
3648 Format: array of vardict
3649
3650 mcast-rejoin-count
3651 Corresponds to the teamd mcast_rejoin.count.
3652
3653 Format: int32
3654
3655 mcast-rejoin-interval
3656 Corresponds to the teamd mcast_rejoin.interval.
3657
3658 Format: int32
3659
3660 notify-peers-count
3661 Corresponds to the teamd notify_peers.count.
3662
3663 Format: int32
3664
3665 notify-peers-interval
3666 Corresponds to the teamd notify_peers.interval.
3667
3668 Format: int32
3669
3670 runner
3671 Corresponds to the teamd runner.name. Permitted values are:
3672 "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
3673 "random".
3674
3675 Format: string
3676
3677 runner-active
3678 Corresponds to the teamd runner.active.
3679
3680 Format: boolean
3681
3682 runner-agg-select-policy
3683 Corresponds to the teamd runner.agg_select_policy.
3684
3685 Format: string
3686
3687 runner-fast-rate
3688 Corresponds to the teamd runner.fast_rate.
3689
3690 Format: boolean
3691
3692 runner-hwaddr-policy
3693 Corresponds to the teamd runner.hwaddr_policy.
3694
3695 Format: string
3696
3697 runner-min-ports
3698 Corresponds to the teamd runner.min_ports.
3699
3700 Format: int32
3701
3702 runner-sys-prio
3703 Corresponds to the teamd runner.sys_prio.
3704
3705 Format: int32
3706
3707 runner-tx-balancer
3708 Corresponds to the teamd runner.tx_balancer.name.
3709
3710 Format: string
3711
3712 runner-tx-balancer-interval
3713 Corresponds to the teamd runner.tx_balancer.interval.
3714
3715 Format: int32
3716
3717 runner-tx-hash
3718 Corresponds to the teamd runner.tx_hash.
3719
3720 Format: array of string
3721
3722 team-port setting
3723 Team Port Settings.
3724
3725 Properties:
3726
3727 config
3728 Alias: config
3729
3730 The JSON configuration for the team port. The property should
3731 contain raw JSON configuration data suitable for teamd, because the
3732 value is passed directly to teamd. If not specified, the default
3733 configuration is used. See man teamd.conf for the format details.
3734
3735 Format: string
3736
3737 lacp-key
3738 Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3739
3740 Format: int32
3741
3742 lacp-prio
3743 Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3744
3745 Format: int32
3746
3747 link-watchers
3748 Link watchers configuration for the connection: each link watcher
3749 is defined by a dictionary, whose keys depend upon the selected
3750 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3751 and 'arp_ping'; the one to use is specified in the dictionary with the key
3752 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3753 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3754 'target-host'; arp_ping: all the ones in nsna_ping and
3755 'source-host', 'validate-active', 'validate-inactive',
3756 'send-always'. See teamd.conf man for more details.
3757
3758 Format: array of vardict
3759
3760 prio
3761 Corresponds to the teamd ports.PORTIFNAME.prio.
3762
3763 Format: int32
3764
3765 queue-id
3766 Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1,
3767 the parameter is omitted from the JSON config.
3768
3769 Format: int32
3770
3771 sticky
3772 Corresponds to the teamd ports.PORTIFNAME.sticky.
3773
3774 Format: boolean
3775
3776 tun setting
3777 Tunnel Settings.
3778
3779 Properties:
3780
3781 group
3782 Alias: group
3783
3784 The group ID which will own the device. If set to NULL everyone
3785 will be able to use the device.
3786
3787 Format: string
3788
3789 mode
3790 Alias: mode
3791
3792 The operating mode of the virtual device. Allowed values are
3793 NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3794 NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3795
3796 Format: uint32
3797
3798 multi-queue
3799 Alias: multi-queue
3800
3801 If the property is set to TRUE, the interface will support multiple
3802 file descriptors (queues) to parallelize packet sending or
3803 receiving. Otherwise, the interface will only support a single
3804 queue.
3805
3806 Format: boolean
3807
3808 owner
3809 Alias: owner
3810
3811 The user ID which will own the device. If set to NULL everyone will
3812 be able to use the device.
3813
3814 Format: string
3815
3816 pi
3817 Alias: pi
3818
3819 If TRUE the interface will prepend a 4 byte header describing the
3820 physical interface to the packets.
3821
3822 Format: boolean
3823
3824 vnet-hdr
3825 Alias: vnet-hdr
3826
3827 If TRUE, the tunnel packets will include a virtio network header
3828 (IFF_VNET_HDR).
3829
3830 Format: boolean
3831
3832 vlan setting
3833 VLAN Settings.
3834
3835 Properties:
3836
3837 egress-priority-map
3838 Alias: egress
3839
3840 For outgoing packets, a list of mappings from Linux SKB priorities
3841 to 802.1p priorities. The mapping is given in the format "from:to"
3842 where both "from" and "to" are unsigned integers, e.g. "7:3".
3843
3844 Format: array of string
3845
3846 flags
3847 Alias: flags
3848
3849 One or more flags which control the behavior and features of the
3850 VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
3851 (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
3852 of the GVRP protocol), NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
3853 binding of the interface to its master device's operating state),
3854 and NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol).
3855
3856 The default value of this property is NM_VLAN_FLAG_REORDER_HEADERS,
3857 but it used to be 0. To preserve backward compatibility, the
3858 default-value in the D-Bus API continues to be 0 and a missing
3859 property on D-Bus is still considered as 0.
3860
3861 Format: NMVlanFlags (uint32)
3862
3863 id
3864 Alias: id
3865
3866 The VLAN identifier that the interface created by this connection
3867 should be assigned. The valid range is from 0 to 4094, without the
3868 reserved id 4095.
3869
3870 Format: uint32
3871
3872 ingress-priority-map
3873 Alias: ingress
3874
3875 For incoming packets, a list of mappings from 802.1p priorities to
3876 Linux SKB priorities. The mapping is given in the format "from:to"
3877 where both "from" and "to" are unsigned integers, e.g. "7:3".
3878
3879 Format: array of string
3880
3881 parent
3882 Alias: dev
3883
3884 If given, specifies the parent interface name or parent connection
3885 UUID from which this VLAN interface should be created. If this
3886 property is not specified, the connection must contain an
3887 "802-3-ethernet" setting with a "mac-address" property.
3888
3889 Format: string
3890
3891 vpn setting
3892 VPN Settings.
3893
3894 Properties:
3895
3896 data
3897 Dictionary of key/value pairs of VPN plugin specific data. Both
3898 keys and values must be strings.
3899
3900 Format: dict of string to string
3901
3902 persistent
3903 If the VPN service supports persistence, and this property is TRUE,
3904 the VPN will attempt to stay connected across link changes and
3905 outages, until explicitly disconnected.
3906
3907 Format: boolean
3908
3909 secrets
3910 Dictionary of key/value pairs of VPN plugin specific secrets like
3911 passwords or private keys. Both keys and values must be strings.
3912
3913 Format: dict of string to string
3914
3915 service-type
3916 Alias: vpn-type
3917
3918 D-Bus service name of the VPN plugin that this setting uses to
3919 connect to its network, e.g. org.freedesktop.NetworkManager.vpnc
3920 for the vpnc plugin.
3921
3922 Format: string
3923
3924 timeout
3925 Timeout for the VPN service to establish the connection. Some
3926 services may take quite a long time to connect. Value of 0 means a
3927 default timeout, which is 60 seconds (unless overridden by
3928 vpn.timeout in configuration file). Values greater than zero mean
3929 timeout in seconds.
3930
3931 Format: uint32
3932
3933 user-name
3934 Alias: user
3935
3936 If the VPN connection requires a user name for authentication, that
3937 name should be provided here. If the connection is available to
3938 more than one user, and the VPN requires each user to supply a
3939 different name, then leave this property empty. If this property is
3940 empty, NetworkManager will automatically supply the username of the
3941 user which requested the VPN connection.
3942
3943 Format: string
3944
3945 vrf setting
3946 VRF settings.
3947
3948 Properties:
3949
3950 table
3951 Alias: table
3952
3953 The routing table for this VRF.
3954
3955 Format: uint32
3956
3957 vxlan setting
3958 VXLAN Settings.
3959
3960 Properties:
3961
3962 ageing
3963 Specifies the lifetime in seconds of FDB entries learnt by the
3964 kernel.
3965
3966 Format: uint32
3967
3968 destination-port
3969 Alias: destination-port
3970
3971 Specifies the UDP destination port to communicate to the remote
3972 VXLAN tunnel endpoint.
3973
3974 Format: uint32
3975
3976 id
3977 Alias: id
3978
3979 Specifies the VXLAN Network Identifier (or VXLAN Segment
3980 Identifier) to use.
3981
3982 Format: uint32
3983
3984 l2-miss
3985 Specifies whether netlink LL ADDR miss notifications are generated.
3986
3987 Format: boolean
3988
3989 l3-miss
3990 Specifies whether netlink IP ADDR miss notifications are generated.
3991
3992 Format: boolean
3993
3994 learning
3995 Specifies whether unknown source link layer addresses and IP
3996 addresses are entered into the VXLAN device forwarding database.
3997
3998 Format: boolean
3999
4000 limit
4001 Specifies the maximum number of FDB entries. A value of zero means
4002 that the kernel will store unlimited entries.
4003
4004 Format: uint32
4005
4006 local
4007 Alias: local
4008
4009 If given, specifies the source IP address to use in outgoing
4010 packets.
4011
4012 Format: string
4013
4014 parent
4015 Alias: dev
4016
4017 If given, specifies the parent interface name or parent connection
4018 UUID.
4019
4020 Format: string
4021
4022 proxy
4023 Specifies whether ARP proxy is turned on.
4024
4025 Format: boolean
4026
4027 remote
4028 Alias: remote
4029
4030 Specifies the unicast destination IP address to use in outgoing
4031 packets when the destination link layer address is not known in the
4032 VXLAN device forwarding database, or the multicast IP address to
4033 join.
4034
4035 Format: string
4036
4037 rsc
4038 Specifies whether route short circuit is turned on.
4039
4040 Format: boolean
4041
4042 source-port-max
4043 Alias: source-port-max
4044
4045 Specifies the maximum UDP source port to communicate to the remote
4046 VXLAN tunnel endpoint.
4047
4048 Format: uint32
4049
4050 source-port-min
4051 Alias: source-port-min
4052
4053 Specifies the minimum UDP source port to communicate to the remote
4054 VXLAN tunnel endpoint.
4055
4056 Format: uint32
4057
4058 tos
4059 Specifies the TOS value to use in outgoing packets.
4060
4061 Format: uint32
4062
4063 ttl
4064 Specifies the time-to-live value to use in outgoing packets.
4065
4066 Format: uint32
4067
4068 wifi-p2p setting
4069 Wi-Fi P2P Settings.
4070
4071 Properties:
4072
4073 peer
4074 Alias: peer
4075
4076 The P2P device that should be connected to. Currently, this is the
4077 only way to create or join a group.
4078
4079 Format: string
4080
4081 wfd-ies
4082 The Wi-Fi Display (WFD) Information Elements (IEs) to set.
4083
4084 Wi-Fi Display requires a protocol specific information element to
4085 be set in certain Wi-Fi frames. These can be specified here for the
4086 purpose of establishing a connection. This setting is only useful
4087 when implementing a Wi-Fi Display client.
4088
4089 Format: byte array
4090
4091 wps-method
4092 Flags indicating which mode of WPS is to be used.
4093
4094 There's little point in changing the default setting as
4095 NetworkManager will automatically determine the best method to use.
4096
4097 Format: uint32
4098
4099 wimax setting
4100 WiMax Settings.
4101
4102 Properties:
4103
4104 mac-address
4105 Alias: mac
4106
4107 If specified, this connection will only apply to the WiMAX device
4108 whose MAC address matches. This property does not change the MAC
4109 address of the device (known as MAC spoofing). Deprecated: 1
4110
4111 Format: byte array
4112
4113 network-name
4114 Alias: nsp
4115
4116 Network Service Provider (NSP) name of the WiMAX network this
4117 connection should use. Deprecated: 1
4118
4119 Format: string
4120
4121 802-3-ethernet setting
4122 Alias: ethernet
4123
4124 Wired Ethernet Settings.
4125
4126 Properties:
4127
4128 accept-all-mac-addresses
4129 When TRUE, set up the interface to accept packets for all MAC
4130 addresses. This enables the kernel interface flag IFF_PROMISC.
4131 When FALSE, the interface will only accept packets addressed to
4132 the interface's own MAC address or to broadcast.
4133
4134 Format: NMTernary (int32)
4135
4136 auto-negotiate
4137 When TRUE, enforce auto-negotiation of speed and duplex mode. If
4138 "speed" and "duplex" properties are both specified, only that
4139 single mode will be advertised and accepted during the link
4140 auto-negotiation process: this works only for BASE-T 802.3
4141 specifications and is useful for enforcing gigabits modes, as in
4142 these cases link negotiation is mandatory. When FALSE, "speed" and
4143 "duplex" properties should be both set or link configuration will
4144 be skipped.
4145
4146 Format: boolean
4147
4148 cloned-mac-address
4149 Alias: cloned-mac
4150
4151 If specified, request that the device use this MAC address instead.
4152 This is known as MAC cloning or spoofing.
4153
4154 Besides explicitly specifying a MAC address, the special values
4155 "preserve", "permanent", "random" and "stable" are supported.
4156 "preserve" means not to touch the MAC address on activation.
4157 "permanent" means to use the permanent hardware address if the
4158 device has one (otherwise this is treated as "preserve"). "random"
4159 creates a random MAC address on each connect. "stable" creates a
4160 hashed MAC address based on connection.stable-id and a machine
4161 dependent key.
4162
4163 If unspecified, the value can be overwritten via global defaults,
4164 see manual of NetworkManager.conf. If still unspecified, it
4165 defaults to "preserve" (older versions of NetworkManager may use a
4166 different default value).
4167
4168 On D-Bus, this field is expressed as "assigned-mac-address" or the
4169 deprecated "cloned-mac-address".
4170
4171 Format: byte array
4172
4173 duplex
4174 When a value is set, either "half" or "full", configures the device
4175 to use the specified duplex mode. If "auto-negotiate" is "yes" the
4176 specified duplex mode will be the only one advertised during link
4177 negotiation: this works only for BASE-T 802.3 specifications and is
4178 useful for enforcing gigabits modes, as in these cases link
4179 negotiation is mandatory. If the value is unset (the default), the
4180 link configuration will be either skipped (if "auto-negotiate" is
4181 "no", the default) or will be auto-negotiated (if "auto-negotiate"
4182 is "yes") and the local device will advertise all the supported
4183 duplex modes. Must be set together with the "speed" property if
4184 specified. Before specifying a duplex mode be sure your device
4185 supports it.
4186
4187 Format: string
4188
4189 generate-mac-address-mask
4190 With "cloned-mac-address" setting "random" or "stable", by default
4191 all bits of the MAC address are scrambled and a
4192 locally-administered, unicast MAC address is created. This property
4193 allows specifying that certain bits are fixed. Note that the least
4194 significant bit of the first MAC address will always be unset to
4195 create a unicast MAC address.
4196
4197 If the property is NULL, it is eligible to be overwritten by a
4198 default connection setting. If the value is still NULL or an empty
4199 string, the default is to create a locally-administered, unicast
4200 MAC address.
4201
4202 If the value contains one MAC address, this address is used as
4203 mask. The set bits of the mask are to be filled with the current
4204 MAC address of the device, while the unset bits are subject to
4205 randomization. Setting "FE:FF:FF:00:00:00" means to preserve the
4206 OUI of the current MAC address and only randomize the lower 3 bytes
4207 using the "random" or "stable" algorithm.
4208
4209 If the value contains one additional MAC address after the mask,
4210 this address is used instead of the current MAC address to fill the
4211 bits that shall not be randomized. For example, a value of
4212 "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC
4213 address to 68:F7:28, while the lower bits are randomized. A value
4214 of "02:00:00:00:00:00 00:00:00:00:00:00" will create a fully
4215 scrambled globally-administered, burned-in MAC address.
4216
4217 If the value contains more than one additional MAC address, one
4218 of them is chosen randomly. For example, "02:00:00:00:00:00
4219 00:00:00:00:00:00 02:00:00:00:00:00" will create a fully scrambled
4220 MAC address, randomly locally or globally administered.
4221
4222 Format: string
4223
4224 mac-address
4225 Alias: mac
4226
4227 If specified, this connection will only apply to the Ethernet
4228 device whose permanent MAC address matches. This property does not
4229 change the MAC address of the device (i.e. MAC spoofing).
4230
4231 Format: byte array
4232
4233 mac-address-blacklist
4234 If specified, this connection will never apply to the Ethernet
4235 device whose permanent MAC address matches an address in the list.
4236 Each MAC address is in the standard hex-digits-and-colons notation
4237 (00:11:22:33:44:55).
4238
4239 Format: array of string
4240
4241 mtu
4242 Alias: mtu
4243
4244 If non-zero, only transmit packets of the specified size or
4245 smaller, breaking larger packets up into multiple Ethernet frames.
4246
4247 Format: uint32
4248
4249 port
4250 Specific port type to use if the device supports multiple
4251 attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
4252 Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
4253 Interface). If the device supports only one port type, this setting
4254 is ignored.
4255
4256 Format: string
4257
4258 s390-nettype
4259 s390 network device type; one of "qeth", "lcs", or "ctc",
4260 representing the different types of virtual network devices
4261 available on s390 systems.
4262
4263 Format: string
4264
4265 s390-options
4266 Dictionary of key/value pairs of s390-specific device options. Both
4267 keys and values must be strings. Allowed keys include "portno",
4268 "layer2", "portname", "protocol", among others. Key names must
4269 contain only alphanumeric characters (i.e. [a-zA-Z0-9]).
4270
4271 Currently, NetworkManager itself does nothing with this
4272 information. However, s390utils ships a udev rule which parses this
4273 information and applies it to the interface.
4274
4275 Format: dict of string to string
4276
4277 s390-subchannels
4278 Identifies specific subchannels that this network device uses for
4279 communication with z/VM or s390 host. Like the "mac-address"
4280 property for non-z/VM devices, this property can be used to ensure
4281 this connection only applies to the network device that uses these
4282 subchannels. The list should contain exactly 3 strings, and each
4283 string may only be composed of hexadecimal characters and the
4284 period (.) character.
4285
4286 Format: array of string
4287
4288 speed
4289 When a value greater than 0 is set, configures the device to use
4290 the specified speed. If "auto-negotiate" is "yes" the specified
4291 speed will be the only one advertised during link negotiation: this
4292 works only for BASE-T 802.3 specifications and is useful for
4293 enforcing gigabit speeds, as in this case link negotiation is
4294 mandatory. If the value is unset (0, the default), the link
4295 configuration will be either skipped (if "auto-negotiate" is "no",
4296 the default) or will be auto-negotiated (if "auto-negotiate" is
4297 "yes") and the local device will advertise all the supported
4298 speeds. The value is in Mbit/s, e.g. 100 == 100 Mbit/s. Must be set together with
4299 the "duplex" property when non-zero. Before specifying a speed
4300 value be sure your device supports it.
4301
4302 Format: uint32
4303
4304 wake-on-lan
4305 The NMSettingWiredWakeOnLan options to enable. Not all devices
4306 support all options. May be any combination of
4307 NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
4308 NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
4309 NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
4310 NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
4311 NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
4312 NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
4313 NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
4314 and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
4315 management of Wake-on-LAN in NetworkManager).
4316
4317 Format: uint32
4318
4319 wake-on-lan-password
4320 If specified, the password used with magic-packet-based
4321 Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
4322 password will be required.
4323
4324 Format: string
4325
4326 wireguard setting
4327 WireGuard Settings.
4328
4329 Properties:
4330
4331 fwmark
4332 The use of fwmark is optional and is by default off. Setting it to
4333 0 disables it. Otherwise, it is a 32-bit fwmark for outgoing
4334 packets.
4335
4336 Note that enabling "ip4-auto-default-route" or "ip6-auto-default-route"
4337 implies that a fwmark is chosen automatically.
4338
4339 Format: uint32
4340
4341 ip4-auto-default-route
4342 Whether to enable special handling of the IPv4 default route. If
4343 enabled, the IPv4 default route from wireguard.peer-routes will be
4344 placed to a dedicated routing-table and two policy routing rules
4345 will be added. The fwmark number is also used as routing-table for
4346 the default-route, and if fwmark is zero, an unused fwmark/table is
4347 chosen automatically. This corresponds to what wg-quick does with
4348 Table=auto and what WireGuard calls "Improved Rule-based Routing".
4349
4350 Note that for this automatism to work, you usually don't want to
4351 set ipv4.gateway, because that will result in a conflicting default
4352 route.
4353
4354 Leaving this at the default will enable this option automatically
4355 if ipv4.never-default is not set and there are any peers that use a
4356 default-route as allowed-ips. Since this automatism only makes
4357 sense if you also have a peer with an /0 allowed-ips, it is usually
4358 not necessary to enable this explicitly. However, you can disable
4359 it if you want to configure your own routing and rules.
4360
4361 Format: NMTernary (int32)
4362
4363 ip6-auto-default-route
4364 Like ip4-auto-default-route, but for the IPv6 default route.
4365
4366 Format: NMTernary (int32)
4367
4368 listen-port
4369 The listen-port. If listen-port is not specified, the port will be
4370 chosen randomly when the interface comes up.
4371
4372 Format: uint32
4373
4374 mtu
4375 If non-zero, only transmit packets of the specified size or
4376 smaller, breaking larger packets up into multiple fragments.
4377
4378 If zero a default MTU is used. Note that contrary to wg-quick's MTU
4379 setting, this does not take into account the current routes at the
4380 time of activation.
4381
4382 Format: uint32
4383
4384 peer-routes
4385 Whether to automatically add routes for the AllowedIPs ranges of
4386 the peers. If TRUE (the default), NetworkManager will automatically
4387 add routes in the routing tables according to ipv4.route-table and
4388 ipv6.route-table. Usually you want this automatism enabled. If
4389 FALSE, no such routes are added automatically. In this case, the
4390 user may want to configure static routes in ipv4.routes and
4391 ipv6.routes, respectively.
4392
4393 Note that if the peer's AllowedIPs is "0.0.0.0/0" or "::/0" and the
4394 profile's ipv4.never-default or ipv6.never-default setting is
4395 enabled, the peer route for this peer won't be added automatically.
4396
4397 Format: boolean
4398
4399 private-key
4400 The 256 bit private-key in base64 encoding.
4401
4402 Format: string
4403
4404 private-key-flags
4405 Flags indicating how to handle the "private-key" property.
4406
4407 Format: NMSettingSecretFlags (uint32)
4408
4409 802-11-wireless setting
4410 Alias: wifi
4411
4412 Wi-Fi Settings.
4413
4414 Properties:
4415
4416 ap-isolation
4417 Configures AP isolation, which prevents communication between
4418 wireless devices connected to this AP. This property can be set to
4419 a value different from NM_TERNARY_DEFAULT (-1) only when the
4420 interface is configured in AP mode.
4421
4422 If set to NM_TERNARY_TRUE (1), devices are not able to communicate
4423 with each other. This increases security because it protects
4424 devices against attacks from other clients in the network. At the
4425 same time, it prevents devices from accessing resources on the same
4426 wireless network, such as file shares, printers, etc.
4427
4428 If set to NM_TERNARY_FALSE (0), devices can talk to each other.
4429
4430 When set to NM_TERNARY_DEFAULT (-1), the global default is used; in
4431 case the global default is unspecified it is assumed to be
4432 NM_TERNARY_FALSE (0).
4433
4434 Format: NMTernary (int32)
4435
4436 band
4437 802.11 frequency band of the network. One of "a" for 5GHz 802.11a
4438 or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
4439 network to the specific band, i.e. if "a" is specified, the device
4440 will not associate with the same network in the 2.4GHz band even if
4441 the network's settings are compatible. This setting depends on
4442 specific driver capability and may not work with all drivers.
4443
4444 Format: string
4445
4446 bssid
4447 If specified, directs the device to only associate with the given
4448 access point. This capability is highly driver dependent and not
4449 supported by all devices. Note: this property does not control the
4450 BSSID used when creating an Ad-Hoc network and is unlikely to in
4451 the future.
4452
4453 Locking a client profile to a certain BSSID will prevent roaming
4454 and also disable background scanning. That can be useful, if there
4455 is only one access point for the SSID.
4456
4457 Format: byte array
4458
4459 channel
4460 Wireless channel to use for the Wi-Fi connection. The device will
4461 only join (or create for Ad-Hoc networks) a Wi-Fi network on the
4462 specified channel. Because channel numbers overlap between bands,
4463 this property also requires the "band" property to be set.
4464
4465 Format: uint32
4466
4467 cloned-mac-address
4468 Alias: cloned-mac
4469
4470 If specified, request that the device use this MAC address instead.
4471 This is known as MAC cloning or spoofing.
4472
4473 Besides explicitly specifying a MAC address, the special values
4474 "preserve", "permanent", "random" and "stable" are supported.
4475 "preserve" means not to touch the MAC address on activation.
4476 "permanent" means to use the permanent hardware address of the
4477 device. "random" creates a random MAC address on each connect.
4478 "stable" creates a hashed MAC address based on connection.stable-id
4479 and a machine dependent key.
4480
4481 If unspecified, the value can be overwritten via global defaults,
4482 see manual of NetworkManager.conf. If still unspecified, it
4483 defaults to "preserve" (older versions of NetworkManager may use a
4484 different default value).
4485
4486 On D-Bus, this field is expressed as "assigned-mac-address" or the
4487 deprecated "cloned-mac-address".
4488
4489 Format: byte array
4490
4491 generate-mac-address-mask
4492 With "cloned-mac-address" setting "random" or "stable", by default
4493 all bits of the MAC address are scrambled and a
4494 locally-administered, unicast MAC address is created. This property
4495 allows specifying that certain bits are fixed. Note that the least
4496 significant bit of the first MAC address will always be unset to
4497 create a unicast MAC address.
4498
4499 If the property is NULL, it is eligible to be overwritten by a
4500 default connection setting. If the value is still NULL or an empty
4501 string, the default is to create a locally-administered, unicast
4502 MAC address.
4503
4504 If the value contains one MAC address, this address is used as
4505 mask. The set bits of the mask are to be filled with the current
4506 MAC address of the device, while the unset bits are subject to
4507 randomization. Setting "FE:FF:FF:00:00:00" means to preserve the
4508 OUI of the current MAC address and only randomize the lower 3 bytes
4509 using the "random" or "stable" algorithm.
4510
4511 If the value contains one additional MAC address after the mask,
4512 this address is used instead of the current MAC address to fill the
4513 bits that shall not be randomized. For example, a value of
4514 "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC
4515 address to 68:F7:28, while the lower bits are randomized. A value
4516 of "02:00:00:00:00:00 00:00:00:00:00:00" will create a fully
4517 scrambled globally-administered, burned-in MAC address.
4518
4519 If the value contains more than one additional MAC address, one
4520 of them is chosen randomly. For example, "02:00:00:00:00:00
4521 00:00:00:00:00:00 02:00:00:00:00:00" will create a fully scrambled
4522 MAC address, randomly locally or globally administered.
4523
4524 Format: string
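
The mask rules described for generate-mac-address-mask (in both the 802-3-ethernet and 802-11-wireless settings), worked through in Python. This is an added example, not part of this manual page or of NetworkManager's code; it models only the rules stated above, the 6 entropy bytes stand in for the "random" or "stable" algorithm, and all function names are hypothetical.

```python
import re
import secrets

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

# Property NULL or empty: only the locally-administered bit (0x02 of the
# first octet) is fixed, and it is fixed to 1.
DEFAULT_MASK = bytes.fromhex("020000000000")
DEFAULT_FILL = bytes.fromhex("020000000000")


def parse_mac(text):
    """Parse 'AA:BB:CC:DD:EE:FF' into 6 bytes, rejecting anything else."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(text.replace(":", ""))


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_mask_value(value):
    """Split the property value into (mask, fill_addresses).

    An empty fill list means "use the device's current MAC address".
    """
    if value is None or not value.strip():
        return DEFAULT_MASK, [DEFAULT_FILL]
    macs = [parse_mac(tok) for tok in value.split()]
    return macs[0], macs[1:]


def generate_mac(value, current_mac, entropy=None, pick=secrets.choice):
    """Build a MAC: set mask bits come from the fill address, unset bits
    from `entropy`. `pick` chooses among several fill addresses."""
    mask, fills = parse_mask_value(value)
    entropy = secrets.token_bytes(6) if entropy is None else bytes(entropy)
    if len(entropy) != 6:
        raise ValueError("entropy must be exactly 6 bytes")
    if not fills:
        fill = parse_mac(current_mac)
    elif len(fills) == 1:
        fill = fills[0]
    else:
        fill = pick(fills)
    out = bytearray(
        (f & m) | (e & ~m & 0xFF) for f, m, e in zip(fill, mask, entropy)
    )
    out[0] &= 0xFE  # multicast bit is always cleared: result is unicast
    return format_mac(out)


def is_locally_administered(mac):
    return bool(parse_mac(mac)[0] & 0x02)


def conforms_to_mask(observed_mac, value, current_mac):
    """Audit helper: could `observed_mac` have been produced by this value?

    Checks only the fixed bits; the randomized bits can be anything.
    """
    mask, fills = parse_mask_value(value)
    fills = fills or [parse_mac(current_mac)]
    seen = parse_mac(observed_mac)
    if seen[0] & 0x01:
        return False  # a multicast address is never generated
    # The multicast bit is forced to 0 whatever the mask says, so it is
    # left out of the fixed-bit comparison.
    fixed = bytes([mask[0] & 0xFE]) + mask[1:]
    return any(
        all((s & m) == (f & m) for s, f, m in zip(seen, fill, fixed))
        for fill in fills
    )


if __name__ == "__main__":
    current = "68:F7:28:12:34:56"  # constructed sample device address
    for value in (None,
                  "FE:FF:FF:00:00:00",
                  "02:00:00:00:00:00 00:00:00:00:00:00"):
        mac = generate_mac(value, current)
        print(f"{value!r:45} -> {mac} "
              f"(locally administered: {is_locally_administered(mac)})")
```

conforms_to_mask() is the check for an inventory or NAC review: it tells whether an address seen on the wire keeps the bits the profile is supposed to hold fixed, such as the OUI.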
4525
4526 hidden
4527 If TRUE, indicates that the network is a non-broadcasting network
4528 that hides its SSID. This works both in infrastructure and AP mode.
4529
4530 In infrastructure mode, various workarounds are used for a more
4531 reliable discovery of hidden networks, such as probe-scanning the
4532 SSID. However, these workarounds expose inherent insecurities with
4533 hidden SSID networks, and thus hidden SSID networks should be used
4534 with caution.
4535
4536 In AP mode, the created network does not broadcast its SSID.
4537
4538 Note that marking the network as hidden may be a privacy issue for
4539 you (in infrastructure mode) or client stations (in AP mode), as
4540 the explicit probe-scans are distinctly recognizable on the air.
4541
4542 Format: boolean
4543
4544 mac-address
4545 Alias: mac
4546
4547 If specified, this connection will only apply to the Wi-Fi device
4548 whose permanent MAC address matches. This property does not change
4549 the MAC address of the device (i.e. MAC spoofing).
4550
4551 Format: byte array
4552
4553 mac-address-blacklist
4554 A list of permanent MAC addresses of Wi-Fi devices to which this
4555 connection should never apply. Each MAC address should be given in
4556 the standard hex-digits-and-colons notation (e.g.
4557 "00:11:22:33:44:55").
4558
4559 Format: array of string
4560
4561 mac-address-randomization
4562 One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
4563 unless the user has set a global default to randomize and the
4564 supplicant supports randomization),
4565 NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
4566 address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
4567 randomize the MAC address). This property is deprecated in favor of
4568 'cloned-mac-address'. Deprecated: 1
4569
4570 Format: uint32
4571
4572 mode
4573 Alias: mode
4574
4575 Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
4576 "ap". If blank, infrastructure is assumed.
4577
4578 Format: string
4579
4580 mtu
4581 Alias: mtu
4582
4583 If non-zero, only transmit packets of the specified size or
4584 smaller, breaking larger packets up into multiple Ethernet frames.
4585
4586 Format: uint32
4587
4588 powersave
4589 One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
4590 power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
4591 Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
4592 (don't touch the currently configured setting) or
4593 NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
4594 configured value). All other values are reserved.
4595
4596 Format: uint32
4597
4598 rate
4599 If non-zero, directs the device to only use the specified bitrate
4600 for communication with the access point. Units are in Kb/s, e.g. 5500
4601 = 5.5 Mbit/s. This property is highly driver dependent and not all
4602 devices support setting a static bitrate.
4603
4604 Format: uint32
4605
4606 seen-bssids
4607 A list of BSSIDs (each BSSID formatted as a MAC address like
4608 "00:11:22:33:44:55") that have been detected as part of the Wi-Fi
4609 network. NetworkManager internally tracks previously seen BSSIDs.
4610 The property is only meant for reading and reflects the BSSID list
4611 of NetworkManager. The changes you make to this property will not
4612 be preserved.
4613
4614 Format: array of string
4615
4616 ssid
4617 Alias: ssid
4618
4619 SSID of the Wi-Fi network. Must be specified.
4620
4621 Format: byte array
4622
4623 tx-power
4624 If non-zero, directs the device to use the specified transmit
4625 power. Units are dBm. This property is highly driver dependent and
4626 not all devices support setting a static transmit power.
4627
4628 Format: uint32
4629
4630 wake-on-wlan
4631 The NMSettingWirelessWakeOnWLan options to enable. Not all devices
4632 support all options. May be any combination of
4633 NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
4634 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
4635 NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
4636 NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
4637 NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
4638 NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
4639 NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
4640 NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
4641 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
4642 settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
4643 disable management of Wake-on-LAN in NetworkManager).
4644
4645 Format: uint32
4646
4647 802-11-wireless-security setting
4648 Alias: wifi-sec
4649
4650 Wi-Fi Security Settings.
4651
4652 Properties:
4653
4654 auth-alg
4655 When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate
4656 the 802.11 authentication algorithm required by the AP here. One of
4657 "open" for Open System, "shared" for Shared Key, or "leap" for
4658 Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and
4659 auth-alg = "leap") the "leap-username" and "leap-password"
4660 properties must be specified.
4661
4662 Format: string
4663
4664 fils
4665 Indicates whether Fast Initial Link Setup (802.11ai) must be
4666 enabled for the connection. One of
4667 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
4668 value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
4669 FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
4670 if the supplicant and the access point support it) or
4671 NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
4672 fail if not supported). When set to
4673 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
4674 is set, FILS will be optionally enabled.
4675
4676 Format: int32
4677
4678 group
4679 A list of group/broadcast encryption algorithms which prevents
4680 connections to Wi-Fi networks that do not utilize one of the
4681 algorithms in the list. For maximum compatibility leave this
4682 property empty. Each list element may be one of "wep40", "wep104",
4683 "tkip", or "ccmp".
4684
4685 Format: array of string
4686
4687 key-mgmt
4688 Key management used for the connection. One of "none" (WEP or no
4689 password protection), "ieee8021x" (Dynamic WEP), "owe"
4690 (Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3
4691 personal), "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3
4692 enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only).
4693
4694 This property must be set for any Wi-Fi connection that uses
4695 security.
4696
4697 Format: string
4698
4699 leap-password
4700 The login password for legacy LEAP connections (ie, key-mgmt =
4701 "ieee8021x" and auth-alg = "leap").
4702
4703 Format: string
4704
4705 leap-password-flags
4706 Flags indicating how to handle the "leap-password" property.
4707
4708 Format: NMSettingSecretFlags (uint32)
4709
4710 leap-username
4711 The login username for legacy LEAP connections (ie, key-mgmt =
4712 "ieee8021x" and auth-alg = "leap").
4713
4714 Format: string
4715
4716 pairwise
4717 A list of pairwise encryption algorithms which prevents connections
4718 to Wi-Fi networks that do not utilize one of the algorithms in the
4719 list. For maximum compatibility leave this property empty. Each
4720 list element may be one of "tkip" or "ccmp".
4721
4722 Format: array of string
4723
4724 pmf
4725 Indicates whether Protected Management Frames (802.11w) must be
4726 enabled for the connection. One of
4727 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
4728 value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
4729 NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
4730 supplicant and the access point support it) or
4731 NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
4732 if not supported). When set to
4733 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
4734 is set, PMF will be optionally enabled.
4735
4736 Format: int32
4737
4738 proto
4739 List of strings specifying the allowed WPA protocol versions to
4740 use. Each element may be one of "wpa" (allow WPA) or "rsn" (allow
4741 WPA2/RSN). If not specified, both WPA and RSN connections are
4742 allowed.
4743
4744 Format: array of string
4745
4746 psk
4747 Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
4748 passphrase of 8 to 63 characters that is (as specified in the
4749 802.11i standard) hashed to derive the actual key, or the key in the
4750 form of 64 hexadecimal characters. WPA3-Personal networks use a
4751 passphrase of any length for SAE authentication.
4752
4753 Format: string
4754
4755 psk-flags
4756 Flags indicating how to handle the "psk" property.
4757
4758 Format: NMSettingSecretFlags (uint32)
4759
4760 wep-key-flags
4761 Flags indicating how to handle the "wep-key0", "wep-key1",
4762 "wep-key2", and "wep-key3" properties.
4763
4764 Format: NMSettingSecretFlags (uint32)
4765
4766 wep-key-type
4767 Controls the interpretation of WEP keys. Allowed values are
4768 NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
4769 26-character hexadecimal string, or a 5- or 13-character ASCII
4770 password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
4771 passphrase is provided as a string and will be hashed using the
4772 de-facto MD5 method to derive the actual WEP key.
4773
4774 Format: NMWepKeyType (uint32)
4775
4776 wep-key0
4777 Index 0 WEP key. This is the WEP key used in most networks. See the
4778 "wep-key-type" property for a description of how this key is
4779 interpreted.
4780
4781 Format: string
4782
4783 wep-key1
4784 Index 1 WEP key. This WEP index is not used by most networks. See
4785 the "wep-key-type" property for a description of how this key is
4786 interpreted.
4787
4788 Format: string
4789
4790 wep-key2
4791 Index 2 WEP key. This WEP index is not used by most networks. See
4792 the "wep-key-type" property for a description of how this key is
4793 interpreted.
4794
4795 Format: string
4796
4797 wep-key3
4798 Index 3 WEP key. This WEP index is not used by most networks. See
4799 the "wep-key-type" property for a description of how this key is
4800 interpreted.
4801
4802 Format: string
4803
4804 wep-tx-keyidx
4805 When static WEP is used (ie, key-mgmt = "none") and a non-default
4806 WEP key index is used by the AP, put that WEP key index here. Valid
4807 values are 0 (default key) through 3. Note that some consumer
4808 access points (like the Linksys WRT54G) number the keys 1 - 4.
4809
4810 Format: uint32
4811
4812 wps-method
4813 Flags indicating which mode of WPS is to be used if any.
4814
4815 There's little point in changing the default setting as
4816 NetworkManager will automatically determine whether it's feasible
4817 to start WPS enrollment from the Access Point capabilities.
4818
4819 WPS can be disabled by setting this property to a value of 1.
4820
4821 Format: uint32
4822
4823 wpan setting
4824 IEEE 802.15.4 (WPAN) MAC Settings.
4825
4826 Properties:
4827
4828 channel
4829 Alias: channel
4830
4831 IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
4832 set, use whatever the device is already set to".
4833
4834 Format: int32
4835
4836 mac-address
4837 Alias: mac
4838
4839 If specified, this connection will only apply to the IEEE 802.15.4
4840 (WPAN) MAC layer device whose permanent MAC address matches.
4841
4842 Format: string
4843
4844 page
4845 Alias: page
4846
4847 IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
4848 not set, use whatever the device is already set to".
4849
4850 Format: int32
4851
4852 pan-id
4853 Alias: pan-id
4854
4855 IEEE 802.15.4 Personal Area Network (PAN) identifier.
4856
4857 Format: uint32
4858
4859 short-address
4860 Alias: short-addr
4861
4862 Short IEEE 802.15.4 address to be used within a restricted
4863 environment.
4864
4865 Format: uint32
4866
4867 bond-port setting
4868 Bond Port Settings.
4869
4870 Properties:
4871
4872 queue-id
4873 Alias: queue-id
4874
4875 The queue ID of this bond port. The maximum value of queue ID is
4876 the number of TX queues currently active in the device.
4877
4878 Format: uint32
4879
4880 hostname setting
4881 Hostname settings.
4882
4883 Properties:
4884
4885 from-dhcp
4886 Whether the system hostname can be determined from DHCP on this
4887 connection.
4888
4889 When set to NM_TERNARY_DEFAULT (-1), the value from global
4890 configuration is used. If the property doesn't have a value in the
4891 global configuration, NetworkManager assumes the value to be
4892 NM_TERNARY_TRUE (1).
4893
4894 Format: NMTernary (int32)
4895
4896 from-dns-lookup
4897 Whether the system hostname can be determined from reverse DNS
4898 lookup of addresses on this device.
4899
4900 When set to NM_TERNARY_DEFAULT (-1), the value from global
4901 configuration is used. If the property doesn't have a value in the
4902 global configuration, NetworkManager assumes the value to be
4903 NM_TERNARY_TRUE (1).
4904
4905 Format: NMTernary (int32)
4906
4907 only-from-default
4908 If set to NM_TERNARY_TRUE (1), NetworkManager attempts to get the
4909 hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this device
4910 only when the device has the default route for the given address
4911 family (IPv4/IPv6).
4912
4913 If set to NM_TERNARY_FALSE (0), the hostname can be set from this
4914 device even if it doesn't have the default route.
4915
4916 When set to NM_TERNARY_DEFAULT (-1), the value from global
4917 configuration is used. If the property doesn't have a value in the
4918 global configuration, NetworkManager assumes the value to be
4919 NM_TERNARY_FALSE (0).
4920
4921 Format: NMTernary (int32)
4922
4923 priority
4924 The relative priority of this connection to determine the system
4925 hostname. A lower numerical value is better (higher priority). A
4926 connection with higher priority is considered before connections
4927 with lower priority.
4928
4929 If the value is zero, it can be overridden by a global value from
4930 NetworkManager configuration. If the property doesn't have a value
4931 in the global configuration, the value is assumed to be 100.
4932
4933 Negative values have the special effect of excluding other
4934 connections with a greater numerical priority value; so in the presence
4935 of at least one negative priority, only connections with the lowest
4936 priority value will be used to determine the hostname.
4937
4938 Format: int32
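
The selection rule for hostname.priority described above, as an added example that is not part of NetworkManager or of this manual page. The function name, the "profile priority" input format and the optional global-default argument are assumptions made for illustration; from-dhcp, from-dns-lookup and only-from-default are not modelled.

```shell
# hostname_candidates [global_default]
# stdin: one "profile priority" pair per line (profile names without spaces).
# stdout: the profiles considered for the hostname, best priority first.
hostname_candidates() {
    global_default=${1:-100}      # value assumed when no global default is set
    awk -v def="$global_default" '
        # A priority of zero is replaced by the global value (or 100).
        { p = ($2 == 0) ? def : $2; print p, $1 }
    ' | sort -n -k1,1 | awk '
        NR == 1 { lowest = $1 }
        # A negative best priority excludes every greater priority value.
        lowest < 0 && $1 != lowest { next }
        { print $2 }
    '
}

# Constructed sample: two profiles share the negative priority -10,
# so "office" and "home" are excluded from hostname determination.
printf '%s\n' 'office 0' 'vpn -10' 'home 50' 'lab -10' | hostname_candidates
```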
4939
4940 veth setting
4941 Veth Settings.
4942
4943 Properties:
4944
4945 peer
4946 Alias: peer
4947
4948 This property specifies the peer interface name of the veth. This
4949 property is mandatory.
4950
4951 Format: string
4952
4953 Secret flag types:
4954 Each password or secret property in a setting has an associated flags
4955 property that describes how to handle that secret. The flags property
4956 is a bitfield that contains zero or more of the following values
4957 logically OR-ed together.
4958
4959 • 0x0 (none) - the system is responsible for providing and storing
4960 this secret. This may be required so that secrets are already
4961 available before the user logs in. It also commonly means that the
4962 secret will be stored in plain text on disk, accessible to root
4963 only. For example via the keyfile settings plugin as described in
4964 the "PLUGINS" section in NetworkManager.conf(5).
4965
4966 • 0x1 (agent-owned) - a user-session secret agent is responsible for
4967 providing and storing this secret; when it is required, agents will
4968 be asked to provide it.
4969
4970 • 0x2 (not-saved) - this secret should not be saved but should be
4971 requested from the user each time it is required. This flag should
4972 be used for One-Time-Pad secrets, PIN codes from hardware tokens,
4973 or if the user simply does not want to save the secret.
4974
4975 • 0x4 (not-required) - in some situations it cannot be automatically
4976 determined whether a secret is required or not. This flag hints that
4977 the secret is not required and should not be requested from the
4978 user.
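
A review of one profile against the 802-11-wireless-security properties and the secret flag values described above, as an added example that is not part of NetworkManager or of this manual page. The function names are hypothetical, the sample profile is constructed, and the "property:value" input shape is an assumption about what `nmcli -t -f 802-11-wireless-security connection show <profile>` prints.

```shell
# Input on stdin: "property:value" lines, the shape assumed for
#   nmcli -t -f 802-11-wireless-security connection show <profile>
# Prints one finding per line and returns 1 if anything was flagged.
audit_wifi_sec() {
    findings=0
    while IFS=: read -r prop value; do
        prop=${prop#802-11-wireless-security.}
        num=${value%% *}                        # "1 (disable)" -> "1"
        case "$num" in ''|*[!0-9]*) num=-1 ;; esac
        msg=
        case "$prop=$value" in
        key-mgmt=none)      msg="key-mgmt=none: WEP or no password protection" ;;
        key-mgmt=ieee8021x) msg="key-mgmt=ieee8021x: Dynamic WEP" ;;
        auth-alg=leap)      msg="auth-alg=leap: legacy Cisco LEAP" ;;
        proto=|proto=--|proto=*wpa*)            # an empty list allows WPA and RSN
            msg="proto: WPA (not only WPA2/RSN) is allowed" ;;
        pairwise=*tkip*)    msg="pairwise: TKIP is allowed" ;;
        group=*wep*|group=*tkip*)
            msg="group: WEP or TKIP is allowed" ;;
        pmf=*)
            if [ "$num" -eq 1 ]; then msg="pmf=1: PMF is disabled"; fi ;;
        psk-flags=*)
            # Neither 0x1 (agent-owned) nor 0x2 (not-saved): the system stores it.
            if [ "$num" -ge 0 ] && [ $((num & 3)) -eq 0 ]; then
                msg="psk-flags=$num: PSK is stored by the system (commonly plain text on disk)"
            fi ;;
        esac
        if [ -n "$msg" ]; then
            printf '%s\n' "$msg"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample profile (not output captured from a real system).
sample_profile() {
    cat <<'EOF'
802-11-wireless-security.key-mgmt:wpa-psk
802-11-wireless-security.proto:wpa,rsn
802-11-wireless-security.pairwise:tkip,ccmp
802-11-wireless-security.group:ccmp
802-11-wireless-security.pmf:1
802-11-wireless-security.psk-flags:0
EOF
}
sample_profile | audit_wifi_sec || echo "profile needs review"
```

Empty pairwise and group lists are not flagged here, although the page notes that leaving them empty gives maximum compatibility; tighten the patterns if your policy requires explicit lists.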
4979
4981 /etc/NetworkManager/system-connections or distro plugin-specific
4982 location
4983
4985 nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
4986 nm-settings-keyfile(5), NetworkManager.conf(5)
4987
4988
4989
4990NetworkManager 1.40.10 NM-SETTINGS-NMCLI(5)