NM-SETTINGS-NMCLI(5) Configuration NM-SETTINGS-NMCLI(5)

nm-settings-nmcli - Description of settings and properties of
NetworkManager connection profiles for nmcli

NetworkManager is based on a concept of connection profiles, sometimes
referred to as connections only. These connection profiles contain a
network configuration. When NetworkManager activates a connection
profile on a network device the configuration will be applied and an
active network connection will be established. Users are free to create
as many connection profiles as they see fit. Thus they are flexible in
having various network configurations for different networking needs.

NetworkManager provides an API for configuring connection profiles, for
activating them to configure the network, and inspecting the current
network configuration. The command line tool nmcli is a client
application to NetworkManager that uses this API. See nmcli(1) for
details.

With commands like nmcli connection add, nmcli connection modify and
nmcli connection show, connection profiles can be created, modified and
inspected. A profile consists of properties. On D-Bus this follows the
format as described by nm-settings-dbus(5), while this manual page
describes the settings in the format expected by nmcli.

The settings and properties shown in the tables below list all available
connection configuration options. However, note that not all settings
are applicable to all connection types. The nmcli connection editor
also has a built-in describe command that can display a description of
particular settings and properties of this page.

The setting and property names can be abbreviated provided they are
unique. The list below also shows aliases that can be used unqualified
instead of the full name. For example connection.interface-name and
ifname refer to the same property.

connection setting
General Connection Profile Settings.

Properties:

connection.auth-retries
The number of retries for the authentication. Zero means to try
indefinitely; -1 means to use a global default. If the global
default is not set, the authentication is retried 3 times before
failing the connection.

Currently, this only applies to 802-1x authentication.

Format: int32

connection.autoconnect
Alias: autoconnect

Whether or not the connection should be automatically connected by
NetworkManager when the resources for the connection are available.
TRUE to automatically activate the connection, FALSE to require
manual intervention to activate the connection.

Autoconnect happens when the circumstances are suitable. That means
for example that the device is currently managed and not active.
Autoconnect thus never replaces or competes with an already active
profile.

Note that autoconnect is not implemented for VPN profiles. See
"secondaries" as an alternative to automatically connect VPN
profiles.

If multiple profiles are ready to autoconnect on the same device,
the one with the better "connection.autoconnect-priority" is
chosen. If the priorities are equal, then the most recently
connected profile is activated. If the profiles were not connected
earlier or their "connection.timestamp" is identical, the choice is
undefined.

Depending on "connection.multi-connect", a profile can
(auto)connect only once at a time or multiple times.

Format: boolean

connection.autoconnect-priority
The autoconnect priority in range -999 to 999. If the connection is
set to autoconnect, connections with higher priority will be
preferred. The higher number means higher priority. Defaults to 0.
Note that this property only matters if there is more than one
candidate profile to select for autoconnect. In case of equal
priority, the profile used most recently is chosen.

Format: int32

connection.autoconnect-retries
The number of times a connection should be tried when
autoactivating before giving up. Zero means forever, -1 means the
global default (4 times if not overridden). Setting this to 1 means
to try activation only once before blocking autoconnect. Note that
after a timeout, NetworkManager will try to autoconnect again.

Format: int32

connection.autoconnect-slaves
Whether or not slaves of this connection should be automatically
brought up when NetworkManager activates this connection. This only
has a real effect for master connections. The properties
"autoconnect", "autoconnect-priority" and "autoconnect-retries" are
unrelated to this setting. The permitted values are: 0: leave slave
connections untouched, 1: activate all the slave connections with
this connection, -1: default. If -1 (default) is set, global
connection.autoconnect-slaves is read to determine the real value.
If it is default as well, this falls back to 0.

Format: NMSettingConnectionAutoconnectSlaves (int32)

connection.dns-over-tls
Whether DNSOverTls (dns-over-tls) is enabled for the connection.
DNSOverTls is a technology which uses TLS to encrypt DNS traffic.

The permitted values are: "yes" (2) use DNSOverTls and disable
fallback, "opportunistic" (1) use DNSOverTls but allow fallback to
unencrypted resolution, "no" (0) don't ever use DNSOverTls. If
unspecified, "default" depends on the plugin used. Systemd-resolved
uses the global setting.

This feature requires a plugin which supports DNSOverTls.
Otherwise, the setting has no effect. One such plugin is
dns-systemd-resolved.

Format: int32

connection.gateway-ping-timeout
If greater than zero, delay success of IP addressing until either
the timeout is reached, or an IP gateway replies to a ping.

Format: uint32

connection.id
Alias: con-name

A human readable unique identifier for the connection, like "Work
Wi-Fi" or "T-Mobile 3G".

Format: string

connection.interface-name
Alias: ifname

The name of the network interface this connection is bound to. If
not set, then the connection can be attached to any interface of
the appropriate type (subject to restrictions imposed by other
settings).

For software devices this specifies the name of the created device.

For connection types where interface names cannot easily be made
persistent (e.g. mobile broadband or USB Ethernet), this property
should not be used. Setting this property restricts the interfaces
a connection can be used with, and if interface names change or are
reordered the connection may be applied to the wrong interface.

Format: string

connection.lldp
Whether LLDP is enabled for the connection.

Format: int32

connection.llmnr
Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for
the connection. LLMNR is a protocol based on the Domain Name System
(DNS) packet format that allows both IPv4 and IPv6 hosts to perform
name resolution for hosts on the same local link.

The permitted values are: "yes" (2) register hostname and resolving
for the connection, "no" (0) disable LLMNR for the interface,
"resolve" (1) do not register hostname but allow resolving of LLMNR
host names. If unspecified, "default" ultimately depends on the DNS
plugin (which for systemd-resolved currently means "yes").

This feature requires a plugin which supports LLMNR. Otherwise, the
setting has no effect. One such plugin is dns-systemd-resolved.

Format: int32

connection.master
Alias: master

Interface name of the master device or UUID of the master
connection.

Format: string

connection.mdns
Whether mDNS is enabled for the connection.

The permitted values are: "yes" (2) register hostname and resolving
for the connection, "no" (0) disable mDNS for the interface,
"resolve" (1) do not register hostname but allow resolving of mDNS
host names and "default" (-1) to allow lookup of a global default
in NetworkManager.conf. If unspecified, "default" ultimately
depends on the DNS plugin (which for systemd-resolved currently
means "no").

This feature requires a plugin which supports mDNS. Otherwise, the
setting has no effect. One such plugin is dns-systemd-resolved.

Format: int32

connection.metered
Whether the connection is metered.

When updating this property on a currently activated connection,
the change takes effect immediately.

Format: NMMetered (int32)

connection.mptcp-flags
Whether to configure MPTCP endpoints and the address flags. If
MPTCP is enabled in NetworkManager, it will configure the addresses
of the interface as MPTCP endpoints. Note that IPv4 loopback
addresses (127.0.0.0/8), IPv4 link local addresses
(169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local
addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7)
and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy)
will be excluded from being configured as endpoints.

If "disabled" (0x1), MPTCP handling for the interface is disabled
and no endpoints are registered.

The "enabled" (0x2) flag means that MPTCP handling is enabled. This
flag can also be implied from the presence of other flags.

Even when enabled, MPTCP handling will by default still be disabled
unless "/proc/sys/net/mptcp/enabled" sysctl is on. NetworkManager
does not change the sysctl and this is up to the administrator or
distribution. To configure endpoints even if the sysctl is
disabled, "also-without-sysctl" (0x4) flag can be used. In that
case, NetworkManager doesn't look at the sysctl and configures
endpoints regardless.

Even when enabled, NetworkManager will only configure MPTCP
endpoints for a certain address family, if there is a unicast
default route (0.0.0.0/0 or ::/0) in the main routing table. The
flag "also-without-default-route" (0x8) can override that.

When MPTCP handling is enabled then endpoints are configured with
the specified address flags "signal" (0x10), "subflow" (0x20),
"backup" (0x40), "fullmesh" (0x80). See ip-mptcp(8) manual for
additional information about the flags.

If the flags are zero (0x0), the global connection default from
NetworkManager.conf is honored. If still unspecified, the fallback
is "enabled,subflow". Note that this means that MPTCP is by default
done depending on the "/proc/sys/net/mptcp/enabled" sysctl.

NetworkManager does not change the MPTCP limits nor enable MPTCP
via "/proc/sys/net/mptcp/enabled". That is a host configuration
which the admin can change via sysctl and ip-mptcp.

Strict reverse path filtering (rp_filter) breaks many MPTCP use
cases, so when MPTCP handling for IPv4 addresses on the interface
is enabled, NetworkManager would loosen the strict reverse path
filtering (1) to the loose setting (2).

Format: uint32

connection.mud-url
If configured, set to a Manufacturer Usage Description (MUD) URL
that points to manufacturer-recommended network policies for IoT
devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value
must be a valid URL starting with "https://".

The special value "none" is allowed to indicate that no MUD URL is
used.

If the per-profile value is unspecified (the default), a global
connection default gets consulted. If still unspecified, the
ultimate default is "none".

Format: string

connection.multi-connect
Specifies whether the profile can be active multiple times at a
particular moment. The value is of type NMConnectionMultiConnect.

Format: int32

connection.permissions
An array of strings defining what access a given user has to this
connection. If this is NULL or empty, all users are allowed to
access this connection; otherwise users are allowed if and only if
they are in this list. When this is not empty, the connection can
be active only when one of the specified users is logged into an
active session. Each entry is of the form "[type]:[id]:[reserved]";
for example, "user:dcbw:blah".

At this time only the "user" [type] is allowed. Any other values
are ignored and reserved for future use. [id] is the username that
this permission refers to, which may not contain the ":" character.
Any [reserved] information present must be ignored and is reserved
for future use. All of [type], [id], and [reserved] must be valid
UTF-8.

Format: array of string

connection.secondaries
List of connection UUIDs that should be activated when the base
connection itself is activated. Currently, only VPN connections are
supported.

Format: array of string

connection.slave-type
Alias: slave-type

Setting name of the device type of this slave's master connection
(e.g., "bond"), or NULL if this connection is not a slave.

Format: string

connection.stable-id
This represents the identity of the connection used for various
purposes. It allows multiple profiles to be configured to share the
identity. Also, the stable-id can contain placeholders that are
substituted dynamically and deterministically depending on the
context.

The stable-id is used for generating IPv6 stable private addresses
with ipv6.addr-gen-mode=stable-privacy. It is also used to seed the
generated cloned MAC address for ethernet.cloned-mac-address=stable
and wifi.cloned-mac-address=stable. It is also used to derive the
DHCP client identifier with ipv4.dhcp-client-id=stable, the DHCPv6
DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid] and the DHCP IAID
with ipv4.iaid=stable and ipv6.iaid=stable.

Note that depending on the context where it is used, other
parameters are also seeded into the generation algorithm. For
example, a per-host key is commonly also included, so that
different systems end up generating different IDs. Or with
ipv6.addr-gen-mode=stable-privacy, also the device's name is
included, so that different interfaces yield different addresses.
The per-host key is the identity of your machine and stored in
/var/lib/NetworkManager/secret_key. See NetworkManager(8) manual
about the secret-key and the host identity.

The '$' character is treated specially to perform dynamic
substitutions at activation time. Currently supported are
"${CONNECTION}", "${DEVICE}", "${MAC}", "${BOOT}", "${RANDOM}".
These effectively create unique IDs per-connection, per-device,
per-boot, or every time. The "${CONNECTION}" uses the profile's
connection.uuid, the "${DEVICE}" uses the interface name of the
device and "${MAC}" the permanent MAC address of the device. Any
unrecognized patterns following '$' are treated verbatim, but
are reserved for future use. You are thus advised to avoid '$' or
escape it as "$$". For example, set it to
"${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this
connection that changes with every reboot and differs depending on
the interface where the profile activates.

If the value is unset, a global connection default is consulted. If
the value is still unset, the default is "default${CONNECTION}" to
generate an ID unique per connection profile.

Format: string

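Added example, not part of the NetworkManager manual: a shell linter for
connection.stable-id values that follows the placeholder rules above. It
reports which placeholders a value uses, how often the identifiers derived
from it change, and any '$' that is neither escaped nor a known placeholder.
The function name lint_stable_id, its output format and the sample values
are assumptions made for this example.

```sh
#!/bin/sh
# Added example: lint a connection.stable-id value.
# Typical input on a host with NetworkManager:
#   lint_stable_id "$(nmcli -g connection.stable-id connection show "$PROFILE")"

lint_stable_id() (
    rest=$1      # text not yet scanned
    found=""     # recognized placeholders, comma separated, in order of use
    bad=0        # '$' that is neither "$$" nor a known placeholder

    while :; do
        case $rest in
            *\$*) ;;            # another '$' to look at
            *)    break ;;
        esac
        rest=${rest#*\$}        # drop everything up to and including that '$'

        case $rest in
            \$*) rest=${rest#?}; continue ;;   # "$$" is an escaped literal '$'
        esac

        hit=""
        for name in CONNECTION DEVICE MAC BOOT RANDOM; do
            tok="{$name}"
            case $rest in
                "$tok"*) hit=$name; rest=${rest#"$tok"}; break ;;
            esac
        done

        if [ -n "$hit" ]; then
            found=${found:+$found,}$hit
        else
            bad=$((bad + 1))    # treated verbatim today, reserved for future use
        fi
    done

    # How often the derived IDs (stable-privacy address, cloned MAC,
    # DHCP client ID, DUID, IAID) change for a given profile and device.
    case ",$found," in
        *,RANDOM,*) rotation=every-activation ;;
        *,BOOT,*)   rotation=per-boot ;;
        *)          rotation=static ;;
    esac

    printf 'placeholders=%s rotation=%s unrecognized=%s\n' \
        "${found:-none}" "$rotation" "$bad"
    [ "$bad" -eq 0 ]            # non-zero status when a stray '$' was found
)

# Constructed sample values; single quotes stop the shell expanding "${...}".
lint_stable_id '${CONNECTION}-${BOOT}-${DEVICE}'
lint_stable_id 'guest-wifi-${RANDOM}'
lint_stable_id 'lab-$$-shared'
lint_stable_id 'site-$HOSTNAME' || echo "  -> escape the '\$' as '\$\$'"
```

A "static" result with no placeholders means every profile carrying the same
value shares one identity on this host, which is the sharing case described
above.
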
connection.timestamp
The time, in seconds since the Unix Epoch, that the connection was
last _successfully_ fully activated.

NetworkManager updates the connection timestamp periodically when
the connection is active to ensure that an active connection has
the latest timestamp. The property is only meant for reading
(changes to this property will not be preserved).

Format: uint64

connection.type
Alias: type

Base type of the connection. For hardware-dependent connections,
should contain the setting name of the hardware-type specific
setting (e.g., "802-3-ethernet" or "802-11-wireless" or "bluetooth",
etc), and for non-hardware dependent connections like VPN or
otherwise, should contain the setting name of that setting type
(e.g., "vpn" or "bridge", etc).

Format: string

connection.uuid
The connection.uuid is the real identifier of a profile. It cannot
change and it must be unique. It is therefore often best to refer
to a profile by UUID, for example with
`nmcli connection up uuid $UUID`.

The UUID cannot be changed, except in offline mode. In that case,
the special values "new", "generate" and "" are allowed to generate
a new random UUID.

Format: a valid RFC4122 universally unique identifier (UUID).

connection.wait-activation-delay
Time in milliseconds to wait for connection to be considered
activated. The wait will start after the pre-up dispatcher event.

The value 0 means no wait time. The default value is -1, which
currently has the same meaning as no wait time.

Format: int32

connection.wait-device-timeout
Timeout in milliseconds to wait for device at startup. During boot,
devices may take a while to be detected by the driver. This
property delays NetworkManager-wait-online.service and nm-online
to give the device a chance to appear. This works by
waiting for the given timeout until a compatible device for the
profile is available and managed.

The value 0 means no wait time. The default value is -1, which
currently has the same meaning as no wait time.

Format: int32

connection.zone
The trust level of the connection. Free form case-insensitive
string (for example "Home", "Work", "Public"). NULL or unspecified
zone means the connection will be placed in the default zone as
defined by the firewall.

When updating this property on a currently activated connection,
the change takes effect immediately.

Format: string

6lowpan setting
6LoWPAN Settings.

Properties:

6lowpan.parent
Alias: dev

If given, specifies the parent interface name or parent connection
UUID from which this 6LowPAN interface should be created.

Format: string

802-1x setting
IEEE 802.1x Authentication Settings.

Properties:

802-1x.altsubject-matches
List of strings to be matched against the altSubjectName of the
certificate presented by the authentication server. If the list is
empty, no verification of the server certificate's altSubjectName
is performed.

Format: array of string

802-1x.anonymous-identity
Anonymous identity string for EAP authentication methods. Used as
the unencrypted identity with EAP types that support different
tunneled identity like EAP-TTLS.

Format: string

802-1x.auth-timeout
A timeout for the authentication. Zero means the global default; if
the global default is not set, the authentication timeout is 25
seconds.

Format: int32

802-1x.ca-cert
Contains the CA certificate if used by the EAP method specified in
the "eap" property.

Certificate data is specified using a "scheme"; three are currently
supported: blob, path and pkcs#11 URL. When using the blob scheme
this property should be set to the certificate's DER encoded data.
When using the path scheme, this property should be set to the full
UTF-8 encoded path of the certificate, prefixed with the string
"file://" and ending with a terminating NUL byte. This property can
be unset even if the EAP method supports CA certificates, but this
allows man-in-the-middle attacks and is NOT recommended.

Note that enabling NMSetting8021x:system-ca-certs will override
this setting to use the built-in path, if the built-in path is not
a directory.

Format: byte array

802-1x.ca-cert-password
The password used to access the CA certificate stored in "ca-cert"
property. Only makes sense if the certificate is stored on a
PKCS#11 token that requires a login.

Format: string

802-1x.ca-cert-password-flags
Flags indicating how to handle the "ca-cert-password" property.

See the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

802-1x.ca-path
UTF-8 encoded path to a directory containing PEM or DER formatted
certificates to be added to the verification chain in addition to
the certificate specified in the "ca-cert" property.

If NMSetting8021x:system-ca-certs is enabled and the built-in CA
path is an existing directory, then this setting is ignored.

Format: string

802-1x.client-cert
Contains the client certificate if used by the EAP method specified
in the "eap" property.

Certificate data is specified using a "scheme"; two are currently
supported: blob and path. When using the blob scheme (which is
backwards compatible with NM 0.7.x) this property should be set to
the certificate's DER encoded data. When using the path scheme,
this property should be set to the full UTF-8 encoded path of the
certificate, prefixed with the string "file://" and ending with a
terminating NUL byte.

Format: byte array

802-1x.client-cert-password
The password used to access the client certificate stored in
"client-cert" property. Only makes sense if the certificate is
stored on a PKCS#11 token that requires a login.

Format: string

802-1x.client-cert-password-flags
Flags indicating how to handle the "client-cert-password" property.

See the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

802-1x.domain-match
Constraint for server domain name. If set, this list of FQDNs is
used as a match requirement for dNSName element(s) of the
certificate presented by the authentication server. If a matching
dNSName is found, this constraint is met. If no dNSName values are
present, this constraint is matched against SubjectName CN using
the same comparison. Multiple valid FQDNs can be passed as a ";"
delimited list.

Format: string

802-1x.domain-suffix-match
Constraint for server domain name. If set, this FQDN is used as a
suffix match requirement for dNSName element(s) of the certificate
presented by the authentication server. If a matching dNSName is
found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using the same
suffix match comparison. Since version 1.24, multiple valid FQDNs
can be passed as a ";" delimited list.

Format: string

802-1x.eap
The allowed EAP method to be used when authenticating to the
network with 802.1x. Valid methods are: "leap", "md5", "tls",
"peap", "ttls", "pwd", and "fast". Each method requires different
configuration using the properties of this setting; refer to
wpa_supplicant documentation for the allowed combinations.

Format: array of string

802-1x.identity
Identity string for EAP authentication methods. Often the user's
user or login name.

Format: string

802-1x.optional
Whether the 802.1X authentication is optional. If TRUE, the
activation will continue even after a timeout or an authentication
failure. Setting the property to TRUE is currently allowed only for
Ethernet connections. If set to FALSE, the activation can continue
only after a successful authentication.

Format: boolean

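Added example, not part of the NetworkManager manual: a shell check of the
server-validation properties described above (ca-cert, ca-path,
altsubject-matches, domain-match, domain-suffix-match, optional), run over
the terse output of nmcli for one profile. The function names, finding
labels and sample profiles are constructed for this example;
802-1x.system-ca-certs is the nmcli name of the
NMSetting8021x:system-ca-certs property mentioned above.

```sh
#!/bin/sh
# Added example: report weak 802.1X server validation in one profile.
# On a host with NetworkManager, feed it terse nmcli output:
#   nmcli -t -f 802-1x connection show "$PROFILE" | audit_8021x

# Print the value of property $1 from the "name:value" lines in $2.
# An absent property, an empty value and "--" all count as unset.
prop() {
    printf '%s\n' "$2" | awk -v k="$1" '
        index($0, k ":") == 1 {
            v = substr($0, length(k) + 2)
            if (v == "--") v = ""
            print v
            exit
        }'
}

# Reads the profile on stdin, prints one line per finding and returns
# non-zero when there is at least one finding.
audit_8021x() (
    out=$(cat)
    n=0
    flag() { n=$((n + 1)); printf '%s: %s\n' "$1" "$2"; }

    if [ -z "$(prop 802-1x.eap "$out")" ]; then
        exit 0                  # no EAP method set: not an 802.1X profile
    fi

    # Trust anchor. The manual states that leaving ca-cert unset allows
    # man-in-the-middle attacks.
    if [ -z "$(prop 802-1x.ca-cert "$out")" ] &&
       [ -z "$(prop 802-1x.ca-path "$out")" ] &&
       [ "$(prop 802-1x.system-ca-certs "$out")" != "yes" ]; then
        flag NO-CA "no ca-cert, ca-path or system-ca-certs; the server certificate cannot be verified"
    fi

    # Server name constraint. With all three empty, nothing ties the
    # certificate to the expected authentication server.
    if [ -z "$(prop 802-1x.domain-match "$out")" ] &&
       [ -z "$(prop 802-1x.domain-suffix-match "$out")" ] &&
       [ -z "$(prop 802-1x.altsubject-matches "$out")" ]; then
        flag NO-NAME "no domain-match, domain-suffix-match or altsubject-matches; the server name is not checked"
    fi

    # optional=TRUE lets activation continue after failed authentication.
    if [ "$(prop 802-1x.optional "$out")" = "yes" ]; then
        flag OPTIONAL "802-1x.optional is TRUE; activation continues after an authentication failure"
    fi

    [ "$n" -eq 0 ]
)

# Constructed sample profiles in the terse "name:value" form.
sample_weak() {
    printf '%s\n' \
        '802-1x.eap:peap' \
        '802-1x.identity:alice' \
        '802-1x.ca-cert:' \
        '802-1x.ca-path:' \
        '802-1x.system-ca-certs:no' \
        '802-1x.domain-match:' \
        '802-1x.domain-suffix-match:' \
        '802-1x.altsubject-matches:' \
        '802-1x.phase2-auth:mschapv2' \
        '802-1x.optional:yes'
}

sample_strong() {
    printf '%s\n' \
        '802-1x.eap:peap' \
        '802-1x.identity:alice' \
        '802-1x.ca-cert:/etc/pki/example-radius-ca.pem' \
        '802-1x.system-ca-certs:no' \
        '802-1x.domain-suffix-match:radius.example.org' \
        '802-1x.phase2-auth:mschapv2' \
        '802-1x.optional:no'
}

sample_weak   | audit_8021x || echo "sample_weak: findings listed above"
sample_strong | audit_8021x && echo "sample_strong: no findings"
```
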
802-1x.pac-file
UTF-8 encoded file path containing PAC for EAP-FAST.

Format: string

802-1x.password
UTF-8 encoded password used for EAP authentication methods. If both
the "password" property and the "password-raw" property are
specified, "password" is preferred.

Format: string

802-1x.password-flags
Flags indicating how to handle the "password" property.

See the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

802-1x.password-raw
Password used for EAP authentication methods, given as a byte array
to allow passwords in other encodings than UTF-8 to be used. If
both the "password" property and the "password-raw" property are
specified, "password" is preferred.

Format: byte array

802-1x.password-raw-flags
Flags indicating how to handle the "password-raw" property.

See the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

802-1x.phase1-auth-flags
Specifies authentication flags to use in "phase 1" outer
authentication using NMSetting8021xAuthFlags options. The
individual TLS versions can be explicitly disabled. TLS time checks
can be also disabled. If a certain TLS disable flag is not set, it
is up to the supplicant to allow or forbid it. The TLS options map
to tls_disable_tlsv1_x and tls_disable_time_checks settings. See
the wpa_supplicant documentation for more details.

Format: uint32

802-1x.phase1-fast-provisioning
Enables or disables in-line provisioning of EAP-FAST credentials
when FAST is specified as the EAP method in the "eap" property.
Recognized values are "0" (disabled), "1" (allow unauthenticated
provisioning), "2" (allow authenticated provisioning), and "3"
(allow both authenticated and unauthenticated provisioning). See
the wpa_supplicant documentation for more details.

Format: string

802-1x.phase1-peaplabel
Forces use of the new PEAP label during key derivation. Some RADIUS
servers may require forcing the new PEAP label to interoperate with
PEAPv1. Set to "1" to force use of the new PEAP label. See the
wpa_supplicant documentation for more details.

Format: string

802-1x.phase1-peapver
Forces which PEAP version is used when PEAP is set as the EAP
method in the "eap" property. When unset, the version reported by
the server will be used. Sometimes when using older RADIUS servers,
it is necessary to force the client to use a particular PEAP
version. To do so, this property may be set to "0" or "1" to force
that specific PEAP version.

Format: string

802-1x.phase2-altsubject-matches
List of strings to be matched against the altSubjectName of the
certificate presented by the authentication server during the inner
"phase 2" authentication. If the list is empty, no verification of
the server certificate's altSubjectName is performed.

Format: array of string

802-1x.phase2-auth
Specifies the allowed "phase 2" inner authentication method when an
EAP method that uses an inner TLS tunnel is specified in the "eap"
property. For TTLS this property selects one of the supported
non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while
"phase2-autheap" selects an EAP inner method. For PEAP this selects
an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each
"phase 2" inner method requires specific parameters for successful
authentication; see the wpa_supplicant documentation for more
details. Both "phase2-auth" and "phase2-autheap" cannot be
specified.

Format: string

802-1x.phase2-autheap
Specifies the allowed "phase 2" inner EAP-based authentication
method when TTLS is specified in the "eap" property. Recognized
EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc",
and "tls". Each "phase 2" inner method requires specific parameters
for successful authentication; see the wpa_supplicant documentation
for more details.

Format: string

802-1x.phase2-ca-cert
Contains the "phase 2" CA certificate if used by the EAP method
specified in the "phase2-auth" or "phase2-autheap" properties.

Certificate data is specified using a "scheme"; three are currently
supported: blob, path and pkcs#11 URL. When using the blob scheme
this property should be set to the certificate's DER encoded data.
When using the path scheme, this property should be set to the full
UTF-8 encoded path of the certificate, prefixed with the string
"file://" and ending with a terminating NUL byte. This property can
be unset even if the EAP method supports CA certificates, but this
allows man-in-the-middle attacks and is NOT recommended.

Note that enabling NMSetting8021x:system-ca-certs will override
this setting to use the built-in path, if the built-in path is not
a directory.

Format: byte array

802-1x.phase2-ca-cert-password
The password used to access the "phase2" CA certificate stored in
"phase2-ca-cert" property. Only makes sense if the certificate is
stored on a PKCS#11 token that requires a login.

Format: string

802-1x.phase2-ca-cert-password-flags
Flags indicating how to handle the "phase2-ca-cert-password"
property.

See the section called “Secret flag types:” for flag values.

Format: NMSettingSecretFlags (uint32)

802-1x.phase2-ca-path
UTF-8 encoded path to a directory containing PEM or DER formatted
certificates to be added to the verification chain in addition to
the certificate specified in the "phase2-ca-cert" property.

If NMSetting8021x:system-ca-certs is enabled and the built-in CA
path is an existing directory, then this setting is ignored.

Format: string

742 802-1x.phase2-client-cert
743 Contains the "phase 2" client certificate if used by the EAP method
744 specified in the "phase2-auth" or "phase2-autheap" properties.
745
746 Certificate data is specified using a "scheme"; two are currently
747 supported: blob and path. When using the blob scheme (which is
748 backwards compatible with NM 0.7.x) this property should be set to
749 the certificate's DER encoded data. When using the path scheme,
750 this property should be set to the full UTF-8 encoded path of the
751 certificate, prefixed with the string "file://" and ending with a
752 terminating NUL byte. This property can be unset even if the EAP
753 method supports CA certificates, but this allows man-in-the-middle
754 attacks and is NOT recommended.
755
756 Format: byte array
757
758 802-1x.phase2-client-cert-password
759 The password used to access the "phase2" client certificate stored
760 in "phase2-client-cert" property. Only makes sense if the
761 certificate is stored on a PKCS#11 token that requires a login.
762
763 Format: string
764
765 802-1x.phase2-client-cert-password-flags
766 Flags indicating how to handle the "phase2-client-cert-password"
767 property.
768
769 See the section called “Secret flag types:” for flag values.
770
771 Format: NMSettingSecretFlags (uint32)
772
773 802-1x.phase2-domain-match
774 Constraint for server domain name. If set, this list of FQDNs is
775 used as a match requirement for dNSName element(s) of the
776 certificate presented by the authentication server during the inner
777 "phase 2" authentication. If a matching dNSName is found, this
778 constraint is met. If no dNSName values are present, this
779 constraint is matched against SubjectName CN using the same
780 comparison. Multiple valid FQDNs can be passed as a ";" delimited
781 list.
782
783 Format: string
784
785 802-1x.phase2-domain-suffix-match
786 Constraint for server domain name. If set, this FQDN is used as a
787 suffix match requirement for dNSName element(s) of the certificate
788 presented by the authentication server during the inner "phase 2"
789 authentication. If a matching dNSName is found, this constraint is
790 met. If no dNSName values are present, this constraint is matched
791 against SubjectName CN using the same suffix match comparison. Since
792 version 1.24, multiple valid FQDNs can be passed as a ";" delimited
793 list.
794
795 Format: string
796
797 802-1x.phase2-private-key
798 Contains the "phase 2" inner private key when the "phase2-auth" or
799 "phase2-autheap" property is set to "tls".
800
801 Key data is specified using a "scheme"; two are currently
802 supported: blob and path. When using the blob scheme and private
803 keys, this property should be set to the key's encrypted PEM
804 encoded data. When using private keys with the path scheme, this
805 property should be set to the full UTF-8 encoded path of the key,
806 prefixed with the string "file://" and ending with a terminating
807 NUL byte. When using PKCS#12 format private keys and the blob
808 scheme, this property should be set to the PKCS#12 data and the
809 "phase2-private-key-password" property must be set to the password used
810 to decrypt the PKCS#12 certificate and key. When using PKCS#12
811 files and the path scheme, this property should be set to the full
812 UTF-8 encoded path of the key, prefixed with the string "file://"
813 and ending with a terminating NUL byte, and as with the blob scheme
814 the "phase2-private-key-password" property must be set to the
815 password used to decode the PKCS#12 private key and certificate.
816
817 Format: byte array
818
819 802-1x.phase2-private-key-password
820 The password used to decrypt the "phase 2" private key specified in
821 the "phase2-private-key" property when the private key either uses
822 the path scheme, or is a PKCS#12 format key.
823
824 Format: string
825
826 802-1x.phase2-private-key-password-flags
827 Flags indicating how to handle the "phase2-private-key-password"
828 property.
829
830 See the section called “Secret flag types:” for flag values.
831
832 Format: NMSettingSecretFlags (uint32)
833
834 802-1x.phase2-subject-match
835 Substring to be matched against the subject of the certificate
836 presented by the authentication server during the inner "phase 2"
837 authentication. When unset, no verification of the authentication
838 server certificate's subject is performed. This property provides
839 little security, if any, and should not be used.
840
841 This property is deprecated since version 1.2. Use
842 "phase2-domain-suffix-match" instead.
843
844 Format: string
845
846 802-1x.pin
847 PIN used for EAP authentication methods.
848
849 Format: string
850
851 802-1x.pin-flags
852 Flags indicating how to handle the "pin" property.
853
854 See the section called “Secret flag types:” for flag values.
855
856 Format: NMSettingSecretFlags (uint32)
857
858 802-1x.private-key
859 Contains the private key when the "eap" property is set to "tls".
860
861 Key data is specified using a "scheme"; two are currently
862 supported: blob and path. When using the blob scheme and private
863 keys, this property should be set to the key's encrypted PEM
864 encoded data. When using private keys with the path scheme, this
865 property should be set to the full UTF-8 encoded path of the key,
866 prefixed with the string "file://" and ending with a terminating
867 NUL byte. When using PKCS#12 format private keys and the blob
868 scheme, this property should be set to the PKCS#12 data and the
869 "private-key-password" property must be set to the password used to
870 decrypt the PKCS#12 certificate and key. When using PKCS#12 files
871 and the path scheme, this property should be set to the full UTF-8
872 encoded path of the key, prefixed with the string "file://" and
873 ending with a terminating NUL byte, and as with the blob scheme the
874 "private-key-password" property must be set to the password used to
875 decode the PKCS#12 private key and certificate.
876
877 WARNING: "private-key" is not a "secret" property, and thus
878 unencrypted private key data using the BLOB scheme may be readable
879 by unprivileged users. Private keys should always be encrypted with
880 a private key password to prevent unauthorized access to
881 unencrypted private key data.
882
883 Format: byte array
884
885 802-1x.private-key-password
886 The password used to decrypt the private key specified in the
887 "private-key" property when the private key either uses the path
888 scheme, or if the private key is a PKCS#12 format key.
889
890 Format: string
891
892 802-1x.private-key-password-flags
893 Flags indicating how to handle the "private-key-password" property.
894
895 See the section called “Secret flag types:” for flag values.
896
897 Format: NMSettingSecretFlags (uint32)
898
899 802-1x.subject-match
900 Substring to be matched against the subject of the certificate
901 presented by the authentication server. When unset, no verification
902 of the authentication server certificate's subject is performed.
903 This property provides little security, if any, and should not be
904 used.
905
906 This property is deprecated since version 1.2. Use
907 "phase2-domain-suffix-match" instead.
908
909 Format: string
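
The following is an added example, not NetworkManager or wpa_supplicant code: it models the server-name check described for "phase2-domain-suffix-match" next to the substring test of the deprecated subject-match properties, to show why the latter "provides little security". The label-by-label comparison is an assumption taken from wpa_supplicant's documentation of its domain_suffix_match option, and the certificate names are constructed.

```python
# Added example: models the checks described for domain-suffix-match and the
# deprecated subject-match. Not NetworkManager or wpa_supplicant code.


def _labels(name):
    # Case-insensitive comparison; a trailing root dot is ignored.
    return name.strip().lower().rstrip(".").split(".")


def suffix_matches(required, presented):
    """True if `presented` equals `required` or is a sub-domain of it.

    Assumption: labels are compared one at a time from the right, so
    "corp.example" accepts "radius.corp.example" but not
    "radius.notcorp.example".
    """
    req, got = _labels(required), _labels(presented)
    if not all(req) or not all(got):
        return False  # empty name or empty label
    return len(got) >= len(req) and got[-len(req):] == req


def domain_suffix_match(setting, dns_names, subject_cn):
    """Evaluate a ';'-delimited list of FQDNs against one certificate.

    dns_names: dNSName values of the certificate (may be empty).
    subject_cn: SubjectName CN, consulted only when no dNSName is present.
    """
    wanted = [p.strip() for p in setting.split(";") if p.strip()]
    if not wanted:
        return True  # property unset: no constraint
    candidates = list(dns_names) if dns_names else [subject_cn or ""]
    return any(suffix_matches(w, c) for w in wanted for c in candidates)


def subject_match(setting, subject):
    """Deprecated subject-match: a plain substring test on the subject."""
    if not setting:
        return True  # unset: the subject is not verified at all
    return setting in subject


# Constructed sample certificates; all names are illustrative.
SAMPLES = {
    "expected": {
        "dns": ["radius.corp.example"],
        "cn": "radius.corp.example",
        "subject": "C=US, O=Example Corp, CN=radius.corp.example",
    },
    "cn-only": {
        "dns": [],
        "cn": "radius2.corp.example",
        "subject": "C=US, O=Example Corp, CN=radius2.corp.example",
    },
    "other-domain": {
        "dns": ["radius.notcorp.example"],
        "cn": "radius.notcorp.example",
        "subject": "C=US, O=Example Corp Users Group, CN=radius.notcorp.example",
    },
}


def evaluate(suffix_setting, subject_setting):
    """Return {sample: (suffix_match_result, subject_match_result)}."""
    return {
        name: (
            domain_suffix_match(suffix_setting, cert["dns"], cert["cn"]),
            subject_match(subject_setting, cert["subject"]),
        )
        for name, cert in SAMPLES.items()
    }


if __name__ == "__main__":
    results = evaluate("corp.example;corp.test", "Example Corp")
    for name, (suffix_ok, subject_ok) in results.items():
        print(f"{name:13} domain-suffix-match={suffix_ok} subject-match={subject_ok}")
```
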
910
911 802-1x.system-ca-certs
912 When TRUE, overrides the "ca-path" and "phase2-ca-path" properties
913 using the system CA directory specified at configure time with the
914 --system-ca-path switch. The certificates in this directory are
915 added to the verification chain in addition to any certificates
916 specified by the "ca-cert" and "phase2-ca-cert" properties. If the
917 path provided with --system-ca-path is rather a file name (bundle
918 of trusted CA certificates), it overrides "ca-cert" and
919 "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options
920 for wpa_supplicant).
921
922 Format: boolean
923
924 adsl setting
925 ADSL Settings.
926
927 Properties:
928
929 adsl.encapsulation
930 Alias: encapsulation
931
932 Encapsulation of ADSL connection. Can be "vcmux" or "llc".
933
934 Format: string
935
936 adsl.password
937 Alias: password
938
939 Password used to authenticate with the ADSL service.
940
941 Format: string
942
943 adsl.password-flags
944 Flags indicating how to handle the "password" property.
945
946 See the section called “Secret flag types:” for flag values.
947
948 Format: NMSettingSecretFlags (uint32)
949
950 adsl.protocol
951 Alias: protocol
952
953 ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
954
955 Format: string
956
957 adsl.username
958 Alias: username
959
960 Username used to authenticate with the ADSL service.
961
962 Format: string
963
964 adsl.vci
965 VCI of ADSL connection
966
967 Format: uint32
968
969 adsl.vpi
970 VPI of ADSL connection
971
972 Format: uint32
973
974 bluetooth setting
975 Bluetooth Settings.
976
977 Properties:
978
979 bluetooth.bdaddr
980 Alias: addr
981
982 The Bluetooth address of the device.
983
984 Format: byte array
985
986 bluetooth.type
987 Alias: bt-type
988
989 Either "dun" for Dial-Up Networking connections or "panu" for
990 Personal Area Networking connections to devices supporting the NAP
991 profile.
992
993 Format: string
994
995 bond setting
996 Bonding Settings.
997
998 Properties:
999
1000 bond.options
1001 Dictionary of key/value pairs of bonding options. Both keys and
1002 values must be strings. Option names must contain only alphanumeric
1003 characters (i.e., [a-zA-Z0-9]).
1004
1005 Format: dict of string to string
1006
1007 bridge setting
1008 Bridging Settings.
1009
1010 Properties:
1011
1012 bridge.ageing-time
1013 Alias: ageing-time
1014
1015 The Ethernet MAC address aging time, in seconds.
1016
1017 Format: uint32
1018
1019 bridge.forward-delay
1020 Alias: forward-delay
1021
1022 The Spanning Tree Protocol (STP) forwarding delay, in seconds.
1023
1024 Format: uint32
1025
1026 bridge.group-address
1027 If specified, the MAC address of the multicast group this bridge
1028 uses for STP.
1029
1030 The address must be a link-local address in standard Ethernet MAC
1031 address format, i.e. an address of the form 01:80:C2:00:00:0X, with X
1032 in [0, 4..F]. If not specified the default value is
1033 01:80:C2:00:00:00.
1034
1035 Format: byte array
1036
1037 bridge.group-forward-mask
1038 Alias: group-forward-mask
1039
1040 A mask of group addresses to forward. Usually, group addresses in
1041 the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
1042 forwarded according to standards. This property is a mask of 16
1043 bits, each corresponding to a group address in that range that must
1044 be forwarded. The mask can't have bits 0, 1 or 2 set because they
1045 are used for STP, MAC pause frames and LACP.
1046
1047 Format: uint32
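
As an added example (not NetworkManager code), the sketch below decodes a "group-forward-mask" value into the link-local group addresses it would forward, rejects the three bits the text reserves, and checks a "group-address" value against the stated form. Function names are hypothetical.

```python
import re

# Bits 0, 1 and 2 are reserved by the text for STP, MAC pause frames and LACP.
RESERVED_BITS = 0b111
_GROUP_ADDR = re.compile(r"01:80:C2:00:00:0([0-9A-F])")


def forwarded_group_addresses(mask):
    """List the 01:80:C2:00:00:0X addresses a 16-bit mask would forward."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("mask must fit in 16 bits")
    if mask & RESERVED_BITS:
        raise ValueError("bits 0, 1 and 2 cannot be set")
    return [f"01:80:C2:00:00:{bit:02X}" for bit in range(16) if mask & (1 << bit)]


def mask_for(addresses):
    """Build the mask that forwards exactly the given group addresses."""
    mask = 0
    for addr in addresses:
        m = _GROUP_ADDR.fullmatch(addr.upper())
        if not m:
            raise ValueError(f"not in 01:80:C2:00:00:00..0F: {addr}")
        bit = int(m.group(1), 16)
        if (1 << bit) & RESERVED_BITS:
            raise ValueError(f"{addr} maps to a reserved bit")
        mask |= 1 << bit
    return mask


def valid_group_address(addr):
    """bridge.group-address: 01:80:C2:00:00:0X with X in [0, 4..F]."""
    m = _GROUP_ADDR.fullmatch(addr.upper())
    return bool(m) and m.group(1) not in "123"


if __name__ == "__main__":
    # 0x4008 sets bit 3 (01:80:C2:00:00:03, the IEEE 802.1X PAE group
    # address) and bit 14. Reviewing a profile's mask this way shows which
    # link-local control frames the bridge will pass between its ports.
    print(forwarded_group_addresses(0x4008))
    print(hex(mask_for(["01:80:c2:00:00:0e"])))
```
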
1048
1049 bridge.hello-time
1050 Alias: hello-time
1051
1052 The Spanning Tree Protocol (STP) hello time, in seconds.
1053
1054 Format: uint32
1055
1056 bridge.mac-address
1057 Alias: mac
1058
1059 If specified, the MAC address of the bridge. When creating a new
1060 bridge, this MAC address will be set.
1061
1062 If this field is left unspecified,
1063 "ethernet.cloned-mac-address" is used instead to generate the
1064 initial MAC address. Note that setting
1065 "ethernet.cloned-mac-address" overwrites the MAC address of
1066 the bridge later anyway, while activating the bridge.
1067
1068 This property is deprecated since version 1.12. Use the
1069 "cloned-mac-address" property instead.
1070
1071 Format: byte array
1072
1073 bridge.max-age
1074 Alias: max-age
1075
1076 The Spanning Tree Protocol (STP) maximum message age, in seconds.
1077
1078 Format: uint32
1079
1080 bridge.multicast-hash-max
1081 Set maximum size of multicast hash table (value must be a power of
1082 2).
1083
1084 Format: uint32
1085
1086 bridge.multicast-last-member-count
1087 Set the number of queries the bridge will send before stopping
1088 forwarding a multicast group after a "leave" message has been
1089 received.
1090
1091 Format: uint32
1092
1093 bridge.multicast-last-member-interval
1094 Set interval (in deciseconds) between queries to find remaining
1095 members of a group, after a "leave" message is received.
1096
1097 Format: uint64
1098
1099 bridge.multicast-membership-interval
1100 Set delay (in deciseconds) after which the bridge will leave a
1101 group, if no membership reports for this group are received.
1102
1103 Format: uint64
1104
1105 bridge.multicast-querier
1106 Enable or disable sending of multicast queries by the bridge. If
1107 not specified the option is disabled.
1108
1109 Format: boolean
1110
1111 bridge.multicast-querier-interval
1112 If no queries are seen after this delay (in deciseconds) has
1113 passed, the bridge will start to send its own queries.
1114
1115 Format: uint64
1116
1117 bridge.multicast-query-interval
1118 Interval (in deciseconds) between queries sent by the bridge after
1119 the end of the startup phase.
1120
1121 Format: uint64
1122
1123 bridge.multicast-query-response-interval
1124 Set the Max Response Time/Max Response Delay (in deciseconds) for
1125 IGMP/MLD queries sent by the bridge.
1126
1127 Format: uint64
1128
1129 bridge.multicast-query-use-ifaddr
1130 If enabled, the bridge's own IP address is used as the source
1131 address for IGMP queries; otherwise the default of 0.0.0.0 is used.
1132
1133 Format: boolean
1134
1135 bridge.multicast-router
1136 Sets bridge's multicast router. Multicast-snooping must be enabled
1137 for this option to work.
1138
1139 Supported values are: 'auto', 'disabled', 'enabled' to which the kernel
1140 assigns the numbers 1, 0, and 2, respectively. If not specified the
1141 default value is 'auto' (1).
1142
1143 Format: string
1144
1145 bridge.multicast-snooping
1146 Alias: multicast-snooping
1147
1148 Controls whether IGMP snooping is enabled for this bridge. Note
1149 that if snooping was automatically disabled due to hash collisions,
1150 the system may refuse to enable the feature until the collisions
1151 are resolved.
1152
1153 Format: boolean
1154
1155 bridge.multicast-startup-query-count
1156 Set the number of IGMP queries to send during startup phase.
1157
1158 Format: uint32
1159
1160 bridge.multicast-startup-query-interval
1161 Sets the time (in deciseconds) between queries sent out at startup
1162 to determine membership information.
1163
1164 Format: uint64
1165
1166 bridge.priority
1167 Alias: priority
1168
1169 Sets the Spanning Tree Protocol (STP) priority for this bridge.
1170 Lower values are "better"; the lowest priority bridge will be
1171 elected the root bridge.
1172
1173 Format: uint32
1174
1175 bridge.stp
1176 Alias: stp
1177
1178 Controls whether Spanning Tree Protocol (STP) is enabled for this
1179 bridge.
1180
1181 Format: boolean
1182
1183 bridge.vlan-default-pvid
1184 The default PVID for the ports of the bridge, that is the VLAN id
1185 assigned to incoming untagged frames.
1186
1187 Format: uint32
1188
1189 bridge.vlan-filtering
1190 Control whether VLAN filtering is enabled on the bridge.
1191
1192 Format: boolean
1193
1194 bridge.vlan-protocol
1195 If specified, the protocol used for VLAN filtering.
1196
1197 Supported values are: '802.1Q', '802.1ad'. If not specified the
1198 default value is '802.1Q'.
1199
1200 Format: string
1201
1202 bridge.vlan-stats-enabled
1203 Controls whether per-VLAN stats accounting is enabled.
1204
1205 Format: boolean
1206
1207 bridge.vlans
1208 Array of bridge VLAN objects. In addition to the VLANs specified
1209 here, the bridge will also have the default-pvid VLAN configured by
1210 the bridge.vlan-default-pvid property.
1211
1212 In nmcli the VLAN list can be specified with the following syntax:
1213
1214 $vid [pvid] [untagged] [, $vid [pvid] [untagged]]...
1215
1216 where $vid is either a single id between 1 and 4094 or a range,
1217 represented as a pair of ids separated by a dash.
1218
1219 Format: array of vardict
1220
1221 bridge-port setting
1222 Bridge Port Settings.
1223
1224 Properties:
1225
1226 bridge-port.hairpin-mode
1227 Alias: hairpin
1228
1229 Enables or disables "hairpin mode" for the port, which allows
1230 frames to be sent back out through the port the frame was received
1231 on.
1232
1233 Format: boolean
1234
1235 bridge-port.path-cost
1236 Alias: path-cost
1237
1238 The Spanning Tree Protocol (STP) port cost for destinations via
1239 this port.
1240
1241 Format: uint32
1242
1243 bridge-port.priority
1244 Alias: priority
1245
1246 The Spanning Tree Protocol (STP) priority of this bridge port.
1247
1248 Format: uint32
1249
1250 bridge-port.vlans
1251 Array of bridge VLAN objects. In addition to the VLANs specified
1252 here, the port will also have the default-pvid VLAN configured on
1253 the bridge by the bridge.vlan-default-pvid property.
1254
1255 In nmcli the VLAN list can be specified with the following syntax:
1256
1257 $vid [pvid] [untagged] [, $vid [pvid] [untagged]]...
1258
1259 where $vid is either a single id between 1 and 4094 or a range,
1260 represented as a pair of ids separated by a dash.
1261
1262 Format: array of vardict
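
The VLAN list syntax shared by "bridge.vlans" and "bridge-port.vlans" can be checked before it is handed to nmcli; the parser below is an added example, not nmcli's own parser. The id bounds and range form come from the text, while the checks in check_vlans (a single PVID, no PVID on a range, no overlapping entries) are assumptions of this example.

```python
import re

VID_MIN, VID_MAX = 1, 4094
# "$vid" is a single id or "first-last"; the optional words follow it.
_ENTRY = re.compile(r"^(\d+)(?:-(\d+))?((?:\s+(?:pvid|untagged))*)$")


def parse_bridge_vlans(text):
    """Parse '$vid [pvid] [untagged] [, $vid ...]' into a list of dicts."""
    vlans = []
    if not text.strip():
        return vlans
    for raw in text.split(","):
        entry = raw.strip()
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed VLAN entry: {entry!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        words = m.group(3).split()
        if len(words) != len(set(words)):
            raise ValueError(f"repeated flag in {entry!r}")
        if not (VID_MIN <= start <= VID_MAX and VID_MIN <= end <= VID_MAX):
            raise ValueError(f"VLAN id outside {VID_MIN}..{VID_MAX}: {entry!r}")
        if start > end:
            raise ValueError(f"range is reversed: {entry!r}")
        vlans.append({
            "vid_start": start,
            "vid_end": end,
            "pvid": "pvid" in words,
            "untagged": "untagged" in words,
        })
    return vlans


def check_vlans(vlans):
    """Sanity checks beyond the syntax (assumptions of this example)."""
    problems = []
    pvids = [v for v in vlans if v["pvid"]]
    if len(pvids) > 1:
        problems.append("more than one entry is marked pvid")
    for v in pvids:
        if v["vid_start"] != v["vid_end"]:
            problems.append(f"pvid set on a range {v['vid_start']}-{v['vid_end']}")
    ordered = sorted(vlans, key=lambda v: v["vid_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["vid_start"] <= a["vid_end"]:
            problems.append(f"entries overlap at VLAN {b['vid_start']}")
    return problems


if __name__ == "__main__":
    # Constructed input.
    parsed = parse_bridge_vlans("10 pvid untagged, 20-22, 100 untagged")
    for vlan in parsed:
        print(vlan)
    print(check_vlans(parsed))
```
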
1263
1264 cdma setting
1265 CDMA-based Mobile Broadband Settings.
1266
1267 Properties:
1268
1269 cdma.mtu
1270 If non-zero, only transmit packets of the specified size or
1271 smaller, breaking larger packets up into multiple frames.
1272
1273 Format: uint32
1274
1275 cdma.number
1276 The number to dial to establish the connection to the CDMA-based
1277 mobile broadband network, if any. If not specified, the default
1278 number (#777) is used when required.
1279
1280 Format: string
1281
1282 cdma.password
1283 Alias: password
1284
1285 The password used to authenticate with the network, if required.
1286 Many providers do not require a password, or accept any password.
1287 But if a password is required, it is specified here.
1288
1289 Format: string
1290
1291 cdma.password-flags
1292 Flags indicating how to handle the "password" property.
1293
1294 See the section called “Secret flag types:” for flag values.
1295
1296 Format: NMSettingSecretFlags (uint32)
1297
1298 cdma.username
1299 Alias: user
1300
1301 The username used to authenticate with the network, if required.
1302 Many providers do not require a username, or accept any username.
1303 But if a username is required, it is specified here.
1304
1305 Format: string
1306
1307 dcb setting
1308 Data Center Bridging Settings.
1309
1310 Properties:
1311
1312 dcb.app-fcoe-flags
1313 Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags
1314 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1315 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1316 NM_SETTING_DCB_FLAG_WILLING (0x4).
1317
1318 Format: NMSettingDcbFlags (uint32)
1319
1320 dcb.app-fcoe-mode
1321 The FCoE controller mode; either "fabric" or "vn2vn".
1322
1323 Since 1.34, NULL is the default and means "fabric". Before 1.34,
1324 NULL was rejected as invalid and the default was "fabric".
1325
1326 Format: string
1327
1328 dcb.app-fcoe-priority
1329 The highest User Priority (0 - 7) which FCoE frames should use, or
1330 -1 for default priority. Only used when the "app-fcoe-flags"
1331 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1332
1333 Format: int32
1334
1335 dcb.app-fip-flags
1336 Specifies the NMSettingDcbFlags for the DCB FIP application. Flags
1337 may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1338 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1339 NM_SETTING_DCB_FLAG_WILLING (0x4).
1340
1341 Format: NMSettingDcbFlags (uint32)
1342
1343 dcb.app-fip-priority
1344 The highest User Priority (0 - 7) which FIP frames should use, or
1345 -1 for default priority. Only used when the "app-fip-flags"
1346 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1347
1348 Format: int32
1349
1350 dcb.app-iscsi-flags
1351 Specifies the NMSettingDcbFlags for the DCB iSCSI application.
1352 Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1353 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1354 NM_SETTING_DCB_FLAG_WILLING (0x4).
1355
1356 Format: NMSettingDcbFlags (uint32)
1357
1358 dcb.app-iscsi-priority
1359 The highest User Priority (0 - 7) which iSCSI frames should use, or
1360 -1 for default priority. Only used when the "app-iscsi-flags"
1361 property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
1362
1363 Format: int32
1364
1365 dcb.priority-bandwidth
1366 An array of 8 uint values, where the array index corresponds to the
1367 User Priority (0 - 7) and the value indicates the percentage of
1368 bandwidth of the priority's assigned group that the priority may
1369 use. The sum of all percentages for priorities which belong to the
1370 same group must total 100 percent.
1371
1372 Format: array of uint32
1373
1374 dcb.priority-flow-control
1375 An array of 8 boolean values, where the array index corresponds to
1376 the User Priority (0 - 7) and the value indicates whether or not
1377 the corresponding priority should transmit priority pause.
1378
1379 Format: array of uint32
1380
1381 dcb.priority-flow-control-flags
1382 Specifies the NMSettingDcbFlags for DCB Priority Flow Control
1383 (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE
1384 (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1385 NM_SETTING_DCB_FLAG_WILLING (0x4).
1386
1387 Format: NMSettingDcbFlags (uint32)
1388
1389 dcb.priority-group-bandwidth
1390 An array of 8 uint values, where the array index corresponds to the
1391 Priority Group ID (0 - 7) and the value indicates the percentage of
1392 link bandwidth allocated to that group. Allowed values are 0 - 100,
1393 and the sum of all values must total 100 percent.
1394
1395 Format: array of uint32
1396
1397 dcb.priority-group-flags
1398 Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may
1399 be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
1400 NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and
1401 NM_SETTING_DCB_FLAG_WILLING (0x4).
1402
1403 Format: NMSettingDcbFlags (uint32)
1404
1405 dcb.priority-group-id
1406 An array of 8 uint values, where the array index corresponds to the
1407 User Priority (0 - 7) and the value indicates the Priority Group
1408 ID. Allowed Priority Group ID values are 0 - 7 or 15 for the
1409 unrestricted group.
1410
1411 Format: array of uint32
1412
1413 dcb.priority-strict-bandwidth
1414 An array of 8 boolean values, where the array index corresponds to
1415 the User Priority (0 - 7) and the value indicates whether or not
1416 the priority may use all of the bandwidth allocated to its assigned
1417 group.
1418
1419 Format: array of uint32
1420
1421 dcb.priority-traffic-class
1422 An array of 8 uint values, where the array index corresponds to the
1423 User Priority (0 - 7) and the value indicates the traffic class (0
1424 - 7) to which the priority is mapped.
1425
1426 Format: array of uint32
1427
1428 ethtool setting
1429 Ethtool Ethernet Settings.
1430
1431 Properties:
1432
1433 ethtool.coalesce-adaptive-rx
1434
1435 ethtool.coalesce-adaptive-tx
1436
1437 ethtool.coalesce-pkt-rate-high
1438
1439 ethtool.coalesce-pkt-rate-low
1440
1441 ethtool.coalesce-rx-frames
1442
1443 ethtool.coalesce-rx-frames-high
1444
1445 ethtool.coalesce-rx-frames-irq
1446
1447 ethtool.coalesce-rx-frames-low
1448
1449 ethtool.coalesce-rx-usecs
1450
1451 ethtool.coalesce-rx-usecs-high
1452
1453 ethtool.coalesce-rx-usecs-irq
1454
1455 ethtool.coalesce-rx-usecs-low
1456
1457 ethtool.coalesce-sample-interval
1458
1459 ethtool.coalesce-stats-block-usecs
1460
1461 ethtool.coalesce-tx-frames
1462
1463 ethtool.coalesce-tx-frames-high
1464
1465 ethtool.coalesce-tx-frames-irq
1466
1467 ethtool.coalesce-tx-frames-low
1468
1469 ethtool.coalesce-tx-usecs
1470
1471 ethtool.coalesce-tx-usecs-high
1472
1473 ethtool.coalesce-tx-usecs-irq
1474
1475 ethtool.coalesce-tx-usecs-low
1476
1477 ethtool.feature-esp-hw-offload
1478
1479 ethtool.feature-esp-tx-csum-hw-offload
1480
1481 ethtool.feature-fcoe-mtu
1482
1483 ethtool.feature-gro
1484
1485 ethtool.feature-gso
1486
1487 ethtool.feature-highdma
1488
1489 ethtool.feature-hw-tc-offload
1490
1491 ethtool.feature-l2-fwd-offload
1492
1493 ethtool.feature-loopback
1494
1495 ethtool.feature-lro
1496
1497 ethtool.feature-macsec-hw-offload
1498
1499 ethtool.feature-ntuple
1500
1501 ethtool.feature-rx
1502
1503 ethtool.feature-rx-all
1504
1505 ethtool.feature-rx-fcs
1506
1507 ethtool.feature-rx-gro-hw
1508
1509 ethtool.feature-rx-gro-list
1510
1511 ethtool.feature-rx-udp-gro-forwarding
1512
1513 ethtool.feature-rx-udp_tunnel-port-offload
1514
1515 ethtool.feature-rx-vlan-filter
1516
1517 ethtool.feature-rx-vlan-stag-filter
1518
1519 ethtool.feature-rx-vlan-stag-hw-parse
1520
1521 ethtool.feature-rxhash
1522
1523 ethtool.feature-rxvlan
1524
1525 ethtool.feature-sg
1526
1527 ethtool.feature-tls-hw-record
1528
1529 ethtool.feature-tls-hw-rx-offload
1530
1531 ethtool.feature-tls-hw-tx-offload
1532
1533 ethtool.feature-tso
1534
1535 ethtool.feature-tx
1536
1537 ethtool.feature-tx-checksum-fcoe-crc
1538
1539 ethtool.feature-tx-checksum-ip-generic
1540
1541 ethtool.feature-tx-checksum-ipv4
1542
1543 ethtool.feature-tx-checksum-ipv6
1544
1545 ethtool.feature-tx-checksum-sctp
1546
1547 ethtool.feature-tx-esp-segmentation
1548
1549 ethtool.feature-tx-fcoe-segmentation
1550
1551 ethtool.feature-tx-gre-csum-segmentation
1552
1553 ethtool.feature-tx-gre-segmentation
1554
1555 ethtool.feature-tx-gso-list
1556
1557 ethtool.feature-tx-gso-partial
1558
1559 ethtool.feature-tx-gso-robust
1560
1561 ethtool.feature-tx-ipxip4-segmentation
1562
1563 ethtool.feature-tx-ipxip6-segmentation
1564
1565 ethtool.feature-tx-nocache-copy
1566
1567 ethtool.feature-tx-scatter-gather
1568
1569 ethtool.feature-tx-scatter-gather-fraglist
1570
1571 ethtool.feature-tx-sctp-segmentation
1572
1573 ethtool.feature-tx-tcp-ecn-segmentation
1574
1575 ethtool.feature-tx-tcp-mangleid-segmentation
1576
1577 ethtool.feature-tx-tcp-segmentation
1578
1579 ethtool.feature-tx-tcp6-segmentation
1580
1581 ethtool.feature-tx-tunnel-remcsum-segmentation
1582
1583 ethtool.feature-tx-udp-segmentation
1584
1585 ethtool.feature-tx-udp_tnl-csum-segmentation
1586
1587 ethtool.feature-tx-udp_tnl-segmentation
1588
1589 ethtool.feature-tx-vlan-stag-hw-insert
1590
1591 ethtool.feature-txvlan
1592
1593 ethtool.pause-autoneg
1594
1595 ethtool.pause-rx
1596
1597 ethtool.pause-tx
1598
1599 ethtool.ring-rx
1600
1601 ethtool.ring-rx-jumbo
1602
1603 ethtool.ring-rx-mini
1604
1605 ethtool.ring-tx
1606
1607 gsm setting
1608 GSM-based Mobile Broadband Settings.
1609
1610 Properties:
1611
1612 gsm.apn
1613 Alias: apn
1614
1615 The GPRS Access Point Name specifying the APN used when
1616 establishing a data session with the GSM-based network. The APN
1617 often determines how the user will be billed for their network
1618 usage and whether the user has access to the Internet or just a
1619 provider-specific walled-garden, so it is important to use the
1620 correct APN for the user's mobile broadband plan. The APN may only
1621 be composed of the characters a-z, 0-9, ., and - per GSM 03.60
1622 Section 14.9.
1623
1624 Format: string
1625
1626 gsm.auto-config
1627 When TRUE, the settings such as APN, username, or password will
1628 default to values that match the network the modem will register to
1629 in the Mobile Broadband Provider database.
1630
1631 Format: boolean
1632
1633 gsm.device-id
1634 The device unique identifier (as given by the WWAN management
1635 service) which this connection applies to. If given, the connection
1636 will only apply to the specified device.
1637
1638 Format: string
1639
1640 gsm.home-only
1641 When TRUE, only connections to the home network will be allowed.
1642 Connections to roaming networks will not be made.
1643
1644 Format: boolean
1645
1646 gsm.initial-eps-bearer-apn
1647 For LTE modems, this sets the APN for the initial EPS bearer that
1648 is set up when attaching to the network. Setting this parameter
1649 implies initial-eps-bearer-configure to be TRUE.
1650
1651 Format: string
1652
1653 gsm.initial-eps-bearer-configure
1654 For LTE modems, this setting determines whether the initial EPS
1655 bearer shall be configured when bringing up the connection. It is
1656 inferred TRUE if initial-eps-bearer-apn is set.
1657
1658 Format: boolean
1659
1660 gsm.mtu
1661 If non-zero, only transmit packets of the specified size or
1662 smaller, breaking larger packets up into multiple frames.
1663
1664 Format: uint32
1665
1666 gsm.network-id
1667 The Network ID (GSM LAI format, i.e. MCC-MNC) to force specific
1668 network registration. If the Network ID is specified,
1669 NetworkManager will attempt to force the device to register only on
1670 the specified network. This can be used to ensure that the device
1671 does not roam when direct roaming control of the device is not
1672 otherwise possible.
1673
1674 Format: string
1675
1676 gsm.number
1677 Legacy setting that used to help establish PPP data sessions for
1678 GSM-based modems.
1679
1680 This property is deprecated since version 1.16. User-provided
1681 values for this setting are no longer used.
1682
1683 Format: string
1684
1685 gsm.password
1686 Alias: password
1687
1688 The password used to authenticate with the network, if required.
1689 Many providers do not require a password, or accept any password.
1690 But if a password is required, it is specified here.
1691
1692 Format: string
1693
1694 gsm.password-flags
1695 Flags indicating how to handle the "password" property.
1696
1697 See the section called “Secret flag types:” for flag values.
1698
1699 Format: NMSettingSecretFlags (uint32)
1700
1701 gsm.pin
1702 If the SIM is locked with a PIN it must be unlocked before any
1703 other operations are requested. Specify the PIN here to allow
1704 operation of the device.
1705
1706 Format: string
1707
1708 gsm.pin-flags
1709 Flags indicating how to handle the "pin" property.
1710
1711 See the section called “Secret flag types:” for flag values.
1712
1713 Format: NMSettingSecretFlags (uint32)
1714
1715 gsm.sim-id
1716 The SIM card unique identifier (as given by the WWAN management
1717 service) which this connection applies to. If given, the connection
1718 will apply to any device also allowed by "device-id" which contains
1719 a SIM card matching the given identifier.
1720
1721 Format: string
1722
1723 gsm.sim-operator-id
1724 An MCC/MNC string like "310260" or "21601" identifying the specific
1725 mobile network operator which this connection applies to. If given,
1726 the connection will apply to any device also allowed by "device-id"
1727 and "sim-id" which contains a SIM card provisioned by the given
1728 operator.
1729
1730 Format: string
1731
1732 gsm.username
1733 Alias: user
1734
1735 The username used to authenticate with the network, if required.
1736 Many providers do not require a username, or accept any username.
1737 But if a username is required, it is specified here.
1738
1739 Format: string
1740
1741 infiniband setting
1742 Infiniband Settings.
1743
1744 Properties:
1745
1746 infiniband.mac-address
1747 Alias: mac
1748
1749 If specified, this connection will only apply to the IPoIB device
1750 whose permanent MAC address matches. This property does not change
1751 the MAC address of the device (i.e. MAC spoofing).
1752
1753 Format: byte array
1754
1755 infiniband.mtu
1756 Alias: mtu
1757
1758 If non-zero, only transmit packets of the specified size or
1759 smaller, breaking larger packets up into multiple frames.
1760
1761 Format: uint32
1762
1763 infiniband.p-key
1764 Alias: p-key
1765
1766 The InfiniBand p-key to use for this device. A value of -1 means to
1767 use the default p-key (aka "the p-key at index 0"). Otherwise, it
1768 is a 16-bit unsigned integer, whose high bit 0x8000 is set if it is
1769 a "full membership" p-key. The values 0 and 0x8000 are not allowed.
1770
1771 With the p-key set, the interface name is always "$parent.$p_key".
1772 Setting "connection.interface-name" to another name is not
1773 supported.
1774
1775 Note that the kernel will internally always set the full membership
1776 bit, although the interface name does not reflect that. Usually the
1777 user would want to configure a full membership p-key with 0x8000
1778 flag set.
1779
1780 Format: int32
1781
1782 infiniband.parent
1783 Alias: parent
1784
1785 The interface name of the parent device of this device. Normally
1786 NULL, but if the "p_key" property is set, then you must specify the
1787 base device by setting either this property or "mac-address".
1788
1789 Format: string
1790
1791 infiniband.transport-mode
1792 Alias: transport-mode
1793
1794 The IP-over-InfiniBand transport mode. Either "datagram" or
1795 "connected".
1796
1797 Format: string
1798
1799 ipv4 setting
1800 IPv4 Settings.
1801
1802 Properties:
1803
1804 ipv4.addresses
1805 Alias: ip4
1806
1807 A list of IPv4 addresses and their prefix length. Multiple
1808 addresses can be separated by comma. For example "192.168.1.5/24,
1809 10.1.0.5/24". The addresses are listed in decreasing priority,
1810 meaning the first address will be the primary address.
1811
1812 Format: a comma separated list of addresses
1813
1814 ipv4.auto-route-ext-gw
1815 VPN connections will default to adding the route automatically unless
1816 this setting is set to FALSE.
1817
1818 For other connection types, adding such an automatic route is
1819 currently not supported and setting this to TRUE has no effect.
1820
1821 Format: NMTernary (int32)
1822
1823 ipv4.dad-timeout
1824 Timeout in milliseconds used to check for the presence of duplicate
1825 IP addresses on the network. If an address conflict is detected,
1826 the activation will fail. A zero value means that no duplicate
1827 address detection is performed, -1 means the default value (either
1828 configuration ipvx.dad-timeout override or zero). A value greater
1829 than zero is a timeout in milliseconds.
1830
1831 The property is currently implemented only for IPv4.
1832
1833 Format: int32
1834
1835 ipv4.dhcp-client-id
1836 A string sent to the DHCP server to identify the local machine
1837 which the DHCP server may use to customize the DHCP lease and
1838 options. When the property is a hex string ('aa:bb:cc') it is
1839 interpreted as a binary client ID, in which case the first byte is
1840 assumed to be the 'type' field as per RFC 2132 section 9.14 and the
1841 remaining bytes may be a hardware address (e.g.
1842 '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the
1843 rest is a MAC address). If the property is not a hex string it is
1844 considered as a non-hardware-address client ID and the 'type' field
1845 is set to 0.
1846
1847 The special values "mac" and "perm-mac" are supported, which use
1848 the current or permanent MAC address of the device to generate a
1849 client identifier with type ethernet (01). Currently, these options
1850 only work for ethernet type of links.
1851
1852 The special value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid"
1853 property as an RFC4361-compliant client identifier. As IAID it uses
1854 "ipv4.dhcp-iaid" and falls back to "ipv6.dhcp-iaid" if unset.
1855
1856 The special value "duid" generates an RFC4361-compliant client
1857 identifier based on "ipv4.dhcp-iaid" and uses a DUID generated by
1858 hashing /etc/machine-id.
1859
1860 The special value "stable" is supported to generate a type 0 client
1861 identifier based on the stable-id (see connection.stable-id) and a
1862 per-host key. If you set the stable-id, you may want to include the
1863 "${DEVICE}" or "${MAC}" specifier to get a per-device key.
1864
1865 If unset, a globally configured default is used. If still unset,
1866 the default depends on the DHCP plugin.
1867
1868 Format: string
1869
1870 ipv4.dhcp-fqdn
1871 If the "dhcp-send-hostname" property is TRUE, then the specified
1872 FQDN will be sent to the DHCP server when acquiring a lease. This
1873 property and "dhcp-hostname" are mutually exclusive and cannot be
1874 set at the same time.
1875
1876 Format: string
1877
1878 ipv4.dhcp-hostname
1879 If the "dhcp-send-hostname" property is TRUE, then the specified
1880 name will be sent to the DHCP server when acquiring a lease. This
1881 property and "dhcp-fqdn" are mutually exclusive and cannot be set
1882 at the same time.
1883
1884 Format: string
1885
1886 ipv4.dhcp-hostname-flags
1887 Flags for the DHCP hostname and FQDN.
1888
1889 Currently, this property only includes flags to control the FQDN
1890 flags set in the DHCP FQDN option. Supported FQDN flags are
1891 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1892 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
1893 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
1894 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
1895 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
1896 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
1897 the standard FQDN flags are set in the request:
1898 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
1899 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
1900 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6.
1901
1902 When this property is set to the default value
1903 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), a global default is looked up in
1904 NetworkManager configuration. If that value is unset or also
1905 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
1906 described above are sent in the DHCP requests.
1907
1908 Format: uint32
1909
1910 ipv4.dhcp-iaid
1911 A string containing the "Identity Association Identifier" (IAID)
1912 used by the DHCP client. The string can be a 32-bit number (either
1913 decimal, hexadecimal or as colon separated hexadecimal numbers).
1914 Alternatively it can be set to the special values "mac",
1915 "perm-mac", "ifname" or "stable". When set to "mac" (or
1916 "perm-mac"), the last 4 bytes of the current (or permanent) MAC
1917 address are used as IAID. When set to "ifname", the IAID is
1918 computed by hashing the interface name. The special value "stable"
1919 can be used to generate an IAID based on the stable-id (see
1920 connection.stable-id), a per-host key and the interface name. When
1921 the property is unset, the value from global configuration is used;
1922 if no global default is set then the IAID is assumed to be
1923 "ifname".
1924
1925 For DHCPv4, the IAID is only used with "ipv4.dhcp-client-id" values
1926 "duid" and "ipv6-duid" to generate the client-id.
1927
1928 For DHCPv6, note that at the moment this property is only supported
1929 by the "internal" DHCPv6 plugin. The "dhclient" DHCPv6 plugin
1930 always derives the IAID from the MAC address.
1931
1932 The actually used DHCPv6 IAID for a currently activated interface
1933 is exposed in the lease information of the device.
1934
1935 Format: string
1936
1937 ipv4.dhcp-reject-servers
1938 Array of servers from which DHCP offers must be rejected. This
1939 property is useful to avoid getting a lease from misconfigured or
1940 rogue servers.
1941
1942 For DHCPv4, each element must be an IPv4 address, optionally
1943 followed by a slash and a prefix length (e.g. "192.168.122.0/24").
1944
1945 This property is currently not implemented for DHCPv6.
1946
1947 Format: array of string
1948
1949 ipv4.dhcp-send-hostname
1950 If TRUE, a hostname is sent to the DHCP server when acquiring a
1951 lease. Some DHCP servers use this hostname to update DNS databases,
1952 essentially providing a static hostname for the computer. If the
1953 "dhcp-hostname" property is NULL and this property is TRUE, the
1954 current persistent hostname of the computer is sent.
1955
1956 Format: boolean
1957
1958 ipv4.dhcp-timeout
1959 A timeout for a DHCP transaction in seconds. If zero (the default),
1960 a globally configured default is used. If still unspecified, a
1961 device specific timeout is used (usually 45 seconds).
1962
1963 Set to 2147483647 (MAXINT32) for infinity.
1964
1965 Format: int32
1966
1967 ipv4.dhcp-vendor-class-identifier
1968 The Vendor Class Identifier DHCP option (60). Special characters in
1969 the data string may be escaped using C-style escapes, nevertheless
1970 this property cannot contain nul bytes. If the per-profile value is
1971 unspecified (the default), a global connection default gets
1972 consulted. If still unspecified, the DHCP option is not sent to the
1973 server.
1974
1975 Format: string
1976
1977 ipv4.dns
1978 Array of IP addresses of DNS servers.
1979
1980 For DoT (DNS over TLS), the SNI server name can be specified by
1981 appending "#example.com" to the IP address of the DNS server. This
1982 currently only has effect when using systemd-resolved.
1983
1984 Format: array of uint32
1985
1986 ipv4.dns-options
1987 DNS options for /etc/resolv.conf as described in resolv.conf(5)
1988 manual.
1989
1990 The currently supported options are "attempts", "debug", "edns0",
1991 "ndots", "no-aaaa", "no-check-names", "no-reload", "no-tld-query",
1992 "rotate", "single-request", "single-request-reopen", "timeout",
1993 "trust-ad", "use-vc". See the resolv.conf(5) manual.
1994
1995 Note that there is a distinction between an unset (default) list
1996 and an empty list. In nmcli, to unset the list set the value to "".
1997 To set an empty list, set it to " ". Currently, an unset list has
1998 the same meaning as an empty list. That might change in the future.
1999
2000 The "trust-ad" setting is only honored if the profile contributes
2001 name servers to resolv.conf, and if all contributing profiles have
2002 "trust-ad" enabled.
2003
2004 When using a caching DNS plugin (dnsmasq or systemd-resolved in
2005 NetworkManager.conf) then "edns0" and "trust-ad" are automatically
2006 added.
2007
2008 The valid "ipv4.dns-options" and "ipv6.dns-options" get merged
2009 together.
2010
2011 Format: a comma separated list of DNS options
2012
2013 ipv4.dns-priority
2014 DNS servers priority.
2015
2016 The relative priority for DNS servers specified by this setting. A
2017 lower numerical value is better (higher priority).
2018
2019 Negative values have the special effect of excluding other
2020 configurations with a greater numerical priority value; so in
2021 presence of at least one negative priority, only DNS servers from
2022 connections with the lowest priority value will be used. To avoid
2023 all DNS leaks, set the priority of the profile that should be used
2024 to the most negative value of all active connection profiles.
2025
2026 Zero selects a globally configured default value. If the latter is
2027 missing or zero too, it defaults to 50 for VPNs (including
2028 WireGuard) and 100 for other connections.
2029
2030 Note that the priority is to order DNS settings for multiple active
2031 connections. It does not disambiguate multiple DNS servers within
2032 the same connection profile.
2033
2034 When multiple devices have configurations with the same priority,
2035 VPNs will be considered first, then devices with the best (lowest
2036 metric) default route and then all other devices.
2037
2038 When using dns=default, servers with higher priority will be on top
2039 of resolv.conf. To prioritize a given server over another one
2040 within the same connection, just specify them in the desired order.
2041 Note that commonly the resolver tries name servers in
2042 /etc/resolv.conf in the order listed, proceeding with the next
2043 server in the list on failure. See for example the "rotate" option
2044 of the dns-options setting. If there are any negative DNS
2045 priorities, then only name servers from the devices with that
2046 lowest priority will be considered.
2047
2048 When using a DNS resolver that supports Conditional Forwarding or
2049 Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each
2050 connection is used to query domains in its search list. The search
2051 domains determine which name servers to ask, and the DNS priority
2052 is used to prioritize name servers based on the domain. Queries for
2053 domains not present in any search list are routed through
2054 connections having the '~.' special wildcard domain, which is added
2055 automatically to connections with the default route (or can be
2056 added manually). When multiple connections specify the same domain,
2057 the one with the best priority (lowest numerical value) wins. If a
2058 sub domain is configured on another interface it will be accepted
2059 regardless of the priority, unless the parent domain on the other
2060 interface has a negative priority, which causes the sub domain to
2061 be shadowed. With Split DNS one can avoid undesired DNS leaks by
2062 properly configuring DNS priorities and the search domains, so that
2063 only name servers of the desired interface are configured.
2064
2065 Format: int32
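
The selection rules described above for dns=default, modelled in Python as an added example (not NetworkManager code); ipv6.dns-priority is documented with the same rules. The class, function and profile names and the sample data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ActiveProfile:
    name: str
    dns_priority: int            # ipv4.dns-priority as stored in the profile (0 = default)
    is_vpn: bool                 # VPN profile (WireGuard is treated as a VPN)
    servers: List[str]           # name servers this profile contributes
    default_route_metric: Optional[int] = None   # None: device has no default route


def effective_priority(profile, global_default=0):
    """Resolve 0 to the global default, then to 50 (VPN) or 100 (other)."""
    if profile.dns_priority != 0:
        return profile.dns_priority
    if global_default != 0:
        return global_default
    return 50 if profile.is_vpn else 100


def _tie_break(profile):
    # Same priority: VPNs first, then the best (lowest metric) default
    # route, then all other devices.
    if profile.is_vpn:
        return (0, 0)
    if profile.default_route_metric is not None:
        return (1, profile.default_route_metric)
    return (2, 0)


def resolv_conf_servers(profiles, global_default=0):
    """Return (servers in resolv.conf order, names of excluded profiles)."""
    ranked = [(effective_priority(p, global_default), p)
              for p in profiles if p.servers]
    if not ranked:
        return [], []
    lowest = min(prio for prio, _ in ranked)
    # Any negative priority makes the lowest value exclusive.
    exclusive = lowest < 0
    kept = [(prio, p) for prio, p in ranked if not exclusive or prio == lowest]
    excluded = [p.name for prio, p in ranked if exclusive and prio != lowest]
    kept.sort(key=lambda item: (item[0], _tie_break(item[1])))
    servers = []
    for _, profile in kept:
        for server in profile.servers:
            if server not in servers:
                servers.append(server)
    return servers, excluded


def sample_profiles(vpn_priority):
    """Constructed sample: Wi-Fi, a VPN and wired Ethernet active at once."""
    return [
        ActiveProfile("wifi-home", 0, False, ["192.0.2.53"], 600),
        ActiveProfile("corp-vpn", vpn_priority, True, ["10.8.0.1"]),
        ActiveProfile("eth-office", 0, False, ["198.51.100.53"], 100),
    ]


if __name__ == "__main__":
    for prio in (0, -50):
        servers, excluded = resolv_conf_servers(sample_profiles(prio))
        print(f"vpn dns-priority={prio}: servers={servers} excluded={excluded}")
```

With the VPN left at priority 0 all three servers end up in resolv.conf, so a failed query can fall through to a non-VPN server; with -50 only the VPN server remains.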
2066
2067 ipv4.dns-search
2068 List of DNS search domains. Domains starting with a tilde ('~') are
2069 considered 'routing' domains and are used only to decide the
2070 interface over which a query must be forwarded; they are not used
2071 to complete unqualified host names.
2072
2073 When using a DNS plugin that supports Conditional Forwarding or
2074 Split DNS, then the search domains specify which name servers to
2075 query. This makes the behavior different from running with plain
2076 /etc/resolv.conf. For more information see also the dns-priority
2077 setting.
2078
2079 When set on a profile that also enabled DHCP, the DNS search list
2080 received automatically (option 119 for DHCPv4 and option 24 for
2081 DHCPv6) gets merged with the manual list. This can be prevented by
2082 setting "ignore-auto-dns". Note that if no DNS searches are
2083 configured, the fallback will be derived from the domain from DHCP
2084 (option 15).
2085
2086 Format: array of string
2087
2088 ipv4.gateway
2089 Alias: gw4
2090
2091 The gateway associated with this configuration. This is only
2092 meaningful if "addresses" is also set.
2093
2094 Setting the gateway causes NetworkManager to configure a standard
2095 default route with the gateway as next hop. This is ignored if
2096 "never-default" is set. An alternative is to configure the default
2097 route explicitly with a manual route and /0 as prefix length.
2098
2099 Note that the gateway usually conflicts with routing that
2100 NetworkManager configures for WireGuard interfaces, so usually it
2101 should not be set in that case. See "ip4-auto-default-route".
2102
2103 Format: string
2104
2105 ipv4.ignore-auto-dns
2106 When "method" is set to "auto" and this property to TRUE,
2107 automatically configured name servers and search domains are
2108 ignored and only name servers and search domains specified in the
2109 "dns" and "dns-search" properties, if any, are used.
2110
2111 Format: boolean
2112
2113 ipv4.ignore-auto-routes
2114 When "method" is set to "auto" and this property to TRUE,
2115 automatically configured routes are ignored and only routes
2116 specified in the "routes" property, if any, are used.
2117
2118 Format: boolean
2119
2120 ipv4.link-local
2121 Enable and disable the IPv4 link-local configuration independently
2122 of the ipv4.method configuration. This allows a link-local address
2123 (169.254.x.y/16) to be obtained in addition to other addresses,
2124 such as those manually configured or obtained from a DHCP server.
2125
2126 When set to "auto", the value is dependent on "ipv4.method". When
2127 set to "default", it honors the global connection default, before
2128 falling back to "auto". Note that if "ipv4.method" is "disabled",
2129 then link local addressing is always disabled too. The default is
2130 "default".
2131
2132 Format: int32
2133
2134 ipv4.may-fail
2135 If TRUE, allow overall network configuration to proceed even if the
2136 configuration specified by this property times out. Note that at
2137 least one IP configuration must succeed or overall network
2138 configuration will still fail. For example, in IPv6-only networks,
2139 setting this property to TRUE on the NMSettingIP4Config allows the
2140 overall network configuration to succeed if IPv4 configuration
2141 fails but IPv6 configuration completes successfully.
2142
2143 Format: boolean
2144
2145 ipv4.method
2146 Sets the IPv4 connection method. You can set one of the following
2147 values:
2148
2149 • "auto" - Enables automatic IPv4 address assignment from DHCP,
2150 PPP, or similar services.
2151
2152 • "manual" - Enables the configuration of static IPv4 addresses
2153 on the interface. Note that you must set at least one IP
2154 address and subnet mask in the "ipv4.addresses" property.
2155
2156 • "disabled" - Disables the IPv4 protocol in this connection
2157 profile.
2158
2159 • "shared" - Provides network access to other computers. If you
2160 do not specify an IP address and subnet mask in
2161 "ipv4.addresses", NetworkManager assigns 10.42.x.1/24 to the
2162 interface. Additionally, NetworkManager starts a DHCP server
2163 and DNS forwarder. Hosts that connect to this interface will
2164 then receive an IP address from the configured range, and
2165 NetworkManager configures NAT to map client addresses to the
2166 address of the current default network connection.
2167
2168 • "link-local" - Enables link-local addresses according to RFC
2169 3927. NetworkManager assigns a random link-local address from
2170 the 169.254.0.0/16 subnet to the interface.
2171
2172 Format: string
2173
2174 ipv4.never-default
2175 If TRUE, this connection will never be the default connection for
2176 this IP type, meaning it will never be assigned the default route
2177 by NetworkManager.
2178
2179 Format: boolean
2180
2181 ipv4.replace-local-rule
2182 Connections will default to keep the autogenerated priority 0 local
2183 rule unless this setting is set to TRUE.
2184
2185 Format: NMTernary (int32)
2186
2187 ipv4.required-timeout
2188 The minimum time interval in milliseconds for which dynamic IP
2189 configuration should be tried before the connection succeeds.
2190
2191 This property is useful for example if both IPv4 and IPv6 are
2192 enabled and are allowed to fail. Normally the connection succeeds
2193 as soon as one of the two address families completes; by setting a
2194 required timeout for e.g. IPv4, one can ensure that even if IPv6
2195 succeeds earlier than IPv4, NetworkManager waits some time for IPv4
2196 before the connection becomes active.
2197
2198 Note that if "may-fail" is FALSE for the same address family, this
2199 property has no effect as NetworkManager needs to wait for the full
2200 DHCP timeout.
2201
2202 A zero value means that no required timeout is present, -1 means
2203 the default value (either configuration ipvx.required-timeout
2204 override or zero).
2205
2206 Format: int32
2207
2208 ipv4.route-metric
2209 The default metric for routes that don't explicitly specify a
2210 metric. The default value -1 means that the metric is chosen
2211 automatically based on the device type. The metric applies to
2212 dynamic routes, manual (static) routes that don't have an explicit
2213 metric setting, address prefix routes, and the default route. Note
2214 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2215 (user default). Hence, setting this property to zero effectively
2216 means setting it to 1024. For IPv4, zero is a regular value for the
2217 metric.
2218
2219 Format: int64
2220
2221 ipv4.route-table
2222 Enable policy routing (source routing) and set the routing table
2223 used when adding routes.
2224
2225 This affects all routes, including device-routes, IPv4LL, DHCP,
2226 SLAAC, default-routes and static routes. But note that static
2227 routes can individually overwrite the setting by explicitly
2228 specifying a non-zero routing table.
2229
2230 If the table setting is left at zero, it is eligible to be
2231 overwritten via global configuration. If the property is zero even
2232 after applying the global configuration value, policy routing is
2233 disabled for the address family of this connection.
2234
2235 Policy routing disabled means that NetworkManager will add all
2236 routes to the main table (except static routes that explicitly
2237 configure a different table). Additionally, NetworkManager will not
2238 delete any extraneous routes from tables except the main table.
2239 This is to preserve backward compatibility for users who manage
2240 routing tables outside of NetworkManager.
2241
2242 Format: uint32
2243
2244 ipv4.routes
2245 A list of IPv4 destination addresses, prefix length, optional IPv4
2246 next hop addresses, optional route metric, optional attribute. The
2247 valid syntax is: "ip[/prefix] [next-hop] [metric]
2248 [attribute=val]...[,ip[/prefix]...]". For example "192.0.2.0/24
2249 10.1.1.1 77, 198.51.100.0/24".
2250
2251 Various attributes are supported:
2252
2253 • "advmss" - an unsigned 32 bit integer.
2254
2255 • "cwnd" - an unsigned 32 bit integer.
2256
2257 • "initcwnd" - an unsigned 32 bit integer.
2258
2259 • "initrwnd" - an unsigned 32 bit integer.
2260
2261 • "lock-advmss" - a boolean value.
2262
2263 • "lock-cwnd" - a boolean value.
2264
2265 • "lock-initcwnd" - a boolean value.
2266
2267 • "lock-initrwnd" - a boolean value.
2268
2269 • "lock-mtu" - a boolean value.
2270
2271 • "lock-window" - a boolean value.
2272
2273 • "mtu" - an unsigned 32 bit integer.
2274
2275 • "onlink" - a boolean value. The onlink flag is ignored for IPv4
2276 routes without a gateway. That also means, with a positive
2277 "weight" the route cannot merge with ECMP routes which are
2278 onlink and have a gateway.
2279
2280 • "quickack" - a boolean value.
2281
2282 • "rto_min" - an unsigned 32 bit integer. The value is in
2283 milliseconds.
2284
2285 • "scope" - an unsigned 8 bit integer. IPv4 only.
2286
2287 • "src" - an IPv4 address.
2288
2289 • "table" - an unsigned 32 bit integer. The default depends on
2290 ipv4.route-table.
2291
2292 • "tos" - an unsigned 8 bit integer. IPv4 only.
2293
2294 • "type" - one of unicast, local, blackhole, unreachable,
2295 prohibit, throw. The default is unicast.
2296
2297 • "weight" - an unsigned 32 bit integer ranging from 0 to 256. A
2298 non-zero weight indicates that the IPv4 route is an ECMP IPv4
2299 route. NetworkManager will automatically merge compatible ECMP
2300 routes into multi-hop routes. Setting to zero or omitting the
2301 attribute configures single hop routes that won't get merged.
2302 If the route finds no merge partner, it is configured as single
2303 hop route.
2304
2305 Note that in NetworkManager, currently all nexthops of an ECMP
2306 route must share the same "onlink" flag in order to be
2307 mergeable.
2308
2309 • "window" - an unsigned 32 bit integer.
2310
2311 For details see also `man ip-route`.
2312
2313 Format: a comma separated list of routes
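
A parser for the route syntax and attribute types listed above, useful for checking a value before it is written to a profile. This is an added example, not nmcli's own parser; the function names are hypothetical, and the boolean spellings and the ordering checks are assumptions of this sketch.

```python
import ipaddress

# Attribute types as listed in the ipv4.routes description above.
UINT32_ATTRS = {"advmss", "cwnd", "initcwnd", "initrwnd", "mtu",
                "rto_min", "table", "weight", "window"}
UINT8_ATTRS = {"scope", "tos"}
BOOL_ATTRS = {"lock-advmss", "lock-cwnd", "lock-initcwnd", "lock-initrwnd",
              "lock-mtu", "lock-window", "onlink", "quickack"}
ROUTE_TYPES = {"unicast", "local", "blackhole", "unreachable",
               "prohibit", "throw"}

# The example value given in the property description.
PAGE_EXAMPLE = "192.0.2.0/24 10.1.1.1 77, 198.51.100.0/24"


def _uint(text, bits):
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"not an unsigned integer: {text!r}")
    value = int(text)
    if value >= 1 << bits:
        raise ValueError(f"{text!r} does not fit in {bits} bits")
    return value


def _attribute(key, val):
    if key in UINT32_ATTRS:
        number = _uint(val, 32)
        if key == "weight" and number > 256:
            raise ValueError("weight must be in the range 0 to 256")
        return number
    if key in UINT8_ATTRS:
        return _uint(val, 8)
    if key in BOOL_ATTRS:
        # Assumption: only the literal spellings "true" and "false".
        if val not in ("true", "false"):
            raise ValueError(f"{key} expects true or false, got {val!r}")
        return val == "true"
    if key == "src":
        return ipaddress.IPv4Address(val)
    if key == "type":
        if val not in ROUTE_TYPES:
            raise ValueError(f"unknown route type: {val!r}")
        return val
    raise ValueError(f"unknown route attribute: {key!r}")


def parse_route(entry):
    """Parse one 'ip[/prefix] [next-hop] [metric] [attribute=val]...' entry."""
    tokens = entry.split()
    if not tokens:
        raise ValueError("empty route entry")
    route = {"dest": ipaddress.IPv4Network(tokens[0], strict=False),
             "next_hop": None, "metric": None, "attrs": {}}
    for tok in tokens[1:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            route["attrs"][key] = _attribute(key, val)
        elif route["attrs"]:
            raise ValueError(f"positional field after attributes: {tok!r}")
        elif tok.isascii() and tok.isdigit() and route["metric"] is None:
            route["metric"] = int(tok)
        elif route["next_hop"] is None and route["metric"] is None:
            route["next_hop"] = ipaddress.IPv4Address(tok)
        else:
            raise ValueError(f"unexpected field: {tok!r}")
    return route


def parse_routes(value):
    """Parse the comma separated list form of ipv4.routes."""
    return [parse_route(entry) for entry in value.split(",")]


def review_notes(route):
    """Points worth a second look when auditing a profile's static routes."""
    notes = []
    if route["dest"].prefixlen == 0:
        notes.append("default route (/0) configured as a manual route")
    rtype = route["attrs"].get("type", "unicast")
    if rtype != "unicast":
        notes.append(f"non-unicast route type: {rtype}")
    if "table" in route["attrs"]:
        notes.append(f"explicit table {route['attrs']['table']} "
                     "overrides ipv4.route-table")
    return notes


if __name__ == "__main__":
    for r in parse_routes(PAGE_EXAMPLE):
        print(r, review_notes(r))
```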
2314
2315 ipv4.routing-rules
2316 A comma separated list of routing rules for policy routing. The
2317 format is based on ip rule add syntax and mostly compatible. One
2318 difference is that routing rules in NetworkManager always need a
2319 fixed priority.
2320
2321 Example: priority 5 from 192.167.4.0/24 table 45
2322
2323 Format: a comma separated list of routing rules
2324
2325 ipv6 setting
2326 IPv6 Settings.
2327
2328 Properties:
2329
2330 ipv6.addr-gen-mode
2331 Configure method for creating the IPv6 interface identifier of
2332 addresses with RFC4862 IPv6 Stateless Address Autoconfiguration and
2333 Link Local addresses.
2334
2335 The permitted values are: "eui64" (0), "stable-privacy" (1),
2336 "default" (3) or "default-or-eui64" (2).
2337
2338 If the property is set to "eui64", the addresses will be generated
2339 using the interface token derived from hardware address. This makes
2340 the host part of the address stay constant, making it possible
2341 to track the host's presence when it changes networks. The address
2342 changes when the interface hardware is replaced. If a duplicate
2343 address is detected, there is also no fallback to generate another
2344 address. When configured, the "ipv6.token" is used instead of the
2345 MAC address to generate addresses for stateless autoconfiguration.
2346
2347 If the property is set to "stable-privacy", the interface
2348 identifier is generated as specified by RFC7217. This works by
2349 hashing a host specific key (see NetworkManager(8) manual), the
2350 interface name, the connection's "connection.stable-id" property
2351 and the address prefix. This improves privacy by making it harder
2352 to use the address to track the host's presence and the address is
2353 stable when the network interface hardware is replaced.
2354
2355 The special values "default" and "default-or-eui64" will fall back
2356 to the global connection default as documented in the
2357 NetworkManager.conf(5) manual. If the global default is not
2358 specified, the fallback value is "stable-privacy" or "eui64",
2359 respectively.
2360
2361 If not specified, when creating a new profile the default is
2362 "default".
2363
2364 Note that this setting is distinct from the Privacy Extensions as
2365 configured by "ip6-privacy" property and it does not affect the
2366 temporary addresses configured with this option.
2367
2368 Format: one of "eui64" (0), "stable-privacy" (1), "default" (3) or
2369 "default-or-eui64" (2)
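
The privacy difference between "eui64" and "stable-privacy", shown as an added Python example that is not NetworkManager code. The EUI-64 derivation is the standard one; the stable-privacy function follows the RFC7217 input list but uses SHA-256 and a length-prefixed encoding as stand-ins, so it does not reproduce the addresses NetworkManager generates. The MAC address, host key and stable-id are constructed values.

```python
import hashlib
import ipaddress

LOW64 = (1 << 64) - 1


def eui64_iid(mac):
    """Interface identifier derived from a 48-bit hardware address."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "")))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    raw[0] ^= 0x02                       # flip the universal/local bit
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def stable_privacy_iid(prefix, ifname, stable_id, host_key, dad_counter=0):
    """RFC7217-style identifier: hash of prefix, interface name, stable-id,
    DAD counter and a secret per-host key (SHA-256 is an assumption)."""
    net = ipaddress.IPv6Network(prefix)
    digest = hashlib.sha256()
    for part in (net.network_address.packed, ifname.encode(),
                 stable_id.encode(), dad_counter.to_bytes(4, "big"), host_key):
        digest.update(len(part).to_bytes(4, "big"))   # unambiguous framing
        digest.update(part)
    return digest.digest()[:8]


def slaac_address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big"))


def interface_id(address):
    """Low 64 bits of an address: the part an observer can correlate."""
    return int(address) & LOW64


# Constructed sample values.
MAC = "52:54:00:12:34:56"
HOST_KEY = b"constructed-per-host-secret"
STABLE_ID = "constructed-stable-id"
NETWORKS = ("2001:db8:1::/64", "2001:db8:2::/64")

if __name__ == "__main__":
    for net in NETWORKS:
        print("eui64         ", slaac_address(net, eui64_iid(MAC)))
    for net in NETWORKS:
        iid = stable_privacy_iid(net, "eth0", STABLE_ID, HOST_KEY)
        print("stable-privacy", slaac_address(net, iid))
    # After a duplicate address is detected, bumping the counter yields a
    # fresh identifier; "eui64" has no such fallback.
    retry = stable_privacy_iid(NETWORKS[0], "eth0", STABLE_ID, HOST_KEY, 1)
    print("after DAD     ", slaac_address(NETWORKS[0], retry))
```

The two "eui64" addresses share their low 64 bits across networks, which is what allows tracking; the "stable-privacy" identifiers differ per prefix yet stay the same on each network, and do not depend on the MAC address.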
2370
2371 ipv6.addresses
2372 Alias: ip6
2373
2374 A list of IPv6 addresses and their prefix length. Multiple
2375 addresses can be separated by comma. For example
2376 "2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64". The
2377 addresses are listed in decreasing priority, meaning the first
2378 address will be the primary address. This can make a difference
2379 with IPv6 source address selection (RFC 6724, section 5).
2380
2381 Format: a comma separated list of addresses
2382
2383 ipv6.auto-route-ext-gw
2384 VPN connections will default to add the route automatically unless
2385 this setting is set to FALSE.
2386
2387 For other connection types, adding such an automatic route is
2388 currently not supported and setting this to TRUE has no effect.
2389
2390 Format: NMTernary (int32)
2391
2392 ipv6.dhcp-duid
2393 A string containing the DHCPv6 Unique Identifier (DUID) used by the
2394 dhcp client to identify itself to DHCPv6 servers (RFC 3315). The
2395 DUID is carried in the Client Identifier option. If the property is
2396 a hex string ('aa:bb:cc') it is interpreted as a binary DUID and
2397 filled as an opaque value in the Client Identifier option.
2398
2399 The special value "lease" will retrieve the DUID previously used
2400 from the lease file belonging to the connection. If no DUID is
2401 found and "dhclient" is the configured dhcp client, the DUID is
2402 searched in the system-wide dhclient lease file. If still no DUID
2403 is found, or another dhcp client is used, a global and permanent
2404 DUID-UUID (RFC 6355) will be generated based on the machine-id.
2405
2406 The special values "llt" and "ll" will generate a DUID of type LLT
2407 or LL (see RFC 3315) based on the current MAC address of the
2408 device. In order to try providing a stable DUID-LLT, the time field
2409 will contain a constant timestamp that is used globally (for all
2410 profiles) and persisted to disk.
2411
2412 The special values "stable-llt", "stable-ll" and "stable-uuid" will
2413 generate a DUID of the corresponding type, derived from the
2414 connection's stable-id and a per-host unique key. You may want to
2415 include the "${DEVICE}" or "${MAC}" specifier in the stable-id, in
2416 case this profile gets activated on multiple devices. So, the
2417 link-layer address of "stable-ll" and "stable-llt" will be a
2418 generated address derived from the stable id. The DUID-LLT time
2419 value in the "stable-llt" option will be picked among a static
2420 timespan of three years (the upper bound of the interval is the
2421 same constant timestamp used in "llt").
2422
2423 When the property is unset, the global value provided for
2424 "ipv6.dhcp-duid" is used. If no global value is provided, the
2425 default "lease" value is assumed.
2426
2427 Format: string
2428
2429 ipv6.dhcp-hostname
2430 If the "dhcp-send-hostname" property is TRUE, then the specified
2431 name will be sent to the DHCP server when acquiring a lease. This
2432 property and "dhcp-fqdn" are mutually exclusive and cannot be set
2433 at the same time.
2434
2435 Format: string
2436
2437 ipv6.dhcp-hostname-flags
2438 Flags for the DHCP hostname and FQDN.
2439
2440 Currently, this property only includes flags to control the FQDN
2441 flags set in the DHCP FQDN option. Supported FQDN flags are
2442 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2443 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
2444 NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is
2445 set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the
2446 DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag
2447 is set and NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set,
2448 the standard FQDN flags are set in the request:
2449 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
2450 NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
2451 NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6.
2452
2453 When this property is set to the default value
2454 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), a global default is looked up in
2455 NetworkManager configuration. If that value is unset or also
2456 NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
2457 described above are sent in the DHCP requests.
2458
2459 Format: uint32
2460
2461 ipv6.dhcp-iaid
2462 A string containing the "Identity Association Identifier" (IAID)
2463 used by the DHCP client. The string can be a 32-bit number (either
2464 decimal, hexadecimal or as colon separated hexadecimal numbers).
2465 Alternatively it can be set to the special values "mac",
2466 "perm-mac", "ifname" or "stable". When set to "mac" (or
2467 "perm-mac"), the last 4 bytes of the current (or permanent) MAC
2468 address are used as IAID. When set to "ifname", the IAID is
2469 computed by hashing the interface name. The special value "stable"
2470 can be used to generate an IAID based on the stable-id (see
2471 connection.stable-id), a per-host key and the interface name. When
2472 the property is unset, the value from global configuration is used;
2473 if no global default is set then the IAID is assumed to be
2474 "ifname".
2475
2476 For DHCPv4, the IAID is only used with "ipv4.dhcp-client-id" values
2477 "duid" and "ipv6-duid" to generate the client-id.
2478
2479 For DHCPv6, note that at the moment this property is only supported
2480 by the "internal" DHCPv6 plugin. The "dhclient" DHCPv6 plugin
2481 always derives the IAID from the MAC address.
2482
2483 The actually used DHCPv6 IAID for a currently activated interface
2484 is exposed in the lease information of the device.
2485
2486 Format: string
2487
2488 ipv6.dhcp-pd-hint
2489 An IPv6 address followed by a slash and a prefix length. If set, the
2490 value is sent to the DHCPv6 server as hint indicating the prefix
2491 delegation (IA_PD) we want to receive. To only hint a prefix length
2492 without prefix, set the address part to the zero address (for
2493 example "::/60").
2494
2495 Format: string
2496
2497 ipv6.dhcp-send-hostname
2498 If TRUE, a hostname is sent to the DHCP server when acquiring a
2499 lease. Some DHCP servers use this hostname to update DNS databases,
2500 essentially providing a static hostname for the computer. If the
2501 "dhcp-hostname" property is NULL and this property is TRUE, the
2502 current persistent hostname of the computer is sent.
2503
2504 Format: boolean
2505
2506 ipv6.dhcp-timeout
2507 A timeout for a DHCP transaction in seconds. If zero (the default),
2508 a globally configured default is used. If still unspecified, a
2509 device specific timeout is used (usually 45 seconds).
2510
2511 Set to 2147483647 (MAXINT32) for infinity.
2512
2513 Format: int32
2514
2515 ipv6.dns
2516 Array of IP addresses of DNS servers.
2517
2518 For DoT (DNS over TLS), the SNI server name can be specified by
2519 appending "#example.com" to the IP address of the DNS server. This
2520 currently only has effect when using systemd-resolved.
2521
2522 Format: array of byte array
2523
2524 ipv6.dns-options
2525 DNS options for /etc/resolv.conf as described in resolv.conf(5)
2526 manual.
2527
2528 The currently supported options are "attempts", "debug", "edns0",
2529 "ndots", "no-aaaa", "no-check-names", "no-reload", "no-tld-query",
2530 "rotate", "single-request", "single-request-reopen", "timeout",
2531 "trust-ad", "use-vc" and "inet6", "ip6-bytestring", "ip6-dotint",
2532 "no-ip6-dotint". See the resolv.conf(5) manual.
2533
2534 Note that there is a distinction between an unset (default) list
2535 and an empty list. In nmcli, to unset the list set the value to "".
2536 To set an empty list, set it to " ". Currently, an unset list has
2537 the same meaning as an empty list. That might change in the future.
2538
2539 The "trust-ad" setting is only honored if the profile contributes
2540 name servers to resolv.conf, and if all contributing profiles have
2541 "trust-ad" enabled.
2542
2543 When using a caching DNS plugin (dnsmasq or systemd-resolved in
2544 NetworkManager.conf) then "edns0" and "trust-ad" are automatically
2545 added.
2546
2547 The valid "ipv4.dns-options" and "ipv6.dns-options" get merged
2548 together.
2549
2550 Format: a comma separated list of DNS options
2551
2552 ipv6.dns-priority
2553 DNS servers priority.
2554
2555 The relative priority for DNS servers specified by this setting. A
2556 lower numerical value is better (higher priority).
2557
2558 Negative values have the special effect of excluding other
2559 configurations with a greater numerical priority value; so in
2560 presence of at least one negative priority, only DNS servers from
2561 connections with the lowest priority value will be used. To avoid
2562 all DNS leaks, set the priority of the profile that should be used
2563 to the most negative value of all active connection profiles.
2564
2565 Zero selects a globally configured default value. If the latter is
2566 missing or zero too, it defaults to 50 for VPNs (including
2567 WireGuard) and 100 for other connections.
2568
2569 Note that the priority is to order DNS settings for multiple active
2570 connections. It does not disambiguate multiple DNS servers within
2571 the same connection profile.
2572
2573 When multiple devices have configurations with the same priority,
2574 VPNs will be considered first, then devices with the best (lowest
2575 metric) default route and then all other devices.
2576
2577 When using dns=default, servers with higher priority will be on top
2578 of resolv.conf. To prioritize a given server over another one
2579 within the same connection, just specify them in the desired order.
2580 Note that commonly the resolver tries name servers in
2581 /etc/resolv.conf in the order listed, proceeding with the next
2582 server in the list on failure. See for example the "rotate" option
2583 of the dns-options setting. If there are any negative DNS
2584 priorities, then only name servers from the devices with that
2585 lowest priority will be considered.
2586
2587 When using a DNS resolver that supports Conditional Forwarding or
2588 Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each
2589 connection is used to query domains in its search list. The search
2590 domains determine which name servers to ask, and the DNS priority
2591 is used to prioritize name servers based on the domain. Queries for
2592 domains not present in any search list are routed through
2593 connections having the '~.' special wildcard domain, which is added
2594 automatically to connections with the default route (or can be
2595 added manually). When multiple connections specify the same domain,
2596 the one with the best priority (lowest numerical value) wins. If a
2597 sub domain is configured on another interface it will be accepted
2598 regardless of the priority, unless the parent domain on the other
2599 interface has a negative priority, which causes the sub domain to
2600 be shadowed. With Split DNS one can avoid undesired DNS leaks by
2601 properly configuring DNS priorities and the search domains, so that
2602 only name servers of the desired interface are configured.
2603
2604 Format: int32
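
The dns-priority selection rules above, modelled as an added Python example (not NetworkManager code): it computes which active profiles contribute name servers and in what order, and names every profile other than the intended one that would still receive queries. The ActiveProfile type, the function names and the sample profiles are assumptions made for this illustration, and the model covers the dns=default case only, not Split DNS.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_VPN = 50     # page: default for VPNs (including WireGuard)
DEFAULT_OTHER = 100  # page: default for other connections


@dataclass(frozen=True)
class ActiveProfile:
    """Hypothetical stand-in for one active connection profile."""
    name: str
    is_vpn: bool
    dns_priority: int                 # ipv4/ipv6.dns-priority; 0 = use default
    servers: Tuple[str, ...]
    default_route_metric: Optional[int] = None  # None = no default route


def effective_priority(profile: ActiveProfile, global_default: int = 0) -> int:
    """Resolve the 'zero selects a default' rule."""
    if profile.dns_priority != 0:
        return profile.dns_priority
    if global_default != 0:
        return global_default
    return DEFAULT_VPN if profile.is_vpn else DEFAULT_OTHER


def _tie_break(profile: ActiveProfile) -> Tuple[int, int]:
    """Same priority: VPNs first, then lowest default-route metric, then the rest."""
    if profile.is_vpn:
        return (0, 0)
    if profile.default_route_metric is not None:
        return (1, profile.default_route_metric)
    return (2, 0)


def contributing_profiles(profiles: List[ActiveProfile],
                          global_default: int = 0) -> List[ActiveProfile]:
    """Profiles whose name servers are used, best first."""
    ranked = sorted(
        profiles,
        key=lambda p: (effective_priority(p, global_default), _tie_break(p)),
    )
    if not ranked:
        return []
    best = effective_priority(ranked[0], global_default)
    if best < 0:
        # A negative priority excludes every profile with a greater value.
        ranked = [p for p in ranked
                  if effective_priority(p, global_default) == best]
    return ranked


def resolv_conf_servers(profiles: List[ActiveProfile],
                        global_default: int = 0) -> List[str]:
    """Name servers in the order they would be listed with dns=default."""
    return [s for p in contributing_profiles(profiles, global_default)
            for s in p.servers]


def leaking_profiles(profiles: List[ActiveProfile], intended: str,
                     global_default: int = 0) -> List[str]:
    """Names of profiles, other than `intended`, that still contribute servers."""
    return [p.name for p in contributing_profiles(profiles, global_default)
            if p.name != intended]


# Constructed sample: a Wi-Fi profile and a VPN, both left at priority 0.
WIFI = ActiveProfile("home-wifi", False, 0, ("2001:db8:1::53",), 600)
VPN = ActiveProfile("corp-vpn", True, 0, ("2001:db8:2::53",))

if __name__ == "__main__":
    print(resolv_conf_servers([WIFI, VPN]))           # VPN first, Wi-Fi still listed
    print(leaking_profiles([WIFI, VPN], "corp-vpn"))  # the Wi-Fi profile leaks
    hardened = ActiveProfile("corp-vpn", True, -10, VPN.servers)
    print(leaking_profiles([WIFI, hardened], "corp-vpn"))  # no leak
```

With both profiles at the default, the VPN's server is listed first but the Wi-Fi resolver remains a fallback; only a negative priority on the VPN profile, lower than every other active profile, removes it.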
2605
2606 ipv6.dns-search
2607 List of DNS search domains. Domains starting with a tilde ('~') are
2608 considered 'routing' domains and are used only to decide the
2609 interface over which a query must be forwarded; they are not used
2610 to complete unqualified host names.
2611
2612 When using a DNS plugin that supports Conditional Forwarding or
2613 Split DNS, then the search domains specify which name servers to
2614 query. This makes the behavior different from running with plain
2615 /etc/resolv.conf. For more information see also the dns-priority
2616 setting.
2617
2618 When set on a profile that also enabled DHCP, the DNS search list
2619 received automatically (option 119 for DHCPv4 and option 24 for
2620 DHCPv6) gets merged with the manual list. This can be prevented by
2621 setting "ignore-auto-dns". Note that if no DNS searches are
2622 configured, the fallback will be derived from the domain from DHCP
2623 (option 15).
2624
2625 Format: array of string
2626
2627 ipv6.gateway
2628 Alias: gw6
2629
2630 The gateway associated with this configuration. This is only
2631 meaningful if "addresses" is also set.
2632
2633 Setting the gateway causes NetworkManager to configure a standard
2634 default route with the gateway as next hop. This is ignored if
2635 "never-default" is set. An alternative is to configure the default
2636 route explicitly with a manual route and /0 as prefix length.
2637
2638 Note that the gateway usually conflicts with routing that
2639 NetworkManager configures for WireGuard interfaces, so usually it
2640 should not be set in that case. See "ip4-auto-default-route".
2641
2642 Format: string
2643
2644 ipv6.ignore-auto-dns
2645 When "method" is set to "auto" and this property to TRUE,
2646 automatically configured name servers and search domains are
2647 ignored and only name servers and search domains specified in the
2648 "dns" and "dns-search" properties, if any, are used.
2649
2650 Format: boolean
2651
2652 ipv6.ignore-auto-routes
2653 When "method" is set to "auto" and this property to TRUE,
2654 automatically configured routes are ignored and only routes
2655 specified in the "routes" property, if any, are used.
2656
2657 Format: boolean
2658
2659 ipv6.ip6-privacy
2660 Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941.
2661 If enabled, it makes the kernel generate a temporary IPv6 address
2662 in addition to the public one generated from MAC address via
2663 modified EUI-64. This enhances privacy, but could cause problems in
2664 some applications. The permitted values are: -1:
2665 unknown, 0: disabled, 1: enabled (prefer public address), 2:
2666 enabled (prefer temporary addresses).
2667
2668 Setting the per-connection value to "-1" (unknown) means falling
2669 back to the global configuration "ipv6.ip6-privacy".
2670
2671 If the global configuration is also unspecified or set to "-1", the
2672 fallback is to read "/proc/sys/net/ipv6/conf/default/use_tempaddr".
2673
2674 Note that this setting is distinct from the Stable Privacy
2675 addresses that can be enabled with the "addr-gen-mode" property's
2676 "stable-privacy" setting as another way of avoiding host tracking
2677 with IPv6 addresses.
2678
2679 Format: NMSettingIP6ConfigPrivacy (int32)
2680
2681 ipv6.may-fail
2682 If TRUE, allow overall network configuration to proceed even if the
2683 configuration specified by this property times out. Note that at
2684 least one IP configuration must succeed or overall network
2685 configuration will still fail. For example, in IPv6-only networks,
2686 setting this property to TRUE on the NMSettingIP4Config allows the
2687 overall network configuration to succeed if IPv4 configuration
2688 fails but IPv6 configuration completes successfully.
2689
2690 Format: boolean
2691
2692 ipv6.method
2693 Sets the IPv6 connection method. You can set one of the following
2694 values:
2695
2696 • "auto" - Enables IPv6 auto-configuration. By default,
2697 NetworkManager uses Router Advertisements and, if the router
2698 announces the "managed" flag, NetworkManager requests an IPv6
2699 address and prefix from a DHCPv6 server.
2700
2701 • "dhcp" - Requests an IPv6 address and prefix from a DHCPv6
2702 server. Note that DHCPv6 does not have options to provide
2703 routes and the default gateway. As a consequence, by using the
2704 "dhcp" method, connections are limited to their own subnet.
2705
2706 • "manual" - Enables the configuration of static IPv6 addresses
2707 on the interface. Note that you must set at least one IP
2708 address and prefix in the "ipv6.addresses" property.
2709
2710 • "disabled" - Disables the IPv6 protocol in this connection
2711 profile.
2712
2713 • "ignore" - Configures NetworkManager to make no changes to the
2714 IPv6 configuration on the interface. For example, you can then
2715 use the "accept_ra" feature of the kernel to accept Router
2716 Advertisements.
2717
2718 • "shared" - Provides network access to other computers.
2719 NetworkManager requests a prefix from an upstream DHCPv6
2720 server, assigns an address to the interface, and announces the
2721 prefix to clients that connect to this interface.
2722
2723 • "link-local" - Assigns a random link-local address from the
2724 fe80::/64 subnet to the interface.
2725
2726
2727 If you set "auto", "dhcp", "manual", "ignore", or "shared",
2728 NetworkManager assigns, in addition to the global address, an IPv6
2729 link-local address to the interface. This is compliant with RFC
2730 4291.
2731
2732 Format: string
2733
2734 ipv6.mtu
2735 Maximum transmission unit size, in bytes. If zero (the default),
2736 the MTU is set automatically from router advertisements or is left
2737 equal to the link-layer MTU. If greater than the link-layer MTU, or
2738 greater than zero but less than the minimum IPv6 MTU of 1280, this
2739 value has no effect.
2740
2741 Format: uint32
2742
2743 ipv6.never-default
2744 If TRUE, this connection will never be the default connection for
2745 this IP type, meaning it will never be assigned the default route
2746 by NetworkManager.
2747
2748 Format: boolean
2749
2750 ipv6.ra-timeout
2751 A timeout for waiting for Router Advertisements, in seconds. If zero
2752 (the default), a globally configured default is used. If still
2753 unspecified, the timeout depends on the sysctl settings of the
2754 device.
2755
2756 Set to 2147483647 (MAXINT32) for infinity.
2757
2758 Format: int32
2759
2760 ipv6.replace-local-rule
2761 Connections will default to keep the autogenerated priority 0 local
2762 rule unless this setting is set to TRUE.
2763
2764 Format: NMTernary (int32)
2765
2766 ipv6.required-timeout
2767 The minimum time interval in milliseconds for which dynamic IP
2768 configuration should be tried before the connection succeeds.
2769
2770 This property is useful for example if both IPv4 and IPv6 are
2771 enabled and are allowed to fail. Normally the connection succeeds
2772 as soon as one of the two address families completes; by setting a
2773 required timeout for e.g. IPv4, one can ensure that even if IP6
2774 succeeds earlier than IPv4, NetworkManager waits some time for IPv4
2775 before the connection becomes active.
2776
2777 Note that if "may-fail" is FALSE for the same address family, this
2778 property has no effect as NetworkManager needs to wait for the full
2779 DHCP timeout.
2780
2781 A zero value means that no required timeout is present, -1 means
2782 the default value (either configuration ipvx.required-timeout
2783 override or zero).
2784
2785 Format: int32
2786
2787 ipv6.route-metric
2788 The default metric for routes that don't explicitly specify a
2789 metric. The default value -1 means that the metric is chosen
2790 automatically based on the device type. The metric applies to
2791 dynamic routes, manual (static) routes that don't have an explicit
2792 metric setting, address prefix routes, and the default route. Note
2793 that for IPv6, the kernel accepts zero (0) but coerces it to 1024
2794 (user default). Hence, setting this property to zero effectively
2795 means setting it to 1024. For IPv4, zero is a regular value for the
2796 metric.
2797
2798 Format: int64
2799
2800 ipv6.route-table
2801 Enable policy routing (source routing) and set the routing table
2802 used when adding routes.
2803
2804 This affects all routes, including device-routes, IPv4LL, DHCP,
2805 SLAAC, default-routes and static routes. But note that static
2806 routes can individually overwrite the setting by explicitly
2807 specifying a non-zero routing table.
2808
2809 If the table setting is left at zero, it is eligible to be
2810 overwritten via global configuration. If the property is zero even
2811 after applying the global configuration value, policy routing is
2812 disabled for the address family of this connection.
2813
2814 Policy routing disabled means that NetworkManager will add all
2815 routes to the main table (except static routes that explicitly
2816 configure a different table). Additionally, NetworkManager will not
2817 delete any extraneous routes from tables except the main table.
2818 This is to preserve backward compatibility for users who manage
2819 routing tables outside of NetworkManager.
2820
2821 Format: uint32
2822
2823 ipv6.routes
2824 A list of IPv6 destination addresses, prefix length, optional IPv6
2825 next hop addresses, optional route metric, optional attribute. The
2826 valid syntax is: "ip[/prefix] [next-hop] [metric]
2827 [attribute=val]...[,ip[/prefix]...]".
2828
2829 Various attributes are supported:
2830
2831 • "advmss" - an unsigned 32 bit integer.
2832
2833 • "cwnd" - an unsigned 32 bit integer.
2834
2835 • "from" - an IPv6 address with optional prefix. IPv6 only.
2836
2837 • "initcwnd" - an unsigned 32 bit integer.
2838
2839 • "initrwnd" - an unsigned 32 bit integer.
2840
2841 • "lock-advmss" - a boolean value.
2842
2843 • "lock-cwnd" - a boolean value.
2844
2845 • "lock-initcwnd" - a boolean value.
2846
2847 • "lock-initrwnd" - a boolean value.
2848
2849 • "lock-mtu" - a boolean value.
2850
2851 • "lock-window" - a boolean value.
2852
2853 • "mtu" - an unsigned 32 bit integer.
2854
2855 • "onlink" - a boolean value.
2856
2857 • "quickack" - a boolean value.
2858
2859 • "rto_min" - an unsigned 32 bit integer. The value is in
2860 milliseconds.
2861
2862 • "src" - an IPv6 address.
2863
2864 • "table" - an unsigned 32 bit integer. The default depends on
2865 ipv6.route-table.
2866
2867 • "type" - one of unicast, local, blackhole, unreachable,
2868 prohibit, throw. The default is unicast.
2869
2870 • "window" - an unsigned 32 bit integer.
2871
2872 For details see also `man ip-route`.
2873
2874 Format: a comma separated list of routes
2875
2876 ipv6.routing-rules
2877 A comma separated list of routing rules for policy routing. The
2878 format is based on ip rule add syntax and mostly compatible. One
2879 difference is that routing rules in NetworkManager always need a
2880 fixed priority.
2881
2882 Example: priority 5 from 1:2:3::5/128 table 45
2883
2884 Format: a comma separated list of routing rules
2885
2886 ipv6.token
2887 Configure the token for
2888 draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized
2889 interface identifiers. Useful with eui64 addr-gen-mode.
2890
2891 When set, the token is used as IPv6 interface identifier instead of
2892 the hardware address. This only applies to addresses from stateless
2893 autoconfiguration, not to IPv6 link local addresses.
2894
2895 Format: string
2896
2897 ip-tunnel setting
2898 IP Tunneling Settings.
2899
2900 Properties:
2901
2902 ip-tunnel.encapsulation-limit
2903 How many additional levels of encapsulation are permitted to be
2904 prepended to packets. This property applies only to IPv6 tunnels.
2905 To disable this option, add 0x1 (ip6-ign-encap-limit) to ip-tunnel
2906 flags.
2907
2908 Format: uint32
2909
2910 ip-tunnel.flags
2911 Tunnel flags. Currently, the following values are supported: 0x1
2912 (ip6-ign-encap-limit), 0x2 (ip6-use-orig-tclass), 0x4
2913 (ip6-use-orig-flowlabel), 0x8 (ip6-mip6-dev), 0x10
2914 (ip6-rcv-dscp-copy) and 0x20 (ip6-use-orig-fwmark). They are valid
2915 only for IPv6 tunnels.
2916
2917 Format: uint32
2918
2919 ip-tunnel.flow-label
2920 The flow label to assign to tunnel packets. This property applies
2921 only to IPv6 tunnels.
2922
2923 Format: uint32
2924
2925 ip-tunnel.fwmark
2926 The fwmark value to assign to tunnel packets. This property can be
2927 set to a non zero value only on VTI and VTI6 tunnels.
2928
2929 Format: uint32
2930
2931 ip-tunnel.input-key
2932 The key used for tunnel input packets; the property is valid only
2933 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2934
2935 Format: string
2936
2937 ip-tunnel.local
2938 Alias: local
2939
2940 The local endpoint of the tunnel; the value can be empty, otherwise
2941 it must contain an IPv4 or IPv6 address.
2942
2943 Format: string
2944
2945 ip-tunnel.mode
2946 Alias: mode
2947
2948 The tunneling mode. Valid values: ipip (1), gre (2), sit (3),
2949 isatap (4), vti (5), ip6ip6 (6), ipip6 (7), ip6gre (8), vti6 (9),
2950 gretap (10) and ip6gretap (11)
2951
2952 Format: uint32
2953
2954 ip-tunnel.mtu
2955 If non-zero, only transmit packets of the specified size or
2956 smaller, breaking larger packets up into multiple fragments.
2957
2958 Format: uint32
2959
2960 ip-tunnel.output-key
2961 The key used for tunnel output packets; the property is valid only
2962 for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
2963
2964 Format: string
2965
2966 ip-tunnel.parent
2967 Alias: dev
2968
2969 If given, specifies the parent interface name or parent connection
2970 UUID the new device will be bound to so that tunneled packets will
2971 only be routed via that interface.
2972
2973 Format: string
2974
2975 ip-tunnel.path-mtu-discovery
2976 Whether to enable Path MTU Discovery on this tunnel.
2977
2978 Format: boolean
2979
2980 ip-tunnel.remote
2981 Alias: remote
2982
2983 The remote endpoint of the tunnel; the value must contain an IPv4
2984 or IPv6 address.
2985
2986 Format: string
2987
2988 ip-tunnel.tos
2989 The type of service (IPv4) or traffic class (IPv6) field to be set
2990 on tunneled packets.
2991
2992 Format: uint32
2993
2994 ip-tunnel.ttl
2995 The TTL to assign to tunneled packets. 0 is a special value meaning
2996 that packets inherit the TTL value.
2997
2998 Format: uint32
2999
3000 macsec setting
3001 MACSec Settings.
3002
3003 Properties:
3004
3005 macsec.encrypt
3006 Alias: encrypt
3007
3008 Whether the transmitted traffic must be encrypted.
3009
3010 Format: boolean
3011
3012 macsec.mka-cak
3013 Alias: cak
3014
3015 The pre-shared CAK (Connectivity Association Key) for MACsec Key
3016 Agreement. Must be a string of 32 hexadecimal characters.
3017
3018 Format: string
3019
3020 macsec.mka-cak-flags
3021 Flags indicating how to handle the "mka-cak" property.
3022
3023 See the section called “Secret flag types:” for flag values.
3024
3025 Format: NMSettingSecretFlags (uint32)
3026
3027 macsec.mka-ckn
3028 Alias: ckn
3029
3030 The pre-shared CKN (Connectivity-association Key Name) for MACsec
3031 Key Agreement. Must be a string of hexadecimal characters with an
3032 even length between 2 and 64.
3033
3034 Format: string
3035
3036 macsec.mode
3037 Alias: mode
3038
3039 Specifies how the CAK (Connectivity Association Key) for MKA
3040 (MACsec Key Agreement) is obtained.
3041
3042 Format: int32
3043
3044 macsec.parent
3045 Alias: dev
3046
3047 If given, specifies the parent interface name or parent connection
3048 UUID from which this MACSEC interface should be created. If this
3049 property is not specified, the connection must contain an
3050 "802-3-ethernet" setting with a "mac-address" property.
3051
3052 Format: string
3053
3054 macsec.port
3055 Alias: port
3056
3057 The port component of the SCI (Secure Channel Identifier), between
3058 1 and 65534.
3059
3060 Format: int32
3061
3062 macsec.send-sci
3063 Specifies whether the SCI (Secure Channel Identifier) is included
3064 in every packet.
3065
3066 Format: boolean
3067
3068 macsec.validation
3069 Specifies the validation mode for incoming frames.
3070
3071 Format: int32
3072
3073 macvlan setting
3074 MAC VLAN Settings.
3075
3076 Properties:
3077
3078 macvlan.mode
3079 Alias: mode
3080
3081 The macvlan mode, which specifies the communication mechanism
3082 between multiple macvlans on the same lower device.
3083
3084 Format: uint32
3085
3086 macvlan.parent
3087 Alias: dev
3088
3089 If given, specifies the parent interface name or parent connection
3090 UUID from which this MAC-VLAN interface should be created. If this
3091 property is not specified, the connection must contain an
3092 "802-3-ethernet" setting with a "mac-address" property.
3093
3094 Format: string
3095
3096 macvlan.promiscuous
3097 Whether the interface should be put in promiscuous mode.
3098
3099 Format: boolean
3100
3101 macvlan.tap
3102 Alias: tap
3103
3104 Whether the interface should be a MACVTAP.
3105
3106 Format: boolean
3107
3108 match setting
3109 Match settings.
3110
3111 Properties:
3112
3113 match.driver
3114 A list of driver names to match. Each element is a shell wildcard
3115 pattern.
3116
3117 See NMSettingMatch:interface-name for how special characters '|',
3118 '&', '!' and '\\' are used for optional and mandatory matches and
3119 inverting the pattern.
3120
3121 Format: array of string
3122
3123 match.interface-name
3124 A list of interface names to match. Each element is a shell
3125 wildcard pattern.
3126
3127 An element can be prefixed with a pipe symbol (|) or an ampersand
3128 (&). The former means that the element is optional and the latter
3129 means that it is mandatory. If there are any optional elements,
3130 then the match evaluates to true if at least one of the optional
3131 elements matches (logical OR). If there are any mandatory elements,
3132 then they all must match (logical AND). By default, an element is
3133 optional. This means that an element "foo" behaves the same as
3134 "|foo". An element can also be inverted with exclamation mark (!)
3135 between the pipe symbol (or the ampersand) and before the pattern.
3136 Note that "!foo" is a shortcut for the mandatory match "&!foo".
3137 Finally, a backslash can be used at the beginning of the element
3138 (after the optional special characters) to escape the start of the
3139 pattern. For example, "&\\!a" is a mandatory match for literally
3140 "!a".
3141
3142 Format: array of string
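
The optional/mandatory/inverted rules described for match.interface-name, as an added Python example (not NetworkManager's implementation) that can be used to check which device names a match list admits before a profile is deployed. The function names and the sample lists are assumptions, and Python's fnmatchcase stands in for the shell wildcard matcher.

```python
from fnmatch import fnmatchcase
from typing import List, Tuple


def parse_element(element: str) -> Tuple[bool, bool, str]:
    """Split one list element into (mandatory, inverted, pattern)."""
    mandatory = False
    explicit = False
    rest = element
    if rest[:1] == "|":            # optional (also the default)
        explicit = True
        rest = rest[1:]
    elif rest[:1] == "&":          # mandatory
        explicit = True
        mandatory = True
        rest = rest[1:]
    inverted = False
    if rest[:1] == "!":
        inverted = True
        rest = rest[1:]
        if not explicit:
            mandatory = True       # "!foo" is a shortcut for "&!foo"
    if rest[:1] == "\\":
        rest = rest[1:]            # backslash escapes the start of the pattern
    return mandatory, inverted, rest


def matches(elements: List[str], value: str) -> bool:
    """Evaluate a match list against one device name."""
    any_optional = False
    optional_hit = False
    for element in elements:
        mandatory, inverted, pattern = parse_element(element)
        hit = fnmatchcase(value, pattern) != inverted
        if mandatory:
            if not hit:
                return False       # all mandatory elements must match (AND)
        else:
            any_optional = True
            optional_hit = optional_hit or hit
    # With optional elements present, at least one must match (OR).
    return optional_hit or not any_optional


# Constructed sample: wired interfaces only, but never a ".100" VLAN device.
WIRED_NO_VLAN100 = ["|en*", "|eth*", "&!*.100"]

if __name__ == "__main__":
    for name in ("enp3s0", "eth0", "eth0.100", "wlan0"):
        print(name, matches(WIRED_NO_VLAN100, name))
```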
3143
3144 match.kernel-command-line
3145 A list of kernel command line arguments to match. This may be used
3146 to check whether a specific kernel command line option is set (or
3147 unset, if prefixed with the exclamation mark). The argument must
3148 either be a single word, or an assignment (i.e. two words, joined
3149 by "="). In the former case the kernel command line is searched for
3150 the word appearing as is, or as left hand side of an assignment. In
3151 the latter case, the exact assignment is looked for with right and
3152 left hand side matching. Wildcard patterns are not supported.
3153
3154 See NMSettingMatch:interface-name for how special characters '|',
3155 '&', '!' and '\\' are used for optional and mandatory matches and
3156 inverting the match.
3157
3158 Format: array of string
3159
3160 match.path
3161 A list of paths to match against the ID_PATH udev property of
3162 devices. ID_PATH represents the topological persistent path of a
3163 device. It typically contains a subsystem string (pci, usb,
3164 platform, etc.) and a subsystem-specific identifier.
3165
3166 For PCI devices the path has the form
3167 "pci-$domain:$bus:$device.$function", where each variable is a
3168 hexadecimal value; for example "pci-0000:0a:00.0".
3169
3170 The path of a device can be obtained with "udevadm info
3171 /sys/class/net/$dev | grep ID_PATH=" or by looking at the "path"
3172 property exported by NetworkManager ("nmcli -f general.path device
3173 show $dev").
3174
3175 Each element of the list is a shell wildcard pattern.
3176
3177 See NMSettingMatch:interface-name for how special characters '|',
3178 '&', '!' and '\\' are used for optional and mandatory matches and
3179 inverting the pattern.
3180
3181 Format: array of string
3182
3183 802-11-olpc-mesh setting
3184 Alias: olpc-mesh
3185
3186 OLPC Wireless Mesh Settings.
3187
3188 Properties:
3189
3190 802-11-olpc-mesh.channel
3191 Alias: channel
3192
3193 Channel on which the mesh network to join is located.
3194
3195 Format: uint32
3196
3197 802-11-olpc-mesh.dhcp-anycast-address
3198 Alias: dhcp-anycast
3199
3200 Anycast DHCP MAC address used when requesting an IP address via
3201 DHCP. The specific anycast address used determines which DHCP
3202 server class answers the request.
3203
3204 This is currently only implemented by dhclient DHCP plugin.
3205
3206 Format: byte array
3207
3208 802-11-olpc-mesh.ssid
3209 Alias: ssid
3210
3211 SSID of the mesh network to join.
3212
3213 Format: byte array
3214
3215 ovs-bridge setting
3216 OvsBridge Link Settings.
3217
3218 Properties:
3219
3220 ovs-bridge.datapath-type
3221 The data path type. One of "system", "netdev" or empty.
3222
3223 Format: string
3224
3225 ovs-bridge.fail-mode
3226 The bridge failure mode. One of "secure", "standalone" or empty.
3227
3228 Format: string
3229
3230 ovs-bridge.mcast-snooping-enable
3231 Enable or disable multicast snooping.
3232
3233 Format: boolean
3234
3235 ovs-bridge.rstp-enable
3236 Enable or disable RSTP.
3237
3238 Format: boolean
3239
3240 ovs-bridge.stp-enable
3241 Enable or disable STP.
3242
3243 Format: boolean
3244
3245 ovs-dpdk setting
3246 OvsDpdk Link Settings.
3247
3248 Properties:
3249
3250 ovs-dpdk.devargs
3251 Open vSwitch DPDK device arguments.
3252
3253 Format: string
3254
3255 ovs-dpdk.n-rxq
3256 Open vSwitch DPDK number of rx queues. Defaults to zero which means
3257 to leave the parameter in OVS unspecified and effectively
3258 configures one queue.
3259
3260 Format: uint32
3261
3262 ovs-dpdk.n-rxq-desc
3263 The rx queue size (number of rx descriptors) for DPDK ports. Must
3264 be zero or a power of 2 between 1 and 4096, and supported by the
3265 hardware. Defaults to zero which means to leave the parameter in
3266 OVS unspecified and effectively configures 2048 descriptors.
3267
3268 Format: uint32
3269
3270 ovs-dpdk.n-txq-desc
3271 The tx queue size (number of tx descriptors) for DPDK ports. Must
3272 be zero or a power of 2 between 1 and 4096, and supported by the
3273 hardware. Defaults to zero which means to leave the parameter in
3274 OVS unspecified and effectively configures 2048 descriptors.
3275
3276 Format: uint32
3277
3278 ovs-interface setting
3279 Open vSwitch Interface Settings.
3280
3281 Properties:
3282
3283 ovs-interface.ofport-request
3284 Open vSwitch openflow port number. Defaults to zero which means
3285 that port number will not be specified and it will be chosen
3286 randomly by ovs. OpenFlow ports are the network interfaces for
3287 passing packets between OpenFlow processing and the rest of the
3288 network. OpenFlow switches connect logically to each other via
3289 their OpenFlow ports.
3290
3291 Format: uint32
3292
3293 ovs-interface.type
3294 The interface type. Either "internal", "system", "patch", "dpdk",
3295 or empty.
3296
3297 Format: string
3298
3299 ovs-patch setting
3300 OvsPatch Link Settings.
3301
3302 Properties:
3303
3304 ovs-patch.peer
3305 Specifies the name of the interface for the other side of the
3306 patch. The patch on the other side must also set this interface as
3307 peer.
3308
3309 Format: string
3310
3311 ovs-port setting
3312 OvsPort Link Settings.
3313
3314 Properties:
3315
3316 ovs-port.bond-downdelay
3317 The time port must be inactive in order to be considered down.
3318
3319 Format: uint32
3320
3321 ovs-port.bond-mode
3322 Bonding mode. One of "active-backup", "balance-slb", or
3323 "balance-tcp".
3324
3325 Format: string
3326
3327 ovs-port.bond-updelay
3328 The time port must be active before it starts forwarding traffic.
3329
3330 Format: uint32
3331
3332 ovs-port.lacp
3333 LACP mode. One of "active", "off", or "passive".
3334
3335 Format: string
3336
3337 ovs-port.tag
3338 The VLAN tag in the range 0-4095.
3339
3340 Format: uint32
3341
3342 ovs-port.trunks
3343 A list of VLAN ranges that this port trunks.
3344
3345 The property is valid only for ports with mode "trunk",
3346 "native-tagged", or "native-untagged port". If it is empty, the
3347 port trunks all VLANs.
3348
3349 Format: array of vardict
3350
3351 ovs-port.vlan-mode
3352 The VLAN mode. One of "access", "native-tagged", "native-untagged",
3353 "trunk", "dot1q-tunnel" or unset.
3354
3355 Format: string
3356
3357 ppp setting
3358 Point-to-Point Protocol Settings.
3359
3360 Properties:
3361
3362 ppp.baud
3363 If non-zero, instruct pppd to set the serial port to the specified
3364 baudrate. This value should normally be left as 0 to automatically
3365 choose the speed.
3366
3367 Format: uint32
3368
3369 ppp.crtscts
3370 If TRUE, specify that pppd should set the serial port to use
3371 hardware flow control with RTS and CTS signals. This value should
3372 normally be set to FALSE.
3373
3374 Format: boolean
3375
3376 ppp.lcp-echo-failure
3377 If non-zero, instruct pppd to presume the connection to the peer
3378 has failed if the specified number of LCP echo-requests go
3379 unanswered by the peer. The "lcp-echo-interval" property must also
3380 be set to a non-zero value if this property is used.
3381
3382 Format: uint32
3383
3384 ppp.lcp-echo-interval
3385 If non-zero, instruct pppd to send an LCP echo-request frame to the
3386 peer every n seconds (where n is the specified value). Note that
3387 some PPP peers will respond to echo requests and some will not, and
3388 it is not possible to autodetect this.
3389
3390 Format: uint32
3391
3392 ppp.mppe-stateful
3393 If TRUE, stateful MPPE is used. See pppd documentation for more
3394 information on stateful MPPE.
3395
3396 Format: boolean
3397
3398 ppp.mru
3399 If non-zero, instruct pppd to request that the peer send packets no
3400 larger than the specified size. If non-zero, the MRU should be
3401 between 128 and 16384.
3402
3403 Format: uint32
3404
3405 ppp.mtu
3406 If non-zero, instruct pppd to send packets no larger than the
3407 specified size.
3408
3409 Format: uint32
3410
3411 ppp.no-vj-comp
3412 If TRUE, Van Jacobson TCP header compression will not be requested.
3413
3414 Format: boolean
3415
3416 ppp.noauth
3417 If TRUE, do not require the other side (usually the PPP server) to
3418 authenticate itself to the client. If FALSE, require authentication
3419 from the remote side. In almost all cases, this should be TRUE.
3420
3421 Format: boolean
3422
3423 ppp.nobsdcomp
3424 If TRUE, BSD compression will not be requested.
3425
3426 Format: boolean
3427
3428 ppp.nodeflate
3429 If TRUE, "deflate" compression will not be requested.
3430
3431 Format: boolean
3432
3433 ppp.refuse-chap
3434 If TRUE, the CHAP authentication method will not be used.
3435
3436 Format: boolean
3437
3438 ppp.refuse-eap
3439 If TRUE, the EAP authentication method will not be used.
3440
3441 Format: boolean
3442
3443 ppp.refuse-mschap
3444 If TRUE, the MSCHAP authentication method will not be used.
3445
3446 Format: boolean
3447
3448 ppp.refuse-mschapv2
3449 If TRUE, the MSCHAPv2 authentication method will not be used.
3450
3451 Format: boolean
3452
3453 ppp.refuse-pap
3454 If TRUE, the PAP authentication method will not be used.
3455
3456 Format: boolean
3457
3458 ppp.require-mppe
3459 If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be
3460 required for the PPP session. If either 64-bit or 128-bit MPPE is
3461 not available the session will fail. Note that MPPE is not used on
3462 mobile broadband connections.
3463
3464 Format: boolean
3465
3466 ppp.require-mppe-128
3467 If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
3468 required for the PPP session, and the "require-mppe" property must
3469 also be set to TRUE. If 128-bit MPPE is not available the session
3470 will fail.
3471
3472 Format: boolean
3473
3474 pppoe setting
3475 PPP-over-Ethernet Settings.
3476
3477 Properties:
3478
3479 pppoe.parent
3480 Alias: parent
3481
3482 If given, specifies the parent interface name on which this PPPoE
3483 connection should be created. If this property is not specified,
3484 the connection is activated on the interface specified in
3485 "interface-name" of NMSettingConnection.
3486
3487 Format: string
3488
3489 pppoe.password
3490 Alias: password
3491
3492 Password used to authenticate with the PPPoE service.
3493
3494 Format: string
3495
3496 pppoe.password-flags
3497 Flags indicating how to handle the "password" property.
3498
3499 See the section called “Secret flag types:” for flag values.
3500
3501 Format: NMSettingSecretFlags (uint32)
3502
3503 pppoe.service
3504 Alias: service
3505
3506 If specified, instruct PPPoE to only initiate sessions with access
3507 concentrators that provide the specified service. For most
3508 providers, this should be left blank. It is only required if there
3509 are multiple access concentrators or a specific service is known to
3510 be required.
3511
3512 Format: string
3513
3514 pppoe.username
3515 Alias: username
3516
3517 Username used to authenticate with the PPPoE service.
3518
3519 Format: string
3520
3521 proxy setting
3522 WWW Proxy Settings.
3523
3524 Properties:
3525
3526 proxy.browser-only
3527 Alias: browser-only
3528
3529 Whether the proxy configuration is for browser only.
3530
3531 Format: boolean
3532
3533 proxy.method
3534 Alias: method
3535
3536 Method for proxy configuration. Default is
3537 NM_SETTING_PROXY_METHOD_NONE (0).
3538
3539 Format: int32
3540
3541 proxy.pac-script
3542 Alias: pac-script
3543
3544 The PAC script. In the profile this must be UTF-8 encoded
3545 JavaScript code that defines a FindProxyForURL() function. When
3546 setting the property in nmcli, a filename is accepted too. In that
3547 case, nmcli will read the content of the file and set the script.
3548 The prefixes "file://" and "js://" are supported to explicitly
3549 differentiate between the two.
3550
3551 Format: string
3552
3553 proxy.pac-url
3554 Alias: pac-url
3555
3556 PAC URL for obtaining PAC file.
3557
3558 Format: string
3559
3560 serial setting
3561 Serial Link Settings.
3562
3563 Properties:
3564
3565 serial.baud
3566 Speed to use for communication over the serial port. Note that this
3567 value usually has no effect for mobile broadband modems as they
3568 generally ignore speed settings and use the highest available
3569 speed.
3570
3571 Format: uint32
3572
3573 serial.bits
3574 Byte-width of the serial communication. The 8 in "8n1" for example.
3575
3576 Format: uint32
3577
3578 serial.parity
3579 Parity setting of the serial port.
3580
3581 Format: NMSettingSerialParity (byte)
3582
3583 serial.send-delay
3584 Time to delay between each byte sent to the modem, in microseconds.
3585
3586 Format: uint64
3587
3588 serial.stopbits
3589 Number of stop bits for communication on the serial port. Either 1
3590 or 2. The 1 in "8n1" for example.
3591
3592 Format: uint32
3593
3594 sriov setting
3595 SR-IOV settings.
3596
3597 Properties:
3598
3599 sriov.autoprobe-drivers
3600 Whether to autoprobe virtual functions by a compatible driver.
3601
3602 If set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to a
3603 compatible driver and if this succeeds a new network interface will
3604 be instantiated for each VF.
3605
3606 If set to NM_TERNARY_FALSE (0), VFs will not be claimed and no
3607 network interfaces will be created for them.
3608
3609 When set to NM_TERNARY_DEFAULT (-1), the global default is used; in
3610 case the global default is unspecified it is assumed to be
3611 NM_TERNARY_TRUE (1).
3612
3613 Format: NMTernary (int32)
3614
3615 sriov.total-vfs
3616 The total number of virtual functions to create.
3617
3618 Note that when the sriov setting is present NetworkManager enforces
3619 the number of virtual functions on the interface (also when it is
3620 zero) during activation and resets it upon deactivation. To prevent
3621 any changes to SR-IOV parameters don't add a sriov setting to the
3622 connection.
3623
3624 Format: uint32
3625
3626 sriov.vfs
3627 Array of virtual function descriptors.
3628
3629 Each VF descriptor is a dictionary mapping attribute names to
3630 GVariant values. The 'index' entry is mandatory for each VF.
3631
3632 When represented as string a VF is in the form:
3633
3634 "INDEX [ATTR=VALUE[ ATTR=VALUE]...]".
3635
3636 for example:
3637
3638 "2 mac=00:11:22:33:44:55 spoof-check=true".
3639
3640 Multiple VFs can be specified using a comma as separator.
3641 Currently, the following attributes are supported: mac,
3642 spoof-check, trust, min-tx-rate, max-tx-rate, vlans.
3643
3644 The "vlans" attribute is represented as a semicolon-separated list
3645 of VLAN descriptors, where each descriptor has the form
3646
3647 "ID[.PRIORITY[.PROTO]]".
3648
3649 PROTO can be either 'q' for 802.1Q (the default) or 'ad' for
3650 802.1ad.
3651
3652 Format: array of vardict
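
The string form of sriov.vfs described above can be parsed and reviewed before a profile is applied. The following is an added example, not NetworkManager code: the function names, the sample value and the review policy (report VFs with spoof-check=false or trust=true) are assumptions of this example, and the VLAN bounds are the 802.1Q tag field widths rather than NetworkManager's own validation.

```python
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
BOOLS = {"true": True, "false": False}
PROTOS = {"q": "802.1Q", "ad": "802.1ad"}   # 'q' is the documented default
BOOL_ATTRS = ("spoof-check", "trust")
INT_ATTRS = ("min-tx-rate", "max-tx-rate")


def parse_vlan(text):
    """Parse one 'ID[.PRIORITY[.PROTO]]' descriptor."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 3 or not all(parts):
        raise ValueError(f"bad VLAN descriptor: {text!r}")
    vlan_id = int(parts[0])
    priority = int(parts[1]) if len(parts) > 1 else None
    proto_key = parts[2] if len(parts) > 2 else "q"
    if proto_key not in PROTOS:
        raise ValueError(f"unknown VLAN protocol: {proto_key!r}")
    # Assumption: bounds follow the 12-bit VID and 3-bit priority fields.
    if not 0 <= vlan_id <= 4095:
        raise ValueError(f"VLAN id out of range: {vlan_id}")
    if priority is not None and not 0 <= priority <= 7:
        raise ValueError(f"VLAN priority out of range: {priority}")
    return {"id": vlan_id, "priority": priority, "proto": PROTOS[proto_key]}


def parse_vf(text):
    """Parse one 'INDEX [ATTR=VALUE[ ATTR=VALUE]...]' descriptor."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty VF descriptor")
    vf = {"index": int(tokens[0])}          # 'index' is mandatory
    for token in tokens[1:]:
        name, sep, value = token.partition("=")
        if not sep or not value:
            raise ValueError(f"expected ATTR=VALUE, got {token!r}")
        if name in vf:
            raise ValueError(f"duplicate attribute: {name}")
        if name in BOOL_ATTRS:
            if value not in BOOLS:
                raise ValueError(f"{name} must be true or false")
            vf[name] = BOOLS[value]
        elif name in INT_ATTRS:
            vf[name] = int(value)
        elif name == "mac":
            if not MAC_RE.match(value):
                raise ValueError(f"bad MAC address: {value!r}")
            vf[name] = value.upper()
        elif name == "vlans":
            vf[name] = [parse_vlan(v) for v in value.split(";")]
        else:
            raise ValueError(f"unsupported attribute: {name}")
    return vf


def parse_vfs(value):
    """Parse a comma-separated list of VF descriptors."""
    vfs = [parse_vf(chunk) for chunk in value.split(",")]
    indexes = [vf["index"] for vf in vfs]
    if len(indexes) != len(set(indexes)):
        raise ValueError("duplicate VF index")
    return vfs


def review(vfs):
    """Return (index, finding) pairs under this example's review policy."""
    findings = []
    for vf in vfs:
        if vf.get("spoof-check") is False:
            findings.append((vf["index"], "spoof-check=false"))
        if vf.get("trust") is True:
            findings.append((vf["index"], "trust=true"))
    return findings


# Constructed sample value, not taken from a real profile.
SAMPLE = ("0 mac=00:11:22:33:44:55 spoof-check=true vlans=100.3.ad;200, "
          "1 trust=true spoof-check=false, 2 max-tx-rate=1000")

if __name__ == "__main__":
    for index, finding in review(parse_vfs(SAMPLE)):
        print(f"VF {index}: {finding}")
```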
3653
3654 tc setting
3655 Linux Traffic Control Settings.
3656
3657 Properties:
3658
3659 tc.qdiscs
3660 Array of TC queueing disciplines. qdisc is a basic block in the
3661 Linux traffic control subsystem.
3662
3663 Each qdisc can be specified by the following attributes:
3664
3665 handle HANDLE
3666 specifies the qdisc handle. A qdisc, which potentially can have
3667 children, gets assigned a major number, called a 'handle',
3668 leaving the minor number namespace available for classes. The
3669 handle is expressed as '10:'. It is customary to explicitly
3670 assign a handle to qdiscs expected to have children.
3671
3672 parent HANDLE
3673 specifies the handle of the parent qdisc the current qdisc must
3674 be attached to.
3675
3676 root
3677 specifies that the qdisc is attached to the root of device.
3678
3679 KIND
3680 this is the qdisc kind. NetworkManager currently supports the
3681 following kinds: fq_codel, sfq, tbf. Each qdisc kind has a
3682 different set of parameters, described below. There are also
3683 some kinds like pfifo, pfifo_fast, prio supported by
3684 NetworkManager but their parameters are not supported by
3685 NetworkManager.
3686
3687 Parameters for 'fq_codel':
3688
3689 limit U32
3690 the hard limit on the real queue size. When this limit is
3691 reached, incoming packets are dropped. Default is 10240
3692 packets.
3693
3694 memory_limit U32
3695 sets a limit on the total number of bytes that can be queued in
3696 this FQ-CoDel instance. The lower of the packet limit of the
3697 limit parameter and the memory limit will be enforced. Default
3698 is 32 MB.
3699
3700 flows U32
3701 the number of flows into which the incoming packets are
3702 classified. Due to the stochastic nature of hashing, multiple
3703 flows may end up being hashed into the same slot. Newer flows
3704 have priority over older ones. This parameter can be set only
3705 at load time since memory has to be allocated for the hash
3706 table. Default value is 1024.
3707
3708 target U32
3709 the acceptable minimum standing/persistent queue delay. This
3710 minimum delay is identified by tracking the local minimum queue
3711 delay that packets experience. The unit of measurement is
3712 microsecond(us). Default value is 5ms.
3713
3714 interval U32
3715 used to ensure that the measured minimum delay does not become
3716 too stale. The minimum delay must be experienced in the last
3717 epoch of length interval. It should be set on the order of
3718 the worst-case RTT through the bottleneck to give endpoints
3719 sufficient time to react. Default value is 100ms.
3720
3721 quantum U32
3722 the number of bytes used as 'deficit' in the fair queuing
3723 algorithm. Default is set to 1514 bytes which corresponds to
3724 the Ethernet MTU plus the hardware header length of 14 bytes.
3725
3726 ecn BOOL
3727 can be used to mark packets instead of dropping them. ecn is
3728 turned on by default.
3729
3730 ce_threshold U32
3731 sets a threshold above which all packets are marked with ECN
3732 Congestion Experienced. This is useful for DCTCP-style
3733 congestion control algorithms that require marking at very
3734 shallow queueing thresholds.
3735
3736 Parameters for 'sfq':
3737
3738 divisor U32
3739 can be used to set a different hash table size, available from
3740 kernel 2.6.39 onwards. The specified divisor must be a power of
3741 two and cannot be larger than 65536. Default value: 1024.
3742
3743 limit U32
3744 Upper limit of the SFQ. Can be used to reduce the default
3745 length of 127 packets.
3746
3747 depth U32
3748 Limit of packets per flow. Default to 127 and can be lowered.
3749
3750 perturb_period U32
3751 Interval in seconds for queue algorithm perturbation. Defaults
3752 to 0, which means that no perturbation occurs. Do not set too
3753 low, for each perturbation may cause some packet reordering or
3754 losses. Advised value: 60. This value has no effect when
3755 external flow classification is used. It's better to increase
3756 the divisor value to lower the risk of hash collisions.
3757
3758 quantum U32
3759 Amount of bytes a flow is allowed to dequeue during a round of
3760 the round robin process. Defaults to the MTU of the interface
3761 which is also the advised value and the minimum value.
3762
3763 flows U32
3764 Default value is 127.
3765
3766 Parameters for 'tbf':
3767
3768 rate U64
3769 Bandwidth or rate. These parameters accept a floating point
3770 number, possibly followed by either a unit (both SI and IEC
3771 units supported), or a float followed by a percent character to
3772 specify the rate as a percentage of the device's speed.
3773
3774 burst U32
3775 Also known as buffer or maxburst. Size of the bucket, in bytes.
3776 This is the maximum amount of bytes that tokens can be
3777 available for instantaneously. In general, larger shaping rates
3778 require a larger buffer. For 10mbit/s on Intel, you need at
3779 least 10kbyte buffer if you want to reach your configured rate!
3780
3781 If your buffer is too small, packets may be dropped because
3782 more tokens arrive per timer tick than fit in your bucket. The
3783 minimum buffer size can be calculated by dividing the rate by
3784 HZ.
3785
3786 Token usage calculations are performed using a table which by
3787 default has a resolution of 8 packets. This resolution can be
3788 changed by specifying the cell size with the burst. For
3789 example, to specify a 6000 byte buffer with a 16 byte cell
3790 size, set a burst of 6000/16. You will probably never have to
3791 set this. Must be an integral power of 2.
3792
3793 limit U32
3794 Limit is the number of bytes that can be queued waiting for
3795 tokens to become available.
3796
3797 latency U32
3798 specifies the maximum amount of time a packet can sit in the
3799 TBF. The latency calculation takes into account the size of the
3800 bucket, the rate and possibly the peakrate (if set). The
3801 latency and limit are mutually exclusive.
3802
3803 Format: GPtrArray(NMTCQdisc)
3804
3805 tc.tfilters
3806 Array of TC traffic filters. Traffic control can manage the packet
3807 content during classification by using filters.
3808
3809 Each tfilter can be specified by the following attributes:
3810
3811 handle HANDLE
3812 specifies the tfilters handle. A filter is used by a classful
3813 qdisc to determine in which class a packet will be enqueued. It
3814 is important to notice that filters reside within qdiscs.
3815 Therefore, see qdiscs handle for detailed information.
3816
3817 parent HANDLE
3818 specifies the handle of the parent qdisc the current qdisc must
3819 be attached to.
3820
3821 root
3822 specifies that the qdisc is attached to the root of device.
3823
3824 KIND
3825 this is the tfilters kind. NetworkManager currently supports
3826 following kinds: mirred, simple. Each filter kind has a
3827 different set of actions, described below. There are also some
3828 other kinds like matchall, basic, u32 supported by
3829 NetworkManager.
3830
3831 Actions for 'mirred':
3832
3833 egress bool
3834 Define whether the packet should exit from the interface.
3835
3836 ingress bool
3837 Define whether the packet should come into the interface.
3838
3839 mirror bool
3840 Define whether the packet should be copied to the destination
3841 space.
3842
3843 redirect bool
3844 Define whether the packet should be moved to the destination
3845 space.
3846
3847 Action for 'simple':
3848
3849 sdata char[32]
3850 The actual string to print.
3851
3852 Format: GPtrArray(NMTCTfilter)
3853
3854 team setting
3855 Teaming Settings.
3856
3857 Properties:
3858
3859 team.config
3860 Alias: config
3861
3862 The JSON configuration for the team network interface. The property
3863 should contain raw JSON configuration data suitable for teamd,
3864 because the value is passed directly to teamd. If not specified,
3865 the default configuration is used. See man teamd.conf for the
3866 format details.
3867
3868 Format: string
3869
3870 team.link-watchers
3871 Link watchers configuration for the connection: each link watcher
3872 is defined by a dictionary, whose keys depend upon the selected
3873 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3874 and 'arp_ping' and it is specified in the dictionary with the key
3875 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3876 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3877 'target-host'; arp_ping: all the ones in nsna_ping and
3878 'source-host', 'validate-active', 'validate-inactive',
3879 'send-always'. See teamd.conf man for more details.
3880
3881 Format: array of vardict
3882
3883 team.mcast-rejoin-count
3884 Corresponds to the teamd mcast_rejoin.count.
3885
3886 Format: int32
3887
3888 team.mcast-rejoin-interval
3889 Corresponds to the teamd mcast_rejoin.interval.
3890
3891 Format: int32
3892
3893 team.notify-peers-count
3894 Corresponds to the teamd notify_peers.count.
3895
3896 Format: int32
3897
3898 team.notify-peers-interval
3899 Corresponds to the teamd notify_peers.interval.
3900
3901 Format: int32
3902
3903 team.runner
3904 Corresponds to the teamd runner.name. Permitted values are:
3905 "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp",
3906 "random".
3907
3908 Format: string
3909
3910 team.runner-active
3911 Corresponds to the teamd runner.active.
3912
3913 Format: boolean
3914
3915 team.runner-agg-select-policy
3916 Corresponds to the teamd runner.agg_select_policy.
3917
3918 Format: string
3919
3920 team.runner-fast-rate
3921 Corresponds to the teamd runner.fast_rate.
3922
3923 Format: boolean
3924
3925 team.runner-hwaddr-policy
3926 Corresponds to the teamd runner.hwaddr_policy.
3927
3928 Format: string
3929
3930 team.runner-min-ports
3931 Corresponds to the teamd runner.min_ports.
3932
3933 Format: int32
3934
3935 team.runner-sys-prio
3936 Corresponds to the teamd runner.sys_prio.
3937
3938 Format: int32
3939
3940 team.runner-tx-balancer
3941 Corresponds to the teamd runner.tx_balancer.name.
3942
3943 Format: string
3944
3945 team.runner-tx-balancer-interval
3946 Corresponds to the teamd runner.tx_balancer.interval.
3947
3948 Format: int32
3949
3950 team.runner-tx-hash
3951 Corresponds to the teamd runner.tx_hash.
3952
3953 Format: array of string
3954
3955 team-port setting
3956 Team Port Settings.
3957
3958 Properties:
3959
3960 team-port.config
3961 Alias: config
3962
3963 The JSON configuration for the team port. The property should
3964 contain raw JSON configuration data suitable for teamd, because the
3965 value is passed directly to teamd. If not specified, the default
3966 configuration is used. See man teamd.conf for the format details.
3967
3968 Format: string
3969
3970 team-port.lacp-key
3971 Corresponds to the teamd ports.PORTIFNAME.lacp_key.
3972
3973 Format: int32
3974
3975 team-port.lacp-prio
3976 Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
3977
3978 Format: int32
3979
3980 team-port.link-watchers
3981 Link watchers configuration for the connection: each link watcher
3982 is defined by a dictionary, whose keys depend upon the selected
3983 link watcher. Available link watchers are 'ethtool', 'nsna_ping'
3984 and 'arp_ping' and it is specified in the dictionary with the key
3985 'name'. Available keys are: ethtool: 'delay-up', 'delay-down',
3986 'init-wait'; nsna_ping: 'init-wait', 'interval', 'missed-max',
3987 'target-host'; arp_ping: all the ones in nsna_ping and
3988 'source-host', 'validate-active', 'validate-inactive',
3989 'send-always'. See teamd.conf man for more details.
3990
3991 Format: array of vardict
3992
3993 team-port.prio
3994 Corresponds to the teamd ports.PORTIFNAME.prio.
3995
3996 Format: int32
3997
3998 team-port.queue-id
3999 Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1
4000 means the parameter is skipped from the json config.
4001
4002 Format: int32
4003
4004 team-port.sticky
4005 Corresponds to the teamd ports.PORTIFNAME.sticky.
4006
4007 Format: boolean
4008
4009 tun setting
4010 Tunnel Settings.
4011
4012 Properties:
4013
4014 tun.group
4015 Alias: group
4016
4017 The group ID which will own the device. If set to NULL everyone
4018 will be able to use the device.
4019
4020 Format: string
4021
4022 tun.mode
4023 Alias: mode
4024
4025 The operating mode of the virtual device. Allowed values are
4026 NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
4027 NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
4028
4029 Format: uint32
4030
4031 tun.multi-queue
4032 Alias: multi-queue
4033
4034 If the property is set to TRUE, the interface will support multiple
4035 file descriptors (queues) to parallelize packet sending or
4036 receiving. Otherwise, the interface will only support a single
4037 queue.
4038
4039 Format: boolean
4040
4041 tun.owner
4042 Alias: owner
4043
4044 The user ID which will own the device. If set to NULL everyone will
4045 be able to use the device.
4046
4047 Format: string
4048
4049 tun.pi
4050 Alias: pi
4051
4052 If TRUE the interface will prepend a 4 byte header describing the
4053 physical interface to the packets.
4054
4055 Format: boolean
4056
4057 tun.vnet-hdr
4058 Alias: vnet-hdr
4059
4060 If TRUE the tunnel packets will include a virtio network header
4061 (IFF_VNET_HDR).
4062
4063 Format: boolean
4064
4065 vlan setting
4066 VLAN Settings.
4067
4068 Properties:
4069
4070 vlan.egress-priority-map
4071 Alias: egress
4072
4073 For outgoing packets, a list of mappings from Linux SKB priorities
4074 to 802.1p priorities. The mapping is given in the format "from:to"
4075 where both "from" and "to" are unsigned integers, e.g. "7:3".
4076
4077 Format: array of string
4078
4079 vlan.flags
4080 Alias: flags
4081
4082 One or more flags which control the behavior and features of the
4083 VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1)
4084 (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use
4085 of the GVRP protocol), NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose
4086 binding of the interface to its master device's operating state),
4087 and NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol).
4088
4089 The default value of this property is NM_VLAN_FLAG_REORDER_HEADERS,
4090 but it used to be 0. To preserve backward compatibility, the
4091 default-value in the D-Bus API continues to be 0 and a missing
4092 property on D-Bus is still considered as 0.
4093
4094 Format: NMVlanFlags (uint32)
4095
4096 vlan.id
4097 Alias: id
4098
4099 The VLAN identifier that the interface created by this connection
4100 should be assigned. The valid range is from 0 to 4094, without the
4101 reserved id 4095.
4102
4103 Format: uint32
4104
4105 vlan.ingress-priority-map
4106 Alias: ingress
4107
4108 For incoming packets, a list of mappings from 802.1p priorities to
4109 Linux SKB priorities. The mapping is given in the format "from:to"
4110 where both "from" and "to" are unsigned integers, e.g. "7:3".
4111
4112 Format: array of string
4113
4114 vlan.parent
4115 Alias: dev
4116
4117 If given, specifies the parent interface name or parent connection
4118 UUID from which this VLAN interface should be created. If this
4119 property is not specified, the connection must contain an
4120 "802-3-ethernet" setting with a "mac-address" property.
4121
4122 Format: string
4123
4124 vlan.protocol
4125 Specifies the VLAN protocol to use for encapsulation.
4126
4127 Supported values are: '802.1Q', '802.1ad'. If not specified the
4128 default value is '802.1Q'.
4129
4130 Format: string
4131
4132 vpn setting
4133 VPN Settings.
4134
4135 Properties:
4136
4137 vpn.data
4138 Dictionary of key/value pairs of VPN plugin specific data. Both
4139 keys and values must be strings.
4140
4141 Format: dict of string to string
4142
4143 vpn.persistent
4144 If the VPN service supports persistence, and this property is TRUE,
4145 the VPN will attempt to stay connected across link changes and
4146 outages, until explicitly disconnected.
4147
4148 Format: boolean
4149
4150 vpn.secrets
4151 Dictionary of key/value pairs of VPN plugin specific secrets like
4152 passwords or private keys. Both keys and values must be strings.
4153
4154 Format: dict of string to string
4155
4156 vpn.service-type
4157 Alias: vpn-type
4158
4159 D-Bus service name of the VPN plugin that this setting uses to
4160 connect to its network, e.g. org.freedesktop.NetworkManager.vpnc
4161 for the vpnc plugin.
4162
4163 Format: string
4164
4165 vpn.timeout
4166 Timeout for the VPN service to establish the connection. Some
4167 services may take quite a long time to connect. Value of 0 means a
4168 default timeout, which is 60 seconds (unless overridden by
4169 vpn.timeout in configuration file). Values greater than zero mean
4170 timeout in seconds.
4171
4172 Format: uint32
4173
4174 vpn.user-name
4175 Alias: user
4176
4177 If the VPN connection requires a user name for authentication, that
4178 name should be provided here. If the connection is available to
4179 more than one user, and the VPN requires each user to supply a
4180 different name, then leave this property empty. If this property is
4181 empty, NetworkManager will automatically supply the username of the
4182 user which requested the VPN connection.
4183
4184 Format: string
4185
4186 vrf setting
4187 VRF settings.
4188
4189 Properties:
4190
4191 vrf.table
4192 Alias: table
4193
4194 The routing table for this VRF.
4195
4196 Format: uint32
4197
4198 vxlan setting
4199 VXLAN Settings.
4200
4201 Properties:
4202
4203 vxlan.ageing
4204 Specifies the lifetime in seconds of FDB entries learnt by the
4205 kernel.
4206
4207 Format: uint32
4208
4209 vxlan.destination-port
4210 Alias: destination-port
4211
4212 Specifies the UDP destination port to communicate to the remote
4213 VXLAN tunnel endpoint.
4214
4215 Format: uint32
4216
4217 vxlan.id
4218 Alias: id
4219
4220 Specifies the VXLAN Network Identifier (or VXLAN Segment
4221 Identifier) to use.
4222
4223 Format: uint32
4224
4225 vxlan.l2-miss
4226 Specifies whether netlink LL ADDR miss notifications are generated.
4227
4228 Format: boolean
4229
4230 vxlan.l3-miss
4231 Specifies whether netlink IP ADDR miss notifications are generated.
4232
4233 Format: boolean
4234
4235 vxlan.learning
4236 Specifies whether unknown source link layer addresses and IP
4237 addresses are entered into the VXLAN device forwarding database.
4238
4239 Format: boolean
4240
4241 vxlan.limit
4242 Specifies the maximum number of FDB entries. A value of zero means
4243 that the kernel will store unlimited entries.
4244
4245 Format: uint32
4246
4247 vxlan.local
4248 Alias: local
4249
4250 If given, specifies the source IP address to use in outgoing
4251 packets.
4252
4253 Format: string
4254
4255 vxlan.parent
4256 Alias: dev
4257
4258 If given, specifies the parent interface name or parent connection
4259 UUID.
4260
4261 Format: string
4262
4263 vxlan.proxy
4264 Specifies whether ARP proxy is turned on.
4265
4266 Format: boolean
4267
4268 vxlan.remote
4269 Alias: remote
4270
4271 Specifies the unicast destination IP address to use in outgoing
4272 packets when the destination link layer address is not known in the
4273 VXLAN device forwarding database, or the multicast IP address to
4274 join.
4275
4276 Format: string
4277
4278 vxlan.rsc
4279 Specifies whether route short circuit is turned on.
4280
4281 Format: boolean
4282
4283 vxlan.source-port-max
4284 Alias: source-port-max
4285
4286 Specifies the maximum UDP source port to communicate to the remote
4287 VXLAN tunnel endpoint.
4288
4289 Format: uint32
4290
4291 vxlan.source-port-min
4292 Alias: source-port-min
4293
4294 Specifies the minimum UDP source port to communicate to the remote
4295 VXLAN tunnel endpoint.
4296
4297 Format: uint32
4298
4299 vxlan.tos
4300 Specifies the TOS value to use in outgoing packets.
4301
4302 Format: uint32
4303
4304 vxlan.ttl
4305 Specifies the time-to-live value to use in outgoing packets.
4306
4307 Format: uint32
4308
4309 wifi-p2p setting
4310 Wi-Fi P2P Settings.
4311
4312 Properties:
4313
4314 wifi-p2p.peer
4315 Alias: peer
4316
4317 The P2P device that should be connected to. Currently, this is the
4318 only way to create or join a group.
4319
4320 Format: string
4321
4322 wifi-p2p.wfd-ies
4323 The Wi-Fi Display (WFD) Information Elements (IEs) to set.
4324
4325 Wi-Fi Display requires a protocol specific information element to
4326 be set in certain Wi-Fi frames. These can be specified here for the
4327 purpose of establishing a connection. This setting is only useful
4328 when implementing a Wi-Fi Display client.
4329
4330 Format: byte array
4331
4332 wifi-p2p.wps-method
4333 Flags indicating which mode of WPS is to be used.
4334
4335 There's little point in changing the default setting as
4336 NetworkManager will automatically determine the best method to use.
4337
4338 Format: uint32
4339
4340 wimax setting
4341 WiMax Settings.
4342
4343 Properties:
4344
4345 wimax.mac-address
4346 Alias: mac
4347
4348 If specified, this connection will only apply to the WiMAX device
4349 whose MAC address matches. This property does not change the MAC
4350 address of the device (known as MAC spoofing).
4351
4352 This property is deprecated since version 1.2. WiMAX is no longer
4353 supported.
4354
4355 Format: byte array
4356
4357 wimax.network-name
4358 Alias: nsp
4359
4360 Network Service Provider (NSP) name of the WiMAX network this
4361 connection should use.
4362
4363 This property is deprecated since version 1.2. WiMAX is no longer
4364 supported.
4365
4366 Format: string
4367
4368 802-3-ethernet setting
4369 Alias: ethernet
4370
4371 Wired Ethernet Settings.
4372
4373 Properties:
4374
4375 802-3-ethernet.accept-all-mac-addresses
4376 When TRUE, set up the interface to accept packets for all MAC
4377 addresses. This is enabling the kernel interface flag IFF_PROMISC.
4378 When FALSE, the interface will only accept the packets with the
4379 interface destination mac address or broadcast.
4380
4381 Format: NMTernary (int32)
4382
4383 802-3-ethernet.auto-negotiate
4384 When TRUE, enforce auto-negotiation of speed and duplex mode. If
4385 "speed" and "duplex" properties are both specified, only that
4386 single mode will be advertised and accepted during the link
4387 auto-negotiation process: this works only for BASE-T 802.3
4388 specifications and is useful for enforcing gigabits modes, as in
4389 these cases link negotiation is mandatory. When FALSE, "speed" and
4390 "duplex" properties should be both set or link configuration will
4391 be skipped.
4392
4393 Format: boolean
4394
4395 802-3-ethernet.cloned-mac-address
4396 Alias: cloned-mac
4397
4398 If specified, request that the device use this MAC address instead.
4399 This is known as MAC cloning or spoofing.
4400
4401 Beside explicitly specifying a MAC address, the special values
4402 "preserve", "permanent", "random" and "stable" are supported.
4403 "preserve" means not to touch the MAC address on activation.
4404 "permanent" means to use the permanent hardware address if the
4405 device has one (otherwise this is treated as "preserve"). "random"
4406 creates a random MAC address on each connect. "stable" creates a
4407 hashed MAC address based on connection.stable-id and a machine
4408 dependent key.
4409
4410 If unspecified, the value can be overwritten via global defaults,
4411 see manual of NetworkManager.conf. If still unspecified, it
4412 defaults to "preserve" (older versions of NetworkManager may use a
4413 different default value).
4414
4415 On D-Bus, this field is expressed as "assigned-mac-address" or the
4416 deprecated "cloned-mac-address".
4417
4418 Format: byte array
4419
4420 802-3-ethernet.duplex
4421 When a value is set, either "half" or "full", configures the device
4422 to use the specified duplex mode. If "auto-negotiate" is "yes" the
4423 specified duplex mode will be the only one advertised during link
4424 negotiation: this works only for BASE-T 802.3 specifications and is
4425 useful for enforcing gigabits modes, as in these cases link
4426 negotiation is mandatory. If the value is unset (the default), the
4427 link configuration will be either skipped (if "auto-negotiate" is
4428 "no", the default) or will be auto-negotiated (if "auto-negotiate"
4429 is "yes") and the local device will advertise all the supported
4430 duplex modes. Must be set together with the "speed" property if
4431 specified. Before specifying a duplex mode be sure your device
4432 supports it.
4433
4434 Format: string
4435
4436 802-3-ethernet.generate-mac-address-mask
4437 With "cloned-mac-address" setting "random" or "stable", by default
4438 all bits of the MAC address are scrambled and a
4439 locally-administered, unicast MAC address is created. This property
4440 allows specifying that certain bits are fixed. Note that the least
4441 significant bit of the first octet of the MAC address will always
4442 be unset to create a unicast MAC address.
4443
4444 If the property is NULL, it is eligible to be overwritten by a
4445 default connection setting. If the value is still NULL or an empty
4446 string, the default is to create a locally-administered, unicast
4447 MAC address.
4448
4449 If the value contains one MAC address, this address is used as
4450 mask. The set bits of the mask are to be filled with the current
4451 MAC address of the device, while the unset bits are subject to
4452 randomization. Setting "FE:FF:FF:00:00:00" means to preserve the
4453 OUI of the current MAC address and only randomize the lower 3 bytes
4454 using the "random" or "stable" algorithm.
4455
4456 If the value contains one additional MAC address after the mask,
4457 this address is used instead of the current MAC address to fill the
4458 bits that shall not be randomized. For example, a value of
4459 "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC
4460 address to 68:F7:28, while the lower bits are randomized. A value
4461 of "02:00:00:00:00:00 00:00:00:00:00:00" will create a fully
4462 scrambled globally-administered, burned-in MAC address.
4463
4464 If the value contains more than one additional MAC address, one
4465 of them is chosen randomly. For example, "02:00:00:00:00:00
4466 00:00:00:00:00:00 02:00:00:00:00:00" will create a fully scrambled
4467 MAC address, randomly locally or globally administered.
4468
4469 Format: string
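
The mask semantics described above can be modelled directly, which makes it easy to check how much of the device's real address a given mask keeps. This is an added example, not NetworkManager code: the function names, the sample addresses and the fixed "random" bytes are constructed for illustration, and the random bytes are passed in as a parameter so the result is reproducible.

```python
import os
import secrets


def mac_to_bytes(text):
    """Convert 'AA:BB:CC:DD:EE:FF' to 6 raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def generate_mac(mask_value, current_mac, random_bytes=None, pick=None):
    """Model of generate-mac-address-mask as described in the text.

    mask_value   -- property value: None/'' or 'MASK [ADDR [ADDR...]]'
    current_mac  -- the device's current MAC address
    random_bytes -- 6 bytes standing in for the "random"/"stable" output
    pick         -- index of the additional address to use (random if None)
    """
    rnd = bytearray(random_bytes if random_bytes is not None else os.urandom(6))
    if not mask_value:
        # Default: all bits scrambled, locally administered, unicast.
        rnd[0] = (rnd[0] | 0x02) & 0xFE
        return bytes_to_mac(rnd)

    tokens = mask_value.split()
    mask = mac_to_bytes(tokens[0])
    extra = tokens[1:]
    if extra:
        if pick is None:
            pick = secrets.randbelow(len(extra))
        fixed = mac_to_bytes(extra[pick % len(extra)])
    else:
        fixed = mac_to_bytes(current_mac)

    # Set mask bits come from the fixed address, unset bits are randomized.
    out = bytearray((r & (~m & 0xFF)) | (f & m)
                    for r, m, f in zip(rnd, mask, fixed))
    out[0] &= 0xFE          # the result is always a unicast address
    return bytes_to_mac(out)


def leaked_bits(mask_value):
    """Number of bits of the device's current MAC that survive in the result."""
    if not mask_value:
        return 0
    tokens = mask_value.split()
    if len(tokens) > 1:     # fixed bits come from the supplied address instead
        return 0
    return sum(bin(b).count("1") for b in mac_to_bytes(tokens[0]))


def is_locally_administered(mac):
    return bool(mac_to_bytes(mac)[0] & 0x02)


# Constructed inputs: a sample device address and fixed "random" bytes.
CURRENT = "00:1B:21:AA:BB:CC"
RND = bytes.fromhex("a1b2c3d4e5f6")

if __name__ == "__main__":
    for value in (None,
                  "FE:FF:FF:00:00:00",
                  "FE:FF:FF:00:00:00 68:F7:28:00:00:00",
                  "02:00:00:00:00:00 00:00:00:00:00:00"):
        mac = generate_mac(value, CURRENT, RND, pick=0)
        print(f"{value!s:40} -> {mac}  leaked bits: {leaked_bits(value)}")
```

A mask without an additional address, such as "FE:FF:FF:00:00:00", keeps 23 bits of the real address (the OUI), so the vendor remains identifiable even though the lower three bytes change.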
4470
4471 802-3-ethernet.mac-address
4472 Alias: mac
4473
4474 If specified, this connection will only apply to the Ethernet
4475 device whose permanent MAC address matches. This property does not
4476 change the MAC address of the device (i.e. MAC spoofing).
4477
4478 Format: byte array
4479
4480 802-3-ethernet.mac-address-blacklist
4481 If specified, this connection will never apply to the Ethernet
4482 device whose permanent MAC address matches an address in the list.
4483 Each MAC address is in the standard hex-digits-and-colons notation
4484 (00:11:22:33:44:55).
4485
4486 Format: array of string
4487
4488 802-3-ethernet.mtu
4489 Alias: mtu
4490
4491 If non-zero, only transmit packets of the specified size or
4492 smaller, breaking larger packets up into multiple Ethernet frames.
4493
4494 Format: uint32
4495
4496 802-3-ethernet.port
4497 Specific port type to use if the device supports multiple
4498 attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment
4499 Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent
4500 Interface). If the device supports only one port type, this setting
4501 is ignored.
4502
4503 Format: string
4504
4505 802-3-ethernet.s390-nettype
4506 s390 network device type; one of "qeth", "lcs", or "ctc",
4507 representing the different types of virtual network devices
4508 available on s390 systems.
4509
4510 Format: string
4511
4512 802-3-ethernet.s390-options
4513 Dictionary of key/value pairs of s390-specific device options. Both
4514 keys and values must be strings. Allowed keys include "portno",
4515 "layer2", "portname", "protocol", among others. Key names must
4516 contain only alphanumeric characters (ie, [a-zA-Z0-9]).
4517
4518 Currently, NetworkManager itself does nothing with this
4519 information. However, s390utils ships a udev rule which parses this
4520 information and applies it to the interface.
4521
4522 Format: dict of string to string
4523
4524 802-3-ethernet.s390-subchannels
4525 Identifies specific subchannels that this network device uses for
4526 communication with z/VM or s390 host. Like the "mac-address"
4527 property for non-z/VM devices, this property can be used to ensure
4528 this connection only applies to the network device that uses these
4529 subchannels. The list should contain exactly 3 strings, and each
4530 string may only be composed of hexadecimal characters and the
4531 period (.) character.
4532
4533 Format: array of string
4534
4535 802-3-ethernet.speed
4536 When a value greater than 0 is set, configures the device to use
4537 the specified speed. If "auto-negotiate" is "yes" the specified
4538 speed will be the only one advertised during link negotiation: this
4539 works only for BASE-T 802.3 specifications and is useful for
4540 enforcing gigabit speeds, as in this case link negotiation is
4541 mandatory. If the value is unset (0, the default), the link
4542 configuration will be either skipped (if "auto-negotiate" is "no",
4543 the default) or will be auto-negotiated (if "auto-negotiate" is
4544 "yes") and the local device will advertise all the supported
4545 speeds. In Mbit/s, ie 100 == 100Mbit/s. Must be set together with
4546 the "duplex" property when non-zero. Before specifying a speed
4547 value be sure your device supports it.
4548
4549 Format: uint32
4550
4551 802-3-ethernet.wake-on-lan
4552 The NMSettingWiredWakeOnLan options to enable. Not all devices
4553 support all options. May be any combination of
4554 NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
4555 NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4),
4556 NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
4557 NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10),
4558 NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
4559 NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
4560 NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings)
4561 and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable
4562 management of Wake-on-LAN in NetworkManager).
4563
4564 Format: uint32
4565
4566 802-3-ethernet.wake-on-lan-password
4567 If specified, the password used with magic-packet-based
4568 Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no
4569 password will be required.
4570
4571 Format: string
4572
4573 wireguard setting
4574 WireGuard Settings.
4575
4576 Properties:
4577
4578 wireguard.fwmark
4579 The use of fwmark is optional and is by default off. Setting it to
4580 0 disables it. Otherwise, it is a 32-bit fwmark for outgoing
4581 packets.
4582
4583 Note that enabling "ip4-auto-default-route" or
4584 "ip6-auto-default-route" implies that a fwmark is chosen automatically.
4585
4586 Format: uint32
4587
4588 wireguard.ip4-auto-default-route
4589 Whether to enable special handling of the IPv4 default route. If
4590 enabled, the IPv4 default route from wireguard.peer-routes will be
4591 placed in a dedicated routing-table and two policy routing rules
4592 will be added. The fwmark number is also used as routing-table for
4593 the default-route, and if fwmark is zero, an unused fwmark/table is
4594 chosen automatically. This corresponds to what wg-quick does with
4595 Table=auto and what WireGuard calls "Improved Rule-based Routing".
4596
4597 Note that for this automatism to work, you usually don't want to
4598 set ipv4.gateway, because that will result in a conflicting default
4599 route.
4600
4601 Leaving this at the default will enable this option automatically
4602 if ipv4.never-default is not set and there are any peers that use a
4603 default-route as allowed-ips. Since this automatism only makes
4604 sense if you also have a peer with an /0 allowed-ips, it is usually
4605 not necessary to enable this explicitly. However, you can disable
4606 it if you want to configure your own routing and rules.
4607
4608 Format: NMTernary (int32)
4609
4610 wireguard.ip6-auto-default-route
4611 Like ip4-auto-default-route, but for the IPv6 default route.
4612
4613 Format: NMTernary (int32)
4614
4615 wireguard.listen-port
4616 The listen-port. If listen-port is not specified, the port will be
4617 chosen randomly when the interface comes up.
4618
4619 Format: uint32
4620
4621 wireguard.mtu
4622 If non-zero, only transmit packets of the specified size or
4623 smaller, breaking larger packets up into multiple fragments.
4624
4625 If zero a default MTU is used. Note that contrary to wg-quick's MTU
4626 setting, this does not take into account the current routes at the
4627 time of activation.
4628
4629 Format: uint32
4630
4631 wireguard.peer-routes
4632 Whether to automatically add routes for the AllowedIPs ranges of
4633 the peers. If TRUE (the default), NetworkManager will automatically
4634 add routes in the routing tables according to ipv4.route-table and
4635 ipv6.route-table. Usually you want this automatism enabled. If
4636 FALSE, no such routes are added automatically. In this case, the
4637 user may want to configure static routes in ipv4.routes and
4638 ipv6.routes, respectively.
4639
4640 Note that if the peer's AllowedIPs is "0.0.0.0/0" or "::/0" and the
4641 profile's ipv4.never-default or ipv6.never-default setting is
4642 enabled, the peer route for this peer won't be added automatically.
4643
4644 Format: boolean
4645
4646 wireguard.private-key
4647 The 256 bit private-key in base64 encoding.
4648
4649 Format: string
4650
4651 wireguard.private-key-flags
4652 Flags indicating how to handle the "private-key" property.
4653
4654 See the section called “Secret flag types:” for flag values.
4655
4656 Format: NMSettingSecretFlags (uint32)
4657
4658 802-11-wireless setting
4659 Alias: wifi
4660
4661 Wi-Fi Settings.
4662
4663 Properties:
4664
4665 802-11-wireless.ap-isolation
4666 Configures AP isolation, which prevents communication between
4667 wireless devices connected to this AP. This property can be set to
4668 a value different from NM_TERNARY_DEFAULT (-1) only when the
4669 interface is configured in AP mode.
4670
4671 If set to NM_TERNARY_TRUE (1), devices are not able to communicate
4672 with each other. This increases security because it protects
4673 devices against attacks from other clients in the network. At the
4674 same time, it prevents devices from accessing resources on the same
4675 wireless network, such as file shares, printers, etc.
4676
4677 If set to NM_TERNARY_FALSE (0), devices can talk to each other.
4678
4679 When set to NM_TERNARY_DEFAULT (-1), the global default is used; in
4680 case the global default is unspecified it is assumed to be
4681 NM_TERNARY_FALSE (0).
4682
4683 Format: NMTernary (int32)
4684
4685 802-11-wireless.band
4686 802.11 frequency band of the network. One of "a" for 5GHz 802.11a
4687 or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi
4688 network to the specific band, i.e. if "a" is specified, the device
4689 will not associate with the same network in the 2.4GHz band even if
4690 the network's settings are compatible. This setting depends on
4691 specific driver capability and may not work with all drivers.
4692
4693 Format: string
4694
4695 802-11-wireless.bssid
4696 If specified, directs the device to only associate with the given
4697 access point. This capability is highly driver dependent and not
4698 supported by all devices. Note: this property does not control the
4699 BSSID used when creating an Ad-Hoc network and is unlikely to in
4700 the future.
4701
4702 Locking a client profile to a certain BSSID will prevent roaming
4703 and also disable background scanning. That can be useful, if there
4704 is only one access point for the SSID.
4705
4706 Format: byte array
4707
4708 802-11-wireless.channel
4709 Wireless channel to use for the Wi-Fi connection. The device will
4710 only join (or create for Ad-Hoc networks) a Wi-Fi network on the
4711 specified channel. Because channel numbers overlap between bands,
4712 this property also requires the "band" property to be set.
4713
4714 Format: uint32
4715
4716 802-11-wireless.cloned-mac-address
4717 Alias: cloned-mac
4718
4719 If specified, request that the device use this MAC address instead.
4720 This is known as MAC cloning or spoofing.
4721
4722 Beside explicitly specifying a MAC address, the special values
4723 "preserve", "permanent", "random" and "stable" are supported.
4724 "preserve" means not to touch the MAC address on activation.
4725 "permanent" means to use the permanent hardware address of the
4726 device. "random" creates a random MAC address on each connect.
4727 "stable" creates a hashed MAC address based on connection.stable-id
4728 and a machine dependent key.
4729
4730 If unspecified, the value can be overwritten via global defaults,
4731 see manual of NetworkManager.conf. If still unspecified, it
4732 defaults to "preserve" (older versions of NetworkManager may use a
4733 different default value).
4734
4735 On D-Bus, this field is expressed as "assigned-mac-address" or the
4736 deprecated "cloned-mac-address".
4737
4738 Format: byte array
4739
4740 802-11-wireless.generate-mac-address-mask
4741 With "cloned-mac-address" setting "random" or "stable", by default
4742 all bits of the MAC address are scrambled and a
4743 locally-administered, unicast MAC address is created. This property
4744 allows specifying that certain bits are fixed. Note that the least
4745 significant bit of the first octet of the MAC address will always be unset to
4746 create a unicast MAC address.
4747
4748 If the property is NULL, it is eligible to be overwritten by a
4749 default connection setting. If the value is still NULL or an empty
4750 string, the default is to create a locally-administered, unicast
4751 MAC address.
4752
4753 If the value contains one MAC address, this address is used as
4754 mask. The set bits of the mask are to be filled with the current
4755 MAC address of the device, while the unset bits are subject to
4756 randomization. Setting "FE:FF:FF:00:00:00" means to preserve the
4757 OUI of the current MAC address and only randomize the lower 3 bytes
4758 using the "random" or "stable" algorithm.
4759
4760 If the value contains one additional MAC address after the mask,
4761 this address is used instead of the current MAC address to fill the
4762 bits that shall not be randomized. For example, a value of
4763 "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC
4764 address to 68:F7:28, while the lower bits are randomized. A value
4765 of "02:00:00:00:00:00 00:00:00:00:00:00" will create a fully
4766 scrambled globally-administered, burned-in MAC address.
4767
4768 If the value contains more than one additional MAC address, one
4769 of them is chosen randomly. For example, "02:00:00:00:00:00
4770 00:00:00:00:00:00 02:00:00:00:00:00" will create a fully scrambled
4771 MAC address, randomly locally or globally administered.
4772
4773 Format: string
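
The mask rules above, worked through in Python. This is an added example, not NetworkManager's code: the function names are hypothetical, the rng parameter stands in for the "random" or "stable" source, and 00:11:22:33:44:55 is a constructed current MAC address.

```python
"""Added example: how a generate-mac-address-mask value shapes the MAC."""
import re
import secrets

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")


def parse_mac(text):
    """Parse hex-digits-and-colons notation into 6 raw bytes."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in text.split(":"))


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_mask_value(value):
    """Split the property into (mask, [addresses that fill the fixed bits])."""
    macs = [parse_mac(tok) for tok in (value or "").split()]
    return (macs[0], macs[1:]) if macs else (None, [])


def generate_mac(mask_value, current_mac, rng=secrets.token_bytes,
                 choose=secrets.choice):
    """Apply the documented mask semantics to 6 bytes from rng.

    rng and choose are injectable so the result can be checked
    deterministically; they are assumptions of this example.
    """
    mask, fixed = parse_mask_value(mask_value)
    rand = rng(6)
    if mask is None:
        # NULL or empty string: scramble every bit, then mark the
        # address as locally administered.
        out = bytearray(rand)
        out[0] |= 0x02
    else:
        # Set mask bits are copied from the base address (one of the
        # additional addresses if given, else the current MAC);
        # unset mask bits come from the random source.
        base = choose(fixed) if fixed else parse_mac(current_mac)
        out = bytearray((b & m) | (r & ~m & 0xFF)
                        for b, m, r in zip(base, mask, rand))
    # The least significant bit of the first octet is always cleared,
    # so the result is a unicast address.
    out[0] &= 0xFE
    return format_mac(out)


def is_locally_administered(mac):
    return bool(parse_mac(mac)[0] & 0x02)


if __name__ == "__main__":
    current = "00:11:22:33:44:55"  # constructed sample address
    for value in (None,
                  "FE:FF:FF:00:00:00",
                  "FE:FF:FF:00:00:00 68:F7:28:00:00:00",
                  "02:00:00:00:00:00 00:00:00:00:00:00"):
        mac = generate_mac(value, current)
        scope = "local" if is_locally_administered(mac) else "global"
        print(f"{value!r:45} -> {mac} ({scope})")
```

A mask that fixes the OUI keeps the vendor prefix visible on the air, so only the lower 3 bytes contribute to unlinkability.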
4774
4775 802-11-wireless.hidden
4776 If TRUE, indicates that the network is a non-broadcasting network
4777 that hides its SSID. This works both in infrastructure and AP mode.
4778
4779 In infrastructure mode, various workarounds are used for a more
4780 reliable discovery of hidden networks, such as probe-scanning the
4781 SSID. However, these workarounds expose inherent insecurities with
4782 hidden SSID networks, and thus hidden SSID networks should be used
4783 with caution.
4784
4785 In AP mode, the created network does not broadcast its SSID.
4786
4787 Note that marking the network as hidden may be a privacy issue for
4788 you (in infrastructure mode) or client stations (in AP mode), as
4789 the explicit probe-scans are distinctly recognizable on the air.
4790
4791 Format: boolean
4792
4793 802-11-wireless.mac-address
4794 Alias: mac
4795
4796 If specified, this connection will only apply to the Wi-Fi device
4797 whose permanent MAC address matches. This property does not change
4798 the MAC address of the device (i.e. MAC spoofing).
4799
4800 Format: byte array
4801
4802 802-11-wireless.mac-address-blacklist
4803 A list of permanent MAC addresses of Wi-Fi devices to which this
4804 connection should never apply. Each MAC address should be given in
4805 the standard hex-digits-and-colons notation (eg
4806 "00:11:22:33:44:55").
4807
4808 Format: array of string
4809
4810 802-11-wireless.mac-address-randomization
4811 One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize
4812 unless the user has set a global default to randomize and the
4813 supplicant supports randomization),
4814 NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC
4815 address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always
4816 randomize the MAC address).
4817
4818 This property is deprecated since version 1.4. Use the
4819 "cloned-mac-address" property instead.
4820
4821 Format: uint32
4822
4823 802-11-wireless.mode
4824 Alias: mode
4825
4826 Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or
4827 "ap". If blank, infrastructure is assumed.
4828
4829 Format: string
4830
4831 802-11-wireless.mtu
4832 Alias: mtu
4833
4834 If non-zero, only transmit packets of the specified size or
4835 smaller, breaking larger packets up into multiple Ethernet frames.
4836
4837 Format: uint32
4838
4839 802-11-wireless.powersave
4840 One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi
4841 power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable
4842 Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1)
4843 (don't touch the currently configured setting) or
4844 NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally
4845 configured value). All other values are reserved.
4846
4847 Format: uint32
4848
4849 802-11-wireless.seen-bssids
4850 A list of BSSIDs (each BSSID formatted as a MAC address like
4851 "00:11:22:33:44:55") that have been detected as part of the Wi-Fi
4852 network. NetworkManager internally tracks previously seen BSSIDs.
4853 The property is only meant for reading and reflects the BSSID list
4854 of NetworkManager. The changes you make to this property will not
4855 be preserved.
4856
4857 This is not a regular property that the user would configure.
4858 Instead, NetworkManager automatically sets the seen BSSIDs and
4859 tracks them internally in "/var/lib/NetworkManager/seen-bssids"
4860 file.
4861
4862 Format: array of string
4863
4864 802-11-wireless.ssid
4865 Alias: ssid
4866
4867 SSID of the Wi-Fi network. Must be specified.
4868
4869 Format: byte array
4870
4871 802-11-wireless.wake-on-wlan
4872 The NMSettingWirelessWakeOnWLan options to enable. Not all devices
4873 support all options. May be any combination of
4874 NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
4875 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
4876 NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
4877 NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
4878 NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
4879 NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
4880 NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
4881 NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
4882 NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global
4883 settings) and NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to
4884 disable management of Wake-on-LAN in NetworkManager).
4885
4886 Format: uint32
4887
4888 802-11-wireless-security setting
4889 Alias: wifi-sec
4890
4891 Wi-Fi Security Settings.
4892
4893 Properties:
4894
4895 802-11-wireless-security.auth-alg
4896 When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate
4897 the 802.11 authentication algorithm required by the AP here. One of
4898 "open" for Open System, "shared" for Shared Key, or "leap" for
4899 Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and
4900 auth-alg = "leap") the "leap-username" and "leap-password"
4901 properties must be specified.
4902
4903 Format: string
4904
4905 802-11-wireless-security.fils
4906 Indicates whether Fast Initial Link Setup (802.11ai) must be
4907 enabled for the connection. One of
4908 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use global default
4909 value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1) (disable
4910 FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
4911 if the supplicant and the access point support it) or
4912 NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and
4913 fail if not supported). When set to
4914 NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and no global default
4915 is set, FILS will be optionally enabled.
4916
4917 Format: int32
4918
4919 802-11-wireless-security.group
4920 A list of group/broadcast encryption algorithms which prevents
4921 connections to Wi-Fi networks that do not utilize one of the
4922 algorithms in the list. For maximum compatibility leave this
4923 property empty. Each list element may be one of "wep40", "wep104",
4924 "tkip", or "ccmp".
4925
4926 Format: array of string
4927
4928 802-11-wireless-security.key-mgmt
4929 Key management used for the connection. One of "none" (WEP or no
4930 password protection), "ieee8021x" (Dynamic WEP), "owe"
4931 (Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3
4932 personal), "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3
4933 enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only).
4934
4935 This property must be set for any Wi-Fi connection that uses
4936 security.
4937
4938 Format: string
4939
4940 802-11-wireless-security.leap-password
4941 The login password for legacy LEAP connections (ie, key-mgmt =
4942 "ieee8021x" and auth-alg = "leap").
4943
4944 Format: string
4945
4946 802-11-wireless-security.leap-password-flags
4947 Flags indicating how to handle the "leap-password" property.
4948
4949 See the section called “Secret flag types:” for flag values.
4950
4951 Format: NMSettingSecretFlags (uint32)
4952
4953 802-11-wireless-security.leap-username
4954 The login username for legacy LEAP connections (ie, key-mgmt =
4955 "ieee8021x" and auth-alg = "leap").
4956
4957 Format: string
4958
4959 802-11-wireless-security.pairwise
4960 A list of pairwise encryption algorithms which prevents connections
4961 to Wi-Fi networks that do not utilize one of the algorithms in the
4962 list. For maximum compatibility leave this property empty. Each
4963 list element may be one of "tkip" or "ccmp".
4964
4965 Format: array of string
4966
4967 802-11-wireless-security.pmf
4968 Indicates whether Protected Management Frames (802.11w) must be
4969 enabled for the connection. One of
4970 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) (use global default
4971 value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1) (disable PMF),
4972 NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if the
4973 supplicant and the access point support it) or
4974 NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail
4975 if not supported). When set to
4976 NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no global default
4977 is set, PMF will be optionally enabled.
4978
4979 Format: int32
4980
4981 802-11-wireless-security.proto
4982 List of strings specifying the allowed WPA protocol versions to
4983 use. Each element may be one of "wpa" (allow WPA) or "rsn" (allow
4984 WPA2/RSN). If not specified, both WPA and RSN connections are
4985 allowed.
4986
4987 Format: array of string
4988
4989 802-11-wireless-security.psk
4990 Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
4991 passphrase of 8 to 63 characters that is (as specified in the
4992 802.11i standard) hashed to derive the actual key, or the key in
4993 form of 64 hexadecimal characters. WPA3-Personal networks use a
4994 passphrase of any length for SAE authentication.
4995
4996 Format: string
4997
4998 802-11-wireless-security.psk-flags
4999 Flags indicating how to handle the "psk" property.
5000
5001 See the section called “Secret flag types:” for flag values.
5002
5003 Format: NMSettingSecretFlags (uint32)
5004
5005 802-11-wireless-security.wep-key-flags
5006 Flags indicating how to handle the "wep-key0", "wep-key1",
5007 "wep-key2", and "wep-key3" properties.
5008
5009 See the section called “Secret flag types:” for flag values.
5010
5011 Format: NMSettingSecretFlags (uint32)
5012
5013 802-11-wireless-security.wep-key-type
5014 Controls the interpretation of WEP keys. Allowed values are
5015 NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
5016 26-character hexadecimal string, or a 5- or 13-character ASCII
5017 password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the
5018 passphrase is provided as a string and will be hashed using the
5019 de-facto MD5 method to derive the actual WEP key.
5020
5021 Format: NMWepKeyType (uint32)
5022
5023 802-11-wireless-security.wep-key0
5024 Index 0 WEP key. This is the WEP key used in most networks. See the
5025 "wep-key-type" property for a description of how this key is
5026 interpreted.
5027
5028 Format: string
5029
5030 802-11-wireless-security.wep-key1
5031 Index 1 WEP key. This WEP index is not used by most networks. See
5032 the "wep-key-type" property for a description of how this key is
5033 interpreted.
5034
5035 Format: string
5036
5037 802-11-wireless-security.wep-key2
5038 Index 2 WEP key. This WEP index is not used by most networks. See
5039 the "wep-key-type" property for a description of how this key is
5040 interpreted.
5041
5042 Format: string
5043
5044 802-11-wireless-security.wep-key3
5045 Index 3 WEP key. This WEP index is not used by most networks. See
5046 the "wep-key-type" property for a description of how this key is
5047 interpreted.
5048
5049 Format: string
5050
5051 802-11-wireless-security.wep-tx-keyidx
5052 When static WEP is used (ie, key-mgmt = "none") and a non-default
5053 WEP key index is used by the AP, put that WEP key index here. Valid
5054 values are 0 (default key) through 3. Note that some consumer
5055 access points (like the Linksys WRT54G) number the keys 1 - 4.
5056
5057 Format: uint32
5058
5059 802-11-wireless-security.wps-method
5060 Flags indicating which mode of WPS is to be used if any.
5061
5062 There's little point in changing the default setting as
5063 NetworkManager will automatically determine whether it's feasible
5064 to start WPS enrollment from the Access Point capabilities.
5065
5066 WPS can be disabled by setting this property to a value of 1.
5067
5068 Format: uint32
5069
5070 wpan setting
5071 IEEE 802.15.4 (WPAN) MAC Settings.
5072
5073 Properties:
5074
5075 wpan.channel
5076 Alias: channel
5077
5078 IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
5079 set, use whatever the device is already set to".
5080
5081 Format: int32
5082
5083 wpan.mac-address
5084 Alias: mac
5085
5086 If specified, this connection will only apply to the IEEE 802.15.4
5087 (WPAN) MAC layer device whose permanent MAC address matches.
5088
5089 Format: string
5090
5091 wpan.page
5092 Alias: page
5093
5094 IEEE 802.15.4 channel page. A positive integer or -1, meaning "do
5095 not set, use whatever the device is already set to".
5096
5097 Format: int32
5098
5099 wpan.pan-id
5100 Alias: pan-id
5101
5102 IEEE 802.15.4 Personal Area Network (PAN) identifier.
5103
5104 Format: uint32
5105
5106 wpan.short-address
5107 Alias: short-addr
5108
5109 Short IEEE 802.15.4 address to be used within a restricted
5110 environment.
5111
5112 Format: uint32
5113
5114 bond-port setting
5115 Bond Port Settings.
5116
5117 Properties:
5118
5119 bond-port.prio
5120 Alias: prio
5121
5122 The port priority for bond active port re-selection during
5123 failover. A higher number means a higher priority in selection. The
5124 primary port has the highest priority. This option is only
5125 compatible with active-backup, balance-tlb and balance-alb modes.
5126
5127 Format: int32
5128
5129 bond-port.queue-id
5130 Alias: queue-id
5131
5132 The queue ID of this bond port. The maximum value of queue ID is
5133 the number of TX queues currently active in device.
5134
5135 Format: uint32
5136
5137 hostname setting
5138 Hostname settings.
5139
5140 Properties:
5141
5142 hostname.from-dhcp
5143 Whether the system hostname can be determined from DHCP on this
5144 connection.
5145
5146 When set to NM_TERNARY_DEFAULT (-1), the value from global
5147 configuration is used. If the property doesn't have a value in the
5148 global configuration, NetworkManager assumes the value to be
5149 NM_TERNARY_TRUE (1).
5150
5151 Format: NMTernary (int32)
5152
5153 hostname.from-dns-lookup
5154 Whether the system hostname can be determined from reverse DNS
5155 lookup of addresses on this device.
5156
5157 When set to NM_TERNARY_DEFAULT (-1), the value from global
5158 configuration is used. If the property doesn't have a value in the
5159 global configuration, NetworkManager assumes the value to be
5160 NM_TERNARY_TRUE (1).
5161
5162 Format: NMTernary (int32)
5163
5164 hostname.only-from-default
5165 If set to NM_TERNARY_TRUE (1), NetworkManager attempts to get the
5166 hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this device
5167 only when the device has the default route for the given address
5168 family (IPv4/IPv6).
5169
5170 If set to NM_TERNARY_FALSE (0), the hostname can be set from this
5171 device even if it doesn't have the default route.
5172
5173 When set to NM_TERNARY_DEFAULT (-1), the value from global
5174 configuration is used. If the property doesn't have a value in the
5175 global configuration, NetworkManager assumes the value to be
5176 NM_TERNARY_FALSE (0).
5177
5178 Format: NMTernary (int32)
5179
5180 hostname.priority
5181 The relative priority of this connection to determine the system
5182 hostname. A lower numerical value is better (higher priority). A
5183 connection with higher priority is considered before connections
5184 with lower priority.
5185
5186 If the value is zero, it can be overridden by a global value from
5187 NetworkManager configuration. If the property doesn't have a value
5188 in the global configuration, the value is assumed to be 100.
5189
5190 Negative values have the special effect of excluding other
5191 connections with a greater numerical priority value; so in presence
5192 of at least one negative priority, only connections with the lowest
5193 priority value will be used to determine the hostname.
5194
5195 Format: int32
5196
5197 link setting
5198 Link settings.
5199
5200 Properties:
5201
5202 link.gro-max-size
5203 The maximum size of a packet built by the Generic Receive Offload
5204 stack for this device. The value must be between 0 and 4294967295.
5205 When set to -1, the existing value is preserved.
5206
5207 Format: int64
5208
5209 link.gso-max-segments
5210 The maximum segments of a Generic Segment Offload packet the device
5211 should accept. The value must be between 0 and 4294967295. When set
5212 to -1, the existing value is preserved.
5213
5214 Format: int64
5215
5216 link.gso-max-size
5217 The maximum size of a Generic Segment Offload packet the device
5218 should accept. The value must be between 0 and 4294967295. When set
5219 to -1, the existing value is preserved.
5220
5221 Format: int64
5222
5223 link.tx-queue-length
5224 The size of the transmit queue for the device, in number of
5225 packets. The value must be between 0 and 4294967295. When set to
5226 -1, the existing value is preserved.
5227
5228 Format: int64
5229
5230 loopback setting
5231 Loopback Link Settings.
5232
5233 Properties:
5234
5235 loopback.mtu
5236 Alias: mtu
5237
5238 If non-zero, only transmit packets of the specified size or
5239 smaller, breaking larger packets up into multiple Ethernet frames.
5240
5241 Format: uint32
5242
5243 veth setting
5244 Veth Settings.
5245
5246 Properties:
5247
5248 veth.peer
5249 Alias: peer
5250
5251 This property specifies the peer interface name of the veth. This
5252 property is mandatory.
5253
5254 Format: string
5255
5256 Secret flag types:
5257 Each password or secret property in a setting has an associated flags
5258 property that describes how to handle that secret. The flags property
5259 is a bitfield that contains zero or more of the following values
5260 logically OR-ed together.
5261
5262 • 0x0 (none) - the system is responsible for providing and storing
5263 this secret. This may be required so that secrets are already
5264 available before the user logs in. It also commonly means that the
5265 secret will be stored in plain text on disk, accessible to root
5266 only. For example via the keyfile settings plugin as described in
5267 the "PLUGINS" section in NetworkManager.conf(5).
5268
5269 • 0x1 (agent-owned) - a user-session secret agent is responsible for
5270 providing and storing this secret; when it is required, agents will
5271 be asked to provide it.
5272
5273 • 0x2 (not-saved) - this secret should not be saved but should be
5274 requested from the user each time it is required. This flag should
5275 be used for One-Time-Pad secrets, PIN codes from hardware tokens,
5276 or if the user simply does not want to save the secret.
5277
5278 • 0x4 (not-required) - in some situations it cannot be automatically
5279 determined whether a secret is required or not. This flag hints that
5280 the secret is not required and should not be requested from the
5281 user.
5282
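A review helper for the 802-11-wireless-security properties and the secret flags described above, in Python. This is an added example, not part of NetworkManager: the function names and severity labels are hypothetical, and the two profiles are constructed property/value dictionaries in which enum values may carry a trailing label such as "0 (none)".

```python
"""Added example: lint Wi-Fi profile properties named on this page."""

SEC = "802-11-wireless-security."
SECRET_FLAG_NAMES = {0x1: "agent-owned", 0x2: "not-saved", 0x4: "not-required"}
WEAK_KEY_MGMT = {"none": "WEP or no password protection",
                 "ieee8021x": "Dynamic WEP"}
WEAK_CIPHERS = {"wep40", "wep104", "tkip"}


def leading_int(value, default=0):
    """Parse '1', '0x1' or '1 (agent-owned)'; empty or missing gives default."""
    tokens = str(value or "").split()
    return int(tokens[0], 0) if tokens else default


def decode_secret_flags(value):
    """Return the names of the OR-ed secret flags, or ['none'] for 0x0."""
    bits = leading_int(value)
    unknown = bits & ~0x7
    if unknown:
        raise ValueError(f"undefined secret flag bits: {unknown:#x}")
    names = [name for bit, name in SECRET_FLAG_NAMES.items() if bits & bit]
    return names or ["none"]


def as_list(value):
    """Split an 'array of string' value given as comma/space separated text."""
    return str(value or "").replace(",", " ").split()


def audit_wifi_profile(props):
    """Return (severity, property, message) findings for one profile."""
    findings = []

    def add(severity, prop, message):
        findings.append((severity, prop, message))

    key_mgmt = props.get(SEC + "key-mgmt", "")
    if not key_mgmt:
        add("high", SEC + "key-mgmt", "unset: the profile uses no Wi-Fi security")
    elif key_mgmt in WEAK_KEY_MGMT:
        add("high", SEC + "key-mgmt", f'"{key_mgmt}": {WEAK_KEY_MGMT[key_mgmt]}')
    if props.get(SEC + "auth-alg") == "leap":
        add("high", SEC + "auth-alg", "legacy Cisco LEAP authentication")
    if "wpa" in as_list(props.get(SEC + "proto")):
        add("medium", SEC + "proto", "original WPA is explicitly allowed")
    for name in ("pairwise", "group"):
        weak = sorted(WEAK_CIPHERS & set(as_list(props.get(SEC + name))))
        if weak:
            add("medium", SEC + name, "allows " + ", ".join(weak))
    if leading_int(props.get(SEC + "pmf")) == 1:
        add("medium", SEC + "pmf", "Protected Management Frames disabled")
    # Only meaningful when the input includes the secret values themselves.
    for secret, flags in (("psk", "psk-flags"),
                          ("leap-password", "leap-password-flags"),
                          ("wep-key0", "wep-key-flags")):
        stored = decode_secret_flags(props.get(SEC + flags)) == ["none"]
        if props.get(SEC + secret) and stored:
            add("info", SEC + flags,
                f'"{secret}" is system-stored, commonly in plain text on disk')
    if str(props.get("802-11-wireless.hidden", "")).lower() in ("yes", "true", "1"):
        add("info", "802-11-wireless.hidden",
            "explicit probe-scans for the SSID are recognizable on the air")
    return findings


# Constructed sample profiles (not taken from a real system).
WEAK_PROFILE = {
    "802-11-wireless.hidden": "yes",
    SEC + "key-mgmt": "wpa-psk",
    SEC + "proto": "wpa,rsn",
    SEC + "pairwise": "tkip,ccmp",
    SEC + "pmf": "1 (disable)",
    SEC + "psk": "constructed-passphrase",
    SEC + "psk-flags": "0 (none)",
}
HARDENED_PROFILE = {
    "802-11-wireless.hidden": "no",
    SEC + "key-mgmt": "sae",
    SEC + "pmf": "3 (required)",
    SEC + "psk": "constructed-passphrase",
    SEC + "psk-flags": "1 (agent-owned)",
}

if __name__ == "__main__":
    for severity, prop, message in audit_wifi_profile(WEAK_PROFILE):
        print(f"[{severity}] {prop}: {message}")
```
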
5284 /etc/NetworkManager/system-connections or distro plugin-specific
5285 location
5286
5288 nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5),
5289 nm-settings-keyfile(5), NetworkManager.conf(5)
5290
5291
5292
5293 NetworkManager 1.44.2 NM-SETTINGS-NMCLI(5)