NM-SETTINGS-NMCLI(5)             Configuration            NM-SETTINGS-NMCLI(5)

NAME

       nm-settings-nmcli - Description of settings and properties of
       NetworkManager connection profiles for nmcli

DESCRIPTION

       NetworkManager is based on a concept of connection profiles, sometimes
       referred to as connections only. These connection profiles contain a
       network configuration. When NetworkManager activates a connection
       profile on a network device the configuration will be applied and an
       active network connection will be established. Users are free to create
       as many connection profiles as they see fit. Thus they are flexible in
       having various network configurations for different networking needs.

       NetworkManager provides an API for configuring connection profiles, for
       activating them to configure the network, and inspecting the current
       network configuration. The command line tool nmcli is a client
       application to NetworkManager that uses this API. See nmcli(1) for
       details.

       With commands like nmcli connection add, nmcli connection modify and
       nmcli connection show, connection profiles can be created, modified and
       inspected. A profile consists of properties. On D-Bus this follows the
       format as described by nm-settings-dbus(5), while this manual page
       describes the settings format as expected by nmcli.

       The settings and properties shown in tables below list all available
       connection configuration options. However, note that not all settings
       are applicable to all connection types. The nmcli connection editor
       also has a built-in describe command that can display the description
       of particular settings and properties of this page.

       Setting and property names can be abbreviated provided the
       abbreviation is unique. The list below also shows aliases that can be
       used unqualified instead of the full name. For example
       connection.interface-name and ifname refer to the same property.

   connection setting
       General Connection Profile Settings.

       Properties:

       auth-retries
           The number of retries for the authentication. Zero means to try
           indefinitely; -1 means to use a global default. If the global
           default is not set, authentication is retried 3 times before
           failing the connection.

           Currently, this only applies to 802-1x authentication.

           Format: int32

       autoconnect
           Alias: autoconnect

           Whether or not the connection should be automatically connected by
           NetworkManager when the resources for the connection are available.
           TRUE to automatically activate the connection, FALSE to require
           manual intervention to activate the connection.

           Autoconnect happens when the circumstances are suitable. That means
           for example that the device is currently managed and not active.
           Autoconnect thus never replaces or competes with an already active
           profile.

           Note that autoconnect is not implemented for VPN profiles. See
           "secondaries" as an alternative to automatically connect VPN
           profiles.

           If multiple profiles are ready to autoconnect on the same device,
           the one with the better "connection.autoconnect-priority" is
           chosen. If the priorities are equal, then the most recently
           connected profile is activated. If the profiles were not connected
           earlier or their "connection.timestamp" is identical, the choice is
           undefined.

           Depending on "connection.multi-connect", a profile can
           (auto)connect only once at a time or multiple times.

           Format: boolean

       autoconnect-priority
           The autoconnect priority in range -999 to 999. If the connection is
           set to autoconnect, connections with higher priority will be
           preferred. The higher number means higher priority. Defaults to 0.
           Note that this property only matters if there is more than one
           candidate profile to select for autoconnect. In case of equal
           priority, the profile used most recently is chosen.

           Format: int32

       autoconnect-retries
           The number of times a connection should be tried when
           autoactivating before giving up. Zero means forever, -1 means the
           global default (4 times if not overridden). Setting this to 1 means
           to try activation only once before blocking autoconnect. Note that
           after a timeout, NetworkManager will try to autoconnect again.

           Format: int32

       autoconnect-slaves
           Whether or not slaves of this connection should be automatically
           brought up when NetworkManager activates this connection. This only
           has a real effect for master connections. The properties
           "autoconnect", "autoconnect-priority" and "autoconnect-retries" are
           unrelated to this setting. The permitted values are: 0: leave slave
           connections untouched, 1: activate all the slave connections with
           this connection, -1: default. If -1 (default) is set, global
           connection.autoconnect-slaves is read to determine the real value.
           If it is default as well, this falls back to 0.

           Format: NMSettingConnectionAutoconnectSlaves (int32)

       dns-over-tls
           Whether DNSOverTls (dns-over-tls) is enabled for the connection.
           DNSOverTls is a technology which uses TLS to encrypt DNS traffic.

           The permitted values are: "yes" (2) use DNSOverTls and disable
           fallback, "opportunistic" (1) use DNSOverTls but allow fallback to
           unencrypted resolution, "no" (0) don't ever use DNSOverTls. If
           unspecified, "default" depends on the plugin used. Systemd-resolved
           uses the global setting.

           This feature requires a plugin which supports DNSOverTls.
           Otherwise, the setting has no effect. One such plugin is
           dns-systemd-resolved.

           Format: int32

       gateway-ping-timeout
           If greater than zero, delay success of IP addressing until either
           the timeout is reached, or an IP gateway replies to a ping.

           Format: uint32

       id
           Alias: con-name

           A human readable unique identifier for the connection, like "Work
           Wi-Fi" or "T-Mobile 3G".

           Format: string

       interface-name
           Alias: ifname

           The name of the network interface this connection is bound to. If
           not set, then the connection can be attached to any interface of
           the appropriate type (subject to restrictions imposed by other
           settings).

           For software devices this specifies the name of the created device.

           For connection types where interface names cannot easily be made
           persistent (e.g. mobile broadband or USB Ethernet), this property
           should not be used. Setting this property restricts the interfaces
           a connection can be used with, and if interface names change or are
           reordered the connection may be applied to the wrong interface.

           Format: string

       lldp
           Whether LLDP is enabled for the connection.

           Format: int32

       llmnr
           Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
           the connection. LLMNR is a protocol based on the Domain Name System
           (DNS) packet format that allows both IPv4 and IPv6 hosts to perform
           name resolution for hosts on the same local link.

           The permitted values are: "yes" (2) register hostname and resolving
           for the connection, "no" (0) disable LLMNR for the interface,
           "resolve" (1) do not register hostname but allow resolving of LLMNR
           host names. If unspecified, "default" ultimately depends on the DNS
           plugin (which for systemd-resolved currently means "yes").

           This feature requires a plugin which supports LLMNR. Otherwise, the
           setting has no effect. One such plugin is dns-systemd-resolved.

           Format: int32

       master
           Alias: master

           Interface name of the master device or UUID of the master
           connection.

           Format: string

       mdns
           Whether mDNS is enabled for the connection.

           The permitted values are: "yes" (2) register hostname and resolving
           for the connection, "no" (0) disable mDNS for the interface,
           "resolve" (1) do not register hostname but allow resolving of mDNS
           host names and "default" (-1) to allow lookup of a global default
           in NetworkManager.conf. If unspecified, "default" ultimately
           depends on the DNS plugin (which for systemd-resolved currently
           means "no").

           This feature requires a plugin which supports mDNS. Otherwise, the
           setting has no effect. One such plugin is dns-systemd-resolved.

           Format: int32

       metered
           Whether the connection is metered.

           When updating this property on a currently activated connection,
           the change takes effect immediately.

           Format: NMMetered (int32)

       mptcp-flags
           Whether to configure MPTCP endpoints and the address flags. If
           MPTCP is enabled in NetworkManager, it will configure the addresses
           of the interface as MPTCP endpoints. Note that IPv4 loopback
           addresses (127.0.0.0/8), IPv4 link local addresses
           (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local
           addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7)
           and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy)
           will be excluded from being configured as endpoints.

           If "disabled" (0x1), MPTCP handling for the interface is disabled
           and no endpoints are registered.

           The "enabled" (0x2) flag means that MPTCP handling is enabled. This
           flag can also be implied from the presence of other flags.

           Even when enabled, MPTCP handling will by default still be disabled
           unless "/proc/sys/net/mptcp/enabled" sysctl is on. NetworkManager
           does not change the sysctl and this is up to the administrator or
           distribution. To configure endpoints even if the sysctl is
           disabled, "also-without-sysctl" (0x4) flag can be used. In that
           case, NetworkManager doesn't look at the sysctl and configures
           endpoints regardless.

           Even when enabled, NetworkManager will only configure MPTCP
           endpoints for a certain address family, if there is a unicast
           default route (0.0.0.0/0 or ::/0) in the main routing table. The
           flag "also-without-default-route" (0x8) can override that.

           When MPTCP handling is enabled then endpoints are configured with
           the specified address flags "signal" (0x10), "subflow" (0x20),
           "backup" (0x40), "fullmesh" (0x80). See ip-mptcp(8) manual for
           additional information about the flags.

           If the flags are zero (0x0), the global connection default from
           NetworkManager.conf is honored. If still unspecified, the fallback
           is "enabled,subflow". Note that this means that MPTCP is by default
           done depending on the "/proc/sys/net/mptcp/enabled" sysctl.

           NetworkManager does not change the MPTCP limits nor enable MPTCP
           via "/proc/sys/net/mptcp/enabled". That is a host configuration
           which the admin can change via sysctl and ip-mptcp.

           Strict reverse path filtering (rp_filter) breaks many MPTCP use
           cases, so when MPTCP handling for IPv4 addresses on the interface
           is enabled, NetworkManager loosens the strict reverse path
           filtering (1) to the loose setting (2).

           Format: uint32
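
           The decision logic described for mptcp-flags, as an added example
           (not part of the original manual page or of NetworkManager's code).
           Function and parameter names are illustrative, the sample addresses
           are constructed, and treating "MPTCP handling for IPv4 is enabled"
           as "IPv4 passed the sysctl and default-route checks" is an
           assumption.

```python
import ipaddress

# Flag values as listed for connection.mptcp-flags.
FLAGS = {
    "disabled": 0x1, "enabled": 0x2,
    "also-without-sysctl": 0x4, "also-without-default-route": 0x8,
    "signal": 0x10, "subflow": 0x20, "backup": 0x40, "fullmesh": 0x80,
}
ADDRESS_FLAGS = ("signal", "subflow", "backup", "fullmesh")

# Ranges never configured as endpoints. Privacy-extension addresses cannot be
# recognised from the address alone, so callers mark them as temporary.
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def flag_names(value):
    """Names of all bits set in an mptcp-flags value."""
    return [name for name, bit in FLAGS.items() if value & bit]


def effective_flags(profile_flags, global_default=0):
    """0x0 defers to the NetworkManager.conf default, then to enabled,subflow."""
    value = profile_flags or global_default
    return value or (FLAGS["enabled"] | FLAGS["subflow"])


def endpoint_eligible(address, temporary=False):
    """False for the address classes excluded from being endpoints."""
    if temporary:
        return False
    ip = ipaddress.ip_address(address)
    return not any(ip.version == net.version and ip in net for net in EXCLUDED)


def plan_endpoints(profile_flags, addresses, *, sysctl_enabled, default_route,
                   global_default=0, rp_filter=1):
    """Return what would be configured for one interface.

    addresses:      iterable of (address, is_temporary) pairs
    sysctl_enabled: state of /proc/sys/net/mptcp/enabled
    default_route:  {4: bool, 6: bool}, unicast default route in the main table
    rp_filter:      current IPv4 reverse path filter mode (1 strict, 2 loose)
    """
    value = effective_flags(profile_flags, global_default)
    plan = {"flags": flag_names(value), "endpoints": [],
            "address_flags": [], "rp_filter": rp_filter}

    if value & FLAGS["disabled"]:
        return plan                      # no endpoints are registered
    if not sysctl_enabled and not value & FLAGS["also-without-sysctl"]:
        return plan                      # sysctl off and no override flag

    ignore_route = bool(value & FLAGS["also-without-default-route"])
    families = {fam for fam in (4, 6) if ignore_route or default_route.get(fam)}

    plan["address_flags"] = [n for n in ADDRESS_FLAGS if value & FLAGS[n]]
    plan["endpoints"] = [
        addr for addr, temporary in addresses
        if ipaddress.ip_address(addr).version in families
        and endpoint_eligible(addr, temporary)
    ]
    # Assumption: handling counts as enabled for IPv4 once IPv4 passed the
    # checks above; strict rp_filter (1) is then loosened to loose (2).
    if 4 in families and rp_filter == 1:
        plan["rp_filter"] = 2
    return plan


# Constructed sample addresses (documentation prefixes plus excluded classes).
SAMPLE_ADDRESSES = [
    ("192.0.2.10", False), ("127.0.0.1", False), ("169.254.7.7", False),
    ("2001:db8::5", False), ("fe80::1", False), ("fd00::1", False),
    ("2001:db8::aaaa", True),
]

if __name__ == "__main__":
    for flags in (0x0, 0x1, 0x1C):
        result = plan_endpoints(flags, SAMPLE_ADDRESSES, sysctl_enabled=False,
                                default_route={4: True, 6: True})
        print(hex(flags), result)
```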

       mud-url
           If configured, set to a Manufacturer Usage Description (MUD) URL
           that points to manufacturer-recommended network policies for IoT
           devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
           must be a valid URL starting with "https://".

           The special value "none" is allowed to indicate that no MUD URL is
           used.

           If the per-profile value is unspecified (the default), a global
           connection default gets consulted. If still unspecified, the
           ultimate default is "none".

           Format: string

       multi-connect
           Specifies whether the profile can be active multiple times at a
           particular moment. The value is of type NMConnectionMultiConnect.

           Format: int32

       permissions
           An array of strings defining what access a given user has to this
           connection. If this is NULL or empty, all users are allowed to
           access this connection; otherwise users are allowed if and only if
           they are in this list. When this is not empty, the connection can
           be active only when one of the specified users is logged into an
           active session. Each entry is of the form "[type]:[id]:[reserved]";
           for example, "user:dcbw:blah".

           At this time only the "user" [type] is allowed. Any other values
           are ignored and reserved for future use. [id] is the username that
           this permission refers to, which may not contain the ":" character.
           Any [reserved] information present must be ignored and is reserved
           for future use. All of [type], [id], and [reserved] must be valid
           UTF-8.

           Format: array of string

       read-only
           FALSE if the connection can be modified using the provided settings
           service's D-Bus interface with the right privileges, or TRUE if the
           connection is read-only and cannot be modified.

           Format: boolean

       secondaries
           List of connection UUIDs that should be activated when the base
           connection itself is activated. Currently, only VPN connections are
           supported.

           Format: array of string

       slave-type
           Alias: slave-type

           Setting name of the device type of this slave's master connection
           (eg, "bond"), or NULL if this connection is not a slave.

           Format: string

       stable-id
           This represents the identity of the connection used for various
           purposes. It allows multiple profiles to be configured to share
           the identity. Also, the stable-id can contain placeholders that are
           substituted dynamically and deterministically depending on the
           context.

           The stable-id is used for generating IPv6 stable private addresses
           with ipv6.addr-gen-mode=stable-privacy. It is also used to seed the
           generated cloned MAC address for ethernet.cloned-mac-address=stable
           and wifi.cloned-mac-address=stable. It is also used as DHCP client
           identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
           DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid].

           Note that depending on the context where it is used, other
           parameters are also seeded into the generation algorithm. For
           example, a per-host key is commonly also included, so that
           different systems end up generating different IDs. Or with
           ipv6.addr-gen-mode=stable-privacy, also the device's name is
           included, so that different interfaces yield different addresses.
           The per-host key is the identity of your machine and stored in
           /var/lib/NetworkManager/secret_key. See NetworkManager(8) manual
           about the secret-key and the host identity.

           The '$' character is treated specially to perform dynamic
           substitutions at runtime. Currently supported are "${CONNECTION}",
           "${DEVICE}", "${MAC}", "${BOOT}", "${RANDOM}". These effectively
           create unique IDs per-connection, per-device, per-boot, or every
           time. Note that "${DEVICE}" corresponds to the interface name of
           the device and "${MAC}" is the permanent MAC address of the device.
           Any unrecognized patterns following '$' are treated verbatim, but
           are reserved for future use. You are thus advised to avoid
           '$' or escape it as "$$". For example, set it to
           "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
           connection that changes with every reboot and differs depending on
           the interface where the profile activates.

           If the value is unset, a global connection default is consulted. If
           the value is still unset, the default is similar to "${CONNECTION}"
           and uses a unique, fixed ID for the connection.

           Format: string
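
           A small checker for stable-id values, as an added example (not part
           of the original manual page or of NetworkManager's code). It
           tokenizes the '$' syntax described above and reports how widely the
           derived identifiers (IPv6 address, cloned MAC, DHCP client ID) stay
           linkable. The function name, result keys and sample values are
           illustrative.

```python
import re

# Placeholders listed for connection.stable-id and what each one varies with.
KNOWN = {
    "CONNECTION": "connection profile",
    "DEVICE": "interface name",
    "MAC": "permanent MAC address",
    "BOOT": "boot",
    "RANDOM": "every use",
}
# "$$" is an escaped dollar, "${NAME}" a placeholder, a lone "$" anything else.
TOKEN = re.compile(r"\$\$|\$\{([^}]*)\}|\$")


def analyze_stable_id(value):
    """Tokenize a stable-id and summarise when the derived identity changes."""
    placeholders, reserved, literal = [], [], []
    pos = 0
    for match in TOKEN.finditer(value):
        literal.append(value[pos:match.start()])
        pos = match.end()
        token = match.group(0)
        if token == "$$":
            literal.append("$")          # escaped dollar sign
        elif match.group(1) in KNOWN:
            placeholders.append(match.group(1))
        else:
            # Treated verbatim today, but reserved for future use.
            reserved.append(token)
            literal.append(token)
    literal.append(value[pos:])

    used = set(placeholders)
    return {
        "placeholders": placeholders,
        "varies_with": [KNOWN[p] for p in placeholders],
        # Fixed text left after unescaping, with known placeholders removed.
        "literal": "".join(literal),
        "reserved": reserved,
        # Without ${CONNECTION} or ${RANDOM}, every profile that sets the same
        # string shares one identity.
        "shared_between_profiles": not used & {"CONNECTION", "RANDOM"},
        # Identity survives a reboot unless ${BOOT} or ${RANDOM} is present.
        "stable_across_reboots": not used & {"BOOT", "RANDOM"},
        "warnings": [f"unescaped {tok!r}: escape '$' as '$$'" for tok in reserved],
    }


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("${CONNECTION}-${BOOT}-${DEVICE}", "office-lan",
                   "cost$$center-${HOSTNAME}-$x", "${RANDOM}"):
        print(sample, "->", analyze_stable_id(sample))
```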

       timestamp
           The time, in seconds since the Unix Epoch, that the connection was
           last _successfully_ fully activated.

           NetworkManager updates the connection timestamp periodically when
           the connection is active to ensure that an active connection has
           the latest timestamp. The property is only meant for reading
           (changes to this property will not be preserved).

           Format: uint64

       type
           Alias: type

           Base type of the connection. For hardware-dependent connections,
           should contain the setting name of the hardware-type specific
           setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth",
           etc), and for non-hardware dependent connections like VPN or
           otherwise, should contain the setting name of that setting type
           (ie, "vpn" or "bridge", etc).

           Format: string

       uuid
           A universally unique identifier for the connection, for example
           generated with libuuid. It should be assigned when the connection
           is created, and never changed as long as the connection still
           applies to the same network. For example, it should not be changed
           when the "id" property or NMSettingIP4Config changes, but might
           need to be re-created when the Wi-Fi SSID, mobile broadband network
           provider, or "type" property changes.

           The UUID must be in the format
           "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only
           hexadecimal characters and "-").

           Format: string

       wait-activation-delay
           Time in milliseconds to wait for connection to be considered
           activated. The wait will start after the pre-up dispatcher event.

           The value 0 means no wait time. The default value is -1, which
           currently has the same meaning as no wait time.

           Format: int32

       wait-device-timeout
           Timeout in milliseconds to wait for device at startup. During boot,
           devices may take a while to be detected by the driver. This
           property delays NetworkManager-wait-online.service and nm-online
           to give the device a chance to appear. This works by
           waiting for the given timeout until a compatible device for the
           profile is available and managed.

           The value 0 means no wait time. The default value is -1, which
           currently has the same meaning as no wait time.

           Format: int32

       zone
           The trust level of the connection. Free form case-insensitive
           string (for example "Home", "Work", "Public"). NULL or unspecified
           zone means the connection will be placed in the default zone as
           defined by the firewall.

           When updating this property on a currently activated connection,
           the change takes effect immediately.

           Format: string

   6lowpan setting
       6LoWPAN Settings.

       Properties:

       parent
           Alias: dev

           If given, specifies the parent interface name or parent connection
           UUID from which this 6LowPAN interface should be created.

           Format: string

   802-1x setting
       IEEE 802.1x Authentication Settings.

       Properties:

       altsubject-matches
           List of strings to be matched against the altSubjectName of the
           certificate presented by the authentication server. If the list is
           empty, no verification of the server certificate's altSubjectName
           is performed.

           Format: array of string

       anonymous-identity
           Anonymous identity string for EAP authentication methods. Used as
           the unencrypted identity with EAP types that support a different
           tunneled identity, like EAP-TTLS.

           Format: string

       auth-timeout
           A timeout for the authentication. Zero means the global default; if
           the global default is not set, the authentication timeout is 25
           seconds.

           Format: int32

       ca-cert
           Contains the CA certificate if used by the EAP method specified in
           the "eap" property.

           Certificate data is specified using a "scheme"; three are currently
           supported: blob, path and pkcs#11 URL. When using the blob scheme
           this property should be set to the certificate's DER encoded data.
           When using the path scheme, this property should be set to the full
           UTF-8 encoded path of the certificate, prefixed with the string
           "file://" and ending with a terminating NUL byte. This property can
           be unset even if the EAP method supports CA certificates, but this
           allows man-in-the-middle attacks and is NOT recommended.

           Note that enabling NMSetting8021x:system-ca-certs will override
           this setting to use the built-in path, if the built-in path is not
           a directory.

           Format: byte array

       ca-cert-password
           The password used to access the CA certificate stored in "ca-cert"
           property. Only makes sense if the certificate is stored on a
           PKCS#11 token that requires a login.

           Format: string

       ca-cert-password-flags
           Flags indicating how to handle the "ca-cert-password" property.

           Format: NMSettingSecretFlags (uint32)

       ca-path
           UTF-8 encoded path to a directory containing PEM or DER formatted
           certificates to be added to the verification chain in addition to
           the certificate specified in the "ca-cert" property.

           If NMSetting8021x:system-ca-certs is enabled and the built-in CA
           path is an existing directory, then this setting is ignored.

           Format: string

       client-cert
           Contains the client certificate if used by the EAP method specified
           in the "eap" property.

           Certificate data is specified using a "scheme"; two are currently
           supported: blob and path. When using the blob scheme (which is
           backwards compatible with NM 0.7.x) this property should be set to
           the certificate's DER encoded data. When using the path scheme,
           this property should be set to the full UTF-8 encoded path of the
           certificate, prefixed with the string "file://" and ending with a
           terminating NUL byte.

           Format: byte array

       client-cert-password
           The password used to access the client certificate stored in
           "client-cert" property. Only makes sense if the certificate is
           stored on a PKCS#11 token that requires a login.

           Format: string

       client-cert-password-flags
           Flags indicating how to handle the "client-cert-password" property.

           Format: NMSettingSecretFlags (uint32)

       domain-match
           Constraint for server domain name. If set, this list of FQDNs is
           used as a match requirement for dNSName element(s) of the
           certificate presented by the authentication server. If a matching
           dNSName is found, this constraint is met. If no dNSName values are
           present, this constraint is matched against SubjectName CN using
           the same comparison. Multiple valid FQDNs can be passed as a ";"
           delimited list.

           Format: string

       domain-suffix-match
           Constraint for server domain name. If set, this FQDN is used as a
           suffix match requirement for dNSName element(s) of the certificate
           presented by the authentication server. If a matching dNSName is
           found, this constraint is met. If no dNSName values are present,
           this constraint is matched against SubjectName CN using the same
           suffix match comparison. Since version 1.24, multiple valid FQDNs
           can be passed as a ";" delimited list.

           Format: string

       eap
           The allowed EAP method to be used when authenticating to the
           network with 802.1x. Valid methods are: "leap", "md5", "tls",
           "peap", "ttls", "pwd", and "fast". Each method requires different
           configuration using the properties of this setting; refer to
           wpa_supplicant documentation for the allowed combinations.

           Format: array of string

       identity
           Identity string for EAP authentication methods. Often the user's
           user or login name.

           Format: string

       optional
           Whether the 802.1X authentication is optional. If TRUE, the
           activation will continue even after a timeout or an authentication
           failure. Setting the property to TRUE is currently allowed only for
           Ethernet connections. If set to FALSE, the activation can continue
           only after a successful authentication.

           Format: boolean

       pac-file
           UTF-8 encoded file path containing PAC for EAP-FAST.

           Format: string

       password
           UTF-8 encoded password used for EAP authentication methods. If both
           the "password" property and the "password-raw" property are
           specified, "password" is preferred.

           Format: string

       password-flags
           Flags indicating how to handle the "password" property.

           Format: NMSettingSecretFlags (uint32)

       password-raw
           Password used for EAP authentication methods, given as a byte array
           to allow passwords in other encodings than UTF-8 to be used. If
           both the "password" property and the "password-raw" property are
           specified, "password" is preferred.

           Format: byte array

       password-raw-flags
           Flags indicating how to handle the "password-raw" property.

           Format: NMSettingSecretFlags (uint32)

       phase1-auth-flags
           Specifies authentication flags to use in "phase 1" outer
           authentication using NMSetting8021xAuthFlags options. The
           individual TLS versions can be explicitly disabled. If a certain
           TLS disable flag is not set, it is up to the supplicant to allow or
           forbid it. The TLS options map to tls_disable_tlsv1_x settings. See
           the wpa_supplicant documentation for more details.

           Format: uint32

       phase1-fast-provisioning
           Enables or disables in-line provisioning of EAP-FAST credentials
           when FAST is specified as the EAP method in the "eap" property.
           Recognized values are "0" (disabled), "1" (allow unauthenticated
           provisioning), "2" (allow authenticated provisioning), and "3"
           (allow both authenticated and unauthenticated provisioning). See
           the wpa_supplicant documentation for more details.

           Format: string
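
           A profile audit built on the 802-1x properties described so far
           (ca-cert, the domain and altSubjectName constraints, optional,
           phase1-fast-provisioning), as an added example that is not part of
           the original manual page or of NetworkManager. It reads the
           "setting.property:value" lines printed by
           nmcli -t connection show <profile>. The finding names, the set of
           EAP methods checked for a CA and all sample profiles are
           constructed for illustration.

```python
import re

PREFIX = "802-1x."
UNSET = {"", "--"}
TRUE = {"yes", "true", "1"}
# Assumption of this example: EAP methods for which the server certificate
# checks below are evaluated.
CERT_METHODS = {"tls", "peap", "ttls"}
NAME_CHECKS = ("domain-match", "domain-suffix-match", "altsubject-matches")

MESSAGES = {
    "no-ca": "ca-cert unset and system-ca-certs off: allows man-in-the-middle",
    "no-server-name-check": "none of " + ", ".join(NAME_CHECKS) + " is set",
    "auth-optional": "optional is TRUE: activation continues after a failure",
    "fast-unauth-provisioning": "unauthenticated EAP-FAST provisioning allowed",
}


def parse_terse(text):
    """Collect the 802-1x properties from nmcli terse-mode output."""
    props = {}
    for line in text.splitlines():
        key, sep, raw = line.partition(":")
        if sep and key.startswith(PREFIX):
            # Terse mode backslash-escapes ':' and '\' inside values.
            value = re.sub(r"\\(.)", r"\1", raw).strip()
            props[key[len(PREFIX):]] = "" if value in UNSET else value
    return props


def audit_8021x(text):
    """Return finding codes (keys of MESSAGES) for one profile dump."""
    p = parse_terse(text)
    methods = {m.strip().lower() for m in p.get("eap", "").split(",") if m.strip()}
    if not methods:
        return []                        # profile does not use 802.1X
    findings = []
    if methods & CERT_METHODS:
        system_ca = p.get("system-ca-certs", "").lower() in TRUE
        if not p.get("ca-cert") and not system_ca:
            findings.append("no-ca")
        if not any(p.get(name) for name in NAME_CHECKS):
            findings.append("no-server-name-check")
    if p.get("optional", "").lower() in TRUE:
        findings.append("auth-optional")
    if "fast" in methods and p.get("phase1-fast-provisioning") in {"1", "3"}:
        findings.append("fast-unauth-provisioning")
    return findings


# Constructed profile dumps in terse format.
WEAK_WIFI = r"""connection.id:Corp-WiFi
802-1x.eap:peap
802-1x.identity:alice
802-1x.ca-cert:
802-1x.system-ca-certs:no
802-1x.domain-suffix-match:
802-1x.altsubject-matches:
802-1x.optional:no
802-1x.phase2-auth:mschapv2
"""

HARDENED_WIFI = r"""connection.id:Corp-WiFi
802-1x.eap:peap
802-1x.identity:alice
802-1x.ca-cert:/etc/pki/tls/certs/corp-ca.pem
802-1x.domain-suffix-match:radius.example.com
802-1x.altsubject-matches:DNS\:radius.example.com
802-1x.optional:no
802-1x.phase2-auth:mschapv2
"""

WIRED_FAST = r"""connection.id:Lab-Ethernet
802-1x.eap:fast
802-1x.optional:yes
802-1x.phase1-fast-provisioning:3
"""

if __name__ == "__main__":
    for name, dump in (("weak", WEAK_WIFI), ("hardened", HARDENED_WIFI),
                       ("wired-fast", WIRED_FAST)):
        for code in audit_8021x(dump) or ["ok"]:
            print(f"{name}: {code}: {MESSAGES.get(code, 'no findings')}")
```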
646
647       phase1-peaplabel
648           Forces use of the new PEAP label during key derivation. Some RADIUS
649           servers may require forcing the new PEAP label to interoperate with
650           PEAPv1. Set to "1" to force use of the new PEAP label. See the
651           wpa_supplicant documentation for more details.
652
653           Format: string
654
655       phase1-peapver
656           Forces which PEAP version is used when PEAP is set as the EAP
657           method in the "eap" property. When unset, the version reported by
658           the server will be used. Sometimes when using older RADIUS servers,
659           it is necessary to force the client to use a particular PEAP
660           version. To do so, this property may be set to "0" or "1" to force
661           that specific PEAP version.
662
663           Format: string
664
665       phase2-altsubject-matches
666           List of strings to be matched against the altSubjectName of the
667           certificate presented by the authentication server during the inner
668           "phase 2" authentication. If the list is empty, no verification of
669           the server certificate's altSubjectName is performed.
670
671           Format: array of string
672
673       phase2-auth
674           Specifies the allowed "phase 2" inner authentication method when an
675           EAP method that uses an inner TLS tunnel is specified in the "eap"
676           property. For TTLS this property selects one of the supported
677           non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while
678           "phase2-autheap" selects an EAP inner method. For PEAP this selects
679           an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each
680           "phase 2" inner method requires specific parameters for successful
681           authentication; see the wpa_supplicant documentation for more
682           details. "phase2-auth" and "phase2-autheap" cannot both be
683           specified.
684
685           Format: string
686
687       phase2-autheap
688           Specifies the allowed "phase 2" inner EAP-based authentication
689           method when TTLS is specified in the "eap" property. Recognized
690           EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc",
691           and "tls". Each "phase 2" inner method requires specific parameters
692           for successful authentication; see the wpa_supplicant documentation
693           for more details.
694
695           Format: string
696
697       phase2-ca-cert
698           Contains the "phase 2" CA certificate if used by the EAP method
699           specified in the "phase2-auth" or "phase2-autheap" properties.
700
701           Certificate data is specified using a "scheme"; three are currently
702           supported: blob, path and pkcs#11 URL. When using the blob scheme
703           this property should be set to the certificate's DER encoded data.
704           When using the path scheme, this property should be set to the full
705           UTF-8 encoded path of the certificate, prefixed with the string
706           "file://" and ending with a terminating NUL byte. This property can
707           be unset even if the EAP method supports CA certificates, but this
708           allows man-in-the-middle attacks and is NOT recommended.
709
710           Note that enabling NMSetting8021x:system-ca-certs will override
711           this setting to use the built-in path, if the built-in path is not
712           a directory.
713
714           Format: byte array
715
716       phase2-ca-cert-password
717           The password used to access the "phase2" CA certificate stored in
718           "phase2-ca-cert" property. Only makes sense if the certificate is
719           stored on a PKCS#11 token that requires a login.
720
721           Format: string
722
723       phase2-ca-cert-password-flags
724           Flags indicating how to handle the "phase2-ca-cert-password"
725           property.
726
727           Format: NMSettingSecretFlags (uint32)
728
729       phase2-ca-path
730           UTF-8 encoded path to a directory containing PEM or DER formatted
731           certificates to be added to the verification chain in addition to
732           the certificate specified in the "phase2-ca-cert" property.
733
734           If NMSetting8021x:system-ca-certs is enabled and the built-in CA
735           path is an existing directory, then this setting is ignored.
736
737           Format: string
738
739       phase2-client-cert
740           Contains the "phase 2" client certificate if used by the EAP method
741           specified in the "phase2-auth" or "phase2-autheap" properties.
742
743           Certificate data is specified using a "scheme"; two are currently
744           supported: blob and path. When using the blob scheme (which is
745           backwards compatible with NM 0.7.x) this property should be set to
746           the certificate's DER encoded data. When using the path scheme,
747           this property should be set to the full UTF-8 encoded path of the
748           certificate, prefixed with the string "file://" and ending with a
749           terminating NUL byte. This property can be unset even if the EAP
750           method supports CA certificates, but this allows man-in-the-middle
751           attacks and is NOT recommended.
752
753           Format: byte array
754
755       phase2-client-cert-password
756           The password used to access the "phase2" client certificate stored
757           in "phase2-client-cert" property. Only makes sense if the
758           certificate is stored on a PKCS#11 token that requires a login.
759
760           Format: string
761
762       phase2-client-cert-password-flags
763           Flags indicating how to handle the "phase2-client-cert-password"
764           property.
765
766           Format: NMSettingSecretFlags (uint32)
767
768       phase2-domain-match
769           Constraint for server domain name. If set, this list of FQDNs is
770           used as a match requirement for dNSName element(s) of the
771           certificate presented by the authentication server during the inner
772           "phase 2" authentication. If a matching dNSName is found, this
773           constraint is met. If no dNSName values are present, this
774           constraint is matched against SubjectName CN using the same
775           comparison. Multiple valid FQDNs can be passed as a ";" delimited
776           list.
777
778           Format: string
779
780       phase2-domain-suffix-match
781           Constraint for server domain name. If set, this FQDN is used as a
782           suffix match requirement for dNSName element(s) of the certificate
783           presented by the authentication server during the inner "phase 2"
784           authentication. If a matching dNSName is found, this constraint is
785           met. If no dNSName values are present, this constraint is matched
786           against SubjectName CN using the same suffix match comparison. Since
787           version 1.24, multiple valid FQDNs can be passed as a ";" delimited
788           list.
789
790           Format: string
791
792       phase2-private-key
793           Contains the "phase 2" inner private key when the "phase2-auth" or
794           "phase2-autheap" property is set to "tls".
795
796           Key data is specified using a "scheme"; two are currently
797           supported: blob and path. When using the blob scheme and private
798           keys, this property should be set to the key's encrypted PEM
799           encoded data. When using private keys with the path scheme, this
800           property should be set to the full UTF-8 encoded path of the key,
801           prefixed with the string "file://" and ending with a terminating
802           NUL byte. When using PKCS#12 format private keys and the blob
803           scheme, this property should be set to the PKCS#12 data and the
804           "phase2-private-key-password" property must be set to the password used
805           to decrypt the PKCS#12 certificate and key. When using PKCS#12
806           files and the path scheme, this property should be set to the full
807           UTF-8 encoded path of the key, prefixed with the string "file://"
808           and ending with a terminating NUL byte, and as with the blob scheme
809           the "phase2-private-key-password" property must be set to the
810           password used to decode the PKCS#12 private key and certificate.
811
812           Format: byte array
813
814       phase2-private-key-password
815           The password used to decrypt the "phase 2" private key specified in
816           the "phase2-private-key" property when the private key either uses
817           the path scheme, or is a PKCS#12 format key.
818
819           Format: string
820
821       phase2-private-key-password-flags
822           Flags indicating how to handle the "phase2-private-key-password"
823           property.
824
825           Format: NMSettingSecretFlags (uint32)
826
827       phase2-subject-match
828           Substring to be matched against the subject of the certificate
829           presented by the authentication server during the inner "phase 2"
830           authentication. When unset, no verification of the authentication
831           server certificate's subject is performed. This property provides
832           little security, if any, and its use is deprecated in favor of
833           NMSetting8021x:phase2-domain-suffix-match.
834
835           Format: string
836
837       pin
838           PIN used for EAP authentication methods.
839
840           Format: string
841
842       pin-flags
843           Flags indicating how to handle the "pin" property.
844
845           Format: NMSettingSecretFlags (uint32)
846
847       private-key
848           Contains the private key when the "eap" property is set to "tls".
849
850           Key data is specified using a "scheme"; two are currently
851           supported: blob and path. When using the blob scheme and private
852           keys, this property should be set to the key's encrypted PEM
853           encoded data. When using private keys with the path scheme, this
854           property should be set to the full UTF-8 encoded path of the key,
855           prefixed with the string "file://" and ending with a terminating
856           NUL byte. When using PKCS#12 format private keys and the blob
857           scheme, this property should be set to the PKCS#12 data and the
858           "private-key-password" property must be set to the password used to
859           decrypt the PKCS#12 certificate and key. When using PKCS#12 files
860           and the path scheme, this property should be set to the full UTF-8
861           encoded path of the key, prefixed with the string "file://" and
862           ending with a terminating NUL byte, and as with the blob scheme the
863           "private-key-password" property must be set to the password used to
864           decode the PKCS#12 private key and certificate.
865
866           WARNING: "private-key" is not a "secret" property, and thus
867           unencrypted private key data using the BLOB scheme may be readable
868           by unprivileged users. Private keys should always be encrypted with
869           a private key password to prevent unauthorized access to
870           unencrypted private key data.
871
872           Format: byte array
873
874       private-key-password
875           The password used to decrypt the private key specified in the
876           "private-key" property when the private key either uses the path
877           scheme, or if the private key is a PKCS#12 format key.
878
879           Format: string
880
881       private-key-password-flags
882           Flags indicating how to handle the "private-key-password" property.
883
884           Format: NMSettingSecretFlags (uint32)
885
886       subject-match
887           Substring to be matched against the subject of the certificate
888           presented by the authentication server. When unset, no verification
889           of the authentication server certificate's subject is performed.
890           This property provides little security, if any, and its use is
891           deprecated in favor of NMSetting8021x:domain-suffix-match.
892
893           Format: string
894
895       system-ca-certs
896           When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
897           using the system CA directory specified at configure time with the
898           --system-ca-path switch. The certificates in this directory are
899           added to the verification chain in addition to any certificates
900           specified by the "ca-cert" and "phase2-ca-cert" properties. If the
901           path provided with --system-ca-path is rather a file name (bundle
902           of trusted CA certificates), it overrides "ca-cert" and
903           "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
904           for wpa_supplicant).
905
906           Format: boolean
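
The following Python audit is an added example, not part of NetworkManager or of this manual page. It checks 802-1x property values for the weak settings described above: no CA trust anchor, use of the deprecated subject-match, no server name constraint, and a private key whose password is flagged as not required. The "property value" input lines and the finding names are assumptions made for the example; 0x4 is the not-required bit of NMSettingSecretFlags.

```python
import re

# Added example; property names are the 802-1x properties documented on this page.
TLS_METHODS = {"tls", "peap", "ttls"}   # outer methods that present a server certificate
NOT_REQUIRED = 0x4                      # NM_SETTING_SECRET_FLAG_NOT_REQUIRED

# Constructed samples, one "property value" pair per line (not captured nmcli output).
SAMPLE_WEAK = """\
eap tls
subject-match radius
private-key file:///etc/pki/client.key
private-key-password-flags 4
"""

SAMPLE_HARDENED = """\
eap ttls
phase2-autheap tls
ca-cert file:///etc/pki/corp-ca.pem
domain-suffix-match radius.example.org
phase2-ca-cert file:///etc/pki/inner-ca.pem
phase2-domain-suffix-match radius.example.org
phase2-private-key file:///etc/pki/inner.key
phase2-private-key-password-flags 1
"""


def parse_props(text):
    """Turn 'name value' lines into a dict; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            props[name] = value.strip()
    return props


def _flags(value):
    """Parse an NMSettingSecretFlags number such as '4' or '0x4'; unset means 0."""
    return int(value.split()[0], 0) if value.strip() else 0


def audit_phase(props, prefix):
    """Check one authentication phase; prefix is '' (outer) or 'phase2-' (inner)."""
    get = lambda name: props.get(prefix + name, "")
    system_ca = props.get("system-ca-certs", "").lower() in ("true", "yes", "1")
    findings = []
    # No CA certificate, CA directory or system CA store: server is not authenticated.
    if not (get("ca-cert") or get("ca-path") or system_ca):
        findings.append(prefix + "no-trust-anchor")
    # Substring match on the subject; deprecated in favor of domain-suffix-match.
    if get("subject-match"):
        findings.append(prefix + "deprecated-subject-match")
    # Without a name constraint, any certificate chaining to the trusted CA passes.
    if not (get("domain-suffix-match") or get("domain-match")
            or get("altsubject-matches")):
        findings.append(prefix + "no-server-name-constraint")
    # A key whose password is "not required" is stored unencrypted.
    if get("private-key") and _flags(get("private-key-password-flags")) & NOT_REQUIRED:
        findings.append(prefix + "unencrypted-private-key")
    return findings


def audit(props):
    """Return the list of findings for one profile's 802-1x properties."""
    findings = []
    if props.get("phase2-auth") and props.get("phase2-autheap"):
        findings.append("phase2-auth-and-autheap-both-set")
    if set(re.split(r"[,;\s]+", props.get("eap", ""))) & TLS_METHODS:
        findings += audit_phase(props, "")
    # The phase 2 certificate properties only apply to an inner "tls" method.
    if "tls" in (props.get("phase2-auth"), props.get("phase2-autheap")):
        findings += audit_phase(props, "phase2-")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(parse_props(sample)))
```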
907
908   adsl setting
909       ADSL Settings.
910
911       Properties:
912
913       encapsulation
914           Alias: encapsulation
915
916           Encapsulation of ADSL connection. Can be "vcmux" or "llc".
917
918           Format: string
919
920       password
921           Alias: password
922
923           Password used to authenticate with the ADSL service.
924
925           Format: string
926
927       password-flags
928           Flags indicating how to handle the "password" property.
929
930           Format: NMSettingSecretFlags (uint32)
931
932       protocol
933           Alias: protocol
934
935           ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
936
937           Format: string
938
939       username
940           Alias: username
941
942           Username used to authenticate with the ADSL service.
943
944           Format: string
945
946       vci
947           VCI of the ADSL connection.
948
949           Format: uint32
950
951       vpi
952           VPI of the ADSL connection.
953
954           Format: uint32
955
956   bluetooth setting
957       Bluetooth Settings.
958
959       Properties:
960
961       bdaddr
962           Alias: addr
963
964           The Bluetooth address of the device.
965
966           Format: byte array
967
968       type
969           Alias: bt-type
970
971           Either "dun" for Dial-Up Networking connections or "panu" for
972           Personal Area Networking connections to devices supporting the NAP
973           profile.
974
975           Format: string
976
977   bond setting
978       Bonding Settings.
979
980       Properties:
981
982       options
983           Dictionary of key/value pairs of bonding options. Both keys and
984           values must be strings. Option names must contain only alphanumeric
985           characters (i.e., [a-zA-Z0-9]).
986
987           Format: dict of string to string
988
989   bridge setting
990       Bridging Settings.
991
992       Properties:
993
994       ageing-time
995           Alias: ageing-time
996
997           The Ethernet MAC address aging time, in seconds.
998
999           Format: uint32
1000
1001       forward-delay
1002           Alias: forward-delay
1003
1004           The Spanning Tree Protocol (STP) forwarding delay, in seconds.
1005
1006           Format: uint32
1007
1008       group-address
1009           If specified, the MAC address of the multicast group this bridge
1010           uses for STP.
1011
1012           The address must be a link-local address in standard Ethernet MAC
1013           address format, i.e. an address of the form 01:80:C2:00:00:0X, with X
1014           in [0, 4..F]. If not specified the default value is
1015           01:80:C2:00:00:00.
1016
1017           Format: byte array
1018
1019       group-forward-mask
1020           Alias: group-forward-mask
1021
1022           A mask of group addresses to forward. Usually, group addresses in
1023           the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
1024           forwarded according to standards. This property is a mask of 16
1025           bits, each corresponding to a group address in that range that must
1026           be forwarded. The mask can't have bits 0, 1 or 2 set because they
1027           are used for STP, MAC pause frames and LACP.
1028
1029           Format: uint32
1030
1031       hello-time
1032           Alias: hello-time
1033
1034           The Spanning Tree Protocol (STP) hello time, in seconds.
1035
1036           Format: uint32
1037
1038       mac-address
1039           Alias: mac
1040
1041           If specified, the MAC address of the bridge. When creating a new
1042           bridge, this MAC address will be set.
1043
1044           If this field is left unspecified,
1045           "ethernet.cloned-mac-address" is used instead to generate the
1046           initial MAC address. Note that setting
1047           "ethernet.cloned-mac-address" overwrites the MAC address of the
1048           bridge later anyway, while activating the bridge. Hence, this
1049           property is deprecated.
1050
1051           Format: byte array
1052
1053       max-age
1054           Alias: max-age
1055
1056           The Spanning Tree Protocol (STP) maximum message age, in seconds.
1057
1058           Format: uint32
1059
1060       multicast-hash-max
1061           Set maximum size of multicast hash table (value must be a power of
1062           2).
1063
1064           Format: uint32
1065
1066       multicast-last-member-count
1067           Set the number of queries the bridge will send before stopping
1068           forwarding a multicast group after a "leave" message has been
1069           received.
1070
1071           Format: uint32
1072
1073       multicast-last-member-interval
1074           Set interval (in deciseconds) between queries to find remaining
1075           members of a group, after a "leave" message is received.
1076
1077           Format: uint64
1078
1079       multicast-membership-interval
1080           Set delay (in deciseconds) after which the bridge will leave a
1081           group, if no membership reports for this group are received.
1082
1083           Format: uint64
1084
1085       multicast-querier
1086           Enable or disable sending of multicast queries by the bridge. If
1087           not specified the option is disabled.
1088
1089           Format: boolean
1090
1091       multicast-querier-interval
1092           If no queries are seen after this delay (in deciseconds) has
1093           passed, the bridge will start to send its own queries.
1094
1095           Format: uint64
1096
1097       multicast-query-interval
1098           Interval (in deciseconds) between queries sent by the bridge after
1099           the end of the startup phase.
1100
1101           Format: uint64
1102
1103       multicast-query-response-interval
1104           Set the Max Response Time/Max Response Delay (in deciseconds) for
1105           IGMP/MLD queries sent by the bridge.
1106
1107           Format: uint64
1108
1109       multicast-query-use-ifaddr
1110           If enabled, the bridge's own IP address is used as the source
1111           address for IGMP queries; otherwise the default of 0.0.0.0 is used.
1112
1113           Format: boolean
1114
1115       multicast-router
1116           Sets bridge's multicast router. Multicast-snooping must be enabled
1117           for this option to work.
1118
1119           Supported values are: 'auto', 'disabled', 'enabled', to which the
1120           kernel assigns the numbers 1, 0, and 2, respectively. If not
1121           specified the default value is 'auto' (1).
1122
1123           Format: string
1124
1125       multicast-snooping
1126           Alias: multicast-snooping
1127
1128           Controls whether IGMP snooping is enabled for this bridge. Note
1129           that if snooping was automatically disabled due to hash collisions,
1130           the system may refuse to enable the feature until the collisions
1131           are resolved.
1132
1133           Format: boolean
1134
1135       multicast-startup-query-count
1136           Set the number of IGMP queries to send during startup phase.
1137
1138           Format: uint32
1139
1140       multicast-startup-query-interval
1141           Sets the time (in deciseconds) between queries sent out at startup
1142           to determine membership information.
1143
1144           Format: uint64
1145
1146       priority
1147           Alias: priority
1148
1149           Sets the Spanning Tree Protocol (STP) priority for this bridge.
1150           Lower values are "better"; the lowest priority bridge will be
1151           elected the root bridge.
1152
1153           Format: uint32
1154
1155       stp
1156           Alias: stp
1157
1158           Controls whether Spanning Tree Protocol (STP) is enabled for this
1159           bridge.
1160
1161           Format: boolean
1162
1163       vlan-default-pvid
1164           The default PVID for the ports of the bridge, that is the VLAN id
1165           assigned to incoming untagged frames.
1166
1167           Format: uint32
1168
1169       vlan-filtering
1170           Control whether VLAN filtering is enabled on the bridge.
1171
1172           Format: boolean
1173
1174       vlan-protocol
1175           If specified, the protocol used for VLAN filtering.
1176
1177           Supported values are: '802.1Q', '802.1ad'. If not specified the
1178           default value is '802.1Q'.
1179
1180           Format: string
1181
1182       vlan-stats-enabled
1183           Controls whether per-VLAN stats accounting is enabled.
1184
1185           Format: boolean
1186
1187       vlans
1188           Array of bridge VLAN objects. In addition to the VLANs specified
1189           here, the bridge will also have the default-pvid VLAN configured by
1190           the bridge.vlan-default-pvid property.
1191
1192           In nmcli the VLAN list can be specified with the following syntax:
1193
1194           $vid [pvid] [untagged] [, $vid [pvid] [untagged]]...
1195
1196           where $vid is either a single id between 1 and 4094 or a range,
1197           represented as a pair of ids separated by a dash.
1198
1199           Format: array of vardict
1200
1201   bridge-port setting
1202       Bridge Port Settings.
1203
1204       Properties:
1205
1206       hairpin-mode
1207           Alias: hairpin
1208
1209           Enables or disables "hairpin mode" for the port, which allows
1210           frames to be sent back out through the port the frame was received
1211           on.
1212
1213           Format: boolean
1214
1215       path-cost
1216           Alias: path-cost
1217
1218           The Spanning Tree Protocol (STP) port cost for destinations via
1219           this port.
1220
1221           Format: uint32
1222
1223       priority
1224           Alias: priority
1225
1226           The Spanning Tree Protocol (STP) priority of this bridge port.
1227
1228           Format: uint32
1229
1230       vlans
1231           Array of bridge VLAN objects. In addition to the VLANs specified
1232           here, the port will also have the default-pvid VLAN configured on
1233           the bridge by the bridge.vlan-default-pvid property.
1234
1235           In nmcli the VLAN list can be specified with the following syntax:
1236
1237           $vid [pvid] [untagged] [, $vid [pvid] [untagged]]...
1238
1239           where $vid is either a single id between 1 and 4094 or a range,
1240           represented as a pair of ids separated by a dash.
1241
1242           Format: array of vardict
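
The VLAN list syntax used by bridge.vlans and bridge-port.vlans, as a Python parser. This is an added example, not NetworkManager's own parser. The id range 1 to 4094 and the keywords come from this page; rejecting "pvid" on a range, more than one "pvid" and overlapping ids are assumptions of the example, following from the PVID being the single VLAN id assigned to untagged ingress frames.

```python
import re

# One list entry: "$vid" or "$vid-$vid", then optional "pvid" / "untagged" keywords.
_ENTRY = re.compile(r"^(\d+)(?:-(\d+))?((?:\s+(?:pvid|untagged))*)$")
VID_MIN, VID_MAX = 1, 4094


def parse_vlans(spec):
    """Parse '$vid [pvid] [untagged] [, ...]' into a list of dicts.

    Raises ValueError on malformed or contradictory input.
    """
    vlans, seen, have_pvid = [], set(), False
    if not spec.strip():
        return vlans
    for raw in spec.split(","):
        entry = raw.strip()
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed VLAN entry: {entry!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        words = m.group(3).split()
        if len(words) != len(set(words)):
            raise ValueError(f"repeated keyword in {entry!r}")
        if not VID_MIN <= start <= end <= VID_MAX:
            raise ValueError(f"VLAN id out of range or reversed in {entry!r}")
        pvid = "pvid" in words
        # Assumed checks (stricter than the syntax line on this page):
        if pvid and start != end:
            raise ValueError(f"a range cannot be the PVID: {entry!r}")
        if pvid and have_pvid:
            raise ValueError("more than one PVID in the list")
        ids = set(range(start, end + 1))
        if ids & seen:
            raise ValueError(f"VLAN ids listed twice: {sorted(ids & seen)}")
        seen |= ids
        have_pvid = have_pvid or pvid
        vlans.append({"vid_start": start, "vid_end": end,
                      "pvid": pvid, "untagged": "untagged" in words})
    return vlans


def is_valid(spec):
    """True if parse_vlans() accepts the list."""
    try:
        parse_vlans(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed input.
    for vlan in parse_vlans("10 pvid untagged, 20-29, 100 untagged"):
        print(vlan)
```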
1243
1244   cdma setting
1245       CDMA-based Mobile Broadband Settings.
1246
1247       Properties:
1248
1249       mtu
1250           If non-zero, only transmit packets of the specified size or
1251           smaller, breaking larger packets up into multiple frames.
1252
1253           Format: uint32
1254
1255       number
1256           The number to dial to establish the connection to the CDMA-based
1257           mobile broadband network, if any. If not specified, the default
1258           number (#777) is used when required.
1259
1260           Format: string
1261
1262       password
1263           Alias: password
1264
1265           The password used to authenticate with the network, if required.
1266           Many providers do not require a password, or accept any password.
1267           But if a password is required, it is specified here.
1268
1269           Format: string
1270
1271       password-flags
1272           Flags indicating how to handle the "password" property.
1273
1274           Format: NMSettingSecretFlags (uint32)
1275
1276       username
1277           Alias: user
1278
1279           The username used to authenticate with the network, if required.
1280           Many providers do not require a username, or accept any username.
1281           But if a username is required, it is specified here.
1282
1283           Format: string
1284
1285   dcb setting
1286       Data Center Bridging Settings.
1287
1288       Properties:
1289
1290       app-fcoe-flags
1291           Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1292           may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1293           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1294           NM_SETTING_DCB_FLAG_WILLING (0x4).
1295
1296           Format: NMSettingDcbFlags (uint32)
1297
1298       app-fcoe-mode
1299           The FCoE controller mode; either "fabric" or "vn2vn".
1300
1301           Since 1.34, NULL is the default and means "fabric". Before 1.34,
1302           NULL was rejected as invalid and the default was "fabric".
1303
1304           Format: string
1305
1306       app-fcoe-priority
1307           The highest User Priority (0 - 7) which FCoE frames should use, or
1308           -1 for default priority. Only used when the "app-fcoe-flags"
1309           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1310
1311           Format: int32
1312
1313       app-fip-flags
1314           Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1315           may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1316           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1317           NM_SETTING_DCB_FLAG_WILLING (0x4).
1318
1319           Format: NMSettingDcbFlags (uint32)
1320
1321       app-fip-priority
1322           The highest User Priority (0 - 7) which FIP frames should use, or
1323           -1 for default priority. Only used when the "app-fip-flags"
1324           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1325
1326           Format: int32
1327
1328       app-iscsi-flags
1329           Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1330           Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1331           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1332           NM_SETTING_DCB_FLAG_WILLING (0x4).
1333
1334           Format: NMSettingDcbFlags (uint32)
1335
1336       app-iscsi-priority
1337           The highest User Priority (0 - 7) which iSCSI frames should use, or
1338           -1 for default priority. Only used when the "app-iscsi-flags"
1339           property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1340
1341           Format: int32
1342
1343       priority-bandwidth
1344           An array of 8 uint values, where the array index corresponds to the
1345           User Priority (0 - 7) and the value indicates the percentage of
1346           bandwidth of the priority's assigned group that the priority may
1347           use. The sum of all percentages for priorities which belong to the
1348           same group must total 100 percent.
1349
1350           Format: array of uint32
1351
1352       priority-flow-control
1353           An array of 8 boolean values, where the array index corresponds to
1354           the User Priority (0 - 7) and the value indicates whether or not
1355           the corresponding priority should transmit priority pause.
1356
1357           Format: array of uint32
1358
1359       priority-flow-control-flags
1360           Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1361           (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1362           (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1363           NM_SETTING_DCB_FLAG_WILLING (0x4).
1364
1365           Format: NMSettingDcbFlags (uint32)
1366
1367       priority-group-bandwidth
1368           An array of 8 uint values, where the array index corresponds to the
1369           Priority Group ID (0 - 7) and the value indicates the percentage of
1370           link bandwidth allocated to that group. Allowed values are 0 - 100,
1371           and the sum of all values must total 100 percent.
1372
1373           Format: array of uint32
1374
1375       priority-group-flags
1376           Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1377           be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1378           NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1379           NM_SETTING_DCB_FLAG_WILLING (0x4).
1380
1381           Format: NMSettingDcbFlags (uint32)
1382
1383       priority-group-id
1384           An array of 8 uint values, where the array index corresponds to the
1385           User Priority (0 - 7) and the value indicates the Priority Group
1386           ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1387           unrestricted group.
1388
1389           Format: array of uint32
1390
1391       priority-strict-bandwidth
1392           An array of 8 boolean values, where the array index corresponds to
1393           the User Priority (0 - 7) and the value indicates whether or not
1394           the priority may use all of the bandwidth allocated to its assigned
1395           group.
1396
1397           Format: array of uint32
1398
1399       priority-traffic-class
1400           An array of 8 uint values, where the array index corresponds to the
1401           User Priority (0 - 7) and the value indicates the traffic class (0
1402           - 7) to which the priority is mapped.
1403
1404           Format: array of uint32
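
The three DCB arrays priority-group-id, priority-group-bandwidth and priority-bandwidth constrain each other. The Python check below is an added example, not NetworkManager's own validation, and applies the rules as worded on this page. Skipping the per-group sum for the unrestricted group (15) and for groups with no priorities assigned is an assumption of the example.

```python
UNRESTRICTED_GROUP = 15

# Constructed sample: priorities 0-3 in group 0, 4-6 in group 1, 7 unrestricted.
SAMPLE_GROUP_ID = [0, 0, 0, 0, 1, 1, 1, 15]
SAMPLE_GROUP_BANDWIDTH = [60, 40, 0, 0, 0, 0, 0, 0]
SAMPLE_PRIORITY_BANDWIDTH = [25, 25, 25, 25, 50, 25, 25, 0]


def validate_dcb(group_id, group_bandwidth, priority_bandwidth):
    """Return a list of error strings; an empty list means the arrays agree."""
    errors = []
    for name, arr in (("priority-group-id", group_id),
                      ("priority-group-bandwidth", group_bandwidth),
                      ("priority-bandwidth", priority_bandwidth)):
        if len(arr) != 8:
            errors.append(f"{name}: expected 8 values, got {len(arr)}")
    if errors:
        return errors

    # Each User Priority maps to Priority Group 0 - 7, or 15 for unrestricted.
    for prio, gid in enumerate(group_id):
        if not (0 <= gid <= 7 or gid == UNRESTRICTED_GROUP):
            errors.append(f"priority-group-id[{prio}]: invalid group {gid}")

    # Link bandwidth is split across the groups and must be fully allocated.
    if any(not 0 <= v <= 100 for v in group_bandwidth):
        errors.append("priority-group-bandwidth: values must be 0 - 100")
    if sum(group_bandwidth) != 100:
        errors.append(
            f"priority-group-bandwidth: sum is {sum(group_bandwidth)}, not 100")

    # Within one group, the member priorities share that group's bandwidth.
    for gid in range(8):
        members = [p for p in range(8) if group_id[p] == gid]
        total = sum(priority_bandwidth[p] for p in members)
        if members and total != 100:
            errors.append(
                f"priority-bandwidth: group {gid} (priorities {members}) "
                f"sums to {total}, not 100")
    return errors


if __name__ == "__main__":
    print(validate_dcb(SAMPLE_GROUP_ID, SAMPLE_GROUP_BANDWIDTH,
                       SAMPLE_PRIORITY_BANDWIDTH))
```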
1405
1406   ethtool setting
1407       Ethtool Ethernet Settings.
1408
1409       Properties:
1410
1411       coalesce-adaptive-rx
1412
1413       coalesce-adaptive-tx
1414
1415       coalesce-pkt-rate-high
1416
1417       coalesce-pkt-rate-low
1418
1419       coalesce-rx-frames
1420
1421       coalesce-rx-frames-high
1422
1423       coalesce-rx-frames-irq
1424
1425       coalesce-rx-frames-low
1426
1427       coalesce-rx-usecs
1428
1429       coalesce-rx-usecs-high
1430
1431       coalesce-rx-usecs-irq
1432
1433       coalesce-rx-usecs-low
1434
1435       coalesce-sample-interval
1436
1437       coalesce-stats-block-usecs
1438
1439       coalesce-tx-frames
1440
1441       coalesce-tx-frames-high
1442
1443       coalesce-tx-frames-irq
1444
1445       coalesce-tx-frames-low
1446
1447       coalesce-tx-usecs
1448
1449       coalesce-tx-usecs-high
1450
1451       coalesce-tx-usecs-irq
1452
1453       coalesce-tx-usecs-low
1454
1455       feature-esp-hw-offload
1456
1457       feature-esp-tx-csum-hw-offload
1458
1459       feature-fcoe-mtu
1460
1461       feature-gro
1462
1463       feature-gso
1464
1465       feature-highdma
1466
1467       feature-hw-tc-offload
1468
1469       feature-l2-fwd-offload
1470
1471       feature-loopback
1472
1473       feature-lro
1474
1475       feature-macsec-hw-offload
1476
1477       feature-ntuple
1478
1479       feature-rx
1480
1481       feature-rx-all
1482
1483       feature-rx-fcs
1484
1485       feature-rx-gro-hw
1486
1487       feature-rx-gro-list
1488
1489       feature-rx-udp-gro-forwarding
1490
1491       feature-rx-udp_tunnel-port-offload
1492
1493       feature-rx-vlan-filter
1494
1495       feature-rx-vlan-stag-filter
1496
1497       feature-rx-vlan-stag-hw-parse
1498
1499       feature-rxhash
1500
1501       feature-rxvlan
1502
1503       feature-sg
1504
1505       feature-tls-hw-record
1506
1507       feature-tls-hw-rx-offload
1508
1509       feature-tls-hw-tx-offload
1510
1511       feature-tso
1512
1513       feature-tx
1514
1515       feature-tx-checksum-fcoe-crc
1516
1517       feature-tx-checksum-ip-generic
1518
1519       feature-tx-checksum-ipv4
1520
1521       feature-tx-checksum-ipv6
1522
1523       feature-tx-checksum-sctp
1524
1525       feature-tx-esp-segmentation
1526
1527       feature-tx-fcoe-segmentation
1528
1529       feature-tx-gre-csum-segmentation
1530
1531       feature-tx-gre-segmentation
1532
1533       feature-tx-gso-list
1534
1535       feature-tx-gso-partial
1536
1537       feature-tx-gso-robust
1538
1539       feature-tx-ipxip4-segmentation
1540
1541       feature-tx-ipxip6-segmentation
1542
1543       feature-tx-nocache-copy
1544
1545       feature-tx-scatter-gather
1546
1547       feature-tx-scatter-gather-fraglist
1548
1549       feature-tx-sctp-segmentation
1550
1551       feature-tx-tcp-ecn-segmentation
1552
1553       feature-tx-tcp-mangleid-segmentation
1554
1555       feature-tx-tcp-segmentation
1556
1557       feature-tx-tcp6-segmentation
1558
1559       feature-tx-tunnel-remcsum-segmentation
1560
1561       feature-tx-udp-segmentation
1562
1563       feature-tx-udp_tnl-csum-segmentation
1564
1565       feature-tx-udp_tnl-segmentation
1566
1567       feature-tx-vlan-stag-hw-insert
1568
1569       feature-txvlan
1570
1571       pause-autoneg
1572
1573       pause-rx
1574
1575       pause-tx
1576
1577       ring-rx
1578
1579       ring-rx-jumbo
1580
1581       ring-rx-mini
1582
1583       ring-tx
1584
1585   gsm setting
1586       GSM-based Mobile Broadband Settings.
1587
1588       Properties:
1589
1590       apn
1591           Alias: apn
1592
1593           The GPRS Access Point Name specifying the APN used when
1594           establishing a data session with the GSM-based network. The APN
1595           often determines how the user will be billed for their network
1596           usage and whether the user has access to the Internet or just a
1597           provider-specific walled-garden, so it is important to use the
1598           correct APN for the user's mobile broadband plan. The APN may only
1599           be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1600           Section 14.9.
1601
1602           Format: string
1603
1604       auto-config
1605           When TRUE, the settings such as APN, username, or password will
1606           default to values that match the network the modem will register to
1607           in the Mobile Broadband Provider database.
1608
1609           Format: boolean
1610
1611       device-id
1612           The device unique identifier (as given by the WWAN management
1613           service) which this connection applies to. If given, the connection
1614           will only apply to the specified device.
1615
1616           Format: string
1617
1618       home-only
1619           When TRUE, only connections to the home network will be allowed.
1620           Connections to roaming networks will not be made.
1621
1622           Format: boolean
1623
1624       mtu
1625           If non-zero, only transmit packets of the specified size or
1626           smaller, breaking larger packets up into multiple frames.
1627
1628           Format: uint32
1629
1630       network-id
1631           The Network ID (GSM LAI format, i.e. MCC-MNC) to force specific
1632           network registration. If the Network ID is specified,
1633           NetworkManager will attempt to force the device to register only on
1634           the specified network. This can be used to ensure that the device
1635           does not roam when direct roaming control of the device is not
1636           otherwise possible.
1637
1638           Format: string
1639
1640       number
1641           Legacy setting that used to help establish PPP data sessions for
1642           GSM-based modems. This property is deprecated.
1643
1644           Format: string
1645
1646       password
1647           Alias: password
1648
1649           The password used to authenticate with the network, if required.
1650           Many providers do not require a password, or accept any password.
1651           But if a password is required, it is specified here.
1652
1653           Format: string
1654
1655       password-flags
1656           Flags indicating how to handle the "password" property.
1657
1658           Format: NMSettingSecretFlags (uint32)
1659
1660       pin
1661           If the SIM is locked with a PIN it must be unlocked before any
1662           other operations are requested. Specify the PIN here to allow
1663           operation of the device.
1664
1665           Format: string
1666
1667       pin-flags
1668           Flags indicating how to handle the "pin" property.
1669
1670           Format: NMSettingSecretFlags (uint32)
1671
1672       sim-id
1673           The SIM card unique identifier (as given by the WWAN management
1674           service) which this connection applies to. If given, the connection
1675           will apply to any device also allowed by "device-id" which contains
1676           a SIM card matching the given identifier.
1677
1678           Format: string
1679
1680       sim-operator-id
1681           A MCC/MNC string like "310260" or "21601" identifying the specific
1682           mobile network operator which this connection applies to. If given,
1683           the connection will apply to any device also allowed by "device-id"
1684           and "sim-id" which contains a SIM card provisioned by the given
1685           operator.
1686
1687           Format: string
1688
1689       username
1690           Alias: user
1691
1692           The username used to authenticate with the network, if required.
1693           Many providers do not require a username, or accept any username.
1694           But if a username is required, it is specified here.
1695
1696           Format: string
1697
1698   infiniband setting
1699       Infiniband Settings.
1700
1701       Properties:
1702
1703       mac-address
1704           Alias: mac
1705
1706           If specified, this connection will only apply to the IPoIB device
1707           whose permanent MAC address matches. This property does not change
1708           the MAC address of the device (i.e. MAC spoofing).
1709
1710           Format: byte array
1711
1712       mtu
1713           Alias: mtu
1714
1715           If non-zero, only transmit packets of the specified size or
1716           smaller, breaking larger packets up into multiple frames.
1717
1718           Format: uint32
1719
1720       p-key
1721           Alias: p-key
1722
1723           The InfiniBand P_Key to use for this device. A value of -1 means to
1724           use the default P_Key (aka "the P_Key at index 0"). Otherwise, it
1725           is a 16-bit unsigned integer, whose high bit is set if it is a
1726           "full membership" P_Key.
1727
1728           Format: int32
1729
1730       parent
1731           Alias: parent
1732
1733           The interface name of the parent device of this device. Normally
1734           NULL, but if the "p_key" property is set, then you must specify the
1735           base device by setting either this property or "mac-address".
1736
1737           Format: string
1738
1739       transport-mode
1740           Alias: transport-mode
1741
1742           The IP-over-InfiniBand transport mode. Either "datagram" or
1743           "connected".
1744
1745           Format: string
1746
1747   ipv4 setting
1748       IPv4 Settings.
1749
1750       Properties:
1751
1752       addresses
1753           Alias: ip4
1754
1755           Array of IP addresses.
1756
1757           Format: a comma separated list of addresses
1758
1759       dad-timeout
1760           Timeout in milliseconds used to check for the presence of duplicate
1761           IP addresses on the network. If an address conflict is detected,
1762           the activation will fail. A zero value means that no duplicate
1763           address detection is performed, -1 means the default value (either
1764           configuration ipvx.dad-timeout override or zero). A value greater
1765           than zero is a timeout in milliseconds.
1766
1767           The property is currently implemented only for IPv4.
1768
1769           Format: int32
1770
1771       dhcp-client-id
1772           A string sent to the DHCP server to identify the local machine
1773           which the DHCP server may use to customize the DHCP lease and
1774           options. When the property is a hex string ('aa:bb:cc') it is
1775           interpreted as a binary client ID, in which case the first byte is
1776           assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1777           remaining bytes may be a hardware address (e.g.
1778           '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1779           rest is a MAC address). If the property is not a hex string it is
1780           considered as a non-hardware-address client ID and the 'type' field
1781           is set to 0.
1782
1783           The special values "mac" and "perm-mac" are supported, which use
1784           the current or permanent MAC address of the device to generate a
1785           client identifier with type ethernet (01). Currently, these options
1786           only work for ethernet type of links.
1787
1788           The special value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid"
1789           property as an RFC4361-compliant client identifier. As IAID it uses
1790           "ipv4.dhcp-iaid" and falls back to "ipv6.dhcp-iaid" if unset.
1791
1792           The special value "duid" generates a RFC4361-compliant client
1793           identifier based on "ipv4.dhcp-iaid" and uses a DUID generated by
1794           hashing /etc/machine-id.
1795
1796           The special value "stable" is supported to generate a type 0 client
1797           identifier based on the stable-id (see connection.stable-id) and a
1798           per-host key. If you set the stable-id, you may want to include the
1799           "${DEVICE}" or "${MAC}" specifier to get a per-device key.
1800
1801           If unset, a globally configured default is used. If still unset,
1802           the default depends on the DHCP plugin.
1803
1804           Format: string
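
How the dhcp-client-id forms described above map to the bytes of the DHCPv4 Client-identifier option (code 61, RFC 2132 section 9.14), as an added example that is not NetworkManager's code. The function names, the sample MAC address and the rule that only colon-separated byte pairs count as a hex string are assumptions of this sketch; the "ipv6-duid", "duid" and "stable" forms depend on host state and are not modelled.

```python
import re

OPTION_CLIENT_ID = 61  # DHCPv4 Client-identifier option, RFC 2132 section 9.14

# Assumption of this sketch: a "hex string" is two or more colon-separated
# byte pairs such as 'aa:bb:cc'. NetworkManager's parser may accept more forms.
HEX_ID = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+$")

# Special values that need the DUID, the IAID or the per-host key.
DERIVED = ("ipv6-duid", "duid", "stable")


def mac_to_bytes(mac):
    """Convert 'aa:bb:cc:dd:ee:ff' to six raw bytes."""
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("expected a 6-byte Ethernet address: %r" % mac)
    return raw


def client_id_bytes(value, current_mac=None, permanent_mac=None):
    """Return the client identifier (type byte + data) for a property value."""
    if value in DERIVED:
        raise ValueError("%r is derived from host state, not modelled here" % value)
    if value in ("mac", "perm-mac"):
        mac = current_mac if value == "mac" else permanent_mac
        if mac is None:
            raise ValueError("%r needs the device MAC address" % value)
        return b"\x01" + mac_to_bytes(mac)        # type 01 = Ethernet
    if HEX_ID.match(value):
        # Binary client ID: the first byte is taken as the 'type' field.
        return bytes.fromhex(value.replace(":", ""))
    # Anything else is a non-hardware-address ID with the 'type' field set to 0.
    # UTF-8 encoding of the text is an assumption of this sketch.
    return b"\x00" + value.encode("utf-8")


def option_61(value, current_mac=None, permanent_mac=None):
    """Encode the option as it appears in a DHCP packet: code, length, data."""
    data = client_id_bytes(value, current_mac, permanent_mac)
    if len(data) > 255:
        raise ValueError("client identifier does not fit in one option")
    return bytes([OPTION_CLIENT_ID, len(data)]) + data


def exposes_mac(client_id, mac):
    """True if the identifier is type 01 followed by exactly this MAC."""
    return client_id[:1] == b"\x01" and client_id[1:] == mac_to_bytes(mac)


SAMPLE_MAC = "02:00:5e:10:20:30"  # constructed, locally administered address

if __name__ == "__main__":
    for setting in ("mac", "01:02:00:5e:10:20:30", "lab-host-7"):
        cid = client_id_bytes(setting, current_mac=SAMPLE_MAC)
        print("%-22s %-24s exposes MAC: %s"
              % (setting, cid.hex(":"), exposes_mac(cid, SAMPLE_MAC)))
```

A type-01 identifier hands the DHCP server the hardware address itself, which is what an audit of profiles using "mac", "perm-mac" or a hand-written '01:...' value would look for.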
1805
1806       dhcp-fqdn
1807           If the "dhcp-send-hostname" property is TRUE, then the specified
1808           FQDN will be sent to the DHCP server when acquiring a lease. This
1809           property and "dhcp-hostname" are mutually exclusive and cannot be
1810           set at the same time.
1811
1812           Format: string
1813
1814       dhcp-hostname
1815           If the "dhcp-send-hostname" property is TRUE, then the specified
1816           name will be sent to the DHCP server when acquiring a lease. This
1817           property and "dhcp-fqdn" are mutually exclusive and cannot be set
1818           at the same time.
1819
1820           Format: string
1821
1822       dhcp-hostname-flags
1823           Flags for the DHCP hostname and FQDN.
1824
1825           Currently, this property only includes flags to control the FQDN
1826           flags set in the DHCP FQDN option. Supported FQDN flags are
1827           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1828           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1829           NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1830           set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1831           DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1832           is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1833           the standard FQDN flags are set in the request:
1834           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1835           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1836           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6.
1837
1838           When this property is set to the default value
1839           NM_DHCP_HOSTNAME_FLAG_NONE (0x0), a global default is looked up in
1840           NetworkManager configuration. If that value is unset or also
1841           NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1842           described above are sent in the DHCP requests.
1843
1844           Format: uint32
1845
1846       dhcp-iaid
1847           A string containing the "Identity Association Identifier" (IAID)
1848           used by the DHCP client. The property is a 32-bit decimal value or
1849           a special value among "mac", "perm-mac", "ifname" and "stable".
1850           When set to "mac" (or "perm-mac"), the last 4 bytes of the current
1851           (or permanent) MAC address are used as IAID. When set to "ifname",
1852           the IAID is computed by hashing the interface name. The special
1853           value "stable" can be used to generate an IAID based on the
1854           stable-id (see connection.stable-id), a per-host key and the
1855           interface name. When the property is unset, the value from global
1856           configuration is used; if no global default is set then the IAID is
1857           assumed to be "ifname". Note that at the moment this property is
1858           ignored for IPv6 by dhclient, which always derives the IAID from
1859           the MAC address.
1860
1861           Format: string
1862
1863       dhcp-reject-servers
1864           Array of servers from which DHCP offers must be rejected. This
1865           property is useful to avoid getting a lease from misconfigured or
1866           rogue servers.
1867
1868           For DHCPv4, each element must be an IPv4 address, optionally
1869           followed by a slash and a prefix length (e.g. "192.168.122.0/24").
1870
1871           This property is currently not implemented for DHCPv6.
1872
1873           Format: array of string
1874
1875       dhcp-send-hostname
1876           If TRUE, a hostname is sent to the DHCP server when acquiring a
1877           lease. Some DHCP servers use this hostname to update DNS databases,
1878           essentially providing a static hostname for the computer. If the
1879           "dhcp-hostname" property is NULL and this property is TRUE, the
1880           current persistent hostname of the computer is sent.
1881
1882           Format: boolean
1883
1884       dhcp-timeout
1885           A timeout for a DHCP transaction in seconds. If zero (the default),
1886           a globally configured default is used. If still unspecified, a
1887           device specific timeout is used (usually 45 seconds).
1888
1889           Set to 2147483647 (MAXINT32) for infinity.
1890
1891           Format: int32
1892
1893       dhcp-vendor-class-identifier
1894           The Vendor Class Identifier DHCP option (60). Special characters in
1895           the data string may be escaped using C-style escapes, nevertheless
1896           this property cannot contain nul bytes. If the per-profile value is
1897           unspecified (the default), a global connection default gets
1898           consulted. If still unspecified, the DHCP option is not sent to the
1899           server.
1900
1901           Format: string
1902
1903       dns
1904           Array of IP addresses of DNS servers.
1905
1906           Format: array of uint32
1907
1908       dns-options
1909           Array of DNS options as described in man 5 resolv.conf.
1910
1911           NULL means that the options are unset and left at the default. In
1912           this case NetworkManager will use default options. This is distinct
1913           from an empty list of properties.
1914
1915           The currently supported options are "attempts", "debug", "edns0",
1916           "inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-check-names",
1917           "no-ip6-dotint", "no-reload", "no-tld-query", "rotate",
1918           "single-request", "single-request-reopen", "timeout", "trust-ad",
1919           "use-vc".
1920
1921           The "trust-ad" setting is only honored if the profile contributes
1922           name servers to resolv.conf, and if all contributing profiles have
1923           "trust-ad" enabled.
1924
1925           When using a caching DNS plugin (dnsmasq or systemd-resolved in
1926           NetworkManager.conf) then "edns0" and "trust-ad" are automatically
1927           added.
1928
1929           Format: array of string
1930
1931       dns-priority
1932           DNS servers priority.
1933
1934           The relative priority for DNS servers specified by this setting. A
1935           lower numerical value is better (higher priority).
1936
1937           Negative values have the special effect of excluding other
1938           configurations with a greater numerical priority value; so in
1939           presence of at least one negative priority, only DNS servers from
1940           connections with the lowest priority value will be used. To avoid
1941           all DNS leaks, set the priority of the profile that should be used
1942           to the most negative value of all active connection profiles.
1943
1944           Zero selects a globally configured default value. If the latter is
1945           missing or zero too, it defaults to 50 for VPNs (including
1946           WireGuard) and 100 for other connections.
1947
1948           Note that the priority is to order DNS settings for multiple active
1949           connections. It does not disambiguate multiple DNS servers within
1950           the same connection profile.
1951
1952           When multiple devices have configurations with the same priority,
1953           VPNs will be considered first, then devices with the best (lowest
1954           metric) default route and then all other devices.
1955
1956           When using dns=default, servers with higher priority will be on top
1957           of resolv.conf. To prioritize a given server over another one
1958           within the same connection, just specify them in the desired order.
1959           Note that commonly the resolver tries name servers in
1960           /etc/resolv.conf in the order listed, proceeding with the next
1961           server in the list on failure. See for example the "rotate" option
1962           of the dns-options setting. If there are any negative DNS
1963           priorities, then only name servers from the devices with that
1964           lowest priority will be considered.
1965
1966           When using a DNS resolver that supports Conditional Forwarding or
1967           Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each
1968           connection is used to query domains in its search list. The search
1969           domains determine which name servers to ask, and the DNS priority
1970           is used to prioritize name servers based on the domain. Queries for
1971           domains not present in any search list are routed through
1972           connections having the '~.' special wildcard domain, which is added
1973           automatically to connections with the default route (or can be
1974           added manually). When multiple connections specify the same domain,
1975           the one with the best priority (lowest numerical value) wins. If a
1976           sub domain is configured on another interface it will be accepted
1977           regardless of the priority, unless the parent domain on the other
1978           interface has a negative priority, which causes the sub domain to
1979           be shadowed. With Split DNS one can avoid undesired DNS leaks by
1980           properly configuring DNS priorities and the search domains, so that
1981           only name servers of the desired interface are configured.
1982
1983           Format: int32
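
A model of the dns-priority rules above for the plain resolv.conf case (dns=default), showing which active profiles still contribute name servers. This is an added example, not NetworkManager's code: ActiveProfile, the function names and the sample profiles and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

VPN_DEFAULT = 50     # page: default for VPNs (including WireGuard)
OTHER_DEFAULT = 100  # page: default for other connections


@dataclass
class ActiveProfile:
    """Constructed stand-in for an active profile; not a NetworkManager type."""
    name: str
    dns: List[str]
    dns_priority: int = 0                       # 0 selects the default
    is_vpn: bool = False
    default_route_metric: Optional[int] = None  # None: no default route


def effective_priority(p, global_default=0):
    """Resolve a zero priority to the global default, then to 50 or 100."""
    if p.dns_priority != 0:
        return p.dns_priority
    if global_default != 0:
        return global_default
    return VPN_DEFAULT if p.is_vpn else OTHER_DEFAULT


def contributing_profiles(profiles, global_default=0):
    """Profiles whose servers reach resolv.conf, in resolv.conf order."""
    def rank(p):
        no_route = p.default_route_metric is None
        return (
            effective_priority(p, global_default),      # lower value first
            not p.is_vpn,                               # ties: VPNs first
            no_route,                                   # then default-route devices
            0 if no_route else p.default_route_metric,  # lowest metric first
        )

    ranked = sorted(profiles, key=rank)
    if not ranked:
        return []
    lowest = effective_priority(ranked[0], global_default)
    if lowest < 0:
        # A negative priority excludes every configuration with a greater value.
        ranked = [p for p in ranked
                  if effective_priority(p, global_default) == lowest]
    return ranked


def resolv_conf_servers(profiles, global_default=0):
    """Name servers in the order they would be listed, duplicates dropped."""
    servers = []
    for p in contributing_profiles(profiles, global_default):
        for address in p.dns:          # order inside a profile is kept as given
            if address not in servers:
                servers.append(address)
    return servers


def leak_candidates(profiles, trusted, global_default=0):
    """Names of profiles other than `trusted` that still contribute servers."""
    return [p.name for p in contributing_profiles(profiles, global_default)
            if p.name != trusted]


# Constructed sample: a Wi-Fi uplink and a VPN, both left at priority 0.
WIFI = ActiveProfile("home-wifi", ["192.0.2.53"], default_route_metric=600)
VPN = ActiveProfile("corp-vpn", ["198.51.100.53"], is_vpn=True)

if __name__ == "__main__":
    print("defaults:   ", resolv_conf_servers([WIFI, VPN]),
          "leaks via", leak_candidates([WIFI, VPN], "corp-vpn"))
    hardened = ActiveProfile("corp-vpn", ["198.51.100.53"],
                             dns_priority=-10, is_vpn=True)
    print("vpn at -10: ", resolv_conf_servers([WIFI, hardened]),
          "leaks via", leak_candidates([WIFI, hardened], "corp-vpn"))
```

With both profiles at their defaults the Wi-Fi resolver stays in the list behind the VPN's; a negative value on the VPN profile removes it only while no other active profile is more negative.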
1984
1985       dns-search
1986           List of DNS search domains. Domains starting with a tilde ('~') are
1987           considered 'routing' domains and are used only to decide the
1988           interface over which a query must be forwarded; they are not used
1989           to complete unqualified host names.
1990
1991           When using a DNS plugin that supports Conditional Forwarding or
1992           Split DNS, then the search domains specify which name servers to
1993           query. This makes the behavior different from running with plain
1994           /etc/resolv.conf. For more information see also the dns-priority
1995           setting.
1996
1997           When set on a profile that also enables DHCP, the DNS search list
1998           received automatically (option 119 for DHCPv4 and option 24 for
1999           DHCPv6) gets merged with the manual list. This can be prevented by
2000           setting "ignore-auto-dns". Note that if no DNS searches are
2001           configured, the fallback will be derived from the domain from DHCP
2002           (option 15).
2003
2004           Format: array of string
2005
2006       gateway
2007           Alias: gw4
2008
2009           The gateway associated with this configuration. This is only
2010           meaningful if "addresses" is also set.
2011
2012           Setting the gateway causes NetworkManager to configure a standard
2013           default route with the gateway as next hop. This is ignored if
2014           "never-default" is set. An alternative is to configure the default
2015           route explicitly with a manual route and /0 as prefix length.
2016
2017           Note that the gateway usually conflicts with routing that
2018           NetworkManager configures for WireGuard interfaces, so usually it
2019           should not be set in that case. See "ip4-auto-default-route".
2020
2021           Format: string
2022
2023       ignore-auto-dns
2024           When "method" is set to "auto" and this property to TRUE,
2025           automatically configured name servers and search domains are
2026           ignored and only name servers and search domains specified in the
2027           "dns" and "dns-search" properties, if any, are used.
2028
2029           Format: boolean
2030
2031       ignore-auto-routes
2032           When "method" is set to "auto" and this property to TRUE,
2033           automatically configured routes are ignored and only routes
2034           specified in the "routes" property, if any, are used.
2035
2036           Format: boolean
2037
2038       link-local
2039           Enable and disable the IPv4 link-local configuration independently
2040           of the ipv4.method configuration. This allows a link-local address
2041           (169.254.x.y/16) to be obtained in addition to other addresses,
2042           such as those manually configured or obtained from a DHCP server.
2043
2044           When set to "auto", the value is dependent on "ipv4.method". When
2045           set to "default", it honors the global connection default, before
2046           falling back to "auto". Note that if "ipv4.method" is "disabled",
2047           then link local addressing is always disabled too. The default is
2048           "default".
2049
2050           Format: int32
2051
2052       may-fail
2053           If TRUE, allow overall network configuration to proceed even if the
2054           configuration specified by this property times out. Note that at
2055           least one IP configuration must succeed or overall network
2056           configuration will still fail. For example, in IPv6-only networks,
2057           setting this property to TRUE on the NMSettingIP4Config allows the
2058           overall network configuration to succeed if IPv4 configuration
2059           fails but IPv6 configuration completes successfully.
2060
2061           Format: boolean
2062
2063       method
2064           IP configuration method.
2065
2066           NMSettingIP4Config and NMSettingIP6Config both support "disabled",
2067           "auto", "manual", and "link-local". See the subclass-specific
2068           documentation for other values.
2069
2070           In general, for the "auto" method, properties such as "dns" and
2071           "routes" specify information that is added on to the information
2072           returned from automatic configuration. The "ignore-auto-routes" and
2073           "ignore-auto-dns" properties modify this behavior.
2074
2075           For methods that imply no upstream network, such as "shared" or
2076           "link-local", these properties must be empty.
2077
2078           For IPv4 method "shared", the IP subnet can be configured by adding
2079           one manual IPv4 address or otherwise 10.42.x.0/24 is chosen. Note
2080           that the shared method must be configured on the interface which
2081           shares the internet to a subnet, not on the uplink which is shared.
2082
2083           Format: string
2084
2085       never-default
2086           If TRUE, this connection will never be the default connection for
2087           this IP type, meaning it will never be assigned the default route
2088           by NetworkManager.
2089
2090           Format: boolean
2091
2092       required-timeout
2093           The minimum time interval in milliseconds for which dynamic IP
2094           configuration should be tried before the connection succeeds.
2095
2096           This property is useful for example if both IPv4 and IPv6 are
2097           enabled and are allowed to fail. Normally the connection succeeds
2098           as soon as one of the two address families completes; by setting a
2099           required timeout for e.g. IPv4, one can ensure that even if IPv6
2100           succeeds earlier than IPv4, NetworkManager waits some time for IPv4
2101           before the connection becomes active.
2102
2103           Note that if "may-fail" is FALSE for the same address family, this
2104           property has no effect as NetworkManager needs to wait for the full
2105           DHCP timeout.
2106
2107           A zero value means that no required timeout is present, -1 means
2108           the default value (either configuration ipvx.required-timeout
2109           override or zero).
2110
2111           Format: int32
2112
2113       route-metric
2114           The default metric for routes that don't explicitly specify a
2115           metric. The default value -1 means that the metric is chosen
2116           automatically based on the device type. The metric applies to
2117           dynamic routes, manual (static) routes that don't have an explicit
2118           metric setting, address prefix routes, and the default route. Note
2119           that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2120           (user default). Hence, setting this property to zero effectively
2121           means setting it to 1024. For IPv4, zero is a regular value for the
2122           metric.
2123
2124           Format: int64
2125
2126       route-table
2127           Enable policy routing (source routing) and set the routing table
2128           used when adding routes.
2129
2130           This affects all routes, including device-routes, IPv4LL, DHCP,
2131           SLAAC, default-routes and static routes. But note that static
2132           routes can individually overwrite the setting by explicitly
2133           specifying a non-zero routing table.
2134
2135           If the table setting is left at zero, it is eligible to be
2136           overwritten via global configuration. If the property is zero even
2137           after applying the global configuration value, policy routing is
2138           disabled for the address family of this connection.
2139
2140           Policy routing disabled means that NetworkManager will add all
2141           routes to the main table (except static routes that explicitly
2142           configure a different table). Additionally, NetworkManager will not
2143           delete any extraneous routes from tables except the main table.
2144           This is to preserve backward compatibility for users who manage
2145           routing tables outside of NetworkManager.
2146
2147           Format: uint32
2148
2149       routes
2150           A list of IPv4 destination addresses, prefix length, optional IPv4
2151           next hop addresses, optional route metric, optional attribute. The
2152           valid syntax is: "ip[/prefix] [next-hop] [metric]
2153           [attribute=val]...[,ip[/prefix]...]". For example "192.0.2.0/24
2154           10.1.1.1 77, 198.51.100.0/24".
2155
2156           Various attributes are supported:
2157
2158           •   "advmss" - an unsigned 32 bit integer.
2159
2160           •   "cwnd" - an unsigned 32 bit integer.
2161
2162           •   "initcwnd" - an unsigned 32 bit integer.
2163
2164           •   "initrwnd" - an unsigned 32 bit integer.
2165
2166           •   "lock-advmss" - a boolean value.
2167
2168           •   "lock-cwnd" - a boolean value.
2169
2170           •   "lock-initcwnd" - a boolean value.
2171
2172           •   "lock-initrwnd" - a boolean value.
2173
2174           •   "lock-mtu" - a boolean value.
2175
2176           •   "lock-window" - a boolean value.
2177
2178           •   "mtu" - an unsigned 32 bit integer.
2179
2180           •   "onlink" - a boolean value.
2181
2182           •   "quickack" - a boolean value.
2183
2184           •   "rto_min" - an unsigned 32 bit integer. The value is in
2185               milliseconds.
2186
2187           •   "scope" - an unsigned 8 bit integer. IPv4 only.
2188
2189           •   "src" - an IPv4 address.
2190
2191           •   "table" - an unsigned 32 bit integer. The default depends on
2192               ipv4.route-table.
2193
2194           •   "tos" - an unsigned 8 bit integer. IPv4 only.
2195
2196           •   "type" - one of unicast, local, blackhole, unavailable,
2197               prohibit, throw. The default is unicast.
2198
2199           •   "window" - an unsigned 32 bit integer.
2200
2201           For details see also `man ip-route`.
2202
2203           Format: a comma separated list of routes
2204
2205       routing-rules
2206           A comma separated list of routing rules for policy routing. The
2207           format is based on ip rule add syntax and mostly compatible. One
2208           difference is that routing rules in NetworkManager always need a
2209           fixed priority.
2210
2211           Example: priority 5 from 192.167.4.0/24 table 45
2212
2213           Format: a comma separated list of routing rules
2214
2215   ipv6 setting
2216       IPv6 Settings.
2217
2218       Properties:
2219
2220       addr-gen-mode
2221           Configure method for creating the address for use with RFC4862 IPv6
2222           Stateless Address Autoconfiguration. The permitted values are:
2223           NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0),
2224           NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1),
2225           NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_DEFAULT_OR_EUI64 (2) or
2226           NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_DEFAULT (3).
2227
2228           If the property is set to EUI64, the addresses will be generated
2229           using the interface tokens derived from the hardware address. This
2230           makes the host part of the address stay constant, making it
2231           possible to track the host's presence when it changes networks. The
2232           address changes when the interface hardware is replaced.
2233
2234           The value of stable-privacy enables use of a cryptographically secure
2235           hash of a secret host-specific key along with the connection's
2236           stable-id and the network address as specified by RFC7217. This
2237           makes it impossible to use the address to track the host's presence, and
2238           makes the address stable when the network interface hardware is
2239           replaced.
2240
2241           The special values "default" and "default-or-eui64" will fall back
2242           to the global connection default as documented in the
2243           NetworkManager.conf(5) manual. If the global default is not
2244           specified, the fallback value is "stable-privacy" or "eui64",
2245           respectively.
2246
2247           For libnm, the property defaults to "default" since 1.40.
2248           Previously it defaulted to "stable-privacy". On D-Bus, the absence
2249           of an addr-gen-mode setting equals "default". For keyfile plugin,
2250           the absence of the setting on disk means "default-or-eui64" so that
2251           the property doesn't change on upgrade from older versions.
2252
2253           Note that this setting is distinct from the Privacy Extensions as
2254           configured by "ip6-privacy" property and it does not affect the
2255           temporary addresses configured with this option.
2256
2257           Format: int32
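
Why EUI64 addresses are trackable and stable-privacy ones are not, as an added example rather than NetworkManager's code. The EUI-64 derivation is the standard one; stable_privacy_iid_sketch is only an RFC 7217-style illustration (HMAC-SHA256 over the prefix and stable-id with a host key), not the construction NetworkManager uses, and the MAC address, prefixes, stable-id and key are constructed values.

```python
import hashlib
import hmac
import ipaddress


def eui64_iid(mac):
    """Interface identifier derived from a 48-bit MAC (modified EUI-64)."""
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("expected a 6-byte MAC address: %r" % mac)
    # Flip the universal/local bit and insert ff:fe in the middle.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]


def stable_privacy_iid_sketch(prefix, stable_id, host_key, dad_counter=0):
    """RFC 7217-style identifier: keyed hash of prefix, stable-id and counter.

    Illustration only; the inputs and their layout are assumptions here.
    """
    net = ipaddress.IPv6Network(prefix)
    message = net.network_address.packed + stable_id.encode("utf-8")
    message += dad_counter.to_bytes(1, "big")
    return hmac.new(host_key, message, hashlib.sha256).digest()[:8]


def slaac_address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and an 8-byte identifier")
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big"))


def host_part(address):
    """Low 64 bits of an address: what an observer can correlate."""
    return int(address) & ((1 << 64) - 1)


# Constructed sample values.
MAC = "52:54:00:12:34:56"
HOME = "2001:db8:a::/64"
CAFE = "2001:db8:b::/64"
STABLE_ID = "constructed-stable-id"
HOST_KEY = b"constructed host key, normally secret"

if __name__ == "__main__":
    for net in (HOME, CAFE):
        print("eui64          ", slaac_address(net, eui64_iid(MAC)))
    for net in (HOME, CAFE):
        iid = stable_privacy_iid_sketch(net, STABLE_ID, HOST_KEY)
        print("stable-privacy ", slaac_address(net, iid))
```

The EUI64 host part is identical on both networks and embeds the MAC; the keyed-hash host part differs per network but repeats each time the same network is joined.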
2258
2259       addresses
2260           Alias: ip6
2261
2262           Array of IP addresses.
2263
2264           Format: a comma separated list of addresses
2265
2266       dhcp-duid
2267           A string containing the DHCPv6 Unique Identifier (DUID) used by the
2268           dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
2269           DUID is carried in the Client Identifier option. If the property is
2270           a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
2271           filled as an opaque value in the Client Identifier option.
2272
2273           The special value "lease" will retrieve the DUID previously used
2274           from the lease file belonging to the connection. If no DUID is
2275           found and "dhclient" is the configured dhcp client, the DUID is
2276           searched in the system-wide dhclient lease file. If still no DUID
2277           is found, or another dhcp client is used, a global and permanent
2278           DUID-UUID (RFC 6355) will be generated based on the machine-id.
2279
2280           The special values "llt" and "ll" will generate a DUID of type LLT
2281           or LL (see RFC 3315) based on the current MAC address of the
2282           device. In order to try providing a stable DUID-LLT, the time field
2283           will contain a constant timestamp that is used globally (for all
2284           profiles) and persisted to disk.
2285
2286           The special values "stable-llt", "stable-ll" and "stable-uuid" will
2287           generate a DUID of the corresponding type, derived from the
2288           connection's stable-id and a per-host unique key. You may want to
2289           include the "${DEVICE}" or "${MAC}" specifier in the stable-id, in
2290           case this profile gets activated on multiple devices. So, the
2291           link-layer address of "stable-ll" and "stable-llt" will be a
2292           generated address derived from the stable id. The DUID-LLT time
2293           value in the "stable-llt" option will be picked among a static
2294           timespan of three years (the upper bound of the interval is the
2295           same constant timestamp used in "llt").
2296
2297           When the property is unset, the global value provided for
2298           "ipv6.dhcp-duid" is used. If no global value is provided, the
2299           default "lease" value is assumed.
2300
2301           Format: string
2302
2303       dhcp-hostname
2304           If the "dhcp-send-hostname" property is TRUE, then the specified
2305           name will be sent to the DHCP server when acquiring a lease. This
2306           property and "dhcp-fqdn" are mutually exclusive and cannot be set
2307           at the same time.
2308
2309           Format: string
2310
2311       dhcp-hostname-flags
2312           Flags for the DHCP hostname and FQDN.
2313
2314           Currently, this property only includes flags to control the FQDN
2315           flags set in the DHCP FQDN option. Supported FQDN flags are
2316           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2317           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
2318           NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
2319           set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
2320           DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
2321           is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
2322           the standard FQDN flags are set in the request:
2323           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2324           NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
2325           NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6.
2326
2327           When this property is set to the default value
2328           NM_DHCP_HOSTNAME_FLAG_NONE (0x0), a global default is looked up in
2329           NetworkManager configuration. If that value is unset or also
2330           NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
2331           described above are sent in the DHCP requests.
2332
2333           Format: uint32
2334
2335       dhcp-iaid
2336           A string containing the "Identity Association Identifier" (IAID)
2337           used by the DHCP client. The property is a 32-bit decimal value or
2338           a special value among "mac", "perm-mac", "ifname" and "stable".
2339           When set to "mac" (or "perm-mac"), the last 4 bytes of the current
2340           (or permanent) MAC address are used as IAID. When set to "ifname",
2341           the IAID is computed by hashing the interface name. The special
2342           value "stable" can be used to generate an IAID based on the
2343           stable-id (see connection.stable-id), a per-host key and the
2344           interface name. When the property is unset, the value from global
2345           configuration is used; if no global default is set then the IAID is
2346           assumed to be "ifname". Note that at the moment this property is
2347           ignored for IPv6 by dhclient, which always derives the IAID from
2348           the MAC address.
2349
2350           Format: string
2351
2352       dhcp-send-hostname
2353           If TRUE, a hostname is sent to the DHCP server when acquiring a
2354           lease. Some DHCP servers use this hostname to update DNS databases,
2355           essentially providing a static hostname for the computer. If the
2356           "dhcp-hostname" property is NULL and this property is TRUE, the
2357           current persistent hostname of the computer is sent.
2358
2359           Format: boolean
2360
2361       dhcp-timeout
2362           A timeout for a DHCP transaction in seconds. If zero (the default),
2363           a globally configured default is used. If still unspecified, a
2364           device specific timeout is used (usually 45 seconds).
2365
2366           Set to 2147483647 (MAXINT32) for infinity.
2367
2368           Format: int32
2369
2370       dns
2371           Array of IP addresses of DNS servers.
2372
2373           Format: array of byte array
2374
2375       dns-options
2376           Array of DNS options as described in man 5 resolv.conf.
2377
2378           NULL means that the options are unset and left at the default. In
2379           this case NetworkManager will use default options. This is distinct
2380           from an empty list of properties.
2381
2382           The currently supported options are "attempts", "debug", "edns0",
2383           "inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-check-names",
2384           "no-ip6-dotint", "no-reload", "no-tld-query", "rotate",
2385           "single-request", "single-request-reopen", "timeout", "trust-ad",
2386           "use-vc".
2387
2388           The "trust-ad" setting is only honored if the profile contributes
2389           name servers to resolv.conf, and if all contributing profiles have
2390           "trust-ad" enabled.
2391
2392           When using a caching DNS plugin (dnsmasq or systemd-resolved in
2393           NetworkManager.conf) then "edns0" and "trust-ad" are automatically
2394           added.
2395
2396           Format: array of string
2397
2398       dns-priority
2399           DNS servers priority.
2400
2401           The relative priority for DNS servers specified by this setting. A
2402           lower numerical value is better (higher priority).
2403
2404           Negative values have the special effect of excluding other
2405           configurations with a greater numerical priority value; so in
2406           presence of at least one negative priority, only DNS servers from
2407           connections with the lowest priority value will be used. To avoid
2408           all DNS leaks, set the priority of the profile that should be used
2409           to the most negative value of all active connection profiles.
2410
2411           Zero selects a globally configured default value. If the latter is
2412           missing or zero too, it defaults to 50 for VPNs (including
2413           WireGuard) and 100 for other connections.
2414
2415           Note that the priority is to order DNS settings for multiple active
2416           connections. It does not disambiguate multiple DNS servers within
2417           the same connection profile.
2418
2419           When multiple devices have configurations with the same priority,
2420           VPNs will be considered first, then devices with the best (lowest
2421           metric) default route and then all other devices.
2422
2423           When using dns=default, servers with higher priority will be on top
2424           of resolv.conf. To prioritize a given server over another one
2425           within the same connection, just specify them in the desired order.
2426           Note that commonly the resolver tries name servers in
2427           /etc/resolv.conf in the order listed, proceeding with the next
2428           server in the list on failure. See for example the "rotate" option
2429           of the dns-options setting. If there are any negative DNS
2430           priorities, then only name servers from the devices with that
2431           lowest priority will be considered.
2432
2433           When using a DNS resolver that supports Conditional Forwarding or
2434           Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each
2435           connection is used to query domains in its search list. The search
2436           domains determine which name servers to ask, and the DNS priority
2437           is used to prioritize name servers based on the domain. Queries for
2438           domains not present in any search list are routed through
2439           connections having the '~.' special wildcard domain, which is added
2440           automatically to connections with the default route (or can be
2441           added manually). When multiple connections specify the same domain,
2442           the one with the best priority (lowest numerical value) wins. If a
2443           sub domain is configured on another interface it will be accepted
2444           regardless of the priority, unless the parent domain on the other
2445           interface has a negative priority, which causes the sub domain to
2446           be shadowed. With Split DNS one can avoid undesired DNS leaks by
2447           properly configuring DNS priorities and the search domains, so that
2448           only name servers of the desired interface are configured.
2449
2450           Format: int32
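
The dns-priority rules above for plain resolv.conf (dns=default), written as a small model that can be used to check a set of active profiles for DNS leaks. This is an added example, not NetworkManager code: the ActiveProfile class, the function names, the single integer global default and the sample profiles are all assumptions made for illustration, and Split DNS is not modelled.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

VPN_DEFAULT_PRIORITY = 50     # documented default for VPNs (including WireGuard)
OTHER_DEFAULT_PRIORITY = 100  # documented default for other connections


@dataclass
class ActiveProfile:
    """Hypothetical view of one active connection profile."""
    name: str
    servers: List[str]
    dns_priority: int = 0                       # 0 selects the global default
    is_vpn: bool = False
    default_route_metric: Optional[int] = None  # None: no default route


def effective_priority(profile, global_default=0):
    """Resolve 0 to the global default, then to the built-in 50/100."""
    if profile.dns_priority != 0:
        return profile.dns_priority
    if global_default != 0:
        return global_default
    return VPN_DEFAULT_PRIORITY if profile.is_vpn else OTHER_DEFAULT_PRIORITY


def _tie_break(profile):
    """Same priority: VPNs, then best default route metric, then the rest."""
    if profile.is_vpn:
        return (0, 0)
    if profile.default_route_metric is not None:
        return (1, profile.default_route_metric)
    return (2, 0)


def contributing_profiles(profiles, global_default=0):
    """Profiles whose name servers are used, best first."""
    if not profiles:
        return []
    ranked = [(effective_priority(p, global_default), p) for p in profiles]
    lowest = min(prio for prio, _ in ranked)
    if lowest < 0:
        # At least one negative priority: only the lowest value survives.
        ranked = [(prio, p) for prio, p in ranked if prio == lowest]
    ranked.sort(key=lambda item: (item[0], _tie_break(item[1])))
    return [p for _, p in ranked]


def nameserver_order(profiles, global_default=0):
    """Name servers in the order they would be listed, duplicates dropped."""
    ordered = []
    for profile in contributing_profiles(profiles, global_default):
        for server in profile.servers:
            if server not in ordered:
                ordered.append(server)
    return ordered


def leaking_profiles(profiles, trusted, global_default=0):
    """Names of profiles other than `trusted` that still supply name servers."""
    return [p.name for p in contributing_profiles(profiles, global_default)
            if p.name != trusted]


def exclusive_priority(profiles, trusted, global_default=0):
    """A value more negative than every other active profile's priority."""
    others = [effective_priority(p, global_default)
              for p in profiles if p.name != trusted]
    return min(others + [0]) - 1


def with_priority(profiles, name, priority):
    """Copy of `profiles` with dns-priority changed on one profile."""
    return [replace(p, dns_priority=priority) if p.name == name else p
            for p in profiles]


# Constructed sample data (documentation address range 2001:db8::/32).
SAMPLE = [
    ActiveProfile("wlan-home", ["2001:db8:c::53"], default_route_metric=600),
    ActiveProfile("eth-office", ["2001:db8:b::53"], default_route_metric=100),
    ActiveProfile("vpn-corp", ["2001:db8:a::53"], is_vpn=True),
]

if __name__ == "__main__":
    print("before:", nameserver_order(SAMPLE),
          "leaking:", leaking_profiles(SAMPLE, "vpn-corp"))
    fixed = with_priority(SAMPLE, "vpn-corp",
                          exclusive_priority(SAMPLE, "vpn-corp"))
    print("after: ", nameserver_order(fixed),
          "leaking:", leaking_profiles(fixed, "vpn-corp"))
```

With all priorities left at their defaults the VPN's server is only listed first; the other profiles' servers are still used on failure, which is the leak the negative priority removes.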
2451
2452       dns-search
2453           List of DNS search domains. Domains starting with a tilde ('~') are
2454           considered 'routing' domains and are used only to decide the
2455           interface over which a query must be forwarded; they are not used
2456           to complete unqualified host names.
2457
2458           When using a DNS plugin that supports Conditional Forwarding or
2459           Split DNS, then the search domains specify which name servers to
2460           query. This makes the behavior different from running with plain
2461           /etc/resolv.conf. For more information see also the dns-priority
2462           setting.
2463
2464           When set on a profile that also has DHCP enabled, the DNS search list
2465           received automatically (option 119 for DHCPv4 and option 24 for
2466           DHCPv6) gets merged with the manual list. This can be prevented by
2467           setting "ignore-auto-dns". Note that if no DNS searches are
2468           configured, the fallback will be derived from the domain from DHCP
2469           (option 15).
2470
2471           Format: array of string
2472
2473       gateway
2474           Alias: gw6
2475
2476           The gateway associated with this configuration. This is only
2477           meaningful if "addresses" is also set.
2478
2479           Setting the gateway causes NetworkManager to configure a standard
2480           default route with the gateway as next hop. This is ignored if
2481           "never-default" is set. An alternative is to configure the default
2482           route explicitly with a manual route and /0 as prefix length.
2483
2484           Note that the gateway usually conflicts with routing that
2485           NetworkManager configures for WireGuard interfaces, so usually it
2486           should not be set in that case. See "ip4-auto-default-route".
2487
2488           Format: string
2489
2490       ignore-auto-dns
2491           When "method" is set to "auto" and this property to TRUE,
2492           automatically configured name servers and search domains are
2493           ignored and only name servers and search domains specified in the
2494           "dns" and "dns-search" properties, if any, are used.
2495
2496           Format: boolean
2497
2498       ignore-auto-routes
2499           When "method" is set to "auto" and this property to TRUE,
2500           automatically configured routes are ignored and only routes
2501           specified in the "routes" property, if any, are used.
2502
2503           Format: boolean
2504
2505       ip6-privacy
2506           Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
2507           If enabled, it makes the kernel generate a temporary IPv6 address
2508           in addition to the public one generated from MAC address via
2509           modified EUI-64. This enhances privacy, but could cause problems in
2510           some applications. The permitted values are: -1: unknown, 0:
2511           disabled, 1: enabled (prefer public address), 2: enabled (prefer
2512           temporary addresses).
2513
2514           Having a per-connection setting set to "-1" (unknown) means
2515           falling back to the global configuration "ipv6.ip6-privacy".
2516
2517           If the global configuration is also unspecified or set to "-1",
2518           fall back to reading "/proc/sys/net/ipv6/conf/default/use_tempaddr".
2519
2520           Note that this setting is distinct from the Stable Privacy
2521           addresses that can be enabled with the "addr-gen-mode" property's
2522           "stable-privacy" setting as another way of avoiding host tracking
2523           with IPv6 addresses.
2524
2525           Format: NMSettingIP6ConfigPrivacy (int32)
2526
2527       may-fail
2528           If TRUE, allow overall network configuration to proceed even if the
2529           configuration specified by this property times out. Note that at
2530           least one IP configuration must succeed or overall network
2531           configuration will still fail. For example, in IPv6-only networks,
2532           setting this property to TRUE on the NMSettingIP4Config allows the
2533           overall network configuration to succeed if IPv4 configuration
2534           fails but IPv6 configuration completes successfully.
2535
2536           Format: boolean
2537
2538       method
2539           IP configuration method.
2540
2541           NMSettingIP4Config and NMSettingIP6Config both support "disabled",
2542           "auto", "manual", and "link-local". See the subclass-specific
2543           documentation for other values.
2544
2545           In general, for the "auto" method, properties such as "dns" and
2546           "routes" specify information that is added on to the information
2547           returned from automatic configuration. The "ignore-auto-routes" and
2548           "ignore-auto-dns" properties modify this behavior.
2549
2550           For methods that imply no upstream network, such as "shared" or
2551           "link-local", these properties must be empty.
2552
2553           For IPv4 method "shared", the IP subnet can be configured by adding
2554           one manual IPv4 address or otherwise 10.42.x.0/24 is chosen. Note
2555           that the shared method must be configured on the interface which
2556           shares the internet to a subnet, not on the uplink which is shared.
2557
2558           Format: string
2559
2560       mtu
2561           Maximum transmission unit size, in bytes. If zero (the default),
2562           the MTU is set automatically from router advertisements or is left
2563           equal to the link-layer MTU. If greater than the link-layer MTU, or
2564           greater than zero but less than the minimum IPv6 MTU of 1280, this
2565           value has no effect.
2566
2567           Format: uint32
2568
2569       never-default
2570           If TRUE, this connection will never be the default connection for
2571           this IP type, meaning it will never be assigned the default route
2572           by NetworkManager.
2573
2574           Format: boolean
2575
2576       ra-timeout
2577           A timeout for waiting for Router Advertisements, in seconds. If zero
2578           (the default), a globally configured default is used. If still
2579           unspecified, the timeout depends on the sysctl settings of the
2580           device.
2581
2582           Set to 2147483647 (MAXINT32) for infinity.
2583
2584           Format: int32
2585
2586       required-timeout
2587           The minimum time interval in milliseconds for which dynamic IP
2588           configuration should be tried before the connection succeeds.
2589
2590           This property is useful for example if both IPv4 and IPv6 are
2591           enabled and are allowed to fail. Normally the connection succeeds
2592           as soon as one of the two address families completes; by setting a
2593           required timeout for e.g. IPv4, one can ensure that even if IPv6
2594           succeeds earlier than IPv4, NetworkManager waits some time for IPv4
2595           before the connection becomes active.
2596
2597           Note that if "may-fail" is FALSE for the same address family, this
2598           property has no effect as NetworkManager needs to wait for the full
2599           DHCP timeout.
2600
2601           A zero value means that no required timeout is present, -1 means
2602           the default value (either configuration ipvx.required-timeout
2603           override or zero).
2604
2605           Format: int32
2606
2607       route-metric
2608           The default metric for routes that don't explicitly specify a
2609           metric. The default value -1 means that the metric is chosen
2610           automatically based on the device type. The metric applies to
2611           dynamic routes, manual (static) routes that don't have an explicit
2612           metric setting, address prefix routes, and the default route. Note
2613           that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2614           (user default). Hence, setting this property to zero effectively
2615           means setting it to 1024. For IPv4, zero is a regular value for the
2616           metric.
2617
2618           Format: int64
2619
2620       route-table
2621           Enable policy routing (source routing) and set the routing table
2622           used when adding routes.
2623
2624           This affects all routes, including device-routes, IPv4LL, DHCP,
2625           SLAAC, default-routes and static routes. But note that static
2626           routes can individually overwrite the setting by explicitly
2627           specifying a non-zero routing table.
2628
2629           If the table setting is left at zero, it is eligible to be
2630           overwritten via global configuration. If the property is zero even
2631           after applying the global configuration value, policy routing is
2632           disabled for the address family of this connection.
2633
2634           Policy routing disabled means that NetworkManager will add all
2635           routes to the main table (except static routes that explicitly
2636           configure a different table). Additionally, NetworkManager will not
2637           delete any extraneous routes from tables except the main table.
2638           This is to preserve backward compatibility for users who manage
2639           routing tables outside of NetworkManager.
2640
2641           Format: uint32
2642
2643       routes
2644           A list of IPv6 destination addresses, prefix length, optional IPv6
2645           next hop addresses, optional route metric, optional attribute. The
2646           valid syntax is: "ip[/prefix] [next-hop] [metric]
2647           [attribute=val]...[,ip[/prefix]...]".
2648
2649           Various attributes are supported:
2650
2651           •   "advmss" - an unsigned 32 bit integer.
2652
2653           •   "cwnd" - an unsigned 32 bit integer.
2654
2655           •   "from" - an IPv6 address with optional prefix. IPv6 only.
2656
2657           •   "initcwnd" - an unsigned 32 bit integer.
2658
2659           •   "initrwnd" - an unsigned 32 bit integer.
2660
2661           •   "lock-advmss" - a boolean value.
2662
2663           •   "lock-cwnd" - a boolean value.
2664
2665           •   "lock-initcwnd" - a boolean value.
2666
2667           •   "lock-initrwnd" - a boolean value.
2668
2669           •   "lock-mtu" - a boolean value.
2670
2671           •   "lock-window" - a boolean value.
2672
2673           •   "mtu" - an unsigned 32 bit integer.
2674
2675           •   "onlink" - a boolean value.
2676
2677           •   "quickack" - a boolean value.
2678
2679           •   "rto_min" - an unsigned 32 bit integer. The value is in
2680               milliseconds.
2681
2682           •   "src" - an IPv6 address.
2683
2684           •   "table" - an unsigned 32 bit integer. The default depends on
2685               ipv6.route-table.
2686
2687           •   "type" - one of unicast, local, blackhole, unavailable,
2688               prohibit, throw. The default is unicast.
2689
2690           •   "window" - an unsigned 32 bit integer.
2691
2692           For details see also `man ip-route`.
2693
2694           Format: a comma separated list of routes
2695
2696       routing-rules
2697           A comma separated list of routing rules for policy routing. The
2698           format is based on ip rule add syntax and mostly compatible. One
2699           difference is that routing rules in NetworkManager always need a
2700           fixed priority.
2701
2702           Example: priority 5 from 1:2:3::5/128 table 45
2703
2704           Format: a comma separated list of routing rules
2705
2706       token
2707           Configure the token for
2708           draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2709           interface identifiers. Useful with eui64 addr-gen-mode.
2710
2711           Format: string
2712
2713   ip-tunnel setting
2714       IP Tunneling Settings.
2715
2716       Properties:
2717
2718       encapsulation-limit
2719           How many additional levels of encapsulation are permitted to be
2720           prepended to packets. This property applies only to IPv6 tunnels.
2721
2722           Format: uint32
2723
2724       flags
2725           Tunnel flags. Currently, the following values are supported:
2726           NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1),
2727           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
2728           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4),
2729           NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
2730           NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10),
2731           NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20). They are valid only
2732           for IPv6 tunnels.
2733
2734           Format: uint32
2735
2736       flow-label
2737           The flow label to assign to tunnel packets. This property applies
2738           only to IPv6 tunnels.
2739
2740           Format: uint32
2741
2742       input-key
2743           The key used for tunnel input packets; the property is valid only
2744           for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2745
2746           Format: string
2747
2748       local
2749           Alias: local
2750
2751           The local endpoint of the tunnel; the value can be empty, otherwise
2752           it must contain an IPv4 or IPv6 address.
2753
2754           Format: string
2755
2756       mode
2757           Alias: mode
2758
2759           The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
2760           NM_IP_TUNNEL_MODE_GRE (2).
2761
2762           Format: uint32
2763
2764       mtu
2765           If non-zero, only transmit packets of the specified size or
2766           smaller, breaking larger packets up into multiple fragments.
2767
2768           Format: uint32
2769
2770       output-key
2771           The key used for tunnel output packets; the property is valid only
2772           for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2773
2774           Format: string
2775
2776       parent
2777           Alias: dev
2778
2779           If given, specifies the parent interface name or parent connection
2780           UUID the new device will be bound to so that tunneled packets will
2781           only be routed via that interface.
2782
2783           Format: string
2784
2785       path-mtu-discovery
2786           Whether to enable Path MTU Discovery on this tunnel.
2787
2788           Format: boolean
2789
2790       remote
2791           Alias: remote
2792
2793           The remote endpoint of the tunnel; the value must contain an IPv4
2794           or IPv6 address.
2795
2796           Format: string
2797
2798       tos
2799           The type of service (IPv4) or traffic class (IPv6) field to be set
2800           on tunneled packets.
2801
2802           Format: uint32
2803
2804       ttl
2805           The TTL to assign to tunneled packets. 0 is a special value meaning
2806           that packets inherit the TTL value.
2807
2808           Format: uint32
2809
2810   macsec setting
2811       MACSec Settings.
2812
2813       Properties:
2814
2815       encrypt
2816           Alias: encrypt
2817
2818           Whether the transmitted traffic must be encrypted.
2819
2820           Format: boolean
2821
2822       mka-cak
2823           Alias: cak
2824
2825           The pre-shared CAK (Connectivity Association Key) for MACsec Key
2826           Agreement. Must be a string of 32 hexadecimal characters.
2827
2828           Format: string
2829
2830       mka-cak-flags
2831           Flags indicating how to handle the "mka-cak" property.
2832
2833           Format: NMSettingSecretFlags (uint32)
2834
2835       mka-ckn
2836           Alias: ckn
2837
2838           The pre-shared CKN (Connectivity-association Key Name) for MACsec
2839           Key Agreement. Must be a string of hexadecimal characters with an
2840           even length between 2 and 64.
2841
2842           Format: string
2843
2844       mode
2845           Alias: mode
2846
2847           Specifies how the CAK (Connectivity Association Key) for MKA
2848           (MACsec Key Agreement) is obtained.
2849
2850           Format: int32
2851
2852       parent
2853           Alias: dev
2854
2855           If given, specifies the parent interface name or parent connection
2856           UUID from which this MACSEC interface should be created. If this
2857           property is not specified, the connection must contain an
2858           "802-3-ethernet" setting with a "mac-address" property.
2859
2860           Format: string
2861
2862       port
2863           Alias: port
2864
2865           The port component of the SCI (Secure Channel Identifier), between
2866           1 and 65534.
2867
2868           Format: int32
2869
2870       send-sci
2871           Specifies whether the SCI (Secure Channel Identifier) is included
2872           in every packet.
2873
2874           Format: boolean
2875
2876       validation
2877           Specifies the validation mode for incoming frames.
2878
2879           Format: int32
2880
2881   macvlan setting
2882       MAC VLAN Settings.
2883
2884       Properties:
2885
2886       mode
2887           Alias: mode
2888
2889           The macvlan mode, which specifies the communication mechanism
2890           between multiple macvlans on the same lower device.
2891
2892           Format: uint32
2893
2894       parent
2895           Alias: dev
2896
2897           If given, specifies the parent interface name or parent connection
2898           UUID from which this MAC-VLAN interface should be created. If this
2899           property is not specified, the connection must contain an
2900           "802-3-ethernet" setting with a "mac-address" property.
2901
2902           Format: string
2903
2904       promiscuous
2905           Whether the interface should be put in promiscuous mode.
2906
2907           Format: boolean
2908
2909       tap
2910           Alias: tap
2911
2912           Whether the interface should be a MACVTAP.
2913
2914           Format: boolean
2915
2916   match setting
2917       Match settings.
2918
2919       Properties:
2920
2921       driver
2922           A list of driver names to match. Each element is a shell wildcard
2923           pattern.
2924
2925           See NMSettingMatch:interface-name for how special characters '|',
2926           '&', '!' and '\\' are used for optional and mandatory matches and
2927           inverting the pattern.
2928
2929           Format: array of string
2930
2931       interface-name
2932           A list of interface names to match. Each element is a shell
2933           wildcard pattern.
2934
2935           An element can be prefixed with a pipe symbol (|) or an ampersand
2936           (&). The former means that the element is optional and the latter
2937           means that it is mandatory. If there are any optional elements,
2938           then the match evaluates to true if at least one of the optional
2939           elements matches (logical OR). If there are any mandatory elements,
2940           then they all must match (logical AND). By default, an element is
2941           optional. This means that an element "foo" behaves the same as
2942           "|foo". An element can also be inverted with exclamation mark (!)
2943           between the pipe symbol (or the ampersand) and before the pattern.
2944           Note that "!foo" is a shortcut for the mandatory match "&!foo".
2945           Finally, a backslash can be used at the beginning of the element
2946           (after the optional special characters) to escape the start of the
2947           pattern. For example, "&\\!a" is a mandatory match for literally
2948           "!a".
2949
2950           Format: array of string
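
The optional/mandatory/inverted element rules above, as an evaluator for checking which interface names a match list would accept before a profile is deployed. This is an added example, not NetworkManager code: the function names and sample lists are assumptions, Python's fnmatch stands in for the shell wildcard matching, and the escape is taken to be a single leading backslash.

```python
import fnmatch


def parse_element(element):
    """Split one list element into (mandatory, inverted, pattern)."""
    mandatory = False
    explicit_prefix = False
    rest = element
    if rest.startswith("|"):          # optional (also the default)
        explicit_prefix = True
        rest = rest[1:]
    elif rest.startswith("&"):        # mandatory
        explicit_prefix = True
        mandatory = True
        rest = rest[1:]
    inverted = rest.startswith("!")
    if inverted:
        rest = rest[1:]
        if not explicit_prefix:
            mandatory = True          # "!foo" is a shortcut for "&!foo"
    if rest.startswith("\\"):
        rest = rest[1:]               # escape the start of the pattern
    return mandatory, inverted, rest


def element_matches(element, value):
    """True if this single element is satisfied by `value`."""
    _, inverted, pattern = parse_element(element)
    hit = fnmatch.fnmatchcase(value, pattern)
    return not hit if inverted else hit


def list_matches(elements, value):
    """Apply the OR over optional and AND over mandatory elements."""
    optional = [e for e in elements if not parse_element(e)[0]]
    mandatory = [e for e in elements if parse_element(e)[0]]
    if optional and not any(element_matches(e, value) for e in optional):
        return False
    return all(element_matches(e, value) for e in mandatory)


def accepted_devices(elements, candidates):
    """Subset of candidate names the match list would accept."""
    return [name for name in candidates if list_matches(elements, name)]


# Constructed sample: interface names as they might appear on one host.
SAMPLE_DEVICES = ["eth0", "eth1", "enp0s3", "enp0s25", "veth3", "wlan0"]

if __name__ == "__main__":
    for elements in (["eth*", "!eth1"], ["|!veth*"], ["&en*", "&!*s3"]):
        print(elements, "->", accepted_devices(elements, SAMPLE_DEVICES))
```

Note the difference between "!veth*" (mandatory, so it only restricts) and "|!veth*" (optional, so on its own it accepts every name that is not a veth).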
2951
2952       kernel-command-line
2953           A list of kernel command line arguments to match. This may be used
2954           to check whether a specific kernel command line option is set (or
2955           unset, if prefixed with the exclamation mark). The argument must
2956           either be a single word, or an assignment (i.e. two words, joined
2957           by "="). In the former case the kernel command line is searched for
2958           the word appearing as is, or as left hand side of an assignment. In
2959           the latter case, the exact assignment is looked for with right and
2960           left hand side matching. Wildcard patterns are not supported.
2961
2962           See NMSettingMatch:interface-name for how special characters '|',
2963           '&', '!' and '\\' are used for optional and mandatory matches and
2964           inverting the match.
2965
2966           Format: array of string
2967
2968       path
2969           A list of paths to match against the ID_PATH udev property of
2970           devices. ID_PATH represents the topological persistent path of a
2971           device. It typically contains a subsystem string (pci, usb,
2972           platform, etc.) and a subsystem-specific identifier.
2973
2974           For PCI devices the path has the form
2975           "pci-$domain:$bus:$device.$function", where each variable is a
2976           hexadecimal value; for example "pci-0000:0a:00.0".
2977
2978           The path of a device can be obtained with "udevadm info
2979           /sys/class/net/$dev | grep ID_PATH=" or by looking at the "path"
2980           property exported by NetworkManager ("nmcli -f general.path device
2981           show $dev").
2982
2983           Each element of the list is a shell wildcard pattern.
2984
2985           See NMSettingMatch:interface-name for how special characters '|',
2986           '&', '!' and '\\' are used for optional and mandatory matches and
2987           inverting the pattern.
2988
2989           Format: array of string
2990
2991   802-11-olpc-mesh setting
2992       Alias: olpc-mesh
2993
2994       OLPC Wireless Mesh Settings.
2995
2996       Properties:
2997
2998       channel
2999           Alias: channel
3000
3001           Channel on which the mesh network to join is located.
3002
3003           Format: uint32
3004
3005       dhcp-anycast-address
3006           Alias: dhcp-anycast
3007
3008           Anycast DHCP MAC address used when requesting an IP address via
3009           DHCP. The specific anycast address used determines which DHCP
3010           server class answers the request.
3011
3012           This is currently only implemented by the dhclient DHCP plugin.
3013
3014           Format: byte array
3015
3016       ssid
3017           Alias: ssid
3018
3019           SSID of the mesh network to join.
3020
3021           Format: byte array
3022
3023   ovs-bridge setting
3024       OvsBridge Link Settings.
3025
3026       Properties:
3027
3028       datapath-type
3029           The data path type. One of "system", "netdev" or empty.
3030
3031           Format: string
3032
3033       fail-mode
3034           The bridge failure mode. One of "secure", "standalone" or empty.
3035
3036           Format: string
3037
3038       mcast-snooping-enable
3039           Enable or disable multicast snooping.
3040
3041           Format: boolean
3042
3043       rstp-enable
3044           Enable or disable RSTP.
3045
3046           Format: boolean
3047
3048       stp-enable
3049           Enable or disable STP.
3050
3051           Format: boolean
3052
3053   ovs-dpdk setting
3054       OvsDpdk Link Settings.
3055
3056       Properties:
3057
3058       devargs
3059           Open vSwitch DPDK device arguments.
3060
3061           Format: string
3062
3063       n-rxq
3064           Open vSwitch DPDK number of rx queues. Defaults to zero which means
3065           to leave the parameter in OVS unspecified and effectively
3066           configures one queue.
3067
3068           Format: uint32
3069
3070   ovs-interface setting
3071       Open vSwitch Interface Settings.
3072
3073       Properties:
3074
3075       type
3076           The interface type. Either "internal", "system", "patch", "dpdk",
3077           or empty.
3078
3079           Format: string
3080
3081   ovs-patch setting
3082       OvsPatch Link Settings.
3083
3084       Properties:
3085
3086       peer
3087           Specifies the name of the interface for the other side of the
3088           patch. The patch on the other side must also set this interface as
3089           peer.
3090
3091           Format: string
3092
3093   ovs-port setting
3094       OvsPort Link Settings.
3095
3096       Properties:
3097
3098       bond-downdelay
3099           The time the port must be inactive in order to be considered down.
3100
3101           Format: uint32
3102
3103       bond-mode
3104           Bonding mode. One of "active-backup", "balance-slb", or
3105           "balance-tcp".
3106
3107           Format: string
3108
3109       bond-updelay
3110           The time the port must be active before it starts forwarding traffic.
3111
3112           Format: uint32
3113
3114       lacp
3115           LACP mode. One of "active", "off", or "passive".
3116
3117           Format: string
3118
3119       tag
3120           The VLAN tag in the range 0-4095.
3121
3122           Format: uint32
3123
3124       vlan-mode
3125           The VLAN mode. One of "access", "native-tagged", "native-untagged",
3126           "trunk" or unset.
3127
3128           Format: string
3129
3130   ppp setting
3131       Point-to-Point Protocol Settings.
3132
3133       Properties:
3134
3135       baud
3136           If non-zero, instruct pppd to set the serial port to the specified
3137           baudrate. This value should normally be left as 0 to automatically
3138           choose the speed.
3139
3140           Format: uint32
3141
3142       crtscts
3143           If TRUE, specify that pppd should set the serial port to use
3144           hardware flow control with RTS and CTS signals. This value should
3145           normally be set to FALSE.
3146
3147           Format: boolean
3148
3149       lcp-echo-failure
3150           If non-zero, instruct pppd to presume the connection to the peer
3151           has failed if the specified number of LCP echo-requests go
3152           unanswered by the peer. The "lcp-echo-interval" property must also
3153           be set to a non-zero value if this property is used.
3154
3155           Format: uint32
3156
3157       lcp-echo-interval
3158           If non-zero, instruct pppd to send an LCP echo-request frame to the
3159           peer every n seconds (where n is the specified value). Note that
3160           some PPP peers will respond to echo requests and some will not, and
3161           it is not possible to autodetect this.
3162
3163           Format: uint32
3164
3165       mppe-stateful
3166           If TRUE, stateful MPPE is used. See pppd documentation for more
3167           information on stateful MPPE.
3168
3169           Format: boolean
3170
3171       mru
3172           If non-zero, instruct pppd to request that the peer send packets no
3173           larger than the specified size. If non-zero, the MRU should be
3174           between 128 and 16384.
3175
3176           Format: uint32
3177
3178       mtu
3179           If non-zero, instruct pppd to send packets no larger than the
3180           specified size.
3181
3182           Format: uint32
3183
3184       no-vj-comp
3185           If TRUE, Van Jacobson TCP header compression will not be requested.
3186
3187           Format: boolean
3188
3189       noauth
3190           If TRUE, do not require the other side (usually the PPP server) to
3191           authenticate itself to the client. If FALSE, require authentication
3192           from the remote side. In almost all cases, this should be TRUE.
3193
3194           Format: boolean
3195
3196       nobsdcomp
3197           If TRUE, BSD compression will not be requested.
3198
3199           Format: boolean
3200
3201       nodeflate
3202           If TRUE, "deflate" compression will not be requested.
3203
3204           Format: boolean
3205
3206       refuse-chap
3207           If TRUE, the CHAP authentication method will not be used.
3208
3209           Format: boolean
3210
3211       refuse-eap
3212           If TRUE, the EAP authentication method will not be used.
3213
3214           Format: boolean
3215
3216       refuse-mschap
3217           If TRUE, the MSCHAP authentication method will not be used.
3218
3219           Format: boolean
3220
3221       refuse-mschapv2
3222           If TRUE, the MSCHAPv2 authentication method will not be used.
3223
3224           Format: boolean
3225
3226       refuse-pap
3227           If TRUE, the PAP authentication method will not be used.
3228
3229           Format: boolean
3230
3231       require-mppe
3232           If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
3233           required for the PPP session. If either 64-bit or 128-bit MPPE is
3234           not available the session will fail. Note that MPPE is not used on
3235           mobile broadband connections.
3236
3237           Format: boolean
3238
3239       require-mppe-128
3240           If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
3241           required for the PPP session, and the "require-mppe" property must
3242           also be set to TRUE. If 128-bit MPPE is not available the session
3243           will fail.
3244
3245           Format: boolean
3246
3247   pppoe setting
3248       PPP-over-Ethernet Settings.
3249
3250       Properties:
3251
3252       parent
3253           Alias: parent
3254
3255           If given, specifies the parent interface name on which this PPPoE
3256           connection should be created. If this property is not specified,
3257           the connection is activated on the interface specified in
3258           "interface-name" of NMSettingConnection.
3259
3260           Format: string
3261
3262       password
3263           Alias: password
3264
3265           Password used to authenticate with the PPPoE service.
3266
3267           Format: string
3268
3269       password-flags
3270           Flags indicating how to handle the "password" property.
3271
3272           Format: NMSettingSecretFlags (uint32)
3273
3274       service
3275           Alias: service
3276
3277           If specified, instruct PPPoE to only initiate sessions with access
3278           concentrators that provide the specified service. For most
3279           providers, this should be left blank. It is only required if there
3280           are multiple access concentrators or a specific service is known to
3281           be required.
3282
3283           Format: string
3284
3285       username
3286           Alias: username
3287
3288           Username used to authenticate with the PPPoE service.
3289
3290           Format: string
3291
3292   proxy setting
3293       WWW Proxy Settings.
3294
3295       Properties:
3296
3297       browser-only
3298           Alias: browser-only
3299
3300           Whether the proxy configuration is for browser only.
3301
3302           Format: boolean
3303
3304       method
3305           Alias: method
3306
3307           Method for proxy configuration. Default is
3308           NM_SETTING_PROXY_METHOD_NONE (0).
3309
3310           Format: int32
3311
3312       pac-script
3313           Alias: pac-script
3314
3315           PAC script for the connection. This is UTF-8 encoded JavaScript
3316           code that defines a FindProxyForURL() function.
3317
3318           Format: string
3319
3320       pac-url
3321           Alias: pac-url
3322
3323           PAC URL for obtaining PAC file.
3324
3325           Format: string
3326
3327   serial setting
3328       Serial Link Settings.
3329
3330       Properties:
3331
3332       baud
3333           Speed to use for communication over the serial port. Note that this
3334           value usually has no effect for mobile broadband modems as they
3335           generally ignore speed settings and use the highest available
3336           speed.
3337
3338           Format: uint32
3339
3340       bits
3341           Byte-width of the serial communication. The 8 in "8n1" for example.
3342
3343           Format: uint32
3344
3345       parity
3346           Parity setting of the serial port.
3347
3348           Format: NMSettingSerialParity (byte)
3349
3350       send-delay
3351           Time to delay between each byte sent to the modem, in microseconds.
3352
3353           Format: uint64
3354
3355       stopbits
3356           Number of stop bits for communication on the serial port. Either 1
3357           or 2. The 1 in "8n1" for example.
3358
3359           Format: uint32
3360
3361   sriov setting
3362       SR-IOV settings.
3363
3364       Properties:
3365
3366       autoprobe-drivers
3367           Whether to autoprobe virtual functions by a compatible driver.
3368
3369           If set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
3370           compatible driver and if this succeeds a new network interface will
3371           be instantiated for each VF.
3372
3373           If set to NM_TERNARY_FALSE (0), VFs will not be claimed and no
3374           network interfaces will be created for them.
3375
3376           When set to NM_TERNARY_DEFAULT (-1), the global default is used; in
3377           case the global default is unspecified it is assumed to be
3378           NM_TERNARY_TRUE (1).
3379
3380           Format: NMTernary (int32)
3381
3382       total-vfs
3383           The total number of virtual functions to create.
3384
3385           Note that when the sriov setting is present NetworkManager enforces
3386           the number of virtual functions on the interface (also when it is
3387           zero) during activation and resets it upon deactivation. To prevent
3388           any changes to SR-IOV parameters don't add a sriov setting to the
3389           connection.
3390
3391           Format: uint32
3392
3393       vfs
3394           Array of virtual function descriptors.
3395
3396           Each VF descriptor is a dictionary mapping attribute names to
3397           GVariant values. The 'index' entry is mandatory for each VF.
3398
3399           When represented as string a VF is in the form:
3400
3401           "INDEX [ATTR=VALUE[ ATTR=VALUE]...]".
3402
3403           for example:
3404
3405           "2 mac=00:11:22:33:44:55 spoof-check=true".
3406
3407           Multiple VFs can be specified using a comma as separator.
3408           Currently, the following attributes are supported: mac,
3409           spoof-check, trust, min-tx-rate, max-tx-rate, vlans.
3410
3411           The "vlans" attribute is represented as a semicolon-separated list
3412           of VLAN descriptors, where each descriptor has the form
3413
3414           "ID[.PRIORITY[.PROTO]]".
3415
3416           PROTO can be either 'q' for 802.1Q (the default) or 'ad' for
3417           802.1ad.
3418
3419           Format: array of vardict
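A parser for the VF string form above, added here as an example and not taken from NetworkManager. The function names, the accepted boolean spellings, the VLAN ID and priority ranges (the 802.1Q field widths) and the review policy for trust and spoof-check are assumptions of this example; the sample string is constructed.

```python
"""Parse and review an sriov.vfs string: "INDEX [ATTR=VALUE[ ATTR=VALUE]...]"."""
import re

# Attribute names listed on this page.
SUPPORTED_ATTRS = {"mac", "spoof-check", "trust",
                   "min-tx-rate", "max-tx-rate", "vlans"}
# Assumption: boolean spellings accepted by this example.
TRUE_WORDS = {"true", "yes", "on", "1"}
FALSE_WORDS = {"false", "no", "off", "0"}
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

# Constructed sample: three VFs separated by commas.
SAMPLE_VFS = ("0 mac=00:11:22:33:44:55 spoof-check=true vlans=100.3.q;200, "
              "1 trust=true spoof-check=false, "
              "2 vlans=10.0.ad")


def parse_bool(name, value):
    word = value.lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError(f"{name}: not a boolean: {value!r}")


def parse_vlan(text):
    """Parse one "ID[.PRIORITY[.PROTO]]" descriptor."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 3 or not all(parts):
        raise ValueError(f"malformed VLAN descriptor: {text!r}")
    vlan = {"id": int(parts[0]), "priority": None, "proto": "q"}  # 'q' is the default
    if len(parts) > 1:
        vlan["priority"] = int(parts[1])
    if len(parts) > 2:
        vlan["proto"] = parts[2]
    if vlan["proto"] not in ("q", "ad"):
        raise ValueError(f"unknown VLAN protocol: {vlan['proto']!r}")
    # Assumption: 12-bit VLAN ID and 3-bit priority, as in the 802.1Q tag.
    if not 0 <= vlan["id"] <= 4095:
        raise ValueError(f"VLAN ID out of range: {vlan['id']}")
    if vlan["priority"] is not None and not 0 <= vlan["priority"] <= 7:
        raise ValueError(f"VLAN priority out of range: {vlan['priority']}")
    return vlan


def parse_vf(text):
    """Parse one VF descriptor; the index is mandatory and comes first."""
    fields = text.split()
    if not fields or not fields[0].isdigit():
        raise ValueError(f"VF descriptor must start with its index: {text!r}")
    vf = {"index": int(fields[0])}
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not sep or name not in SUPPORTED_ATTRS:
            raise ValueError(f"unsupported VF attribute: {field!r}")
        if name in vf:
            raise ValueError(f"attribute given twice: {name}")
        if name in ("spoof-check", "trust"):
            vf[name] = parse_bool(name, value)
        elif name in ("min-tx-rate", "max-tx-rate"):
            vf[name] = int(value)
        elif name == "vlans":
            vf[name] = [parse_vlan(item) for item in value.split(";")]
        else:  # mac
            if not MAC_RE.fullmatch(value.lower()):
                raise ValueError(f"malformed MAC address: {value!r}")
            vf[name] = value.lower()
    return vf


def parse_vfs(text):
    """Parse a comma-separated list of VF descriptors."""
    vfs = [parse_vf(chunk) for chunk in text.split(",") if chunk.strip()]
    indexes = [vf["index"] for vf in vfs]
    if len(set(indexes)) != len(indexes):
        raise ValueError("duplicate VF index")
    return vfs


def review(vfs):
    """Return (index, finding) pairs for settings worth a second look.

    Assumption (policy of this example): a trusted VF, or one with spoof
    checking explicitly disabled, should be justified by its owner.
    """
    findings = []
    for vf in vfs:
        if vf.get("trust") is True:
            findings.append((vf["index"], "trust enabled"))
        if vf.get("spoof-check") is False:
            findings.append((vf["index"], "spoof-check disabled"))
    return findings


if __name__ == "__main__":
    for index, finding in review(parse_vfs(SAMPLE_VFS)):
        print(f"VF {index}: {finding}")
```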
3420
3421   tc setting
3422       Linux Traffic Control Settings.
3423
3424       Properties:
3425
3426       qdiscs
3427           Array of TC queueing disciplines. qdisc is a basic block in the
3428           Linux traffic control subsystem.
3429
3430           Each qdisc can be specified by the following attributes:
3431
3432           handle HANDLE
3433               specifies the qdisc handle. A qdisc, which potentially can have
3434               children, gets assigned a major number, called a 'handle',
3435               leaving the minor number namespace available for classes. The
3436               handle is expressed as '10:'. It is customary to explicitly
3437               assign a handle to qdiscs expected to have children.
3438
3439           parent HANDLE
3440               specifies the handle of the parent qdisc the current qdisc must
3441               be attached to.
3442
3443           root
3444               specifies that the qdisc is attached to the root of the device.
3445
3446           KIND
3447               this is the qdisc kind. NetworkManager currently supports the
3448               following kinds: fq_codel, sfq, tbf. Each qdisc kind has a
3449               different set of parameters, described below. There are also
3450               some kinds like pfifo, pfifo_fast, prio supported by
3451               NetworkManager but their parameters are not supported by
3452               NetworkManager.
3453
3454           Parameters for 'fq_codel':
3455
3456           limit U32
3457               the hard limit on the real queue size. When this limit is
3458               reached, incoming packets are dropped. Default is 10240
3459               packets.
3460
3461           memory_limit U32
3462               sets a limit on the total number of bytes that can be queued in
3463               this FQ-CoDel instance. The lower of the packet limit of the
3464               limit parameter and the memory limit will be enforced. Default
3465               is 32 MB.
3466
3467           flows U32
3468               the number of flows into which the incoming packets are
3469               classified. Due to the stochastic nature of hashing, multiple
3470               flows may end up being hashed into the same slot. Newer flows
3471               have priority over older ones. This parameter can be set only
3472               at load time since memory has to be allocated for the hash
3473               table. Default value is 1024.
3474
3475           target U32
3476               the acceptable minimum standing/persistent queue delay. This
3477               minimum delay is identified by tracking the local minimum queue
3478               delay that packets experience. The unit of measurement is
3479               microseconds (us). Default value is 5ms.
3480
3481           interval U32
3482               used to ensure that the measured minimum delay does not become
3483               too stale. The minimum delay must be experienced in the last
3484               epoch of length interval. It should be set on the order of
3485               the worst-case RTT through the bottleneck to give endpoints
3486               sufficient time to react. Default value is 100ms.
3487
3488           quantum U32
3489               the number of bytes used as 'deficit' in the fair queuing
3490               algorithm. Default is set to 1514 bytes which corresponds to
3491               the Ethernet MTU plus the hardware header length of 14 bytes.
3492
3493           ecn BOOL
3494               can be used to mark packets instead of dropping them. ecn is
3495               turned on by default.
3496
3497           ce_threshold U32
3498               sets a threshold above which all packets are marked with ECN
3499               Congestion Experienced. This is useful for DCTCP-style
3500               congestion control algorithms that require marking at very
3501               shallow queueing thresholds.
3502
3503           Parameters for 'sfq':
3504
3505           divisor U32
3506               can be used to set a different hash table size, available from
3507               kernel 2.6.39 onwards. The specified divisor must be a power of
3508               two and cannot be larger than 65536. Default value: 1024.
3509
3510           limit U32
3511               Upper limit of the SFQ. Can be used to reduce the default
3512               length of 127 packets.
3513
3514           depth U32
3515               Limit of packets per flow. Defaults to 127 and can be lowered.
3516
3517           perturb_period U32
3518               Interval in seconds for queue algorithm perturbation. Defaults
3519               to 0, which means that no perturbation occurs. Do not set it too
3520               low, because each perturbation may cause some packet reordering
3521               or losses. Advised value: 60. This value has no effect when
3522               external flow classification is used. It's better to increase
3523               the divisor value to lower the risk of hash collisions.
3524
3525           quantum U32
3526               Amount of bytes a flow is allowed to dequeue during a round of
3527               the round robin process. Defaults to the MTU of the interface
3528               which is also the advised value and the minimum value.
3529
3530           flows U32
3531               Default value is 127.
3532
3533           Parameters for 'tbf':
3534
3535           rate U64
3536               Bandwidth or rate. These parameters accept a floating point
3537               number, possibly followed by either a unit (both SI and IEC
3538               units supported), or a float followed by a percent character to
3539               specify the rate as a percentage of the device's speed.
3540
3541           burst U32
3542               Also known as buffer or maxburst. Size of the bucket, in bytes.
3543               This is the maximum amount of bytes that tokens can be
3544               available for instantaneously. In general, larger shaping rates
3545               require a larger buffer. For 10mbit/s on Intel, you need at
3546               least 10kbyte buffer if you want to reach your configured rate!
3547
3548               If your buffer is too small, packets may be dropped because
3549               more tokens arrive per timer tick than fit in your bucket. The
3550               minimum buffer size can be calculated by dividing the rate by
3551               HZ.
3552
3553               Token usage calculations are performed using a table which by
3554               default has a resolution of 8 packets. This resolution can be
3555               changed by specifying the cell size with the burst. For
3556               example, to specify a 6000 byte buffer with a 16 byte cell
3557               size, set a burst of 6000/16. You will probably never have to
3558               set this. Must be an integral power of 2.
3559
3560           limit U32
3561               Limit is the number of bytes that can be queued waiting for
3562               tokens to become available.
3563
3564           latency U32
3565               specifies the maximum amount of time a packet can sit in the
3566               TBF. The latency calculation takes into account the size of the
3567               bucket, the rate and possibly the peakrate (if set). The
3568               latency and limit are mutually exclusive.
3569
3570           Format: GPtrArray(NMTCQdisc)
3571
3572       tfilters
3573           Array of TC traffic filters. Traffic control can manage the packet
3574           content during classification by using filters.
3575
3576           Each tfilter can be specified by the following attributes:
3577
3578           handle HANDLE
3579               specifies the tfilters handle. A filter is used by a classful
3580               qdisc to determine in which class a packet will be enqueued. It
3581               is important to notice that filters reside within qdiscs.
3582               Therefore, see qdiscs handle for detailed information.
3583
3584           parent HANDLE
3585               specifies the handle of the parent qdisc the current qdisc must
3586               be attached to.
3587
3588           root
3589               specifies that the qdisc is attached to the root of the device.
3590
3591           KIND
3592               this is the tfilters kind. NetworkManager currently supports
3593               the following kinds: mirred, simple. Each filter kind has a
3594               different set of actions, described below. There are also some
3595               other kinds like matchall, basic, u32 supported by
3596               NetworkManager.
3597
3598           Actions for 'mirred':
3599
3600           egress bool
3601               Define whether the packet should exit from the interface.
3602
3603           ingress bool
3604               Define whether the packet should come into the interface.
3605
3606           mirror bool
3607               Define whether the packet should be copied to the destination
3608               space.
3609
3610           redirect bool
3611               Define whether the packet should be moved to the destination
3612               space.
3613
3614           Action for 'simple':
3615
3616           sdata char[32]
3617               The actual string to print.
3618
3619           Format: GPtrArray(NMTCTfilter)
3620
3621   team setting
3622       Teaming Settings.
3623
3624       Properties:
3625
3626       config
3627           Alias: config
3628
3629           The JSON configuration for the team network interface. The property
3630           should contain raw JSON configuration data suitable for teamd,
3631           because the value is passed directly to teamd. If not specified,
3632           the default configuration is used. See man teamd.conf for the
3633           format details.
3634
3635           Format: string
3636
3637       link-watchers
3638           Link watchers configuration for the connection: each link watcher
3639           is defined by a dictionary, whose keys depend upon the selected
3640           link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3641           and 'arp_ping'; the watcher is selected in the dictionary with the
3642           key 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3643           'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3644           'target-host'; arp_ping: all the ones in nsna_ping and
3645           'source-host', 'validate-active', 'validate-inactive',
3646           'send-always'. See the teamd.conf man page for more details.
3647
3648           Format: array of vardict
3649
3650       mcast-rejoin-count
3651           Corresponds to the teamd mcast_rejoin.count.
3652
3653           Format: int32
3654
3655       mcast-rejoin-interval
3656           Corresponds to the teamd mcast_rejoin.interval.
3657
3658           Format: int32
3659
3660       notify-peers-count
3661           Corresponds to the teamd notify_peers.count.
3662
3663           Format: int32
3664
3665       notify-peers-interval
3666           Corresponds to the teamd notify_peers.interval.
3667
3668           Format: int32
3669
3670       runner
3671           Corresponds to the teamd runner.name. Permitted values are:
3672           "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
3673           "random".
3674
3675           Format: string
3676
3677       runner-active
3678           Corresponds to the teamd runner.active.
3679
3680           Format: boolean
3681
3682       runner-agg-select-policy
3683           Corresponds to the teamd runner.agg_select_policy.
3684
3685           Format: string
3686
3687       runner-fast-rate
3688           Corresponds to the teamd runner.fast_rate.
3689
3690           Format: boolean
3691
3692       runner-hwaddr-policy
3693           Corresponds to the teamd runner.hwaddr_policy.
3694
3695           Format: string
3696
3697       runner-min-ports
3698           Corresponds to the teamd runner.min_ports.
3699
3700           Format: int32
3701
3702       runner-sys-prio
3703           Corresponds to the teamd runner.sys_prio.
3704
3705           Format: int32
3706
3707       runner-tx-balancer
3708           Corresponds to the teamd runner.tx_balancer.name.
3709
3710           Format: string
3711
3712       runner-tx-balancer-interval
3713           Corresponds to the teamd runner.tx_balancer.interval.
3714
3715           Format: int32
3716
3717       runner-tx-hash
3718           Corresponds to the teamd runner.tx_hash.
3719
3720           Format: array of string
3721
3722   team-port setting
3723       Team Port Settings.
3724
3725       Properties:
3726
3727       config
3728           Alias: config
3729
3730           The JSON configuration for the team port. The property should
3731           contain raw JSON configuration data suitable for teamd, because the
3732           value is passed directly to teamd. If not specified, the default
3733           configuration is used. See man teamd.conf for the format details.
3734
3735           Format: string
3736
3737       lacp-key
3738           Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3739
3740           Format: int32
3741
3742       lacp-prio
3743           Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3744
3745           Format: int32
3746
3747       link-watchers
3748           Link watchers configuration for the connection: each link watcher
3749           is defined by a dictionary, whose keys depend upon the selected
3750           link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3751           and 'arp_ping'; the watcher is selected in the dictionary with the
3752           key 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3753           'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3754           'target-host'; arp_ping: all the ones in nsna_ping and
3755           'source-host', 'validate-active', 'validate-inactive',
3756           'send-always'. See the teamd.conf man page for more details.
3757
3758           Format: array of vardict
3759
3760       prio
3761           Corresponds to the teamd ports.PORTIFNAME.prio.
3762
3763           Format: int32
3764
3765       queue-id
3766           Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1,
3767           the parameter is skipped from the JSON config.
3768
3769           Format: int32
3770
3771       sticky
3772           Corresponds to the teamd ports.PORTIFNAME.sticky.
3773
3774           Format: boolean
3775
3776   tun setting
3777       Tunnel Settings.
3778
3779       Properties:
3780
3781       group
3782           Alias: group
3783
3784           The group ID which will own the device. If set to NULL everyone
3785           will be able to use the device.
3786
3787           Format: string
3788
3789       mode
3790           Alias: mode
3791
3792           The operating mode of the virtual device. Allowed values are
3793           NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
3794           NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
3795
3796           Format: uint32
3797
3798       multi-queue
3799           Alias: multi-queue
3800
3801           If the property is set to TRUE, the interface will support multiple
3802           file descriptors (queues) to parallelize packet sending or
3803           receiving. Otherwise, the interface will only support a single
3804           queue.
3805
3806           Format: boolean
3807
3808       owner
3809           Alias: owner
3810
3811           The user ID which will own the device. If set to NULL everyone will
3812           be able to use the device.
3813
3814           Format: string
3815
3816       pi
3817           Alias: pi
3818
3819           If TRUE the interface will prepend a 4 byte header describing the
3820           physical interface to the packets.
3821
3822           Format: boolean
3823
3824       vnet-hdr
3825           Alias: vnet-hdr
3826
3827           If TRUE the tunnel packets will include a virtio network header
3828           (IFF_VNET_HDR).
3829
3830           Format: boolean
3831
3832   vlan setting
3833       VLAN Settings.
3834
3835       Properties:
3836
3837       egress-priority-map
3838           Alias: egress
3839
3840           For outgoing packets, a list of mappings from Linux SKB priorities
3841           to 802.1p priorities. The mapping is given in the format "from:to"
3842           where both "from" and "to" are unsigned integers, e.g. "7:3".
3843
3844           Format: array of string
3845
3846       flags
3847           Alias: flags
3848
3849           One or more flags which control the behavior and features of the
3850           VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
3851           (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
3852           of the GVRP protocol), NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
3853           binding of the interface to its master device's operating state),
3854           and NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol).
3855
3856           The default value of this property is NM_VLAN_FLAG_REORDER_HEADERS,
3857           but it used to be 0. To preserve backward compatibility, the
3858           default-value in the D-Bus API continues to be 0 and a missing
3859           property on D-Bus is still considered as 0.
3860
3861           Format: NMVlanFlags (uint32)
3862
3863       id
3864           Alias: id
3865
3866           The VLAN identifier that the interface created by this connection
3867           should be assigned. The valid range is from 0 to 4094, without the
3868           reserved id 4095.
3869
3870           Format: uint32
3871
3872       ingress-priority-map
3873           Alias: ingress
3874
3875           For incoming packets, a list of mappings from 802.1p priorities to
3876           Linux SKB priorities. The mapping is given in the format "from:to"
3877           where both "from" and "to" are unsigned integers, e.g. "7:3".
3878
3879           Format: array of string
3880
3881       parent
3882           Alias: dev
3883
3884           If given, specifies the parent interface name or parent connection
3885           UUID from which this VLAN interface should be created. If this
3886           property is not specified, the connection must contain an
3887           "802-3-ethernet" setting with a "mac-address" property.
3888
3889           Format: string
3890
3891   vpn setting
3892       VPN Settings.
3893
3894       Properties:
3895
3896       data
3897           Dictionary of key/value pairs of VPN plugin specific data. Both
3898           keys and values must be strings.
3899
3900           Format: dict of string to string
3901
3902       persistent
3903           If the VPN service supports persistence, and this property is TRUE,
3904           the VPN will attempt to stay connected across link changes and
3905           outages, until explicitly disconnected.
3906
3907           Format: boolean
3908
3909       secrets
3910           Dictionary of key/value pairs of VPN plugin specific secrets like
3911           passwords or private keys. Both keys and values must be strings.
3912
3913           Format: dict of string to string
3914
3915       service-type
3916           Alias: vpn-type
3917
3918           D-Bus service name of the VPN plugin that this setting uses to
3919           connect to its network, e.g. org.freedesktop.NetworkManager.vpnc
3920           for the vpnc plugin.
3921
3922           Format: string
3923
3924       timeout
3925           Timeout for the VPN service to establish the connection. Some
3926           services may take quite a long time to connect. Value of 0 means a
3927           default timeout, which is 60 seconds (unless overridden by
3928           vpn.timeout in configuration file). Values greater than zero mean
3929           timeout in seconds.
3930
3931           Format: uint32
3932
3933       user-name
3934           Alias: user
3935
3936           If the VPN connection requires a user name for authentication, that
3937           name should be provided here. If the connection is available to
3938           more than one user, and the VPN requires each user to supply a
3939           different name, then leave this property empty. If this property is
3940           empty, NetworkManager will automatically supply the username of the
3941           user which requested the VPN connection.
3942
3943           Format: string
3944
3945   vrf setting
3946       VRF settings.
3947
3948       Properties:
3949
3950       table
3951           Alias: table
3952
3953           The routing table for this VRF.
3954
3955           Format: uint32
3956
3957   vxlan setting
3958       VXLAN Settings.
3959
3960       Properties:
3961
3962       ageing
3963           Specifies the lifetime in seconds of FDB entries learnt by the
3964           kernel.
3965
3966           Format: uint32
3967
3968       destination-port
3969           Alias: destination-port
3970
3971           Specifies the UDP destination port to communicate to the remote
3972           VXLAN tunnel endpoint.
3973
3974           Format: uint32
3975
3976       id
3977           Alias: id
3978
3979           Specifies the VXLAN Network Identifier (or VXLAN Segment
3980           Identifier) to use.
3981
3982           Format: uint32
3983
3984       l2-miss
3985           Specifies whether netlink LL ADDR miss notifications are generated.
3986
3987           Format: boolean
3988
3989       l3-miss
3990           Specifies whether netlink IP ADDR miss notifications are generated.
3991
3992           Format: boolean
3993
3994       learning
3995           Specifies whether unknown source link layer addresses and IP
3996           addresses are entered into the VXLAN device forwarding database.
3997
3998           Format: boolean
3999
4000       limit
4001           Specifies the maximum number of FDB entries. A value of zero means
4002           that the kernel will store unlimited entries.
4003
4004           Format: uint32
4005
4006       local
4007           Alias: local
4008
4009           If given, specifies the source IP address to use in outgoing
4010           packets.
4011
4012           Format: string
4013
4014       parent
4015           Alias: dev
4016
4017           If given, specifies the parent interface name or parent connection
4018           UUID.
4019
4020           Format: string
4021
4022       proxy
4023           Specifies whether ARP proxy is turned on.
4024
4025           Format: boolean
4026
4027       remote
4028           Alias: remote
4029
4030           Specifies the unicast destination IP address to use in outgoing
4031           packets when the destination link layer address is not known in the
4032           VXLAN device forwarding database, or the multicast IP address to
4033           join.
4034
4035           Format: string
4036
4037       rsc
4038           Specifies whether route short circuit is turned on.
4039
4040           Format: boolean
4041
4042       source-port-max
4043           Alias: source-port-max
4044
4045           Specifies the maximum UDP source port to communicate to the remote
4046           VXLAN tunnel endpoint.
4047
4048           Format: uint32
4049
4050       source-port-min
4051           Alias: source-port-min
4052
4053           Specifies the minimum UDP source port to communicate to the remote
4054           VXLAN tunnel endpoint.
4055
4056           Format: uint32
4057
4058       tos
4059           Specifies the TOS value to use in outgoing packets.
4060
4061           Format: uint32
4062
4063       ttl
4064           Specifies the time-to-live value to use in outgoing packets.
4065
4066           Format: uint32
4067
4068   wifi-p2p setting
4069       Wi-Fi P2P Settings.
4070
4071       Properties:
4072
4073       peer
4074           Alias: peer
4075
4076           The P2P device that should be connected to. Currently, this is the
4077           only way to create or join a group.
4078
4079           Format: string
4080
4081       wfd-ies
4082           The Wi-Fi Display (WFD) Information Elements (IEs) to set.
4083
4084           Wi-Fi Display requires a protocol specific information element to
4085           be set in certain Wi-Fi frames. These can be specified here for the
4086           purpose of establishing a connection. This setting is only useful
4087           when implementing a Wi-Fi Display client.
4088
4089           Format: byte array
4090
4091       wps-method
4092           Flags indicating which mode of WPS is to be used.
4093
4094           There's little point in changing the default setting as
4095           NetworkManager will automatically determine the best method to use.
4096
4097           Format: uint32
4098
4099   wimax setting
4100       WiMax Settings.
4101
4102       Properties:
4103
4104       mac-address
4105           Alias: mac
4106
4107           If specified, this connection will only apply to the WiMAX device
4108           whose MAC address matches. This property does not change the MAC
4109           address of the device (known as MAC spoofing). Deprecated: 1
4110
4111           Format: byte array
4112
4113       network-name
4114           Alias: nsp
4115
4116           Network Service Provider (NSP) name of the WiMAX network this
4117           connection should use. Deprecated: 1
4118
4119           Format: string
4120
4121   802-3-ethernet setting
4122       Alias: ethernet
4123
4124       Wired Ethernet Settings.
4125
4126       Properties:
4127
4128       accept-all-mac-addresses
4129           When TRUE, set up the interface to accept packets for all MAC
4130           addresses. This enables the kernel interface flag IFF_PROMISC.
4131           When FALSE, the interface will only accept packets addressed to
4132           the interface's own MAC address or to broadcast.
4133
4134           Format: NMTernary (int32)
4135
4136       auto-negotiate
4137           When TRUE, enforce auto-negotiation of speed and duplex mode. If
4138           "speed" and "duplex" properties are both specified, only that
4139           single mode will be advertised and accepted during the link
4140           auto-negotiation process: this works only for BASE-T 802.3
4141           specifications and is useful for enforcing gigabit modes, as in
4142           these cases link negotiation is mandatory. When FALSE, "speed" and
4143           "duplex" properties should be both set or link configuration will
4144           be skipped.
4145
4146           Format: boolean
4147
4148       cloned-mac-address
4149           Alias: cloned-mac
4150
4151           If specified, request that the device use this MAC address instead.
4152           This is known as MAC cloning or spoofing.
4153
4154           Beside explicitly specifying a MAC address, the special values
4155           "preserve", "permanent", "random" and "stable" are supported.
4156           "preserve" means not to touch the MAC address on activation.
4157           "permanent" means to use the permanent hardware address if the
4158           device has one (otherwise this is treated as "preserve"). "random"
4159           creates a random MAC address on each connect. "stable" creates a
4160           hashed MAC address based on connection.stable-id and a machine
4161           dependent key.
4162
4163           If unspecified, the value can be overwritten via global defaults,
4164           see manual of NetworkManager.conf. If still unspecified, it
4165           defaults to "preserve" (older versions of NetworkManager may use a
4166           different default value).
4167
4168           On D-Bus, this field is expressed as "assigned-mac-address" or the
4169           deprecated "cloned-mac-address".
4170
4171           Format: byte array
4172
4173       duplex
4174           When a value is set, either "half" or "full", configures the device
4175           to use the specified duplex mode. If "auto-negotiate" is "yes" the
4176           specified duplex mode will be the only one advertised during link
4177           negotiation: this works only for BASE-T 802.3 specifications and is
4178           useful for enforcing gigabit modes, as in these cases link
4179           negotiation is mandatory. If the value is unset (the default), the
4180           link configuration will be either skipped (if "auto-negotiate" is
4181           "no", the default) or will be auto-negotiated (if "auto-negotiate"
4182           is "yes") and the local device will advertise all the supported
4183           duplex modes. Must be set together with the "speed" property if
4184           specified. Before specifying a duplex mode be sure your device
4185           supports it.
4186
4187           Format: string
4188
4189       generate-mac-address-mask
4190           With "cloned-mac-address" set to "random" or "stable", by default
4191           all bits of the MAC address are scrambled and a
4192           locally-administered, unicast MAC address is created. This property
4193           allows specifying that certain bits are fixed. Note that the least
4194           significant bit of the first octet of the MAC address will always
4195           be unset to create a unicast MAC address.
4196
4197           If the property is NULL, it is eligible to be overwritten by a
4198           default connection setting. If the value is still NULL or an empty
4199           string, the default is to create a locally-administered, unicast
4200           MAC address.
4201
4202           If the value contains one MAC address, this address is used as
4203           mask. The set bits of the mask are to be filled with the current
4204           MAC address of the device, while the unset bits are subject to
4205           randomization. Setting "FE:FF:FF:00:00:00" means to preserve the
4206           OUI of the current MAC address and only randomize the lower 3 bytes
4207           using the "random" or "stable" algorithm.
4208
4209           If the value contains one additional MAC address after the mask,
4210           this address is used instead of the current MAC address to fill the
4211           bits that shall not be randomized. For example, a value of
4212           "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC
4213           address to 68:F7:28, while the lower bits are randomized. A value
4214           of "02:00:00:00:00:00 00:00:00:00:00:00" will create a fully
4215           scrambled globally-administered, burned-in MAC address.
4216
4217           If the value contains more than one additional MAC address, one
4218           of them is chosen randomly. For example, "02:00:00:00:00:00
4219           00:00:00:00:00:00 02:00:00:00:00:00" will create a fully scrambled
4220           MAC address, randomly locally or globally administered.
4221
4222           Format: string
4223
4224       mac-address
4225           Alias: mac
4226
4227           If specified, this connection will only apply to the Ethernet
4228           device whose permanent MAC address matches. This property does not
4229           change the MAC address of the device (i.e. MAC spoofing).
4230
4231           Format: byte array
4232
4233       mac-address-blacklist
4234           If specified, this connection will never apply to the Ethernet
4235           device whose permanent MAC address matches an address in the list.
4236           Each MAC address is in the standard hex-digits-and-colons notation
4237           (00:11:22:33:44:55).
4238
4239           Format: array of string
4240
4241       mtu
4242           Alias: mtu
4243
4244           If non-zero, only transmit packets of the specified size or
4245           smaller, breaking larger packets up into multiple Ethernet frames.
4246
4247           Format: uint32
4248
4249       port
4250           Specific port type to use if the device supports multiple
4251           attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
4252           Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
4253           Interface). If the device supports only one port type, this setting
4254           is ignored.
4255
4256           Format: string
4257
4258       s390-nettype
4259           s390 network device type; one of "qeth", "lcs", or "ctc",
4260           representing the different types of virtual network devices
4261           available on s390 systems.
4262
4263           Format: string
4264
4265       s390-options
4266           Dictionary of key/value pairs of s390-specific device options. Both
4267           keys and values must be strings. Allowed keys include "portno",
4268           "layer2", "portname", "protocol", among others. Key names must
4269           contain only alphanumeric characters (i.e. [a-zA-Z0-9]).
4270
4271           Currently, NetworkManager itself does nothing with this
4272           information. However, s390utils ships a udev rule which parses this
4273           information and applies it to the interface.
4274
4275           Format: dict of string to string
4276
4277       s390-subchannels
4278           Identifies specific subchannels that this network device uses for
4279           communication with z/VM or s390 host. Like the "mac-address"
4280           property for non-z/VM devices, this property can be used to ensure
4281           this connection only applies to the network device that uses these
4282           subchannels. The list should contain exactly 3 strings, and each
4283           string may only be composed of hexadecimal characters and the
4284           period (.) character.
4285
4286           Format: array of string
4287
4288       speed
4289           When a value greater than 0 is set, configures the device to use
4290           the specified speed. If "auto-negotiate" is "yes" the specified
4291           speed will be the only one advertised during link negotiation: this
4292           works only for BASE-T 802.3 specifications and is useful for
4293           enforcing gigabit speeds, as in this case link negotiation is
4294           mandatory. If the value is unset (0, the default), the link
4295           configuration will be either skipped (if "auto-negotiate" is "no",
4296           the default) or will be auto-negotiated (if "auto-negotiate" is
4297           "yes") and the local device will advertise all the supported
4298           speeds. The value is in Mbit/s, e.g. 100 means 100 Mbit/s. Must be
4299           set together with the "duplex" property when non-zero. Before
4300           specifying a speed value be sure your device supports it.
4301
4302           Format: uint32
4303
4304       wake-on-lan
4305           The NMSettingWiredWakeOnLan options to enable. Not all devices
4306           support all options. May be any combination of
4307           NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
4308           NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
4309           NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
4310           NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
4311           NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
4312           NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
4313           NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
4314           and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
4315           management of Wake-on-LAN in NetworkManager).
4316
4317           Format: uint32
4318
4319       wake-on-lan-password
4320           If specified, the password used with magic-packet-based
4321           Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
4322           password will be required.
4323
4324           Format: string
4325
4326   wireguard setting
4327       WireGuard Settings.
4328
4329       Properties:
4330
4331       fwmark
4332           The use of fwmark is optional and is by default off. Setting it to
4333           0 disables it. Otherwise, it is a 32-bit fwmark for outgoing
4334           packets.
4335
4336           Note that enabling "ip4-auto-default-route" or
4337           "ip6-auto-default-route" implies automatically choosing a fwmark.
4338
4339           Format: uint32
4340
4341       ip4-auto-default-route
4342           Whether to enable special handling of the IPv4 default route. If
4343           enabled, the IPv4 default route from wireguard.peer-routes will be
4344           placed in a dedicated routing-table and two policy routing rules
4345           will be added. The fwmark number is also used as routing-table for
4346           the default-route, and if fwmark is zero, an unused fwmark/table is
4347           chosen automatically. This corresponds to what wg-quick does with
4348           Table=auto and what WireGuard calls "Improved Rule-based Routing".
4349
4350           Note that for this automatism to work, you usually don't want to
4351           set ipv4.gateway, because that will result in a conflicting default
4352           route.
4353
4354           Leaving this at the default will enable this option automatically
4355           if ipv4.never-default is not set and there are any peers that use a
4356           default-route as allowed-ips. Since this automatism only makes
4357           sense if you also have a peer with an /0 allowed-ips, it is usually
4358           not necessary to enable this explicitly. However, you can disable
4359           it if you want to configure your own routing and rules.
4360
4361           Format: NMTernary (int32)
4362
4363       ip6-auto-default-route
4364           Like ip4-auto-default-route, but for the IPv6 default route.
4365
4366           Format: NMTernary (int32)
4367
4368       listen-port
4369           The listen-port. If listen-port is not specified, the port will be
4370           chosen randomly when the interface comes up.
4371
4372           Format: uint32
4373
4374       mtu
4375           If non-zero, only transmit packets of the specified size or
4376           smaller, breaking larger packets up into multiple fragments.
4377
4378           If zero, a default MTU is used. Note that contrary to wg-quick's MTU
4379           setting, this does not take into account the current routes at the
4380           time of activation.
4381
4382           Format: uint32
4383
4384       peer-routes
4385           Whether to automatically add routes for the AllowedIPs ranges of
4386           the peers. If TRUE (the default), NetworkManager will automatically
4387           add routes in the routing tables according to ipv4.route-table and
4388           ipv6.route-table. Usually you want this automatism enabled. If
4389           FALSE, no such routes are added automatically. In this case, the
4390           user may want to configure static routes in ipv4.routes and
4391           ipv6.routes, respectively.
4392
4393           Note that if the peer's AllowedIPs is "0.0.0.0/0" or "::/0" and the
4394           profile's ipv4.never-default or ipv6.never-default setting is
4395           enabled, the peer route for this peer won't be added automatically.
4396
4397           Format: boolean
4398
4399       private-key
4400           The 256 bit private-key in base64 encoding.
4401
4402           Format: string
4403
4404       private-key-flags
4405           Flags indicating how to handle the "private-key" property.
4406
4407           Format: NMSettingSecretFlags (uint32)
4408
4409   802-11-wireless setting
4410       Alias: wifi
4411
4412       Wi-Fi Settings.
4413
4414       Properties:
4415
4416       ap-isolation
4417           Configures AP isolation, which prevents communication between
4418           wireless devices connected to this AP. This property can be set to
4419           a value different from NM_TERNARY_DEFAULT (-1) only when the
4420           interface is configured in AP mode.
4421
4422           If set to NM_TERNARY_TRUE (1), devices are not able to communicate
4423           with each other. This increases security because it protects
4424           devices against attacks from other clients in the network. At the
4425           same time, it prevents devices from accessing resources on the same
4426           wireless network, such as file shares, printers, etc.
4427
4428           If set to NM_TERNARY_FALSE (0), devices can talk to each other.
4429
4430           When set to NM_TERNARY_DEFAULT (-1), the global default is used; in
4431           case the global default is unspecified it is assumed to be
4432           NM_TERNARY_FALSE (0).
4433
4434           Format: NMTernary (int32)
4435
4436       band
4437           802.11 frequency band of the network. One of "a" for 5GHz 802.11a
4438           or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
4439           network to the specific band, i.e. if "a" is specified, the device
4440           will not associate with the same network in the 2.4GHz band even if
4441           the network's settings are compatible. This setting depends on
4442           specific driver capability and may not work with all drivers.
4443
4444           Format: string
4445
4446       bssid
4447           If specified, directs the device to only associate with the given
4448           access point. This capability is highly driver dependent and not
4449           supported by all devices. Note: this property does not control the
4450           BSSID used when creating an Ad-Hoc network and is unlikely to in
4451           the future.
4452
4453           Locking a client profile to a certain BSSID will prevent roaming
4454           and also disable background scanning. That can be useful, if there
4455           is only one access point for the SSID.
4456
4457           Format: byte array
4458
4459       channel
4460           Wireless channel to use for the Wi-Fi connection. The device will
4461           only join (or create for Ad-Hoc networks) a Wi-Fi network on the
4462           specified channel. Because channel numbers overlap between bands,
4463           this property also requires the "band" property to be set.
4464
4465           Format: uint32
4466
4467       cloned-mac-address
4468           Alias: cloned-mac
4469
4470           If specified, request that the device use this MAC address instead.
4471           This is known as MAC cloning or spoofing.
4472
4473           Beside explicitly specifying a MAC address, the special values
4474           "preserve", "permanent", "random" and "stable" are supported.
4475           "preserve" means not to touch the MAC address on activation.
4476           "permanent" means to use the permanent hardware address of the
4477           device. "random" creates a random MAC address on each connect.
4478           "stable" creates a hashed MAC address based on connection.stable-id
4479           and a machine dependent key.
4480
4481           If unspecified, the value can be overwritten via global defaults,
4482           see manual of NetworkManager.conf. If still unspecified, it
4483           defaults to "preserve" (older versions of NetworkManager may use a
4484           different default value).
4485
4486           On D-Bus, this field is expressed as "assigned-mac-address" or the
4487           deprecated "cloned-mac-address".
4488
4489           Format: byte array
4490
4491       generate-mac-address-mask
4492           With "cloned-mac-address" set to "random" or "stable", by default
4493           all bits of the MAC address are scrambled and a
4494           locally-administered, unicast MAC address is created. This property
4495           allows specifying that certain bits are fixed. Note that the least
4496           significant bit of the first octet of the MAC address will always
4497           be unset to create a unicast MAC address.
4498
4499           If the property is NULL, it is eligible to be overwritten by a
4500           default connection setting. If the value is still NULL or an empty
4501           string, the default is to create a locally-administered, unicast
4502           MAC address.
4503
4504           If the value contains one MAC address, this address is used as
4505           mask. The set bits of the mask are to be filled with the current
4506           MAC address of the device, while the unset bits are subject to
4507           randomization. Setting "FE:FF:FF:00:00:00" means to preserve the
4508           OUI of the current MAC address and only randomize the lower 3 bytes
4509           using the "random" or "stable" algorithm.
4510
4511           If the value contains one additional MAC address after the mask,
4512           this address is used instead of the current MAC address to fill the
4513           bits that shall not be randomized. For example, a value of
4514           "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC
4515           address to 68:F7:28, while the lower bits are randomized. A value
4516           of "02:00:00:00:00:00 00:00:00:00:00:00" will create a fully
4517           scrambled globally-administered, burned-in MAC address.
4518
4519           If the value contains more than one additional MAC address, one
4520           of them is chosen randomly. For example, "02:00:00:00:00:00
4521           00:00:00:00:00:00 02:00:00:00:00:00" will create a fully scrambled
4522           MAC address, randomly locally or globally administered.
4523
4524           Format: string
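
The mask rules described for generate-mac-address-mask (in both the 802-3-ethernet and 802-11-wireless settings) can be modelled as follows. This Python code is an added example, not NetworkManager's own code: the function names, the injectable rand_bytes and choose parameters and the sample current MAC 00:1A:2B:33:44:55 are assumptions made for illustration, and only the "random" case is modelled because the "stable" hash is not specified on this page.

```python
import re
import secrets

_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")


def parse_mac(text):
    """Parse hex-digits-and-colons notation (00:11:22:33:44:55) into 6 bytes."""
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in text.split(":"))


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def generate_mac(mask_value, current_mac, rand_bytes=None, choose=secrets.choice):
    """Model of the documented generate-mac-address-mask semantics.

    mask_value  -- the property value: None/"" or "MASK [ADDR ...]"
    current_mac -- the device's current MAC, used when no ADDR is given
    rand_bytes  -- 6 bytes of randomness (injectable so results can be checked)
    choose      -- picks one ADDR when several are listed (injectable)
    """
    rnd = bytearray(secrets.token_bytes(6) if rand_bytes is None else rand_bytes)
    if len(rnd) != 6:
        raise ValueError("rand_bytes must be exactly 6 bytes")

    words = (mask_value or "").split()
    if not words:
        # NULL or empty string: locally-administered, unicast address.
        rnd[0] |= 0x02   # set the locally-administered bit
        rnd[0] &= 0xFE   # clear the multicast bit
        return format_mac(rnd)

    mask = parse_mac(words[0])
    candidates = [parse_mac(w) for w in words[1:]]
    # Set mask bits are filled from an additional address if one is given,
    # otherwise from the current MAC address of the device.
    base = choose(candidates) if candidates else parse_mac(current_mac)

    out = bytearray((r & ~m & 0xFF) | (b & m) for r, m, b in zip(rnd, mask, base))
    out[0] &= 0xFE       # least significant bit of the first octet is always unset
    return format_mac(out)


def describe(mac):
    """Classify an address the way a reviewer of captured traffic would."""
    first = parse_mac(mac)[0]
    return {
        "unicast": not first & 0x01,
        "locally_administered": bool(first & 0x02),
        "oui": mac.upper()[:8],
    }


if __name__ == "__main__":
    current = "00:1A:2B:33:44:55"  # constructed sample value
    for value in (
        None,
        "FE:FF:FF:00:00:00",
        "FE:FF:FF:00:00:00 68:F7:28:00:00:00",
        "02:00:00:00:00:00 00:00:00:00:00:00",
        "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00",
    ):
        mac = generate_mac(value, current)
        print(f"{value!r:60} -> {mac} {describe(mac)}")
```

A mask that preserves the OUI keeps the device vendor visible on the network even though the lower three bytes change, which matters when the setting is chosen for privacy.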
4525
4526       hidden
4527           If TRUE, indicates that the network is a non-broadcasting network
4528           that hides its SSID. This works both in infrastructure and AP mode.
4529
4530           In infrastructure mode, various workarounds are used for a more
4531           reliable discovery of hidden networks, such as probe-scanning the
4532           SSID. However, these workarounds expose inherent insecurities with
4533           hidden SSID networks, and thus hidden SSID networks should be used
4534           with caution.
4535
4536           In AP mode, the created network does not broadcast its SSID.
4537
4538           Note that marking the network as hidden may be a privacy issue for
4539           you (in infrastructure mode) or client stations (in AP mode), as
4540           the explicit probe-scans are distinctly recognizable on the air.
4541
4542           Format: boolean
4543
4544       mac-address
4545           Alias: mac
4546
4547           If specified, this connection will only apply to the Wi-Fi device
4548           whose permanent MAC address matches. This property does not change
4549           the MAC address of the device (i.e. MAC spoofing).
4550
4551           Format: byte array
4552
4553       mac-address-blacklist
4554           A list of permanent MAC addresses of Wi-Fi devices to which this
4555           connection should never apply. Each MAC address should be given in
4556           the standard hex-digits-and-colons notation (e.g.
4557           "00:11:22:33:44:55").
4558
4559           Format: array of string
4560
4561       mac-address-randomization
4562           One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
4563           unless the user has set a global default to randomize and the
4564           supplicant supports randomization),
4565           NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
4566           address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
4567           randomize the MAC address). This property is deprecated for
4568           'cloned-mac-address'. Deprecated: 1
4569
4570           Format: uint32
4571
4572       mode
4573           Alias: mode
4574
4575           Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
4576           "ap". If blank, infrastructure is assumed.
4577
4578           Format: string
4579
4580       mtu
4581           Alias: mtu
4582
4583           If non-zero, only transmit packets of the specified size or
4584           smaller, breaking larger packets up into multiple Ethernet frames.
4585
4586           Format: uint32
4587
4588       powersave
4589           One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
4590           power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
4591           Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
4592           (don't touch the currently configured setting) or
4593           NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
4594           configured value). All other values are reserved.
4595
4596           Format: uint32
4597
4598       rate
4599           If non-zero, directs the device to only use the specified bitrate
4600           for communication with the access point. Units are in Kb/s, e.g.
4601           5500 = 5.5 Mbit/s. This property is highly driver dependent and not
4602           all devices support setting a static bitrate.
4603
4604           Format: uint32
4605
4606       seen-bssids
4607           A list of BSSIDs (each BSSID formatted as a MAC address like
4608           "00:11:22:33:44:55") that have been detected as part of the Wi-Fi
4609           network. NetworkManager internally tracks previously seen BSSIDs.
4610           The property is only meant for reading and reflects the BSSID list
4611           of NetworkManager. The changes you make to this property will not
4612           be preserved.
4613
4614           Format: array of string
4615
4616       ssid
4617           Alias: ssid
4618
4619           SSID of the Wi-Fi network. Must be specified.
4620
4621           Format: byte array
4622
4623       tx-power
4624           If non-zero, directs the device to use the specified transmit
4625           power. Units are dBm. This property is highly driver dependent and
4626           not all devices support setting a static transmit power.
4627
4628           Format: uint32
4629
4630       wake-on-wlan
4631           The NMSettingWirelessWakeOnWLan options to enable. Not all devices
4632           support all options. May be any combination of
4633           NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
4634           NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
4635           NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
4636           NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
4637           NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
4638           NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
4639           NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
4640           NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
4641           NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
4642           settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
4643           disable management of Wake-on-LAN in NetworkManager).
4644
4645           Format: uint32
4646
4647   802-11-wireless-security setting
4648       Alias: wifi-sec
4649
4650       Wi-Fi Security Settings.
4651
4652       Properties:
4653
4654       auth-alg
4655           When WEP is used (i.e., key-mgmt = "none" or "ieee8021x"), indicate
4656           the 802.11 authentication algorithm required by the AP here. One of
4657           "open" for Open System, "shared" for Shared Key, or "leap" for
4658           Cisco LEAP. When using Cisco LEAP (i.e., key-mgmt = "ieee8021x" and
4659           auth-alg = "leap") the "leap-username" and "leap-password"
4660           properties must be specified.
4661
4662           Format: string
4663
4664       fils
4665           Indicates whether Fast Initial Link Setup (802.11ai) must be
4666           enabled for the connection. One of
4667           NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
4668           value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
4669           FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
4670           if the supplicant and the access point support it) or
4671           NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
4672           fail if not supported). When set to
4673           NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
4674           is set, FILS will be optionally enabled.
4675
4676           Format: int32
4677
4678       group
4679           A list of group/broadcast encryption algorithms which prevents
4680           connections to Wi-Fi networks that do not utilize one of the
4681           algorithms in the list. For maximum compatibility leave this
4682           property empty. Each list element may be one of "wep40", "wep104",
4683           "tkip", or "ccmp".
4684
4685           Format: array of string
4686
4687       key-mgmt
4688           Key management used for the connection. One of "none" (WEP or no
4689           password protection), "ieee8021x" (Dynamic WEP), "owe"
4690           (Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3
4691           personal), "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3
4692           enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only).
4693
4694           This property must be set for any Wi-Fi connection that uses
4695           security.
4696
4697           Format: string
4698
4699       leap-password
4700           The login password for legacy LEAP connections (i.e., key-mgmt =
4701           "ieee8021x" and auth-alg = "leap").
4702
4703           Format: string
4704
4705       leap-password-flags
4706           Flags indicating how to handle the "leap-password" property.
4707
4708           Format: NMSettingSecretFlags (uint32)
4709
4710       leap-username
4711           The login username for legacy LEAP connections (i.e., key-mgmt =
4712           "ieee8021x" and auth-alg = "leap").
4713
4714           Format: string
4715
4716       pairwise
4717           A list of pairwise encryption algorithms which prevents connections
4718           to Wi-Fi networks that do not utilize one of the algorithms in the
4719           list. For maximum compatibility leave this property empty. Each
4720           list element may be one of "tkip" or "ccmp".
4721
4722           Format: array of string
4723
4724       pmf
4725           Indicates whether Protected Management Frames (802.11w) must be
4726           enabled for the connection. One of
4727           NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
4728           value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
4729           NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
4730           supplicant and the access point support it) or
4731           NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
4732           if not supported). When set to
4733           NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
4734           is set, PMF will be optionally enabled.
4735
4736           Format: int32
4737
4738       proto
4739           List of strings specifying the allowed WPA protocol versions to
4740           use. Each element may be one of "wpa" (allow WPA) or "rsn" (allow
4741           WPA2/RSN). If not specified, both WPA and RSN connections are
4742           allowed.
4743
4744           Format: array of string
4745
4746       psk
4747           Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
4748           passphrase of 8 to 63 characters that is (as specified in the
4749           802.11i standard) hashed to derive the actual key, or the key in
4750           the form of 64 hexadecimal characters. WPA3-Personal networks use a
4751           passphrase of any length for SAE authentication.
4752
4753           Format: string
4754
4755       psk-flags
4756           Flags indicating how to handle the "psk" property.
4757
4758           Format: NMSettingSecretFlags (uint32)
4759
4760       wep-key-flags
4761           Flags indicating how to handle the "wep-key0", "wep-key1",
4762           "wep-key2", and "wep-key3" properties.
4763
4764           Format: NMSettingSecretFlags (uint32)
4765
4766       wep-key-type
4767           Controls the interpretation of WEP keys. Allowed values are
4768           NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
4769           26-character hexadecimal string, or a 5- or 13-character ASCII
4770           password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
4771           passphrase is provided as a string and will be hashed using the
4772           de-facto MD5 method to derive the actual WEP key.
4773
4774           Format: NMWepKeyType (uint32)
4775
4776       wep-key0
4777           Index 0 WEP key. This is the WEP key used in most networks. See the
4778           "wep-key-type" property for a description of how this key is
4779           interpreted.
4780
4781           Format: string
4782
4783       wep-key1
4784           Index 1 WEP key. This WEP index is not used by most networks. See
4785           the "wep-key-type" property for a description of how this key is
4786           interpreted.
4787
4788           Format: string
4789
4790       wep-key2
4791           Index 2 WEP key. This WEP index is not used by most networks. See
4792           the "wep-key-type" property for a description of how this key is
4793           interpreted.
4794
4795           Format: string
4796
4797       wep-key3
4798           Index 3 WEP key. This WEP index is not used by most networks. See
4799           the "wep-key-type" property for a description of how this key is
4800           interpreted.
4801
4802           Format: string
4803
4804       wep-tx-keyidx
4805           When static WEP is used (i.e., key-mgmt = "none") and a non-default
4806           WEP key index is used by the AP, put that WEP key index here. Valid
4807           values are 0 (default key) through 3. Note that some consumer
4808           access points (like the Linksys WRT54G) number the keys 1 - 4.
4809
4810           Format: uint32
4811
4812       wps-method
4813           Flags indicating which mode of WPS is to be used if any.
4814
4815           There's little point in changing the default setting as
4816           NetworkManager will automatically determine whether it's feasible
4817           to start WPS enrollment from the Access Point capabilities.
4818
4819           WPS can be disabled by setting this property to a value of 1.
4820
4821           Format: uint32
4822
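The two forms of the psk property described above, as an added example that is not part of the NetworkManager manual or code base. It classifies a value and computes the 256-bit key a WPA-PSK passphrase stands for, using the 802.11i mapping (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations). The function names and the sample SSIDs are assumptions made for this example.

```python
import hashlib
import string

def classify_psk(psk: str, key_mgmt: str = "wpa-psk") -> str:
    """Classify a psk value as the property description does, or raise ValueError."""
    if key_mgmt == "sae":
        # WPA3-Personal only: a passphrase of any length is accepted for SAE.
        return "sae-passphrase"
    if len(psk) == 64 and all(c in string.hexdigits for c in psk):
        return "raw-key"  # already the 256-bit key, written as 64 hex digits
    if 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk):
        return "passphrase"
    raise ValueError("WPA-PSK needs 8-63 printable ASCII characters or 64 hex digits")

def wpa_psk_key(psk: str, ssid: bytes) -> bytes:
    """Return the 32-byte key that a WPA-PSK psk value stands for on one SSID."""
    if classify_psk(psk) == "raw-key":
        return bytes.fromhex(psk)
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # 802.11i passphrase mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid, 4096, 32)

if __name__ == "__main__":
    # Constructed inputs: the SSID is the salt, so one passphrase yields
    # unrelated keys on two networks.
    for ssid in (b"IEEE", b"example-net"):
        print(ssid.decode(), wpa_psk_key("password", ssid).hex())
```

Because the 64-digit form is the key itself, a profile that stores it is as sensitive as one that stores the passphrase for that SSID.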
4823   wpan setting
4824       IEEE 802.15.4 (WPAN) MAC Settings.
4825
4826       Properties:
4827
4828       channel
4829           Alias: channel
4830
4831           IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
4832           set, use whatever the device is already set to".
4833
4834           Format: int32
4835
4836       mac-address
4837           Alias: mac
4838
4839           If specified, this connection will only apply to the IEEE 802.15.4
4840           (WPAN) MAC layer device whose permanent MAC address matches.
4841
4842           Format: string
4843
4844       page
4845           Alias: page
4846
4847           IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
4848           not set, use whatever the device is already set to".
4849
4850           Format: int32
4851
4852       pan-id
4853           Alias: pan-id
4854
4855           IEEE 802.15.4 Personal Area Network (PAN) identifier.
4856
4857           Format: uint32
4858
4859       short-address
4860           Alias: short-addr
4861
4862           Short IEEE 802.15.4 address to be used within a restricted
4863           environment.
4864
4865           Format: uint32
4866
4867   bond-port setting
4868       Bond Port Settings.
4869
4870       Properties:
4871
4872       queue-id
4873           Alias: queue-id
4874
4875           The queue ID of this bond port. The maximum value of queue ID is
4876           the number of TX queues currently active in the device.
4877
4878           Format: uint32
4879
4880   hostname setting
4881       Hostname settings.
4882
4883       Properties:
4884
4885       from-dhcp
4886           Whether the system hostname can be determined from DHCP on this
4887           connection.
4888
4889           When set to NM_TERNARY_DEFAULT (-1), the value from global
4890           configuration is used. If the property doesn't have a value in the
4891           global configuration, NetworkManager assumes the value to be
4892           NM_TERNARY_TRUE (1).
4893
4894           Format: NMTernary (int32)
4895
4896       from-dns-lookup
4897           Whether the system hostname can be determined from reverse DNS
4898           lookup of addresses on this device.
4899
4900           When set to NM_TERNARY_DEFAULT (-1), the value from global
4901           configuration is used. If the property doesn't have a value in the
4902           global configuration, NetworkManager assumes the value to be
4903           NM_TERNARY_TRUE (1).
4904
4905           Format: NMTernary (int32)
4906
4907       only-from-default
4908           If set to NM_TERNARY_TRUE (1), NetworkManager attempts to get the
4909           hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this device
4910           only when the device has the default route for the given address
4911           family (IPv4/IPv6).
4912
4913           If set to NM_TERNARY_FALSE (0), the hostname can be set from this
4914           device even if it doesn't have the default route.
4915
4916           When set to NM_TERNARY_DEFAULT (-1), the value from global
4917           configuration is used. If the property doesn't have a value in the
4918           global configuration, NetworkManager assumes the value to be
4919           NM_TERNARY_FALSE (0).
4920
4921           Format: NMTernary (int32)
4922
4923       priority
4924           The relative priority of this connection to determine the system
4925           hostname. A lower numerical value is better (higher priority). A
4926           connection with higher priority is considered before connections
4927           with lower priority.
4928
4929           If the value is zero, it can be overridden by a global value from
4930           NetworkManager configuration. If the property doesn't have a value
4931           in the global configuration, the value is assumed to be 100.
4932
4933           Negative values have the special effect of excluding other
4934           connections with a greater numerical priority value; so in presence
4935           of at least one negative priority, only connections with the lowest
4936           priority value will be used to determine the hostname.
4937
4938           Format: int32
4939
4940   veth setting
4941       Veth Settings.
4942
4943       Properties:
4944
4945       peer
4946           Alias: peer
4947
4948           This property specifies the peer interface name of the veth. This
4949           property is mandatory.
4950
4951           Format: string
4952
4953   Secret flag types:
4954       Each password or secret property in a setting has an associated flags
4955       property that describes how to handle that secret. The flags property
4956       is a bitfield that contains zero or more of the following values
4957       logically OR-ed together.
4958
4959       •   0x0 (none) - the system is responsible for providing and storing
4960           this secret. This may be required so that secrets are already
4961           available before the user logs in. It also commonly means that the
4962           secret will be stored in plain text on disk, accessible to root
4963           only. For example via the keyfile settings plugin as described in
4964           the "PLUGINS" section in NetworkManager.conf(5).
4965
4966       •   0x1 (agent-owned) - a user-session secret agent is responsible for
4967           providing and storing this secret; when it is required, agents will
4968           be asked to provide it.
4969
4970       •   0x2 (not-saved) - this secret should not be saved but should be
4971           requested from the user each time it is required. This flag should
4972           be used for One-Time-Pad secrets, PIN codes from hardware tokens,
4973           or if the user simply does not want to save the secret.
4974
4975       •   0x4 (not-required) - in some situations it cannot be automatically
4976           determined that a secret is required or not. This flag hints that
4977           the secret is not required and should not be requested from the
4978           user.
4979
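An added example, not taken from NetworkManager, that serves both the 802-11-wireless-security properties and the secret flag types above: it reads per-property lines for one Wi-Fi profile, decodes the NMSettingSecretFlags bitfields, and reports legacy key management, explicitly listed legacy ciphers, disabled PMF, and secrets held by the system. The "setting.property:value" line shape, the function names and the sample are assumptions.

```python
import re

SECRET_FLAGS = {0x1: "agent-owned", 0x2: "not-saved", 0x4: "not-required"}
LEGACY_KEY_MGMT = {"none": "WEP or no password protection", "ieee8021x": "Dynamic WEP"}
LEGACY_CIPHERS = {"wep40", "wep104", "tkip"}
PREFIX = "802-11-wireless-security."

def parse_props(text):
    """Map property name -> value for 'setting.property:value' lines."""
    props = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.startswith(PREFIX):
            props[name[len(PREFIX):]] = value.strip()
    return props

def leading_int(value):
    # Accepts "1", "0x1" or "1 (disable)"; an empty value counts as 0.
    m = re.match(r"0[xX][0-9a-fA-F]+|\d+", value)
    s = m.group(0) if m else "0"
    return int(s, 16 if s[:2].lower() == "0x" else 10)

def decode_secret_flags(value):
    """Split an NMSettingSecretFlags bitfield into the names this page lists."""
    flags = leading_int(value)
    if flags & ~0x7:
        raise ValueError(f"unknown secret flag bits in {value!r}")
    return [n for bit, n in SECRET_FLAGS.items() if flags & bit] or ["none"]

def audit(text):
    p, findings = parse_props(text), []
    key_mgmt = p.get("key-mgmt", "")
    if key_mgmt in LEGACY_KEY_MGMT:
        findings.append(f"key-mgmt={key_mgmt}: {LEGACY_KEY_MGMT[key_mgmt]}")
    for prop in ("group", "pairwise"):
        legacy = LEGACY_CIPHERS & set(re.split(r"[,\s]+", p.get(prop, "")))
        if legacy:
            findings.append(f"{prop} explicitly lists {', '.join(sorted(legacy))}")
    if leading_int(p.get("pmf", "")) == 1:
        findings.append("pmf=1: Protected Management Frames disabled")
    for prop in ("psk-flags", "leap-password-flags", "wep-key-flags"):
        if prop in p and decode_secret_flags(p[prop]) == ["none"]:
            findings.append(f"{prop}=0x0: secret provided and stored by the system")
    return findings

# Constructed sample; the "setting.property:value" line shape is an assumption.
SAMPLE = "\n".join(PREFIX + kv for kv in (
    "key-mgmt:wpa-psk", "pairwise:tkip,ccmp", "group:",
    "pmf:1 (disable)", "psk-flags:0 (none)"))
```

An empty group or pairwise list places no restriction on the network's ciphers, so the audit reports only lists that name a legacy cipher outright.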

FILES

4981       /etc/NetworkManager/system-connections or distro plugin-specific
4982       location
4983

SEE ALSO

4985       nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
4986       nm-settings-keyfile(5), NetworkManager.conf(5)
4987
4988
4989
4990NetworkManager 1.40.10                                    NM-SETTINGS-NMCLI(5)