@igo95862
Created May 30, 2022 08:26
New `tools/generate-docs-nm-settings-docs-gir.py` output
CONNECTION
General Connection Profile Settings
AUTH_RETRIES
The number of retries for the authentication. Zero means to try indefinitely; -1 means
to use a global default. If the global default is not set, the authentication
is retried 3 times before failing the connection.
Currently, this only applies to 802-1x authentication.
AUTOCONNECT
Whether or not the connection should be automatically connected by
NetworkManager when the resources for the connection are available.
TRUE to automatically activate the connection, FALSE to require manual
intervention to activate the connection.
Autoconnect happens when the circumstances are suitable. That means for
example that the device is currently managed and not active. Autoconnect
thus never replaces or competes with an already active profile.
Note that autoconnect is not implemented for VPN profiles. See
"secondaries" as an alternative to automatically
connect VPN profiles.
If multiple profiles are ready to autoconnect on the same device,
the one with the better "connection.autoconnect-priority" is chosen. If
the priorities are equal, then the most recently connected profile is activated.
If the profiles were not connected earlier or their
"connection.timestamp" is identical, the choice is undefined.
Depending on "connection.multi-connect", a profile can (auto)connect only
once at a time or multiple times.
AUTOCONNECT_PRIORITY
The autoconnect priority in range -999 to 999. If the connection is set
to autoconnect, connections with higher priority will be preferred.
The higher number means higher priority. Defaults to 0.
Note that this property only matters if there is more than one candidate
profile to select for autoconnect. In case of equal priority, the profile
used most recently is chosen.
AUTOCONNECT_RETRIES
The number of times a connection should be tried when autoactivating before
giving up. Zero means forever, -1 means the global default (4 times if not
overridden). Setting this to 1 means to try activation only once before
blocking autoconnect. Note that after a timeout, NetworkManager will try
to autoconnect again.
AUTOCONNECT_SLAVES
Whether or not slaves of this connection should be automatically brought up
when NetworkManager activates this connection. This only has a real effect
for master connections. The properties "autoconnect",
"autoconnect-priority" and "autoconnect-retries"
are unrelated to this setting.
The permitted values are: 0: leave slave connections untouched,
1: activate all the slave connections with this connection, -1: default.
If -1 (default) is set, global connection.autoconnect-slaves is read to
determine the real value. If it is default as well, this falls back to 0.
DNS_OVER_TLS
Whether DNSOverTls (dns-over-tls) is enabled for the connection.
DNSOverTls is a technology which uses TLS to encrypt DNS traffic.
The permitted values are: "yes" (2) use DNSOverTls and disable fallback,
"opportunistic" (1) use DNSOverTls but allow fallback to unencrypted resolution,
"no" (0) don't ever use DNSOverTls.
If unspecified "default" depends on the plugin used. Systemd-resolved
uses global setting.
This feature requires a plugin which supports DNSOverTls. Otherwise, the
setting has no effect. One such plugin is dns-systemd-resolved.
GATEWAY_PING_TIMEOUT
If greater than zero, delay success of IP addressing until either the
timeout is reached, or an IP gateway replies to a ping.
ID
A human readable unique identifier for the connection, like "Work Wi-Fi"
or "T-Mobile 3G".
INTERFACE_NAME
The name of the network interface this connection is bound to. If not
set, then the connection can be attached to any interface of the
appropriate type (subject to restrictions imposed by other settings).
For software devices this specifies the name of the created device.
For connection types where interface names cannot easily be made
persistent (e.g. mobile broadband or USB Ethernet), this property should
not be used. Setting this property restricts the interfaces a connection
can be used with, and if interface names change or are reordered the
connection may be applied to the wrong interface.
LLDP
Whether LLDP is enabled for the connection.
LLMNR
Whether Link-Local Multicast Name Resolution (LLMNR) is enabled
for the connection. LLMNR is a protocol based on the Domain Name
System (DNS) packet format that allows both IPv4 and IPv6 hosts
to perform name resolution for hosts on the same local link.
The permitted values are: "yes" (2) register hostname and resolving
for the connection, "no" (0) disable LLMNR for the interface, "resolve"
(1) do not register hostname but allow resolving of LLMNR host names.
If unspecified, "default" ultimately depends on the DNS plugin (which
for systemd-resolved currently means "yes").
This feature requires a plugin which supports LLMNR. Otherwise, the
setting has no effect. One such plugin is dns-systemd-resolved.
MASTER
Interface name of the master device or UUID of the master connection.
MDNS
Whether mDNS is enabled for the connection.
The permitted values are: "yes" (2) register hostname and resolving
for the connection, "no" (0) disable mDNS for the interface, "resolve"
(1) do not register hostname but allow resolving of mDNS host names
and "default" (-1) to allow lookup of a global default in NetworkManager.conf.
If unspecified, "default" ultimately depends on the DNS plugin (which
for systemd-resolved currently means "no").
This feature requires a plugin which supports mDNS. Otherwise, the
setting has no effect. One such plugin is dns-systemd-resolved.
METERED
Whether the connection is metered.
When updating this property on a currently activated connection,
the change takes effect immediately.
MUD_URL
If configured, set to a Manufacturer Usage Description (MUD) URL that points
to manufacturer-recommended network policies for IoT devices. It is transmitted
as a DHCPv4 or DHCPv6 option. The value must be a valid URL starting with "https://".
The special value "none" is allowed to indicate that no MUD URL is used.
If the per-profile value is unspecified (the default), a global connection default gets
consulted. If still unspecified, the ultimate default is "none".
MULTI_CONNECT
Specifies whether the profile can be active multiple times at a particular
moment. The value is of type NMConnectionMultiConnect.
PERMISSIONS
An array of strings defining what access a given user has to this
connection. If this is NULL or empty, all users are allowed to access
this connection; otherwise users are allowed if and only if they are in
this list. When this is not empty, the connection can be active only when
one of the specified users is logged into an active session. Each entry
is of the form "[type]:[id]:[reserved]"; for example, "user:dcbw:blah".
At this time only the "user" [type] is allowed. Any other values are
ignored and reserved for future use. [id] is the username that this
permission refers to, which may not contain the ":" character. Any
[reserved] information present must be ignored and is reserved for future
use. All of [type], [id], and [reserved] must be valid UTF-8.
READ_ONLY
FALSE if the connection can be modified using the provided settings
service's D-Bus interface with the right privileges, or TRUE if the
connection is read-only and cannot be modified.
SECONDARIES
List of connection UUIDs that should be activated when the base
connection itself is activated. Currently, only VPN connections are
supported.
SLAVE_TYPE
Setting name of the device type of this slave's master connection (eg,
"bond"), or NULL if this connection is not a
slave.
STABLE_ID
This represents the identity of the connection used for various purposes.
It allows configuring multiple profiles to share the identity. Also,
the stable-id can contain placeholders that are substituted dynamically and
deterministically depending on the context.
The stable-id is used for generating IPv6 stable private addresses
with ipv6.addr-gen-mode=stable-privacy. It is also used to seed the
generated cloned MAC address for ethernet.cloned-mac-address=stable
and wifi.cloned-mac-address=stable. It is also used as DHCP client
identifier with ipv4.dhcp-client-id=stable and to derive the DHCP
DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid].
Note that depending on the context where it is used, other parameters are
also seeded into the generation algorithm. For example, a per-host key
is commonly also included, so that different systems end up generating
different IDs. Or with ipv6.addr-gen-mode=stable-privacy, also the device's
name is included, so that different interfaces yield different addresses.
The per-host key is the identity of your machine and stored in /var/lib/NetworkManager/secret_key.
See NetworkManager(8) manual about the secret-key and the host identity.
The '$' character is treated specially to perform dynamic substitutions
at runtime. Currently, supported are "${CONNECTION}", "${DEVICE}", "${MAC}",
"${BOOT}", "${RANDOM}".
These effectively create unique IDs per-connection, per-device, per-boot,
or every time. Note that "${DEVICE}" corresponds to the interface name of the
device and "${MAC}" is the permanent MAC address of the device.
Any unrecognized patterns following '$' are treated verbatim, however
are reserved for future use. You are thus advised to avoid '$' or
escape it as "$$".
For example, set it to "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for
this connection that changes with every reboot and differs depending on the
interface where the profile activates.
If the value is unset, a global connection default is consulted. If the
value is still unset, the default is similar to "${CONNECTION}" and uses
a unique, fixed ID for the connection.
TIMESTAMP
The time, in seconds since the Unix Epoch, that the connection was last
_successfully_ fully activated.
NetworkManager updates the connection timestamp periodically when the
connection is active to ensure that an active connection has the latest
timestamp. The property is only meant for reading (changes to this
property will not be preserved).
TYPE
Base type of the connection. For hardware-dependent connections, should
contain the setting name of the hardware-type specific setting (ie,
"802-3-ethernet" or "802-11-wireless" or "bluetooth", etc), and for
non-hardware dependent connections like VPN or otherwise, should contain
the setting name of that setting type (ie, "vpn" or "bridge", etc).
UUID
A universally unique identifier for the connection, for example generated
with libuuid. It should be assigned when the connection is created, and
never changed as long as the connection still applies to the same
network. For example, it should not be changed when the
"id" property or NMSettingIP4Config changes, but
might need to be re-created when the Wi-Fi SSID, mobile broadband network
provider, or "type" property changes.
The UUID must be in the format "2815492f-7e56-435e-b2e9-246bd7cdc664"
(ie, contains only hexadecimal characters and "-").
WAIT_DEVICE_TIMEOUT
Timeout in milliseconds to wait for device at startup.
During boot, devices may take a while to be detected by the driver.
This property delays NetworkManager-wait-online.service
and nm-online to give the device a chance to appear. This works by
waiting for the given timeout until a compatible device for the
profile is available and managed.
The value 0 means no wait time. The default value is -1, which
currently has the same meaning as no wait time.
ZONE
The trust level of the connection. Free form case-insensitive string
(for example "Home", "Work", "Public"). NULL or unspecified zone means
the connection will be placed in the default zone as defined by the
firewall.
When updating this property on a currently activated connection,
the change takes effect immediately.
6LOWPAN
6LoWPAN Settings
PARENT
If given, specifies the parent interface name or parent connection UUID
from which this 6LowPAN interface should be created.
802_1X
IEEE 802.1x Authentication Settings
ALTSUBJECT_MATCHES
List of strings to be matched against the altSubjectName of the
certificate presented by the authentication server. If the list is empty,
no verification of the server certificate's altSubjectName is performed.
ANONYMOUS_IDENTITY
Anonymous identity string for EAP authentication methods. Used as the
unencrypted identity with EAP types that support different tunneled
identity like EAP-TTLS.
AUTH_TIMEOUT
A timeout for the authentication. Zero means the global default; if the
global default is not set, the authentication timeout is 25 seconds.
CA_CERT
Contains the CA certificate if used by the EAP method specified in the
"eap" property.
Certificate data is specified using a "scheme"; three are currently
supported: blob, path and pkcs#11 URL. When using the blob scheme this property
should be set to the certificate's DER encoded data. When using the path
scheme, this property should be set to the full UTF-8 encoded path of the
certificate, prefixed with the string "file://" and ending with a terminating
NUL byte.
This property can be unset even if the EAP method supports CA certificates,
but this allows man-in-the-middle attacks and is NOT recommended.
Note that enabling NMSetting8021x:system-ca-certs will override this
setting to use the built-in path, if the built-in path is not a directory.
CA_CERT_PASSWORD
The password used to access the CA certificate stored in
"ca-cert" property. Only makes sense if the certificate
is stored on a PKCS#11 token that requires a login.
CA_CERT_PASSWORD_FLAGS
Flags indicating how to handle the "ca-cert-password" property.
CA_PATH
UTF-8 encoded path to a directory containing PEM or DER formatted
certificates to be added to the verification chain in addition to the
certificate specified in the "ca-cert" property.
If NMSetting8021x:system-ca-certs is enabled and the built-in CA
path is an existing directory, then this setting is ignored.
CLIENT_CERT
Contains the client certificate if used by the EAP method specified in
the "eap" property.
Certificate data is specified using a "scheme"; two are currently
supported: blob and path. When using the blob scheme (which is backwards
compatible with NM 0.7.x) this property should be set to the
certificate's DER encoded data. When using the path scheme, this property
should be set to the full UTF-8 encoded path of the certificate, prefixed
with the string "file://" and ending with a terminating NUL byte.
CLIENT_CERT_PASSWORD
The password used to access the client certificate stored in
"client-cert" property. Only makes sense if the certificate
is stored on a PKCS#11 token that requires a login.
CLIENT_CERT_PASSWORD_FLAGS
Flags indicating how to handle the "client-cert-password" property.
DOMAIN_MATCH
Constraint for server domain name. If set, this list of FQDNs is used as
a match requirement for dNSName element(s) of the certificate presented
by the authentication server. If a matching dNSName is found, this
constraint is met. If no dNSName values are present, this constraint is
matched against SubjectName CN using the same comparison.
Multiple valid FQDNs can be passed as a ";" delimited list.
DOMAIN_SUFFIX_MATCH
Constraint for server domain name. If set, this FQDN is used as a suffix
match requirement for dNSName element(s) of the certificate presented by
the authentication server. If a matching dNSName is found, this
constraint is met. If no dNSName values are present, this constraint is
matched against SubjectName CN using the same suffix match comparison.
Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited
list.
EAP
The allowed EAP method to be used when authenticating to the network with
802.1x. Valid methods are: "leap", "md5", "tls", "peap", "ttls", "pwd",
and "fast". Each method requires different configuration using the
properties of this setting; refer to wpa_supplicant documentation for the
allowed combinations.
IDENTITY
Identity string for EAP authentication methods. Often the user's user or
login name.
OPTIONAL
Whether the 802.1X authentication is optional. If TRUE, the activation
will continue even after a timeout or an authentication failure. Setting
the property to TRUE is currently allowed only for Ethernet connections.
If set to FALSE, the activation can continue only after a successful
authentication.
PAC_FILE
UTF-8 encoded file path containing PAC for EAP-FAST.
PASSWORD
UTF-8 encoded password used for EAP authentication methods. If both the
"password" property and the "password-raw"
property are specified, "password" is preferred.
PASSWORD_FLAGS
Flags indicating how to handle the "password" property.
PASSWORD_RAW
Password used for EAP authentication methods, given as a byte array to
allow passwords in other encodings than UTF-8 to be used. If both the
"password" property and the "password-raw"
property are specified, "password" is preferred.
PASSWORD_RAW_FLAGS
Flags indicating how to handle the "password-raw" property.
PHASE1_AUTH_FLAGS
Specifies authentication flags to use in "phase 1" outer
authentication using NMSetting8021xAuthFlags options.
The individual TLS versions can be explicitly disabled. If a certain
TLS disable flag is not set, it is up to the supplicant to allow
or forbid it. The TLS options map to tls_disable_tlsv1_x settings.
It also allows setting "tls-allow-unsafe-renegotiation" to work around
authentication servers that don't support RFC 5746 secure authentication.
See the wpa_supplicant documentation for more details.
PHASE1_FAST_PROVISIONING
Enables or disables in-line provisioning of EAP-FAST credentials when
FAST is specified as the EAP method in the "eap" property.
Recognized values are "0" (disabled), "1" (allow unauthenticated
provisioning), "2" (allow authenticated provisioning), and "3" (allow
both authenticated and unauthenticated provisioning). See the
wpa_supplicant documentation for more details.
PHASE1_PEAPLABEL
Forces use of the new PEAP label during key derivation. Some RADIUS
servers may require forcing the new PEAP label to interoperate with
PEAPv1. Set to "1" to force use of the new PEAP label. See the
wpa_supplicant documentation for more details.
PHASE1_PEAPVER
Forces which PEAP version is used when PEAP is set as the EAP method in
the "eap" property. When unset, the version reported by
the server will be used. Sometimes when using older RADIUS servers, it
is necessary to force the client to use a particular PEAP version. To do
so, this property may be set to "0" or "1" to force that specific PEAP
version.
PHASE2_ALTSUBJECT_MATCHES
List of strings to be matched against the altSubjectName of the
certificate presented by the authentication server during the inner
"phase 2" authentication. If the list is empty, no verification of the
server certificate's altSubjectName is performed.
PHASE2_AUTH
Specifies the allowed "phase 2" inner authentication method when an EAP
method that uses an inner TLS tunnel is specified in the "eap"
property. For TTLS this property selects one of the supported non-EAP
inner methods: "pap", "chap", "mschap", "mschapv2" while
"phase2-autheap" selects an EAP inner method. For PEAP
this selects an inner EAP method, one of: "gtc", "otp", "md5" and "tls".
Each "phase 2" inner method requires specific parameters for successful
authentication; see the wpa_supplicant documentation for more details.
Both "phase2-auth" and "phase2-autheap" cannot
be specified.
PHASE2_AUTHEAP
Specifies the allowed "phase 2" inner EAP-based authentication method
when TTLS is specified in the "eap" property. Recognized
EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc", and
"tls". Each "phase 2" inner method requires specific parameters for
successful authentication; see the wpa_supplicant documentation for
more details.
PHASE2_CA_CERT
Contains the "phase 2" CA certificate if used by the EAP method specified
in the "phase2-auth" or "phase2-autheap"
properties.
Certificate data is specified using a "scheme"; three are currently
supported: blob, path and pkcs#11 URL. When using the blob scheme this property
should be set to the certificate's DER encoded data. When using the path
scheme, this property should be set to the full UTF-8 encoded path of the
certificate, prefixed with the string "file://" and ending with a terminating
NUL byte.
This property can be unset even if the EAP method supports CA certificates,
but this allows man-in-the-middle attacks and is NOT recommended.
Note that enabling NMSetting8021x:system-ca-certs will override this
setting to use the built-in path, if the built-in path is not a directory.
PHASE2_CA_CERT_PASSWORD
The password used to access the "phase2" CA certificate stored in
"phase2-ca-cert" property. Only makes sense if the certificate
is stored on a PKCS#11 token that requires a login.
PHASE2_CA_CERT_PASSWORD_FLAGS
Flags indicating how to handle the "phase2-ca-cert-password" property.
PHASE2_CA_PATH
UTF-8 encoded path to a directory containing PEM or DER formatted
certificates to be added to the verification chain in addition to the
certificate specified in the "phase2-ca-cert" property.
If NMSetting8021x:system-ca-certs is enabled and the built-in CA
path is an existing directory, then this setting is ignored.
PHASE2_CLIENT_CERT
Contains the "phase 2" client certificate if used by the EAP method
specified in the "phase2-auth" or
"phase2-autheap" properties.
Certificate data is specified using a "scheme"; two are currently
supported: blob and path. When using the blob scheme (which is backwards
compatible with NM 0.7.x) this property should be set to the
certificate's DER encoded data. When using the path scheme, this property
should be set to the full UTF-8 encoded path of the certificate, prefixed
with the string "file://" and ending with a terminating NUL byte. This
property can be unset even if the EAP method supports CA certificates,
but this allows man-in-the-middle attacks and is NOT recommended.
PHASE2_CLIENT_CERT_PASSWORD
The password used to access the "phase2" client certificate stored in
"phase2-client-cert" property. Only makes sense if the certificate
is stored on a PKCS#11 token that requires a login.
PHASE2_CLIENT_CERT_PASSWORD_FLAGS
Flags indicating how to handle the "phase2-client-cert-password" property.
PHASE2_DOMAIN_MATCH
Constraint for server domain name. If set, this list of FQDNs is used as
a match requirement for dNSName element(s) of the certificate presented
by the authentication server during the inner "phase 2" authentication.
If a matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using the same comparison.
Multiple valid FQDNs can be passed as a ";" delimited list.
PHASE2_DOMAIN_SUFFIX_MATCH
Constraint for server domain name. If set, this FQDN is used as a suffix
match requirement for dNSName element(s) of the certificate presented by
the authentication server during the inner "phase 2" authentication. If
a matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using the same suffix match comparison.
Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited
list.
PHASE2_PRIVATE_KEY
Contains the "phase 2" inner private key when the
"phase2-auth" or "phase2-autheap" property is
set to "tls".
Key data is specified using a "scheme"; two are currently supported: blob
and path. When using the blob scheme and private keys, this property
should be set to the key's encrypted PEM encoded data. When using private
keys with the path scheme, this property should be set to the full UTF-8
encoded path of the key, prefixed with the string "file://" and ending
with a terminating NUL byte. When using PKCS#12 format private
keys and the blob scheme, this property should be set to the
PKCS#12 data and the "phase2-private-key-password"
property must be set to the password used to decrypt the PKCS#12
certificate and key. When using PKCS#12 files and the path
scheme, this property should be set to the full UTF-8 encoded path of the
key, prefixed with the string "file://" and ending with a terminating
NUL byte, and as with the blob scheme the
"phase2-private-key-password" property must be set to the
password used to decode the PKCS#12 private key and certificate.
PHASE2_PRIVATE_KEY_PASSWORD
The password used to decrypt the "phase 2" private key specified in the
"phase2-private-key" property when the private key either
uses the path scheme, or is a PKCS#12 format key.
PHASE2_PRIVATE_KEY_PASSWORD_FLAGS
Flags indicating how to handle the
"phase2-private-key-password" property.
PHASE2_SUBJECT_MATCH
Substring to be matched against the subject of the certificate presented
by the authentication server during the inner "phase 2"
authentication. When unset, no verification of the authentication server
certificate's subject is performed. This property provides little security,
if any, and its use is deprecated in favor of
NMSetting8021x:phase2-domain-suffix-match.
PIN
PIN used for EAP authentication methods.
PIN_FLAGS
Flags indicating how to handle the "pin" property.
PRIVATE_KEY
Contains the private key when the "eap" property is set to
"tls".
Key data is specified using a "scheme"; two are currently supported: blob
and path. When using the blob scheme and private keys, this property
should be set to the key's encrypted PEM encoded data. When using private
keys with the path scheme, this property should be set to the full UTF-8
encoded path of the key, prefixed with the string "file://" and ending
with a terminating NUL byte. When using PKCS#12 format private
keys and the blob scheme, this property should be set to the
PKCS#12 data and the "private-key-password"
property must be set to the password used to decrypt the PKCS#12
certificate and key. When using PKCS#12 files and the path
scheme, this property should be set to the full UTF-8 encoded path of the
key, prefixed with the string "file://" and ending with a terminating
NUL byte, and as with the blob scheme the "private-key-password" property
must be set to the password used to decode the PKCS#12 private
key and certificate.
WARNING: "private-key" is not a "secret" property, and thus
unencrypted private key data using the BLOB scheme may be readable by
unprivileged users. Private keys should always be encrypted with a
private key password to prevent unauthorized access to unencrypted
private key data.
PRIVATE_KEY_PASSWORD
The password used to decrypt the private key specified in the
"private-key" property when the private key either uses the
path scheme, or if the private key is a PKCS#12 format key.
PRIVATE_KEY_PASSWORD_FLAGS
Flags indicating how to handle the "private-key-password"
property.
SUBJECT_MATCH
Substring to be matched against the subject of the certificate presented
by the authentication server. When unset, no verification of the
authentication server certificate's subject is performed. This property
provides little security, if any, and its use is deprecated in favor of
NMSetting8021x:domain-suffix-match.
SYSTEM_CA_CERTS
When TRUE, overrides the "ca-path" and
"phase2-ca-path" properties using the system CA directory
specified at configure time with the --system-ca-path switch. The
certificates in this directory are added to the verification chain in
addition to any certificates specified by the "ca-cert" and
"phase2-ca-cert" properties. If the path provided with
--system-ca-path is rather a file name (bundle of trusted CA certificates),
it overrides "ca-cert" and "phase2-ca-cert"
properties instead (sets ca_cert/ca_cert2 options for wpa_supplicant).
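An added example (not part of the generated output above and not NetworkManager code): a small audit of the [802-1x] section of a keyfile-format profile against the server-verification properties described in this section. The sample profiles, the CA path, the host names and the finding codes are constructed, and treating "tls", "peap" and "ttls" as the methods that verify a server certificate is an assumption of this sketch.

```python
import configparser

# Assumption of this example: these EAP methods authenticate the server
# with a certificate, so CA and server-name checks apply to them.
CERT_METHODS = {"tls", "peap", "ttls"}

# Constructed sample profile: no CA, only the deprecated subject-match,
# and authentication marked optional.
WEAK_PROFILE = """
[connection]
id=Corp-Wired
type=ethernet

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
subject-match=corp
optional=true
"""

# Constructed sample profile: explicit CA plus a domain suffix constraint.
HARDENED_PROFILE = """
[connection]
id=Corp-Wired
type=ethernet

[802-1x]
eap=peap;
identity=alice
phase2-auth=mschapv2
ca-cert=/etc/ssl/certs/corp-radius-ca.pem
domain-suffix-match=radius.corp.example
"""


def _items(value):
    """Split a keyfile list value such as 'peap;' into its items."""
    return [part.strip() for part in (value or "").split(";") if part.strip()]


def _is_true(value):
    """Interpret a keyfile boolean value."""
    return (value or "").strip().lower() in ("true", "1", "yes")


def audit_8021x(keyfile_text):
    """Return a list of (code, message) findings for the [802-1x] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(keyfile_text)
    if not parser.has_section("802-1x"):
        return []
    sec = parser["802-1x"]
    findings = []
    methods = {m.lower() for m in _items(sec.get("eap"))}

    if methods & CERT_METHODS:
        # ca-cert unset "allows man-in-the-middle attacks"; ca-path and
        # system-ca-certs are the other ways to supply trust anchors.
        has_ca = bool(sec.get("ca-cert") or sec.get("ca-path")) \
            or _is_true(sec.get("system-ca-certs"))
        if not has_ca:
            findings.append(("no-ca", "no ca-cert, ca-path or system-ca-certs"))

        # A trusted CA alone does not pin which server may present a cert.
        constrained = any(
            _items(sec.get(key))
            for key in ("domain-suffix-match", "domain-match", "altsubject-matches")
        )
        if not constrained:
            if sec.get("subject-match"):
                findings.append(("subject-match-only",
                                 "subject-match is deprecated; use domain-suffix-match"))
            else:
                findings.append(("no-server-name-check",
                                 "no domain-suffix-match, domain-match or altsubject-matches"))

    # Values "1" and "3" both allow unauthenticated EAP-FAST provisioning.
    if "fast" in methods and (sec.get("phase1-fast-provisioning") or "").strip() in ("1", "3"):
        findings.append(("fast-unauth-provisioning",
                         "phase1-fast-provisioning allows unauthenticated provisioning"))

    # optional=TRUE lets activation continue after an authentication failure.
    if _is_true(sec.get("optional")):
        findings.append(("auth-optional", "802.1X authentication is optional"))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_8021x(text))
```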
ADSL
ADSL Settings
ENCAPSULATION
Encapsulation of ADSL connection. Can be "vcmux" or "llc".
PASSWORD
Password used to authenticate with the ADSL service.
PASSWORD_FLAGS
Flags indicating how to handle the "password" property.
PROTOCOL
ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
USERNAME
Username used to authenticate with the ADSL service.
VCI
VCI of ADSL connection
VPI
VPI of ADSL connection
BLUETOOTH
Bluetooth Settings
BDADDR
The Bluetooth address of the device.
TYPE
Either "dun" for Dial-Up Networking connections or "panu" for Personal
Area Networking connections to devices supporting the NAP profile.
BOND
Bonding Settings
OPTIONS
Dictionary of key/value pairs of bonding options. Both keys and values
must be strings. Option names must contain only alphanumeric characters
(ie, [a-zA-Z0-9]).
BOND_PORT
Bond Port Settings
QUEUE_ID
The queue ID of this bond port. The maximum value of queue ID is
the number of TX queues currently active in device.
BRIDGE
Bridging Settings
AGEING_TIME
The Ethernet MAC address aging time, in seconds.
FORWARD_DELAY
The Spanning Tree Protocol (STP) forwarding delay, in seconds.
GROUP_ADDRESS
If specified, the MAC address of the multicast group this bridge uses for STP.
The address must be a link-local address in standard Ethernet MAC address format,
ie an address of the form 01:80:C2:00:00:0X, with X in [0, 4..F].
If not specified the default value is 01:80:C2:00:00:00.
GROUP_FORWARD_MASK
A mask of group addresses to forward. Usually, group addresses in
the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not
forwarded according to standards. This property is a mask of 16 bits,
each corresponding to a group address in that range that must be
forwarded. The mask can't have bits 0, 1 or 2 set because they are
used for STP, MAC pause frames and LACP.
HELLO_TIME
The Spanning Tree Protocol (STP) hello time, in seconds.
MAC_ADDRESS
If specified, the MAC address of bridge. When creating a new bridge, this
MAC address will be set.
If this field is left unspecified, the "ethernet.cloned-mac-address" is
referred instead to generate the initial MAC address. Note that setting
"ethernet.cloned-mac-address" anyway overwrites the MAC address of
the bridge later while activating the bridge. Hence, this property
is deprecated. Deprecated: 1
MAX_AGE
The Spanning Tree Protocol (STP) maximum message age, in seconds.
MULTICAST_HASH_MAX
Set maximum size of multicast hash table (value must be a power of 2).
MULTICAST_LAST_MEMBER_COUNT
Set the number of queries the bridge will send before
stopping forwarding a multicast group after a "leave"
message has been received.
MULTICAST_LAST_MEMBER_INTERVAL
Set interval (in deciseconds) between queries to find remaining
members of a group, after a "leave" message is received.
MULTICAST_MEMBERSHIP_INTERVAL
Set delay (in deciseconds) after which the bridge will
leave a group, if no membership reports for this
group are received.
MULTICAST_QUERIER
Enable or disable sending of multicast queries by the bridge.
If not specified the option is disabled.
MULTICAST_QUERIER_INTERVAL
If no queries are seen after this delay (in deciseconds) has passed,
the bridge will start to send its own queries.
MULTICAST_QUERY_INTERVAL
Interval (in deciseconds) between queries sent
by the bridge after the end of the startup phase.
MULTICAST_QUERY_RESPONSE_INTERVAL
Set the Max Response Time/Max Response Delay
(in deciseconds) for IGMP/MLD queries sent by the bridge.
MULTICAST_QUERY_USE_IFADDR
If enabled the bridge's own IP address is used as
the source address for IGMP queries otherwise
the default of 0.0.0.0 is used.
MULTICAST_ROUTER
Sets bridge's multicast router. Multicast-snooping must be enabled
for this option to work.
Supported values are: 'auto', 'disabled', 'enabled' to which kernel
assigns the numbers 1, 0, and 2, respectively.
If not specified the default value is 'auto' (1).
MULTICAST_SNOOPING
Controls whether IGMP snooping is enabled for this bridge.
Note that if snooping was automatically disabled due to hash collisions,
the system may refuse to enable the feature until the collisions are
resolved.
MULTICAST_STARTUP_QUERY_COUNT
Set the number of IGMP queries to send during startup phase.
MULTICAST_STARTUP_QUERY_INTERVAL
Sets the time (in deciseconds) between queries sent out
at startup to determine membership information.
PRIORITY
Sets the Spanning Tree Protocol (STP) priority for this bridge. Lower
values are "better"; the lowest priority bridge will be elected the root
bridge.
STP
Controls whether Spanning Tree Protocol (STP) is enabled for this bridge.
VLAN_DEFAULT_PVID
The default PVID for the ports of the bridge, that is the VLAN id
assigned to incoming untagged frames.
VLAN_FILTERING
Control whether VLAN filtering is enabled on the bridge.
VLAN_PROTOCOL
If specified, the protocol used for VLAN filtering.
Supported values are: '802.1Q', '802.1ad'.
If not specified the default value is '802.1Q'.
VLAN_STATS_ENABLED
Controls whether per-VLAN stats accounting is enabled.
VLANS
Array of bridge VLAN objects. In addition to the VLANs
specified here, the bridge will also have the default-pvid
VLAN configured by the bridge.vlan-default-pvid property.
In nmcli the VLAN list can be specified with the following
syntax:
$vid [pvid] [untagged] [, $vid [pvid] [untagged]]...
where $vid is either a single id between 1 and 4094 or a
range, represented as a couple of ids separated by a dash.
BRIDGE_PORT
Bridge Port Settings
HAIRPIN_MODE
Enables or disables "hairpin mode" for the port, which allows frames to
be sent back out through the port the frame was received on.
PATH_COST
The Spanning Tree Protocol (STP) port cost for destinations via this
port.
PRIORITY
The Spanning Tree Protocol (STP) priority of this bridge port.
VLANS
Array of bridge VLAN objects. In addition to the VLANs
specified here, the port will also have the default-pvid
VLAN configured on the bridge by the bridge.vlan-default-pvid
property.
In nmcli the VLAN list can be specified with the following
syntax:
$vid [pvid] [untagged] [, $vid [pvid] [untagged]]...
where $vid is either a single id between 1 and 4094 or a
range, represented as a couple of ids separated by a dash.
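The VLAN list syntax shared by bridge.vlans and bridge-port.vlans decides which
VLANs a port is a member of, so it is worth checking before a profile is applied.
The following is an added example, not NetworkManager code: parse_vlans() follows
the grammar given above, while lint_vlans() adds checks that are assumptions of
this example (a single PVID, no PVID on a range, no overlapping entries).

```python
import re
from typing import List, NamedTuple

VID_MIN, VID_MAX = 1, 4094  # id bounds stated in the property description


class BridgeVlan(NamedTuple):
    vid_start: int
    vid_end: int
    pvid: bool
    untagged: bool


_VID_RE = re.compile(r"^([0-9]+)(?:-([0-9]+))?$")
_FLAGS = ("pvid", "untagged")


def parse_vlans(text: str) -> List[BridgeVlan]:
    """Parse '$vid [pvid] [untagged] [, $vid [pvid] [untagged]]...'."""
    vlans = []
    for raw in text.split(","):
        tokens = raw.split()
        if not tokens:
            raise ValueError("empty VLAN entry")
        match = _VID_RE.match(tokens[0])
        if not match:
            raise ValueError(f"invalid VLAN id or range: {tokens[0]!r}")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) else start
        if not (VID_MIN <= start <= end <= VID_MAX):
            raise ValueError(f"VLAN id out of range or reversed: {tokens[0]!r}")
        flags = tokens[1:]
        for flag in flags:
            if flag not in _FLAGS:
                raise ValueError(f"unknown flag {flag!r} for VLAN {tokens[0]}")
        if len(set(flags)) != len(flags):
            raise ValueError(f"duplicate flag for VLAN {tokens[0]}")
        vlans.append(BridgeVlan(start, end, "pvid" in flags, "untagged" in flags))
    return vlans


def lint_vlans(vlans: List[BridgeVlan]) -> List[str]:
    """Extra sanity checks (assumptions of this example, not from the page)."""
    problems = []
    pvids = [v for v in vlans if v.pvid]
    if len(pvids) > 1:
        problems.append("more than one entry is marked pvid")
    for v in pvids:
        if v.vid_start != v.vid_end:
            problems.append(f"pvid set on range {v.vid_start}-{v.vid_end}")
    ordered = sorted(vlans)
    for a, b in zip(ordered, ordered[1:]):
        if b.vid_start <= a.vid_end:
            problems.append(
                f"{a.vid_start}-{a.vid_end} overlaps {b.vid_start}-{b.vid_end}"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample value in the nmcli syntax.
    sample = "10 pvid untagged, 20-30, 100 untagged"
    for vlan in parse_vlans(sample):
        print(vlan)
    print(lint_vlans(parse_vlans(sample)) or "no problems found")
```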
CDMA
CDMA-based Mobile Broadband Settings
MTU
If non-zero, only transmit packets of the specified size or smaller,
breaking larger packets up into multiple frames.
NUMBER
The number to dial to establish the connection to the CDMA-based mobile
broadband network, if any. If not specified, the default number (#777)
is used when required.
PASSWORD
The password used to authenticate with the network, if required. Many
providers do not require a password, or accept any password. But if a
password is required, it is specified here.
PASSWORD_FLAGS
Flags indicating how to handle the "password" property.
USERNAME
The username used to authenticate with the network, if required. Many
providers do not require a username, or accept any username. But if a
username is required, it is specified here.
DCB
Data Center Bridging Settings
APP_FCOE_FLAGS
Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags may
be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4).
APP_FCOE_MODE
The FCoE controller mode; either "fabric"
or "vn2vn".
Since 1.34, NULL is the default and means "fabric".
Before 1.34, NULL was rejected as invalid and the default was "fabric".
APP_FCOE_PRIORITY
The highest User Priority (0 - 7) which FCoE frames should use, or -1 for
default priority. Only used when the "app-fcoe-flags"
property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
APP_FIP_FLAGS
Specifies the NMSettingDcbFlags for the DCB FIP application. Flags may
be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4).
APP_FIP_PRIORITY
The highest User Priority (0 - 7) which FIP frames should use, or -1 for
default priority. Only used when the "app-fip-flags"
property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
APP_ISCSI_FLAGS
Specifies the NMSettingDcbFlags for the DCB iSCSI application. Flags
may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4).
APP_ISCSI_PRIORITY
The highest User Priority (0 - 7) which iSCSI frames should use, or -1
for default priority. Only used when the "app-iscsi-flags"
property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
PRIORITY_BANDWIDTH
An array of 8 uint values, where the array index corresponds to the User
Priority (0 - 7) and the value indicates the percentage of bandwidth of
the priority's assigned group that the priority may use. The sum of all
percentages for priorities which belong to the same group must total 100
percent.
PRIORITY_FLOW_CONTROL
An array of 8 boolean values, where the array index corresponds to the User
Priority (0 - 7) and the value indicates whether or not the corresponding
priority should transmit priority pause.
PRIORITY_FLOW_CONTROL_FLAGS
Specifies the NMSettingDcbFlags for DCB Priority Flow Control (PFC).
Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4).
PRIORITY_GROUP_BANDWIDTH
An array of 8 uint values, where the array index corresponds to the
Priority Group ID (0 - 7) and the value indicates the percentage of link
bandwidth allocated to that group. Allowed values are 0 - 100, and the
sum of all values must total 100 percent.
PRIORITY_GROUP_FLAGS
Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may be
any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1),
NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4).
PRIORITY_GROUP_ID
An array of 8 uint values, where the array index corresponds to the User
Priority (0 - 7) and the value indicates the Priority Group ID. Allowed
Priority Group ID values are 0 - 7 or 15 for the unrestricted group.
PRIORITY_STRICT_BANDWIDTH
An array of 8 boolean values, where the array index corresponds to the User
Priority (0 - 7) and the value indicates whether or not the priority may
use all of the bandwidth allocated to its assigned group.
PRIORITY_TRAFFIC_CLASS
An array of 8 uint values, where the array index corresponds to the User
Priority (0 - 7) and the value indicates the traffic class (0 - 7) to
which the priority is mapped.
DUMMY
Dummy Link Settings
ETHTOOL
Ethtool Ethernet Settings
GENERIC
Generic Link Settings
GSM
GSM-based Mobile Broadband Settings
APN
The GPRS Access Point Name specifying the APN used when establishing a
data session with the GSM-based network. The APN often determines how
the user will be billed for their network usage and whether the user has
access to the Internet or just a provider-specific walled-garden, so it
is important to use the correct APN for the user's mobile broadband plan.
The APN may only be composed of the characters a-z, 0-9, ., and - per GSM
03.60 Section 14.9.
AUTO_CONFIG
When TRUE, the settings such as APN, username, or password will
default to values that match the network the modem will register
to in the Mobile Broadband Provider database.
DEVICE_ID
The device unique identifier (as given by the WWAN management service)
which this connection applies to. If given, the connection will only
apply to the specified device.
HOME_ONLY
When TRUE, only connections to the home network will be allowed.
Connections to roaming networks will not be made.
MTU
If non-zero, only transmit packets of the specified size or smaller,
breaking larger packets up into multiple frames.
NETWORK_ID
The Network ID (GSM LAI format, i.e. MCC-MNC) to force specific network
registration. If the Network ID is specified, NetworkManager will
attempt to force the device to register only on the specified network.
This can be used to ensure that the device does not roam when direct
roaming control of the device is not otherwise possible.
NUMBER
Legacy setting that used to help establish PPP data sessions for
GSM-based modems. Deprecated: 1
PASSWORD
The password used to authenticate with the network, if required. Many
providers do not require a password, or accept any password. But if a
password is required, it is specified here.
PASSWORD_FLAGS
Flags indicating how to handle the "password" property.
PIN
If the SIM is locked with a PIN it must be unlocked before any other
operations are requested. Specify the PIN here to allow operation of the
device.
PIN_FLAGS
Flags indicating how to handle the "pin" property.
SIM_ID
The SIM card unique identifier (as given by the WWAN management service)
which this connection applies to. If given, the connection will apply
to any device also allowed by "device-id" which contains a
SIM card matching the given identifier.
SIM_OPERATOR_ID
A MCC/MNC string like "310260" or "21601" identifying the specific
mobile network operator which this connection applies to. If given,
the connection will apply to any device also allowed by
"device-id" and "sim-id" which contains a SIM
card provisioned by the given operator.
USERNAME
The username used to authenticate with the network, if required. Many
providers do not require a username, or accept any username. But if a
username is required, it is specified here.
HOSTNAME
Hostname settings
FROM_DHCP
Whether the system hostname can be determined from DHCP on
this connection.
When set to NM_TERNARY_DEFAULT (-1), the value from global configuration
is used. If the property doesn't have a value in the global
configuration, NetworkManager assumes the value to be NM_TERNARY_TRUE (1).
FROM_DNS_LOOKUP
Whether the system hostname can be determined from reverse
DNS lookup of addresses on this device.
When set to NM_TERNARY_DEFAULT (-1), the value from global configuration
is used. If the property doesn't have a value in the global
configuration, NetworkManager assumes the value to be NM_TERNARY_TRUE (1).
ONLY_FROM_DEFAULT
If set to NM_TERNARY_TRUE (1), NetworkManager attempts to get
the hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this
device only when the device has the default route for the given
address family (IPv4/IPv6).
If set to NM_TERNARY_FALSE (0), the hostname can be set from this
device even if it doesn't have the default route.
When set to NM_TERNARY_DEFAULT (-1), the value from global configuration
is used. If the property doesn't have a value in the global
configuration, NetworkManager assumes the value to be NM_TERNARY_FALSE (0).
PRIORITY
The relative priority of this connection to determine the
system hostname. A lower numerical value is better (higher
priority). A connection with higher priority is considered
before connections with lower priority.
If the value is zero, it can be overridden by a global value
from NetworkManager configuration. If the property doesn't have
a value in the global configuration, the value is assumed to be
100.
Negative values have the special effect of excluding other
connections with a greater numerical priority value; so in
presence of at least one negative priority, only connections
with the lowest priority value will be used to determine the
hostname.
INFINIBAND
Infiniband Settings
MAC_ADDRESS
If specified, this connection will only apply to the IPoIB device whose
permanent MAC address matches. This property does not change the MAC
address of the device (i.e. MAC spoofing).
MTU
If non-zero, only transmit packets of the specified size or smaller,
breaking larger packets up into multiple frames.
P_KEY
The InfiniBand P_Key to use for this device. A value of -1 means to use
the default P_Key (aka "the P_Key at index 0"). Otherwise, it is a 16-bit
unsigned integer, whose high bit is set if it is a "full membership"
P_Key.
PARENT
The interface name of the parent device of this device. Normally NULL,
but if the "p_key" property is set, then you must
specify the base device by setting either this property or
"mac-address".
TRANSPORT_MODE
The IP-over-InfiniBand transport mode. Either "datagram" or
"connected".
IP4_CONFIG
IPv4 Settings
ADDRESSES
Array of IP addresses.
DAD_TIMEOUT
Timeout in milliseconds used to check for the presence of duplicate IP
addresses on the network. If an address conflict is detected, the
activation will fail. A zero value means that no duplicate address
detection is performed, -1 means the default value (either configuration
ipvx.dad-timeout override or zero). A value greater than zero is a
timeout in milliseconds.
The property is currently implemented only for IPv4.
DHCP_CLIENT_ID
A string sent to the DHCP server to identify the local machine which the
DHCP server may use to customize the DHCP lease and options.
When the property is a hex string ('aa:bb:cc') it is interpreted as a
binary client ID, in which case the first byte is assumed to be the
'type' field as per RFC 2132 section 9.14 and the remaining bytes may be
a hardware address (e.g. '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet
ARP type and the rest is a MAC address).
If the property is not a hex string it is considered as a
non-hardware-address client ID and the 'type' field is set to 0.
The special values "mac" and "perm-mac" are supported, which use the
current or permanent MAC address of the device to generate a client identifier
with type ethernet (01). Currently, these options only work for ethernet
type of links.
The special value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid" property as
an RFC4361-compliant client identifier. As IAID it uses "ipv4.dhcp-iaid"
and falls back to "ipv6.dhcp-iaid" if unset.
The special value "duid" generates a RFC4361-compliant client identifier based
on "ipv4.dhcp-iaid" and uses a DUID generated by hashing /etc/machine-id.
The special value "stable" is supported to generate a type 0 client identifier based
on the stable-id (see connection.stable-id) and a per-host key. If you set the
stable-id, you may want to include the "${DEVICE}" or "${MAC}" specifier to get a
per-device key.
If unset, a globally configured default is used. If still unset, the default
depends on the DHCP plugin.
DHCP_FQDN
If the "dhcp-send-hostname" property is TRUE, then the
specified FQDN will be sent to the DHCP server when acquiring a lease. This
property and "dhcp-hostname" are mutually exclusive and
cannot be set at the same time.
DHCP_HOSTNAME
If the "dhcp-send-hostname" property is TRUE, then the
specified name will be sent to the DHCP server when acquiring a lease.
This property and "dhcp-fqdn" are mutually exclusive and
cannot be set at the same time.
DHCP_HOSTNAME_FLAGS
Flags for the DHCP hostname and FQDN.
Currently, this property only includes flags to control the FQDN flags
set in the DHCP FQDN option. Supported FQDN flags are
NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is set and
NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the DHCP FQDN option will
contain no flag. Otherwise, if no FQDN flag is set and
NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set, the standard FQDN flags
are set in the request:
NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6.
When this property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE (0x0),
a global default is looked up in NetworkManager configuration. If that value
is unset or also NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
described above are sent in the DHCP requests.
DHCP_IAID
A string containing the "Identity Association Identifier" (IAID) used
by the DHCP client. The property is a 32-bit decimal value or a
special value among "mac", "perm-mac", "ifname" and "stable". When
set to "mac" (or "perm-mac"), the last 4 bytes of the current (or
permanent) MAC address are used as IAID. When set to "ifname", the
IAID is computed by hashing the interface name. The special value
"stable" can be used to generate an IAID based on the stable-id (see
connection.stable-id), a per-host key and the interface name. When
the property is unset, the value from global configuration is used;
if no global default is set then the IAID is assumed to be
"ifname". Note that at the moment this property is ignored for IPv6
by dhclient, which always derives the IAID from the MAC address.
DHCP_REJECT_SERVERS
Array of servers from which DHCP offers must be rejected. This property
is useful to avoid getting a lease from misconfigured or rogue servers.
For DHCPv4, each element must be an IPv4 address, optionally
followed by a slash and a prefix length (e.g. "192.168.122.0/24").
This property is currently not implemented for DHCPv6.
DHCP_SEND_HOSTNAME
If TRUE, a hostname is sent to the DHCP server when acquiring a lease.
Some DHCP servers use this hostname to update DNS databases, essentially
providing a static hostname for the computer. If the
"dhcp-hostname" property is NULL and this property is
TRUE, the current persistent hostname of the computer is sent.
DHCP_TIMEOUT
A timeout for a DHCP transaction in seconds. If zero (the default), a
globally configured default is used. If still unspecified, a device specific
timeout is used (usually 45 seconds).
Set to 2147483647 (MAXINT32) for infinity.
DHCP_VENDOR_CLASS_IDENTIFIER
The Vendor Class Identifier DHCP option (60).
Special characters in the data string may be escaped using C-style escapes,
nevertheless this property cannot contain nul bytes.
If the per-profile value is unspecified (the default),
a global connection default gets consulted.
If still unspecified, the DHCP option is not sent to the server.
Since 1.28
DNS
Array of IP addresses of DNS servers.
DNS_OPTIONS
Array of DNS options as described in man 5 resolv.conf.
NULL means that the options are unset and left at the default.
In this case NetworkManager will use default options. This is
distinct from an empty list of properties.
The currently supported options are "attempts", "debug", "edns0",
"inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-check-names",
"no-ip6-dotint", "no-reload", "no-tld-query", "rotate", "single-request",
"single-request-reopen", "timeout", "trust-ad", "use-vc".
The "trust-ad" setting is only honored if the profile contributes
name servers to resolv.conf, and if all contributing profiles have
"trust-ad" enabled.
When using a caching DNS plugin (dnsmasq or systemd-resolved in
NetworkManager.conf) then "edns0" and "trust-ad" are automatically
added.
DNS_PRIORITY
DNS servers priority.
The relative priority for DNS servers specified by this setting. A lower
numerical value is better (higher priority).
Negative values have the special effect of excluding other configurations
with a greater numerical priority value; so in presence of at least one negative
priority, only DNS servers from connections with the lowest priority value will be used.
To avoid all DNS leaks, set the priority of the profile that should be used
to the most negative value of all active connection profiles.
Zero selects a globally configured default value. If the latter is missing
or zero too, it defaults to 50 for VPNs (including WireGuard) and 100 for
other connections.
Note that the priority is to order DNS settings for multiple active
connections. It does not disambiguate multiple DNS servers within the
same connection profile.
When multiple devices have configurations with the same priority, VPNs will be
considered first, then devices with the best (lowest metric) default
route and then all other devices.
When using dns=default, servers with higher priority will be on top of
resolv.conf. To prioritize a given server over another one within the
same connection, just specify them in the desired order.
Note that commonly the resolver tries name servers in /etc/resolv.conf
in the order listed, proceeding with the next server in the list
on failure. See for example the "rotate" option of the dns-options setting.
If there are any negative DNS priorities, then only name servers from
the devices with that lowest priority will be considered.
When using a DNS resolver that supports Conditional Forwarding or
Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each connection
is used to query domains in its search list. The search domains determine which
name servers to ask, and the DNS priority is used to prioritize
name servers based on the domain. Queries for domains not present in any
search list are routed through connections having the '~.' special wildcard
domain, which is added automatically to connections with the default route
(or can be added manually). When multiple connections specify the same domain, the
one with the best priority (lowest numerical value) wins. If a sub domain
is configured on another interface it will be accepted regardless of the priority,
unless the parent domain on the other interface has a negative priority, which causes
the sub domain to be shadowed.
With Split DNS one can avoid undesired DNS leaks by properly configuring
DNS priorities and the search domains, so that only name servers of the desired
interface are configured.
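The ordering and exclusion rules of ipv4.dns-priority can be modelled to check
whether a set of active profiles would let name servers outside the intended
profile into resolv.conf. This is an added example, not NetworkManager code: it
covers only the dns=default case described above, and the Profile class, its
field names and all sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Profile:
    """One active connection profile (constructed sample data)."""
    name: str
    dns: List[str]                              # assumed non-empty here
    dns_priority: int = 0                       # value stored in the profile
    is_vpn: bool = False
    default_route_metric: Optional[int] = None  # None: no default route


def effective_priority(p: Profile, global_default: int = 0) -> int:
    """Zero falls back to the global default, then to 50 (VPN) or 100."""
    if p.dns_priority != 0:
        return p.dns_priority
    if global_default != 0:
        return global_default
    return 50 if p.is_vpn else 100


def contributing(profiles: List[Profile], global_default: int = 0) -> List[Profile]:
    """Profiles whose name servers are used, best priority first."""
    ranked = [(effective_priority(p, global_default), p) for p in profiles]
    if not ranked:
        return []
    lowest = min(prio for prio, _ in ranked)
    if lowest < 0:
        # A negative priority excludes everything with a greater value.
        ranked = [(prio, p) for prio, p in ranked if prio == lowest]

    def tie_break(p: Profile):
        # Equal priority: VPNs, then lowest default-route metric, then the rest.
        if p.is_vpn:
            return (0, 0)
        if p.default_route_metric is not None:
            return (1, p.default_route_metric)
        return (2, 0)

    ranked.sort(key=lambda item: (item[0], tie_break(item[1])))
    return [p for _, p in ranked]


def resolv_conf_servers(profiles: List[Profile], global_default: int = 0) -> List[str]:
    """Name servers in the order they would be listed, without duplicates."""
    seen, ordered = set(), []
    for p in contributing(profiles, global_default):
        for server in p.dns:
            if server not in seen:
                seen.add(server)
                ordered.append(server)
    return ordered


def leaked_servers(profiles: List[Profile], trusted: str,
                   global_default: int = 0) -> List[str]:
    """Servers that end up in the list but do not belong to `trusted`."""
    trusted_dns = {s for p in profiles if p.name == trusted for s in p.dns}
    return [s for s in resolv_conf_servers(profiles, global_default)
            if s not in trusted_dns]


if __name__ == "__main__":
    wifi = Profile("wifi", ["192.0.2.53"], default_route_metric=600)
    vpn = Profile("vpn", ["198.51.100.53"], is_vpn=True)
    print(resolv_conf_servers([wifi, vpn]), leaked_servers([wifi, vpn], "vpn"))
    vpn.dns_priority = -10
    print(resolv_conf_servers([wifi, vpn]), leaked_servers([wifi, vpn], "vpn"))
```

With the default priorities the Wi-Fi server stays in the list as a fallback; only a
negative priority on the VPN profile, more negative than any other active profile,
removes it.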
DNS_SEARCH
Array of DNS search domains. Domains starting with a tilde ('~')
are considered 'routing' domains and are used only to decide the
interface over which a query must be forwarded; they are not used
to complete unqualified host names.
When using a DNS plugin that supports Conditional Forwarding or
Split DNS, then the search domains specify which name servers to
query. This makes the behavior different from running with plain
/etc/resolv.conf. For more information see also the dns-priority setting.
GATEWAY
The gateway associated with this configuration. This is only meaningful
if "addresses" is also set.
The gateway's main purpose is to control the next hop of the standard default route on the device.
Hence, the gateway property conflicts with "never-default" and will be
automatically dropped if the IP configuration is set to never-default.
As an alternative to setting the gateway, configure a static default route with /0 as prefix
length.
IGNORE_AUTO_DNS
When "method" is set to "auto" and this property to
TRUE, automatically configured name servers and search domains are
ignored and only name servers and search domains specified in the
"dns" and "dns-search" properties, if
any, are used.
IGNORE_AUTO_ROUTES
When "method" is set to "auto" and this property to
TRUE, automatically configured routes are ignored and only routes
specified in the "routes" property, if any, are used.
MAY_FAIL
If TRUE, allow overall network configuration to proceed even if the
configuration specified by this property times out. Note that at least
one IP configuration must succeed or overall network configuration will
still fail. For example, in IPv6-only networks, setting this property to
TRUE on the NMSettingIP4Config allows the overall network configuration
to succeed if IPv4 configuration fails but IPv6 configuration completes
successfully.
METHOD
IP configuration method.
NMSettingIP4Config and NMSettingIP6Config both support "disabled",
"auto", "manual", and "link-local". See the subclass-specific
documentation for other values.
In general, for the "auto" method, properties such as
"dns" and "routes" specify information
that is added on to the information returned from automatic
configuration. The "ignore-auto-routes" and
"ignore-auto-dns" properties modify this behavior.
For methods that imply no upstream network, such as "shared" or
"link-local", these properties must be empty.
For IPv4 method "shared", the IP subnet can be configured by adding one
manual IPv4 address or otherwise 10.42.x.0/24 is chosen. Note that the
shared method must be configured on the interface which shares the internet
to a subnet, not on the uplink which is shared.
NEVER_DEFAULT
If TRUE, this connection will never be the default connection for this
IP type, meaning it will never be assigned the default route by
NetworkManager.
REQUIRED_TIMEOUT
The minimum time interval in milliseconds for which dynamic IP configuration
should be tried before the connection succeeds.
This property is useful for example if both IPv4 and IPv6 are enabled and
are allowed to fail. Normally the connection succeeds as soon as one of
the two address families completes; by setting a required timeout for
e.g. IPv4, one can ensure that even if IPv6 succeeds earlier than IPv4,
NetworkManager waits some time for IPv4 before the connection becomes
active.
Note that if "may-fail" is FALSE for the same address
family, this property has no effect as NetworkManager needs to wait for
the full DHCP timeout.
A zero value means that no required timeout is present, -1 means the
default value (either configuration ipvx.required-timeout override or
zero).
ROUTE_METRIC
The default metric for routes that don't explicitly specify a metric.
The default value -1 means that the metric is chosen automatically
based on the device type.
The metric applies to dynamic routes, manual (static) routes that
don't have an explicit metric setting, address prefix routes, and
the default route.
Note that for IPv6, the kernel accepts zero (0) but coerces it to
1024 (user default). Hence, setting this property to zero effectively
means setting it to 1024.
For IPv4, zero is a regular value for the metric.
ROUTE_TABLE
Enable policy routing (source routing) and set the routing table used when adding routes.
This affects all routes, including device-routes, IPv4LL, DHCP, SLAAC, default-routes
and static routes. But note that static routes can individually overwrite the setting
by explicitly specifying a non-zero routing table.
If the table setting is left at zero, it is eligible to be overwritten via global
configuration. If the property is zero even after applying the global configuration
value, policy routing is disabled for the address family of this connection.
Policy routing disabled means that NetworkManager will add all routes to the main
table (except static routes that explicitly configure a different table). Additionally,
NetworkManager will not delete any extraneous routes from tables except the main table.
This is to preserve backward compatibility for users who manage routing tables outside
of NetworkManager.
ROUTES
Array of IP routes.
IP6_CONFIG
IPv6 Settings
ADDR_GEN_MODE
Configure method for creating the address for use with RFC4862 IPv6
Stateless Address Autoconfiguration. The permitted values are:
NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0) or
NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1).
If the property is set to EUI64, the addresses will be generated
using the interface tokens derived from the hardware address. This makes
the host part of the address stay constant, making it possible
to track the host's presence when it changes networks. The address changes
when the interface hardware is replaced.
The value of stable-privacy enables use of a cryptographically
secure hash of a secret host-specific key along with the connection's
stable-id and the network address as specified by RFC7217.
This makes it impossible to use the address to track the host's presence,
and makes the address stable when the network interface hardware is
replaced.
On D-Bus, the absence of an addr-gen-mode setting equals enabling
stable-privacy. For keyfile plugin, the absence of the setting
on disk means EUI64 so that the property doesn't change on upgrade
from older versions.
Note that this setting is distinct from the Privacy Extensions as
configured by "ip6-privacy" property and it does not affect the
temporary addresses configured with this option.
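The tracking difference between the two addr-gen-mode values shows up when the
same host joins two networks. This is an added example, not NetworkManager code:
eui64_iid() is the standard modified EUI-64 derivation, while stable_privacy_iid()
is a simplified SHA-256 stand-in for the RFC 7217 function, and the MAC address,
prefixes, stable-id and key are constructed sample values.

```python
import hashlib
import ipaddress


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier derived from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe in the middle.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def stable_privacy_iid(prefix: str, stable_id: str, secret_key: bytes,
                       dad_counter: int = 0) -> bytes:
    """Simplified RFC 7217-style identifier: hash of prefix, stable-id and key.

    Stand-in for illustration only; the exact inputs and hash that
    NetworkManager uses are not taken from the page.
    """
    net = ipaddress.IPv6Network(prefix)
    digest = hashlib.sha256()
    fields = (net.network_address.packed, stable_id.encode(),
              dad_counter.to_bytes(4, "big"), secret_key)
    for data in fields:
        # Length-prefix each field so field boundaries are unambiguous.
        digest.update(len(data).to_bytes(4, "big"))
        digest.update(data)
    return digest.digest()[:8]


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big"))


def host_part(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits of the address: the part an observer can correlate."""
    return int(addr) & ((1 << 64) - 1)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                  # constructed
    key = b"constructed-host-secret"           # constructed
    stable_id = "constructed-connection-id"    # constructed
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):
        eui = slaac_address(prefix, eui64_iid(mac))
        priv = slaac_address(prefix, stable_privacy_iid(prefix, stable_id, key))
        print(f"{prefix:18} eui64={eui}  stable-privacy={priv}")
```

The EUI-64 host part is identical on both prefixes and embeds the MAC address; the
stable-privacy host part differs per prefix yet is reproducible on the same network.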
ADDRESSES
Array of IP addresses.
DAD_TIMEOUT
Timeout in milliseconds used to check for the presence of duplicate IP
addresses on the network. If an address conflict is detected, the
activation will fail. A zero value means that no duplicate address
detection is performed, -1 means the default value (either configuration
ipvx.dad-timeout override or zero). A value greater than zero is a
timeout in milliseconds.
The property is currently implemented only for IPv4.
DHCP_DUID
A string containing the DHCPv6 Unique Identifier (DUID) used by the dhcp
client to identify itself to DHCPv6 servers (RFC 3315). The DUID is carried
in the Client Identifier option.
If the property is a hex string ('aa:bb:cc') it is interpreted as a binary
DUID and filled as an opaque value in the Client Identifier option.
The special value "lease" will retrieve the DUID previously used from the
lease file belonging to the connection. If no DUID is found and "dhclient"
is the configured dhcp client, the DUID is searched in the system-wide
dhclient lease file. If still no DUID is found, or another dhcp client is
used, a global and permanent DUID-UUID (RFC 6355) will be generated based
on the machine-id.
The special values "llt" and "ll" will generate a DUID of type LLT or LL
(see RFC 3315) based on the current MAC address of the device. In order to
try providing a stable DUID-LLT, the time field will contain a constant
timestamp that is used globally (for all profiles) and persisted to disk.
The special values "stable-llt", "stable-ll" and "stable-uuid" will generate
a DUID of the corresponding type, derived from the connection's stable-id and
a per-host unique key. You may want to include the "${DEVICE}" or "${MAC}" specifier
in the stable-id, in case this profile gets activated on multiple devices.
So, the link-layer address of "stable-ll" and "stable-llt" will be a generated
address derived from the stable id. The DUID-LLT time value in the "stable-llt"
option will be picked among a static timespan of three years (the upper bound
of the interval is the same constant timestamp used in "llt").
When the property is unset, the global value provided for "ipv6.dhcp-duid" is
used. If no global value is provided, the default "lease" value is assumed.
DHCP_HOSTNAME
If the "dhcp-send-hostname" property is TRUE, then the
specified name will be sent to the DHCP server when acquiring a lease.
This property and "dhcp-fqdn" are mutually exclusive and
cannot be set at the same time.
DHCP_HOSTNAME_FLAGS
Flags for the DHCP hostname and FQDN.
Currently, this property only includes flags to control the FQDN flags
set in the DHCP FQDN option. Supported FQDN flags are
NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) and
NM_DHCP_HOSTNAME_FLAG_FQDN_NO_UPDATE (0x4). When no FQDN flag is set and
NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is set, the DHCP FQDN option will
contain no flag. Otherwise, if no FQDN flag is set and
NM_DHCP_HOSTNAME_FLAG_FQDN_CLEAR_FLAGS (0x8) is not set, the standard FQDN flags
are set in the request:
NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1),
NM_DHCP_HOSTNAME_FLAG_FQDN_ENCODED (0x2) for IPv4 and
NM_DHCP_HOSTNAME_FLAG_FQDN_SERV_UPDATE (0x1) for IPv6.
When this property is set to the default value NM_DHCP_HOSTNAME_FLAG_NONE (0x0),
a global default is looked up in NetworkManager configuration. If that value
is unset or also NM_DHCP_HOSTNAME_FLAG_NONE (0x0), then the standard FQDN flags
described above are sent in the DHCP requests.
DHCP_IAID
A string containing the "Identity Association Identifier" (IAID) used
by the DHCP client. The property is a 32-bit decimal value or a
special value among "mac", "perm-mac", "ifname" and "stable". When
set to "mac" (or "perm-mac"), the last 4 bytes of the current (or
permanent) MAC address are used as IAID. When set to "ifname", the
IAID is computed by hashing the interface name. The special value
"stable" can be used to generate an IAID based on the stable-id (see
connection.stable-id), a per-host key and the interface name. When
the property is unset, the value from global configuration is used;
if no global default is set then the IAID is assumed to be
"ifname". Note that at the moment this property is ignored for IPv6
by dhclient, which always derives the IAID from the MAC address.
DHCP_REJECT_SERVERS
Array of servers from which DHCP offers must be rejected. This property
is useful to avoid getting a lease from misconfigured or rogue servers.
For DHCPv4, each element must be an IPv4 address, optionally
followed by a slash and a prefix length (e.g. "192.168.122.0/24").
This property is currently not implemented for DHCPv6.
DHCP_SEND_HOSTNAME
If TRUE, a hostname is sent to the DHCP server when acquiring a lease.
Some DHCP servers use this hostname to update DNS databases, essentially
providing a static hostname for the computer. If the
"dhcp-hostname" property is NULL and this property is
TRUE, the current persistent hostname of the computer is sent.
DHCP_TIMEOUT
A timeout for a DHCP transaction in seconds. If zero (the default), a
globally configured default is used. If still unspecified, a device specific
timeout is used (usually 45 seconds).
Set to 2147483647 (MAXINT32) for infinity.
DNS
Array of IP addresses of DNS servers.
DNS_OPTIONS
Array of DNS options as described in man 5 resolv.conf.
NULL means that the options are unset and left at the default.
In this case NetworkManager will use default options. This is
distinct from an empty list of properties.
The currently supported options are "attempts", "debug", "edns0",
"inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-check-names",
"no-ip6-dotint", "no-reload", "no-tld-query", "rotate", "single-request",
"single-request-reopen", "timeout", "trust-ad", "use-vc".
The "trust-ad" setting is only honored if the profile contributes
name servers to resolv.conf, and if all contributing profiles have
"trust-ad" enabled.
When using a caching DNS plugin (dnsmasq or systemd-resolved in
NetworkManager.conf) then "edns0" and "trust-ad" are automatically
added.
DNS_PRIORITY
DNS servers priority.
The relative priority for DNS servers specified by this setting. A lower
numerical value is better (higher priority).
Negative values have the special effect of excluding other configurations
with a greater numerical priority value; so in presence of at least one negative
priority, only DNS servers from connections with the lowest priority value will be used.
To avoid all DNS leaks, set the priority of the profile that should be used
to the most negative value of all active connection profiles.
Zero selects a globally configured default value. If the latter is missing
or zero too, it defaults to 50 for VPNs (including WireGuard) and 100 for
other connections.
Note that the priority is to order DNS settings for multiple active
connections. It does not disambiguate multiple DNS servers within the
same connection profile.
When multiple devices have configurations with the same priority, VPNs will be
considered first, then devices with the best (lowest metric) default
route and then all other devices.
When using dns=default, servers with higher priority will be on top of
resolv.conf. To prioritize a given server over another one within the
same connection, just specify them in the desired order.
Note that commonly the resolver tries name servers in /etc/resolv.conf
in the order listed, proceeding with the next server in the list
on failure. See for example the "rotate" option of the dns-options setting.
If there are any negative DNS priorities, then only name servers from
the devices with that lowest priority will be considered.
When using a DNS resolver that supports Conditional Forwarding or
Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each connection
is used to query domains in its search list. The search domains determine which
name servers to ask, and the DNS priority is used to prioritize
name servers based on the domain. Queries for domains not present in any
search list are routed through connections having the '~.' special wildcard
domain, which is added automatically to connections with the default route
(or can be added manually). When multiple connections specify the same domain, the
one with the best priority (lowest numerical value) wins. If a sub domain
is configured on another interface it will be accepted regardless of the priority,
unless the parent domain on the other interface has a negative priority, which causes
the sub domain to be shadowed.
With Split DNS one can avoid undesired DNS leaks by properly configuring
DNS priorities and the search domains, so that only name servers of the desired
interface are configured.
DNS_SEARCH
Array of DNS search domains. Domains starting with a tilde ('~')
are considered 'routing' domains and are used only to decide the
interface over which a query must be forwarded; they are not used
to complete unqualified host names.
When using a DNS plugin that supports Conditional Forwarding or
Split DNS, then the search domains specify which name servers to
query. This makes the behavior different from running with plain
/etc/resolv.conf. For more information see also the dns-priority setting.
GATEWAY
The gateway associated with this configuration. This is only meaningful
if "addresses" is also set.
The gateway's main purpose is to control the next hop of the standard default route on the device.
Hence, the gateway property conflicts with "never-default" and will be
automatically dropped if the IP configuration is set to never-default.
As an alternative to setting the gateway, configure a static default route with /0 as prefix
length.
IGNORE_AUTO_DNS
When "method" is set to "auto" and this property to
TRUE, automatically configured name servers and search domains are
ignored and only name servers and search domains specified in the
"dns" and "dns-search" properties, if
any, are used.
IGNORE_AUTO_ROUTES
When "method" is set to "auto" and this property to
TRUE, automatically configured routes are ignored and only routes
specified in the "routes" property, if any, are used.
IP6_PRIVACY
Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941. If
enabled, it makes the kernel generate a temporary IPv6 address in
addition to the public one generated from MAC address via modified
EUI-64. This enhances privacy, but on the other hand could cause problems in
some applications. The permitted values are: -1: unknown,
0: disabled, 1: enabled (prefer public address), 2: enabled (prefer temporary
addresses).
Having a per-connection setting set to "-1" (unknown) means falling back to the
global configuration "ipv6.ip6-privacy".
If the global configuration is also unspecified or set to "-1", the fallback is to read
"/proc/sys/net/ipv6/conf/default/use_tempaddr".
Note that this setting is distinct from the Stable Privacy addresses
that can be enabled with the "addr-gen-mode" property's "stable-privacy"
setting as another way of avoiding host tracking with IPv6 addresses.
MAY_FAIL
If TRUE, allow overall network configuration to proceed even if the
configuration specified by this property times out. Note that at least
one IP configuration must succeed or overall network configuration will
still fail. For example, in IPv6-only networks, setting this property to
TRUE on the NMSettingIP4Config allows the overall network configuration
to succeed if IPv4 configuration fails but IPv6 configuration completes
successfully.
METHOD
IP configuration method.
NMSettingIP4Config and NMSettingIP6Config both support "disabled",
"auto", "manual", and "link-local". See the subclass-specific
documentation for other values.
In general, for the "auto" method, properties such as
"dns" and "routes" specify information
that is added on to the information returned from automatic
configuration. The "ignore-auto-routes" and
"ignore-auto-dns" properties modify this behavior.
For methods that imply no upstream network, such as "shared" or
"link-local", these properties must be empty.
For IPv4 method "shared", the IP subnet can be configured by adding one
manual IPv4 address or otherwise 10.42.x.0/24 is chosen. Note that the
shared method must be configured on the interface which shares the internet
to a subnet, not on the uplink which is shared.
NEVER_DEFAULT
If TRUE, this connection will never be the default connection for this
IP type, meaning it will never be assigned the default route by
NetworkManager.
RA_TIMEOUT
A timeout for waiting for Router Advertisements in seconds. If zero (the default), a
globally configured default is used. If still unspecified, the timeout depends on the
sysctl settings of the device.
Set to 2147483647 (MAXINT32) for infinity.
REQUIRED_TIMEOUT
The minimum time interval in milliseconds for which dynamic IP configuration
should be tried before the connection succeeds.
This property is useful for example if both IPv4 and IPv6 are enabled and
are allowed to fail. Normally the connection succeeds as soon as one of
the two address families completes; by setting a required timeout for
e.g. IPv4, one can ensure that even if IPv6 succeeds earlier than IPv4,
NetworkManager waits some time for IPv4 before the connection becomes
active.
Note that if "may-fail" is FALSE for the same address
family, this property has no effect as NetworkManager needs to wait for
the full DHCP timeout.
A zero value means that no required timeout is present, -1 means the
default value (either configuration ipvx.required-timeout override or
zero).
ROUTE_METRIC
The default metric for routes that don't explicitly specify a metric.
The default value -1 means that the metric is chosen automatically
based on the device type.
The metric applies to dynamic routes, manual (static) routes that
don't have an explicit metric setting, address prefix routes, and
the default route.
Note that for IPv6, the kernel accepts zero (0) but coerces it to
1024 (user default). Hence, setting this property to zero effectively
means setting it to 1024.
For IPv4, zero is a regular value for the metric.
ROUTE_TABLE
Enable policy routing (source routing) and set the routing table used when adding routes.
This affects all routes, including device-routes, IPv4LL, DHCP, SLAAC, default-routes
and static routes. But note that static routes can individually overwrite the setting
by explicitly specifying a non-zero routing table.
If the table setting is left at zero, it is eligible to be overwritten via global
configuration. If the property is zero even after applying the global configuration
value, policy routing is disabled for the address family of this connection.
Policy routing disabled means that NetworkManager will add all routes to the main
table (except static routes that explicitly configure a different table). Additionally,
NetworkManager will not delete any extraneous routes from tables except the main table.
This is to preserve backward compatibility for users who manage routing tables outside
of NetworkManager.
ROUTES
Array of IP routes.
TOKEN
Configure the token for draft-chown-6man-tokenised-ipv6-identifiers-02
IPv6 tokenized interface identifiers. Useful with eui64 addr-gen-mode.
IP_TUNNEL
IP Tunneling Settings
ENCAPSULATION_LIMIT
How many additional levels of encapsulation are permitted to be prepended
to packets. This property applies only to IPv6 tunnels.
FLAGS
Tunnel flags. Currently, the following values are supported:
NM_IP_TUNNEL_FLAG_IP6_IGN_ENCAP_LIMIT (0x1), NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_TCLASS (0x2),
NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FLOWLABEL (0x4), NM_IP_TUNNEL_FLAG_IP6_MIP6_DEV (0x8),
NM_IP_TUNNEL_FLAG_IP6_RCV_DSCP_COPY (0x10), NM_IP_TUNNEL_FLAG_IP6_USE_ORIG_FWMARK (0x20).
They are valid only for IPv6 tunnels.
FLOW_LABEL
The flow label to assign to tunnel packets. This property applies only to
IPv6 tunnels.
INPUT_KEY
The key used for tunnel input packets; the property is valid only for
certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
LOCAL
The local endpoint of the tunnel; the value can be empty, otherwise it
must contain an IPv4 or IPv6 address.
MODE
The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or
NM_IP_TUNNEL_MODE_GRE (2).
MTU
If non-zero, only transmit packets of the specified size or smaller,
breaking larger packets up into multiple fragments.
OUTPUT_KEY
The key used for tunnel output packets; the property is valid only for
certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
PARENT
If given, specifies the parent interface name or parent connection UUID
the new device will be bound to so that tunneled packets will only be
routed via that interface.
PATH_MTU_DISCOVERY
Whether to enable Path MTU Discovery on this tunnel.
REMOTE
The remote endpoint of the tunnel; the value must contain an IPv4 or IPv6
address.
TOS
The type of service (IPv4) or traffic class (IPv6) field to be set on
tunneled packets.
TTL
The TTL to assign to tunneled packets. 0 is a special value meaning that
packets inherit the TTL value.
MACSEC
MACSec Settings
ENCRYPT
Whether the transmitted traffic must be encrypted.
MKA_CAK
The pre-shared CAK (Connectivity Association Key) for MACsec
Key Agreement.
MKA_CAK_FLAGS
Flags indicating how to handle the "mka-cak"
property.
MKA_CKN
The pre-shared CKN (Connectivity-association Key Name) for
MACsec Key Agreement.
MODE
Specifies how the CAK (Connectivity Association Key) for MKA (MACsec Key
Agreement) is obtained.
PARENT
If given, specifies the parent interface name or parent connection UUID
from which this MACSEC interface should be created. If this property is
not specified, the connection must contain an "802-3-ethernet" setting
with a "mac-address" property.
PORT
The port component of the SCI (Secure Channel Identifier), between 1 and 65534.
SEND_SCI
Specifies whether the SCI (Secure Channel Identifier) is included
in every packet.
VALIDATION
Specifies the validation mode for incoming frames.
MACVLAN
MAC VLAN Settings
MODE
The macvlan mode, which specifies the communication mechanism between multiple
macvlans on the same lower device.
PARENT
If given, specifies the parent interface name or parent connection UUID
from which this MAC-VLAN interface should be created. If this property is
not specified, the connection must contain an "802-3-ethernet" setting
with a "mac-address" property.
PROMISCUOUS
Whether the interface should be put in promiscuous mode.
TAP
Whether the interface should be a MACVTAP.
MATCH
Match settings
DRIVER
A list of driver names to match. Each element is a shell wildcard pattern.
See NMSettingMatch:interface-name for how special characters '|', '&',
'!' and '\\' are used for optional and mandatory matches and inverting the
pattern.
INTERFACE_NAME
A list of interface names to match. Each element is a shell wildcard
pattern.
An element can be prefixed with a pipe symbol (|) or an ampersand (&).
The former means that the element is optional and the latter means that
it is mandatory. If there are any optional elements, then the match
evaluates to true if at least one of the optional elements matches
(logical OR). If there are any mandatory elements, then they all
must match (logical AND). By default, an element is optional. This means
that an element "foo" behaves the same as "|foo". An element can also be inverted
with an exclamation mark (!) between the pipe symbol (or the ampersand) and
the pattern. Note that "!foo" is a shortcut for the mandatory match "&!foo". Finally,
a backslash can be used at the beginning of the element (after the optional special characters)
to escape the start of the pattern. For example, "&\\!a" is a mandatory match for literally "!a".
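The prefix and evaluation rules above, as an added example that is not NetworkManager code. It uses Python's fnmatch as a stand-in for shell wildcard matching, and the function names are chosen for illustration.

```python
from fnmatch import fnmatchcase
from typing import Iterable, NamedTuple


class Element(NamedTuple):
    mandatory: bool
    inverted: bool
    pattern: str


def parse_element(element: str) -> Element:
    """Split one list element into its prefix meaning and its pattern."""
    mandatory = inverted = False
    rest = element
    if rest[:1] in ("&", "|"):
        # Explicit prefix: '&' is mandatory, '|' is optional.
        mandatory = rest[0] == "&"
        rest = rest[1:]
        if rest.startswith("!"):
            inverted = True
            rest = rest[1:]
    elif rest.startswith("!"):
        # A bare "!foo" is a shortcut for the mandatory match "&!foo".
        mandatory = inverted = True
        rest = rest[1:]
    if rest.startswith("\\"):
        # A leading backslash escapes the start of the pattern.
        rest = rest[1:]
    return Element(mandatory, inverted, rest)


def match_list(elements: Iterable[str], value: str) -> bool:
    """Evaluate a match list against one value, e.g. an interface name."""
    any_optional = False
    optional_hit = False
    for raw in elements:
        elem = parse_element(raw)
        hit = fnmatchcase(value, elem.pattern) != elem.inverted
        if elem.mandatory:
            if not hit:
                return False          # all mandatory elements must match
        else:
            any_optional = True
            optional_hit = optional_hit or hit
    # With optional elements present, at least one of them must match.
    # Assumption: a list without optional elements (or an empty list)
    # imposes no optional requirement.
    return optional_hit or not any_optional


if __name__ == "__main__":
    # Constructed sample lists and interface names.
    rules = ["|eth*", "|wlan*", "&!*1"]
    for name in ("eth0", "eth1", "wlan0", "br0"):
        print(name, match_list(rules, name))
    # "&\\!a" is the Python literal for the element &\!a
    print(parse_element("&\\!a"))
```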
KERNEL_COMMAND_LINE
A list of kernel command line arguments to match. This may be used to check
whether a specific kernel command line option is set (or unset, if prefixed with
the exclamation mark). The argument must either be a single word, or
an assignment (i.e. two words, joined by "="). In the former case the kernel
command line is searched for the word appearing as is, or as left hand side
of an assignment. In the latter case, the exact assignment is looked for
with right and left hand side matching. Wildcard patterns are not supported.
See NMSettingMatch:interface-name for how special characters '|', '&',
'!' and '\\' are used for optional and mandatory matches and inverting the
match.
PATH
A list of paths to match against the ID_PATH udev property of
devices. ID_PATH represents the topological persistent path of a
device. It typically contains a subsystem string (pci, usb, platform,
etc.) and a subsystem-specific identifier.
For PCI devices the path has the form
"pci-$domain:$bus:$device.$function", where each variable is a
hexadecimal value; for example "pci-0000:0a:00.0".
The path of a device can be obtained with "udevadm info
/sys/class/net/$dev | grep ID_PATH=" or by looking at the "path"
property exported by NetworkManager ("nmcli -f general.path device
show $dev").
Each element of the list is a shell wildcard pattern.
See NMSettingMatch:interface-name for how special characters '|', '&',
'!' and '\\' are used for optional and mandatory matches and inverting the
pattern.
OLPC_MESH
OLPC Wireless Mesh Settings
CHANNEL
Channel on which the mesh network to join is located.
DHCP_ANYCAST_ADDRESS
Anycast DHCP MAC address used when requesting an IP address via DHCP.
The specific anycast address used determines which DHCP server class
answers the request.
This is currently only implemented by dhclient DHCP plugin.
SSID
SSID of the mesh network to join.
OVS_BRIDGE
OvsBridge Link Settings
DATAPATH_TYPE
The data path type. One of "system", "netdev" or empty.
FAIL_MODE
The bridge failure mode. One of "secure", "standalone" or empty.
MCAST_SNOOPING_ENABLE
Enable or disable multicast snooping.
RSTP_ENABLE
Enable or disable RSTP.
STP_ENABLE
Enable or disable STP.
OVS_DPDK
OvsDpdk Link Settings
DEVARGS
Open vSwitch DPDK device arguments.
N_RXQ
Open vSwitch DPDK number of rx queues.
Defaults to zero which means to leave the parameter in OVS unspecified
and effectively configures one queue.
OVS_EXTERNAL_IDS
OVS External IDs Settings
DATA
A dictionary of key/value pairs with external-ids for OVS.
OVS_INTERFACE
Open vSwitch Interface Settings
TYPE
The interface type. Either "internal", "system", "patch", "dpdk", or empty.
OVS_PATCH
OvsPatch Link Settings
PEER
Specifies the name of the interface for the other side of the patch.
The patch on the other side must also set this interface as peer.
OVS_PORT
OvsPort Link Settings
BOND_DOWNDELAY
The time the port must be inactive in order to be considered down.
BOND_MODE
Bonding mode. One of "active-backup", "balance-slb", or "balance-tcp".
BOND_UPDELAY
The time the port must be active before it starts forwarding traffic.
LACP
LACP mode. One of "active", "off", or "passive".
TAG
The VLAN tag in the range 0-4095.
VLAN_MODE
The VLAN mode. One of "access", "native-tagged", "native-untagged",
"trunk" or unset.
PPP
Point-to-Point Protocol Settings
BAUD
If non-zero, instruct pppd to set the serial port to the specified
baudrate. This value should normally be left as 0 to automatically
choose the speed.
CRTSCTS
If TRUE, specify that pppd should set the serial port to use hardware
flow control with RTS and CTS signals. This value should normally be set
to FALSE.
LCP_ECHO_FAILURE
If non-zero, instruct pppd to presume the connection to the peer has
failed if the specified number of LCP echo-requests go unanswered by the
peer. The "lcp-echo-interval" property must also be set to a non-zero
value if this property is used.
LCP_ECHO_INTERVAL
If non-zero, instruct pppd to send an LCP echo-request frame to the peer
every n seconds (where n is the specified value). Note that some PPP
peers will respond to echo requests and some will not, and it is not
possible to autodetect this.
MPPE_STATEFUL
If TRUE, stateful MPPE is used. See pppd documentation for more
information on stateful MPPE.
MRU
If non-zero, instruct pppd to request that the peer send packets no
larger than the specified size. If non-zero, the MRU should be between
128 and 16384.
MTU
If non-zero, instruct pppd to send packets no larger than the specified
size.
NO_VJ_COMP
If TRUE, Van Jacobson TCP header compression will not be requested.
NOAUTH
If TRUE, do not require the other side (usually the PPP server) to
authenticate itself to the client. If FALSE, require authentication
from the remote side. In almost all cases, this should be TRUE.
NOBSDCOMP
If TRUE, BSD compression will not be requested.
NODEFLATE
If TRUE, "deflate" compression will not be requested.
REFUSE_CHAP
If TRUE, the CHAP authentication method will not be used.
REFUSE_EAP
If TRUE, the EAP authentication method will not be used.
REFUSE_MSCHAP
If TRUE, the MSCHAP authentication method will not be used.
REFUSE_MSCHAPV2
If TRUE, the MSCHAPv2 authentication method will not be used.
REFUSE_PAP
If TRUE, the PAP authentication method will not be used.
REQUIRE_MPPE
If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be required for
the PPP session. If either 64-bit or 128-bit MPPE is not available the
session will fail. Note that MPPE is not used on mobile broadband
connections.
REQUIRE_MPPE_128
If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be
required for the PPP session, and the "require-mppe" property must also
be set to TRUE. If 128-bit MPPE is not available the session will fail.
PPPOE
PPP-over-Ethernet Settings
PARENT
If given, specifies the parent interface name on which this PPPoE
connection should be created. If this property is not specified,
the connection is activated on the interface specified in
"interface-name" of NMSettingConnection.
PASSWORD
Password used to authenticate with the PPPoE service.
PASSWORD_FLAGS
Flags indicating how to handle the "password" property.
SERVICE
If specified, instruct PPPoE to only initiate sessions with access
concentrators that provide the specified service. For most providers,
this should be left blank. It is only required if there are multiple
access concentrators or a specific service is known to be required.
USERNAME
Username used to authenticate with the PPPoE service.
PROXY
WWW Proxy Settings
BROWSER_ONLY
Whether the proxy configuration is for browser only.
METHOD
Method for proxy configuration. Default is NM_SETTING_PROXY_METHOD_NONE (0).
PAC_SCRIPT
PAC script for the connection. This is UTF-8 encoded JavaScript code
that defines a FindProxyForURL() function.
PAC_URL
PAC URL for obtaining PAC file.
SERIAL
Serial Link Settings
BAUD
Speed to use for communication over the serial port. Note that this
value usually has no effect for mobile broadband modems as they generally
ignore speed settings and use the highest available speed.
BITS
Byte-width of the serial communication. The 8 in "8n1" for example.
PARITY
Parity setting of the serial port.
SEND_DELAY
Time to delay between each byte sent to the modem, in microseconds.
STOPBITS
Number of stop bits for communication on the serial port. Either 1 or 2.
The 1 in "8n1" for example.
SRIOV
SR-IOV settings
AUTOPROBE_DRIVERS
Whether to autoprobe virtual functions by a compatible driver.
If set to NM_TERNARY_TRUE (1), the kernel will try to bind VFs to
a compatible driver and if this succeeds a new network
interface will be instantiated for each VF.
If set to NM_TERNARY_FALSE (0), VFs will not be claimed and no
network interfaces will be created for them.
When set to NM_TERNARY_DEFAULT (-1), the global default is used; in
case the global default is unspecified it is assumed to be
NM_TERNARY_TRUE (1).
TOTAL_VFS
The total number of virtual functions to create.
Note that when the sriov setting is present NetworkManager
enforces the number of virtual functions on the interface
(also when it is zero) during activation and resets it
upon deactivation. To prevent any changes to SR-IOV
parameters don't add a sriov setting to the connection.
VFS
Array of virtual function descriptors.
Each VF descriptor is a dictionary mapping attribute names
to GVariant values. The 'index' entry is mandatory for
each VF.
When represented as a string, a VF is in the form:
"INDEX [ATTR=VALUE[ ATTR=VALUE]...]".
For example:
"2 mac=00:11:22:33:44:55 spoof-check=true".
Multiple VFs can be specified using a comma as separator.
Currently, the following attributes are supported: mac,
spoof-check, trust, min-tx-rate, max-tx-rate, vlans.
The "vlans" attribute is represented as a semicolon-separated
list of VLAN descriptors, where each descriptor has the form
"ID[.PRIORITY[.PROTO]]".
PROTO can be either 'q' for 802.1Q (the default) or 'ad' for
802.1ad.
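A parser for the VF string form described above, as an added example that is not NetworkManager code. It assumes boolean attributes are written as the literal words true or false, leaves an omitted VLAN priority as None, and adds a small check (relaxed_vfs, a name chosen here) that lists VFs with trust enabled or spoof-check disabled.

```python
ALLOWED_ATTRS = {"mac", "spoof-check", "trust",
                 "min-tx-rate", "max-tx-rate", "vlans"}


def _parse_bool(attr: str, value: str) -> bool:
    # Assumption: only the literal words "true" and "false" are handled.
    if value == "true":
        return True
    if value == "false":
        return False
    raise ValueError(f"{attr}: expected true or false, got {value!r}")


def parse_vlans(text: str):
    """Parse a semicolon-separated list of ID[.PRIORITY[.PROTO]]."""
    vlans = []
    for desc in text.split(";"):
        parts = desc.split(".")
        if not 1 <= len(parts) <= 3 or not parts[0]:
            raise ValueError(f"bad VLAN descriptor {desc!r}")
        proto = parts[2] if len(parts) == 3 else "q"   # 'q' is the default
        if proto not in ("q", "ad"):
            raise ValueError(f"bad VLAN protocol {proto!r}")
        vlans.append({
            "id": int(parts[0]),
            "priority": int(parts[1]) if len(parts) >= 2 else None,
            "proto": proto,
        })
    return vlans


def parse_vfs(text: str):
    """Parse comma-separated 'INDEX [ATTR=VALUE ...]' VF descriptors."""
    vfs = []
    for chunk in text.split(","):
        tokens = chunk.split()
        if not tokens:
            raise ValueError("empty VF descriptor")
        vf = {"index": int(tokens[0])}       # the index is mandatory
        for token in tokens[1:]:
            attr, sep, value = token.partition("=")
            if not sep or attr not in ALLOWED_ATTRS:
                raise ValueError(f"unsupported attribute {token!r}")
            if attr in ("spoof-check", "trust"):
                vf[attr] = _parse_bool(attr, value)
            elif attr in ("min-tx-rate", "max-tx-rate"):
                vf[attr] = int(value)
            elif attr == "vlans":
                vf[attr] = parse_vlans(value)
            else:
                vf[attr] = value
        vfs.append(vf)
    return vfs


def relaxed_vfs(vfs):
    """Indexes of VFs that set trust=true or spoof-check=false."""
    return [vf["index"] for vf in vfs
            if vf.get("trust") is True or vf.get("spoof-check") is False]


# Constructed sample value for the property.
SAMPLE = ("2 mac=00:11:22:33:44:55 spoof-check=true, "
          "3 vlans=10.2.ad;20 trust=true, "
          "4 spoof-check=false")

if __name__ == "__main__":
    parsed = parse_vfs(SAMPLE)
    for vf in parsed:
        print(vf)
    print("review:", relaxed_vfs(parsed))
```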
TC_CONFIG
Linux Traffic Control Settings
QDISCS
Array of TC queueing disciplines.
When the "tc" setting is present, qdiscs from this
property are applied upon activation. If the property is empty,
all qdiscs are removed and the device will only
have the default qdisc assigned by kernel according to the
"net.core.default_qdisc" sysctl.
If the "tc" setting is not present, NetworkManager
doesn't touch the qdiscs present on the interface.
TFILTERS
Array of TC traffic filters.
When the "tc" setting is present, filters from this
property are applied upon activation. If the property is empty,
NetworkManager removes all the filters.
If the "tc" setting is not present, NetworkManager
doesn't touch the filters present on the interface.
TEAM
Teaming Settings
CONFIG
The JSON configuration for the team network interface. The property
should contain raw JSON configuration data suitable for teamd, because
the value is passed directly to teamd. If not specified, the default
configuration is used. See man teamd.conf for the format details.
LINK_WATCHERS
Link watchers configuration for the connection: each link watcher is
defined by a dictionary, whose keys depend upon the selected link
watcher. Available link watchers are 'ethtool', 'nsna_ping' and
'arp_ping'; the watcher is specified in the dictionary with the key 'name'.
Available keys are: ethtool: 'delay-up', 'delay-down', 'init-wait';
nsna_ping: 'init-wait', 'interval', 'missed-max', 'target-host';
arp_ping: all the ones in nsna_ping and 'source-host', 'validate-active',
'validate-inactive', 'send-always'. See man teamd.conf for more details.
MCAST_REJOIN_COUNT
Corresponds to the teamd mcast_rejoin.count.
MCAST_REJOIN_INTERVAL
Corresponds to the teamd mcast_rejoin.interval.
NOTIFY_PEERS_COUNT
Corresponds to the teamd notify_peers.count.
NOTIFY_PEERS_INTERVAL
Corresponds to the teamd notify_peers.interval.
RUNNER
Corresponds to the teamd runner.name.
Permitted values are: "roundrobin", "broadcast", "activebackup",
"loadbalance", "lacp", "random".
RUNNER_ACTIVE
Corresponds to the teamd runner.active.
RUNNER_AGG_SELECT_POLICY
Corresponds to the teamd runner.agg_select_policy.
RUNNER_FAST_RATE
Corresponds to the teamd runner.fast_rate.
RUNNER_HWADDR_POLICY
Corresponds to the teamd runner.hwaddr_policy.
RUNNER_MIN_PORTS
Corresponds to the teamd runner.min_ports.
RUNNER_SYS_PRIO
Corresponds to the teamd runner.sys_prio.
RUNNER_TX_BALANCER
Corresponds to the teamd runner.tx_balancer.name.
RUNNER_TX_BALANCER_INTERVAL
Corresponds to the teamd runner.tx_balancer.interval.
RUNNER_TX_HASH
Corresponds to the teamd runner.tx_hash.
TEAM_PORT
Team Port Settings
CONFIG
The JSON configuration for the team port. The property should contain raw
JSON configuration data suitable for teamd, because the value is passed
directly to teamd. If not specified, the default configuration is
used. See man teamd.conf for the format details.
LACP_KEY
Corresponds to the teamd ports.PORTIFNAME.lacp_key.
LACP_PRIO
Corresponds to the teamd ports.PORTIFNAME.lacp_prio.
LINK_WATCHERS
Link watchers configuration for the connection: each link watcher is
defined by a dictionary, whose keys depend upon the selected link
watcher. Available link watchers are 'ethtool', 'nsna_ping' and
'arp_ping'; the watcher is specified in the dictionary with the key 'name'.
Available keys are: ethtool: 'delay-up', 'delay-down', 'init-wait';
nsna_ping: 'init-wait', 'interval', 'missed-max', 'target-host';
arp_ping: all the ones in nsna_ping and 'source-host', 'validate-active',
'validate-inactive', 'send-always'. See man teamd.conf for more details.
PRIO
Corresponds to the teamd ports.PORTIFNAME.prio.
QUEUE_ID
Corresponds to the teamd ports.PORTIFNAME.queue_id.
When set to -1, the parameter is omitted from the JSON config.
STICKY
Corresponds to the teamd ports.PORTIFNAME.sticky.
TUN
Tunnel Settings
GROUP
The group ID which will own the device. If set to NULL everyone
will be able to use the device.
MODE
The operating mode of the virtual device. Allowed values are
NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and
NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2
one.
MULTI_QUEUE
If the property is set to TRUE, the interface will support
multiple file descriptors (queues) to parallelize packet
sending or receiving. Otherwise, the interface will only
support a single queue.
OWNER
The user ID which will own the device. If set to NULL everyone
will be able to use the device.
PI
If TRUE the interface will prepend a 4 byte header describing the
physical interface to the packets.
VNET_HDR
If TRUE, the tunnel packets will include a virtio network header
(IFF_VNET_HDR).
USER
General User Profile Settings
DATA
A dictionary of key/value pairs with user data. This data is ignored by NetworkManager
and can be used at the user's discretion. The keys only support a strict ASCII format,
but the values can be arbitrary UTF-8 strings up to a certain length.
VETH
Veth Settings
PEER
This property specifies the peer interface name of the veth. This
property is mandatory.
VLAN
VLAN Settings
EGRESS_PRIORITY_MAP
For outgoing packets, a list of mappings from Linux SKB priorities to
802.1p priorities. The mapping is given in the format "from:to" where
both "from" and "to" are unsigned integers, e.g. "7:3".
FLAGS
One or more flags which control the behavior and features of the VLAN
interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1) (reordering of
output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use of the GVRP protocol),
NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose binding of the interface to its
master device's operating state), and NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP
protocol).
The default value of this property is NM_VLAN_FLAG_REORDER_HEADERS,
but it used to be 0. To preserve backward compatibility, the default-value
in the D-Bus API continues to be 0 and a missing property on D-Bus
is still considered as 0.
ID
The VLAN identifier that the interface created by this connection should
be assigned. The valid range is from 0 to 4094, without the reserved id 4095.
INGRESS_PRIORITY_MAP
For incoming packets, a list of mappings from 802.1p priorities to Linux
SKB priorities. The mapping is given in the format "from:to" where both
"from" and "to" are unsigned integers, e.g. "7:3".
PARENT
If given, specifies the parent interface name or parent connection UUID
from which this VLAN interface should be created. If this property is
not specified, the connection must contain an "802-3-ethernet" setting
with a "mac-address" property.
VPN
VPN Settings
DATA
Dictionary of key/value pairs of VPN plugin specific data. Both keys and
values must be strings.
PERSISTENT
If the VPN service supports persistence, and this property is TRUE,
the VPN will attempt to stay connected across link changes and outages,
until explicitly disconnected.
SECRETS
Dictionary of key/value pairs of VPN plugin specific secrets like
passwords or private keys. Both keys and values must be strings.
SERVICE_TYPE
D-Bus service name of the VPN plugin that this setting uses to connect to
its network, e.g. org.freedesktop.NetworkManager.vpnc for the vpnc
plugin.
TIMEOUT
Timeout for the VPN service to establish the connection. Some services
may take quite a long time to connect.
Value of 0 means a default timeout, which is 60 seconds (unless overridden
by vpn.timeout in configuration file). Values greater than zero mean
timeout in seconds.
USER_NAME
If the VPN connection requires a user name for authentication, that name
should be provided here. If the connection is available to more than one
user, and the VPN requires each user to supply a different name, then
leave this property empty. If this property is empty, NetworkManager
will automatically supply the username of the user which requested the
VPN connection.
VRF
VRF settings
TABLE
The routing table for this VRF.
VXLAN
VXLAN Settings
AGEING
Specifies the lifetime in seconds of FDB entries learnt by the kernel.
DESTINATION_PORT
Specifies the UDP destination port to communicate to the remote VXLAN
tunnel endpoint.
ID
Specifies the VXLAN Network Identifier (or VXLAN Segment Identifier) to
use.
L2_MISS
Specifies whether netlink LL ADDR miss notifications are generated.
L3_MISS
Specifies whether netlink IP ADDR miss notifications are generated.
LEARNING
Specifies whether unknown source link layer addresses and IP addresses
are entered into the VXLAN device forwarding database.
LIMIT
Specifies the maximum number of FDB entries. A value of zero means that
the kernel will store unlimited entries.
LOCAL
If given, specifies the source IP address to use in outgoing packets.
PARENT
If given, specifies the parent interface name or parent connection UUID.
PROXY
Specifies whether ARP proxy is turned on.
REMOTE
Specifies the unicast destination IP address to use in outgoing packets
when the destination link layer address is not known in the VXLAN device
forwarding database, or the multicast IP address to join.
RSC
Specifies whether route short circuit is turned on.
SOURCE_PORT_MAX
Specifies the maximum UDP source port to communicate to the remote VXLAN
tunnel endpoint.
SOURCE_PORT_MIN
Specifies the minimum UDP source port to communicate to the remote VXLAN
tunnel endpoint.
TOS
Specifies the TOS value to use in outgoing packets.
TTL
Specifies the time-to-live value to use in outgoing packets.
WIFI_P2P
Wi-Fi P2P Settings
PEER
The P2P device that should be connected to. Currently, this is the only
way to create or join a group.
WFD_IES
The Wi-Fi Display (WFD) Information Elements (IEs) to set.
Wi-Fi Display requires a protocol specific information element to be
set in certain Wi-Fi frames. These can be specified here for the
purpose of establishing a connection.
This setting is only useful when implementing a Wi-Fi Display client.
WPS_METHOD
Flags indicating which mode of WPS is to be used.
There's little point in changing the default setting as NetworkManager will
automatically determine the best method to use.
WIMAX
WiMax Settings
MAC_ADDRESS
If specified, this connection will only apply to the WiMAX device whose
MAC address matches. This property does not change the MAC address of the
device (known as MAC spoofing). Deprecated: 1
NETWORK_NAME
Network Service Provider (NSP) name of the WiMAX network this connection
should use. Deprecated: 1
WIRED
Wired Ethernet Settings
ACCEPT_ALL_MAC_ADDRESSES
When TRUE, set up the interface to accept packets for all MAC addresses.
This enables the kernel interface flag IFF_PROMISC.
When FALSE, the interface will only accept packets addressed to the
interface's own MAC address or to broadcast.
AUTO_NEGOTIATE
When TRUE, enforce auto-negotiation of speed and duplex mode.
If "speed" and "duplex" properties are both specified, only that
single mode will be advertised and accepted during the link
auto-negotiation process: this works only for BASE-T 802.3 specifications
and is useful for enforcing gigabit modes, as in these cases link
negotiation is mandatory.
When FALSE, "speed" and "duplex" properties should be both set or
link configuration will be skipped.
CLONED_MAC_ADDRESS
If specified, request that the device use this MAC address instead.
This is known as MAC cloning or spoofing.
Besides explicitly specifying a MAC address, the special values "preserve", "permanent",
"random" and "stable" are supported.
"preserve" means not to touch the MAC address on activation.
"permanent" means to use the permanent hardware address if the device
has one (otherwise this is treated as "preserve").
"random" creates a random MAC address on each connect.
"stable" creates a hashed MAC address based on connection.stable-id and a
machine dependent key.
If unspecified, the value can be overwritten via global defaults, see manual
of NetworkManager.conf. If still unspecified, it defaults to "preserve"
(older versions of NetworkManager may use a different default value).
On D-Bus, this field is expressed as "assigned-mac-address" or the deprecated
"cloned-mac-address".
DUPLEX
When a value is set, either "half" or "full", configures the device
to use the specified duplex mode. If "auto-negotiate" is "yes" the
specified duplex mode will be the only one advertised during link
negotiation: this works only for BASE-T 802.3 specifications and is
useful for enforcing gigabit modes, as in these cases link negotiation
is mandatory.
If the value is unset (the default), the link configuration will be
either skipped (if "auto-negotiate" is "no", the default) or will
be auto-negotiated (if "auto-negotiate" is "yes") and the local device
will advertise all the supported duplex modes.
Must be set together with the "speed" property if specified.
Before specifying a duplex mode be sure your device supports it.
GENERATE_MAC_ADDRESS_MASK
With "cloned-mac-address" setting "random" or "stable",
by default all bits of the MAC address are scrambled and a locally-administered,
unicast MAC address is created. This property allows specifying that certain bits
are fixed. Note that the least significant bit of the first octet of the MAC address
will always be unset to create a unicast MAC address.
If the property is NULL, it is eligible to be overwritten by a default
connection setting. If the value is still NULL or an empty string, the
default is to create a locally-administered, unicast MAC address.
If the value contains one MAC address, this address is used as mask. The set
bits of the mask are to be filled with the current MAC address of the device,
while the unset bits are subject to randomization.
Setting "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC address
and only randomize the lower 3 bytes using the "random" or "stable" algorithm.
If the value contains one additional MAC address after the mask,
this address is used instead of the current MAC address to fill the bits
that shall not be randomized. For example, a value of
"FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC address
to 68:F7:28, while the lower bits are randomized. A value of
"02:00:00:00:00:00 00:00:00:00:00:00" will create a fully scrambled
globally-administered, burned-in MAC address.
If the value contains more than one additional MAC address, one of
them is chosen randomly. For example, "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00"
will create a fully scrambled MAC address, randomly locally or globally
administered.
MAC_ADDRESS
If specified, this connection will only apply to the Ethernet device
whose permanent MAC address matches. This property does not change the
MAC address of the device (i.e. MAC spoofing).
MAC_ADDRESS_BLACKLIST
If specified, this connection will never apply to the Ethernet device
whose permanent MAC address matches an address in the list. Each MAC
address is in the standard hex-digits-and-colons notation
(00:11:22:33:44:55).
MTU
If non-zero, only transmit packets of the specified size or smaller,
breaking larger packets up into multiple Ethernet frames.
PORT
Specific port type to use if the device supports multiple
attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment Unit
Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent Interface).
If the device supports only one port type, this setting is ignored.
S390_NETTYPE
s390 network device type; one of "qeth", "lcs", or "ctc", representing
the different types of virtual network devices available on s390 systems.
S390_OPTIONS
Dictionary of key/value pairs of s390-specific device options. Both keys
and values must be strings. Allowed keys include "portno", "layer2",
"portname", "protocol", among others. Key names must contain only
alphanumeric characters (i.e. [a-zA-Z0-9]).
Currently, NetworkManager itself does nothing with this information.
However, s390utils ships a udev rule which parses this information
and applies it to the interface.
S390_SUBCHANNELS
Identifies specific subchannels that this network device uses for
communication with z/VM or s390 host. Like the
"mac-address" property for non-z/VM devices, this property
can be used to ensure this connection only applies to the network device
that uses these subchannels. The list should contain exactly 3 strings,
and each string may only be composed of hexadecimal characters and the
period (.) character.
SPEED
When a value greater than 0 is set, configures the device to use
the specified speed. If "auto-negotiate" is "yes" the specified
speed will be the only one advertised during link negotiation:
this works only for BASE-T 802.3 specifications and is useful for
enforcing gigabit speeds, as in this case link negotiation is
mandatory.
If the value is unset (0, the default), the link configuration will be
either skipped (if "auto-negotiate" is "no", the default) or will
be auto-negotiated (if "auto-negotiate" is "yes") and the local device
will advertise all the supported speeds.
In Mbit/s, i.e. 100 == 100 Mbit/s.
Must be set together with the "duplex" property when non-zero.
Before specifying a speed value be sure your device supports it.
WAKE_ON_LAN
The NMSettingWiredWakeOnLan options to enable. Not all devices support all options.
May be any combination of NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2),
NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4), NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8),
NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10), NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20),
NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values
NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings) and
NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable management of Wake-on-LAN in
NetworkManager).
WAKE_ON_LAN_PASSWORD
If specified, the password used with magic-packet-based
Wake-on-LAN, represented as an Ethernet MAC address. If NULL,
no password will be required.
WIREGUARD
WireGuard Settings
FWMARK
The use of fwmark is optional and is by default off. Setting it to 0
disables it. Otherwise, it is a 32-bit fwmark for outgoing packets.
Note that enabling "ip4-auto-default-route" or "ip6-auto-default-route"
implies that a fwmark is chosen automatically.
IP4_AUTO_DEFAULT_ROUTE
Whether to enable special handling of the IPv4 default route.
If enabled, the IPv4 default route from wireguard.peer-routes
will be placed in a dedicated routing table and two policy routing rules
will be added. The fwmark number is also used as routing-table for the default-route,
and if fwmark is zero, an unused fwmark/table is chosen automatically.
This corresponds to what wg-quick does with Table=auto and what WireGuard
calls "Improved Rule-based Routing".
Note that for this automatism to work, you usually don't want to set
ipv4.gateway, because that will result in a conflicting default route.
Leaving this at the default will enable this option automatically
if ipv4.never-default is not set and there are any peers that use
a default-route as allowed-ips.
IP6_AUTO_DEFAULT_ROUTE
Like ip4-auto-default-route, but for the IPv6 default route.
LISTEN_PORT
The listen-port. If listen-port is not specified, the port will be chosen
randomly when the interface comes up.
MTU
If non-zero, only transmit packets of the specified size or smaller,
breaking larger packets up into multiple fragments.
If zero, a default MTU is used. Note that contrary to wg-quick's MTU
setting, this does not take into account the current routes at the
time of activation.
PEER_ROUTES
Whether to automatically add routes for the AllowedIPs ranges
of the peers. If TRUE (the default), NetworkManager will automatically
add routes in the routing tables according to ipv4.route-table and
ipv6.route-table. Usually you want this automatism enabled.
If FALSE, no such routes are added automatically. In this case, the
user may want to configure static routes in ipv4.routes and ipv6.routes,
respectively.
Note that if the peer's AllowedIPs is "0.0.0.0/0" or "::/0" and the profile's
ipv4.never-default or ipv6.never-default setting is enabled, the peer route for
this peer won't be added automatically.
PRIVATE_KEY
The 256 bit private-key in base64 encoding.
PRIVATE_KEY_FLAGS
Flags indicating how to handle the "private-key"
property.
WIRELESS
Wi-Fi Settings
AP_ISOLATION
Configures AP isolation, which prevents communication between
wireless devices connected to this AP. This property can be set
to a value different from NM_TERNARY_DEFAULT (-1) only when the
interface is configured in AP mode.
If set to NM_TERNARY_TRUE (1), devices are not able to communicate
with each other. This increases security because it protects
devices against attacks from other clients in the network. At
the same time, it prevents devices from accessing resources on the
same wireless network, such as file shares, printers, etc.
If set to NM_TERNARY_FALSE (0), devices can talk to each other.
When set to NM_TERNARY_DEFAULT (-1), the global default is used; in
case the global default is unspecified it is assumed to be
NM_TERNARY_FALSE (0).
BAND
802.11 frequency band of the network. One of "a" for 5GHz 802.11a or
"bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi network
to the specific band, i.e. if "a" is specified, the device will not
associate with the same network in the 2.4GHz band even if the network's
settings are compatible. This setting depends on specific driver
capability and may not work with all drivers.
BSSID
If specified, directs the device to only associate with the given access
point. This capability is highly driver dependent and not supported by
all devices. Note: this property does not control the BSSID used when
creating an Ad-Hoc network and is unlikely to in the future.
CHANNEL
Wireless channel to use for the Wi-Fi connection. The device will only
join (or create for Ad-Hoc networks) a Wi-Fi network on the specified
channel. Because channel numbers overlap between bands, this property
also requires the "band" property to be set.
CLONED_MAC_ADDRESS
If specified, request that the device use this MAC address instead.
This is known as MAC cloning or spoofing.
Besides explicitly specifying a MAC address, the special values "preserve", "permanent",
"random" and "stable" are supported.
"preserve" means not to touch the MAC address on activation.
"permanent" means to use the permanent hardware address of the device.
"random" creates a random MAC address on each connect.
"stable" creates a hashed MAC address based on connection.stable-id and a
machine dependent key.
If unspecified, the value can be overwritten via global defaults, see manual
of NetworkManager.conf. If still unspecified, it defaults to "preserve"
(older versions of NetworkManager may use a different default value).
On D-Bus, this field is expressed as "assigned-mac-address" or the deprecated
"cloned-mac-address".
GENERATE_MAC_ADDRESS_MASK
With "cloned-mac-address" setting "random" or "stable",
by default all bits of the MAC address are scrambled and a locally-administered,
unicast MAC address is created. This property allows specifying that certain bits
are fixed. Note that the least significant bit of the first octet of the MAC address
will always be unset to create a unicast MAC address.
If the property is NULL, it is eligible to be overwritten by a default
connection setting. If the value is still NULL or an empty string, the
default is to create a locally-administered, unicast MAC address.
If the value contains one MAC address, this address is used as mask. The set
bits of the mask are to be filled with the current MAC address of the device,
while the unset bits are subject to randomization.
Setting "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC address
and only randomize the lower 3 bytes using the "random" or "stable" algorithm.
If the value contains one additional MAC address after the mask,
this address is used instead of the current MAC address to fill the bits
that shall not be randomized. For example, a value of
"FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC address
to 68:F7:28, while the lower bits are randomized. A value of
"02:00:00:00:00:00 00:00:00:00:00:00" will create a fully scrambled
globally-administered, burned-in MAC address.
If the value contains more than one additional MAC address, one of
them is chosen randomly. For example, "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00"
will create a fully scrambled MAC address, randomly locally or globally
administered.
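The mask semantics described for "generate-mac-address-mask" (wired and Wi-Fi), modelled as an added Python example that is not NetworkManager's own code. The function names, the injectable rand/choose parameters and the sample addresses are assumptions made for illustration; randomized_bit_count shows how many bits a given mask actually leaves to randomization.

```python
import secrets


def parse_mac(text):
    """Parse hex-digits-and-colons notation into 6 raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def parse_mask(value):
    """Split a mask value into (mask, [fill addresses]); (None, []) if unset."""
    if not value or not value.strip():
        return None, []
    macs = [parse_mac(tok) for tok in value.split()]
    return macs[0], macs[1:]


def generate(value, current_mac, rand=secrets.token_bytes, choose=secrets.choice):
    """Model of 'random' generation under a generate-mac-address-mask value."""
    addr = bytearray(rand(6))
    # Assumption: the locally-administered bit (0x02) is set first, and a mask
    # that covers this bit may then override it from the fill address.
    addr[0] |= 0x02
    mask, fills = parse_mask(value)
    if mask is not None:
        # Extra addresses after the mask replace the current MAC as the source
        # of the fixed bits; with several, one is picked at random.
        fill = choose(fills) if fills else parse_mac(current_mac)
        addr = bytearray((r & ~m & 0xFF) | (f & m)
                         for r, m, f in zip(addr, mask, fill))
    # The least significant bit of the first octet is always cleared (unicast).
    addr[0] &= 0xFE
    return format_mac(addr)


def randomized_bit_count(value):
    """Number of address bits that the mask leaves to randomization."""
    mask, _ = parse_mask(value)
    mask = mask or bytes(6)
    free = sum(bin(~m & 0xFF).count("1") for m in mask)
    # Bits 0 and 1 of the first octet are forced when the mask leaves them unset.
    free -= bin(~mask[0] & 0x03).count("1")
    return free


if __name__ == "__main__":
    current = "68:F7:28:11:22:33"  # constructed sample address
    for value in (None,
                  "FE:FF:FF:00:00:00",
                  "FE:FF:FF:00:00:00 68:F7:28:00:00:00",
                  "02:00:00:00:00:00 00:00:00:00:00:00"):
        print(f"{value!s:40} {randomized_bit_count(value):2d} random bits ->",
              generate(value, current))
```

A mask such as "FE:FF:FF:00:00:00" keeps the vendor OUI visible and leaves only 24 bits of randomness, which matters when the setting is used for privacy.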
HIDDEN
If TRUE, indicates that the network is a non-broadcasting network that
hides its SSID. This works both in infrastructure and AP mode.
In infrastructure mode, various workarounds are used for a more reliable
discovery of hidden networks, such as probe-scanning the SSID. However,
these workarounds expose inherent insecurities with hidden SSID networks,
and thus hidden SSID networks should be used with caution.
In AP mode, the created network does not broadcast its SSID.
Note that marking the network as hidden may be a privacy issue for you
(in infrastructure mode) or client stations (in AP mode), as the explicit
probe-scans are distinctly recognizable on the air.
MAC_ADDRESS
If specified, this connection will only apply to the Wi-Fi device whose
permanent MAC address matches. This property does not change the MAC
address of the device (i.e. MAC spoofing).
MAC_ADDRESS_BLACKLIST
A list of permanent MAC addresses of Wi-Fi devices to which this
connection should never apply. Each MAC address should be given in the
standard hex-digits-and-colons notation (e.g. "00:11:22:33:44:55").
MAC_ADDRESS_RANDOMIZATION
One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize unless
the user has set a global default to randomize and the supplicant
supports randomization), NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never
randomize the MAC address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2)
(always randomize the MAC address). This property is deprecated in favor of
'cloned-mac-address'. Deprecated: 1
MODE
Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or "ap". If blank,
infrastructure is assumed.
MTU
If non-zero, only transmit packets of the specified size or smaller,
breaking larger packets up into multiple Ethernet frames.
POWERSAVE
One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi power
saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable Wi-Fi power
saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1) (don't touch the currently
configured setting) or NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the
globally configured value). All other values are reserved.
RATE
If non-zero, directs the device to only use the specified bitrate for
communication with the access point. Units are in Kb/s, i.e. 5500 = 5.5
Mbit/s. This property is highly driver dependent and not all devices
support setting a static bitrate.
SEEN_BSSIDS
A list of BSSIDs (each BSSID formatted as a MAC address like
"00:11:22:33:44:55") that have been detected as part of the Wi-Fi
network. NetworkManager internally tracks previously seen BSSIDs. The
property is only meant for reading and reflects the BSSID list of
NetworkManager. The changes you make to this property will not be
preserved.
SSID
SSID of the Wi-Fi network. Must be specified.
TX_POWER
If non-zero, directs the device to use the specified transmit power.
Units are dBm. This property is highly driver dependent and not all
devices support setting a static transmit power.
WAKE_ON_WLAN
The NMSettingWirelessWakeOnWLan options to enable. Not all devices support all options.
May be any combination of NM_SETTING_WIRELESS_WAKE_ON_WLAN_ANY (0x2),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_DISCONNECT (0x4),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_MAGIC (0x8),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_GTK_REKEY_FAILURE (0x10),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_EAP_IDENTITY_REQUEST (0x20),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_4WAY_HANDSHAKE (0x40),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_RFKILL_RELEASE (0x80),
NM_SETTING_WIRELESS_WAKE_ON_WLAN_TCP (0x100) or the special values
NM_SETTING_WIRELESS_WAKE_ON_WLAN_DEFAULT (0x1) (to use global settings) and
NM_SETTING_WIRELESS_WAKE_ON_WLAN_IGNORE (0x8000) (to disable management of Wake-on-LAN in
NetworkManager).
WIRELESS_SECURITY
Wi-Fi Security Settings
AUTH_ALG
When WEP is used (i.e. key-mgmt = "none" or "ieee8021x") indicate the
802.11 authentication algorithm required by the AP here. One of "open"
for Open System, "shared" for Shared Key, or "leap" for Cisco LEAP. When
using Cisco LEAP (i.e. key-mgmt = "ieee8021x" and auth-alg = "leap") the
"leap-username" and "leap-password" properties must be specified.
FILS
Indicates whether Fast Initial Link Setup (802.11ai) must be enabled for
the connection. One of NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) (use
global default value), NM_SETTING_WIRELESS_SECURITY_FILS_DISABLE (1)
(disable FILS), NM_SETTING_WIRELESS_SECURITY_FILS_OPTIONAL (2) (enable FILS
if the supplicant and the access point support it) or
NM_SETTING_WIRELESS_SECURITY_FILS_REQUIRED (3) (enable FILS and fail if not
supported). When set to NM_SETTING_WIRELESS_SECURITY_FILS_DEFAULT (0) and
no global default is set, FILS will be optionally enabled.
GROUP
A list of group/broadcast encryption algorithms which prevents
connections to Wi-Fi networks that do not utilize one of the algorithms
in the list. For maximum compatibility leave this property empty. Each
list element may be one of "wep40", "wep104", "tkip", or "ccmp".
KEY_MGMT
Key management used for the connection. One of "none" (WEP or no
password protection), "ieee8021x" (Dynamic WEP), "owe" (Opportunistic
Wireless Encryption), "wpa-psk" (WPA2 + WPA3 personal), "sae" (WPA3
personal only), "wpa-eap" (WPA2 + WPA3 enterprise) or
"wpa-eap-suite-b-192" (WPA3 enterprise only).
This property must be set for any Wi-Fi connection that uses security.
LEAP_PASSWORD
The login password for legacy LEAP connections (i.e. key-mgmt =
"ieee8021x" and auth-alg = "leap").
LEAP_PASSWORD_FLAGS
Flags indicating how to handle the
"leap-password" property.
LEAP_USERNAME
The login username for legacy LEAP connections (i.e. key-mgmt =
"ieee8021x" and auth-alg = "leap").
PAIRWISE
A list of pairwise encryption algorithms which prevents connections to
Wi-Fi networks that do not utilize one of the algorithms in the list.
For maximum compatibility leave this property empty. Each list element
may be one of "tkip" or "ccmp".
PMF
Indicates whether Protected Management Frames (802.11w) must be enabled
for the connection. One of NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0)
(use global default value), NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE (1)
(disable PMF), NM_SETTING_WIRELESS_SECURITY_PMF_OPTIONAL (2) (enable PMF if
the supplicant and the access point support it) or
NM_SETTING_WIRELESS_SECURITY_PMF_REQUIRED (3) (enable PMF and fail if not
supported). When set to NM_SETTING_WIRELESS_SECURITY_PMF_DEFAULT (0) and no
global default is set, PMF will be optionally enabled.
PROTO
List of strings specifying the allowed WPA protocol versions to use.
Each element may be one of "wpa" (allow WPA) or "rsn" (allow WPA2/RSN). If
not specified, both WPA and RSN connections are allowed.
PSK
Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII
passphrase of 8 to 63 characters that is (as specified in the 802.11i
standard) hashed to derive the actual key, or the key in the form of 64
hexadecimal characters. WPA3-Personal networks use a passphrase
of any length for SAE authentication.
PSK_FLAGS
Flags indicating how to handle the "psk"
property.
WEP_KEY_FLAGS
Flags indicating how to handle the "wep-key0",
"wep-key1", "wep-key2",
and "wep-key3" properties.
WEP_KEY_TYPE
Controls the interpretation of WEP keys. Allowed values are
NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or
26-character hexadecimal string, or a 5- or 13-character ASCII password;
or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the passphrase is provided
as a string and will be hashed using the de-facto MD5 method to derive
the actual WEP key.
WEP_KEY0
Index 0 WEP key. This is the WEP key used in most networks. See the
"wep-key-type" property for a description of how this key is interpreted.
WEP_KEY1
Index 1 WEP key. This WEP index is not used by most networks. See the
"wep-key-type" property for a description of how this key is interpreted.
WEP_KEY2
Index 2 WEP key. This WEP index is not used by most networks. See the
"wep-key-type" property for a description of how this key is interpreted.
WEP_KEY3
Index 3 WEP key. This WEP index is not used by most networks. See the
"wep-key-type" property for a description of how this key is interpreted.
WEP_TX_KEYIDX
When static WEP is used (i.e. key-mgmt = "none") and a non-default WEP key
index is used by the AP, put that WEP key index here. Valid values are 0
(default key) through 3. Note that some consumer access points (like the
Linksys WRT54G) number the keys 1 - 4.
WPS_METHOD
Flags indicating which mode of WPS is to be used if any.
There's little point in changing the default setting as NetworkManager will
automatically determine whether it's feasible to start WPS enrollment from
the Access Point capabilities.
WPS can be disabled by setting this property to a value of 1.
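A profile audit built on the Wi-Fi and Wi-Fi security property values documented above, as an added Python example that is not part of NetworkManager or of the generated output. It assumes profiles in keyfile syntax with [wifi] and [wifi-security] sections; the two sample profiles and all function names are constructed for illustration.

```python
import configparser
import re

# Constructed sample profiles in keyfile syntax (assumed format, not from the page).
LEGACY = """\
[wifi]
ssid=lab-legacy
hidden=true

[wifi-security]
key-mgmt=wpa-psk
proto=wpa;rsn;
pairwise=tkip;ccmp;
pmf=1
psk=short
"""

HARDENED = """\
[wifi]
ssid=lab-wpa3

[wifi-security]
key-mgmt=sae
pmf=3
psk=correct horse battery staple
"""

LEGACY_KEY_MGMT = {"none": "WEP or no password protection",
                   "ieee8021x": "Dynamic WEP"}
LEGACY_CIPHERS = {"wep40", "wep104", "tkip"}


def _items(value):
    """Keyfile lists are ';'-separated; an empty value means 'no restriction'."""
    return [v.strip() for v in (value or "").split(";") if v.strip()]


def _psk_ok(psk):
    """WPA-PSK: 8..63 ASCII characters, or exactly 64 hexadecimal characters."""
    if re.fullmatch(r"[0-9A-Fa-f]{64}", psk):
        return True
    return psk.isascii() and 8 <= len(psk) <= 63


def audit(keyfile_text):
    """Return a list of (property, reason) findings for one profile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keyfile_text)
    wifi = cp["wifi"] if cp.has_section("wifi") else {}
    sec = cp["wifi-security"] if cp.has_section("wifi-security") else {}
    out = []

    if str(wifi.get("hidden", "false")).lower() == "true":
        out.append(("hidden", "explicit probe-scans are recognizable on the air"))
    key_mgmt = sec.get("key-mgmt")
    if key_mgmt is None:
        out.append(("key-mgmt", "unset: the connection uses no Wi-Fi security"))
    elif key_mgmt in LEGACY_KEY_MGMT:
        out.append(("key-mgmt", LEGACY_KEY_MGMT[key_mgmt]))
    if sec.get("auth-alg") == "leap":
        out.append(("auth-alg", "legacy Cisco LEAP"))
    if "wpa" in _items(sec.get("proto")):
        out.append(("proto", "original WPA allowed alongside WPA2/RSN"))
    for prop in ("pairwise", "group"):
        legacy = sorted(LEGACY_CIPHERS.intersection(_items(sec.get(prop))))
        if legacy:
            out.append((prop, "legacy ciphers allowed: " + ",".join(legacy)))
    if sec.get("pmf") == "1":
        out.append(("pmf", "Protected Management Frames disabled"))
    psk = sec.get("psk")
    if key_mgmt == "wpa-psk" and psk is not None and not _psk_ok(psk):
        out.append(("psk", "not 8-63 ASCII characters or 64 hex characters"))
    return out


if __name__ == "__main__":
    for name, text in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, audit(text))
```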
WPAN
IEEE 802.15.4 (WPAN) MAC Settings
CHANNEL
IEEE 802.15.4 channel. A positive integer or -1, meaning "do not
set, use whatever the device is already set to".
MAC_ADDRESS
If specified, this connection will only apply to the IEEE 802.15.4 (WPAN)
MAC layer device whose permanent MAC address matches.
PAGE
IEEE 802.15.4 channel page. A positive integer or -1, meaning "do not
set, use whatever the device is already set to".
PAN_ID
IEEE 802.15.4 Personal Area Network (PAN) identifier.
SHORT_ADDRESS
Short IEEE 802.15.4 address to be used within a restricted environment.