nm-settings-dbus
NM-SETTINGS-DBUS(5) Configuration NM-SETTINGS-DBUS(5)
NAME
nm-settings-dbus - Description of settings and properties of NetworkManager connection profiles on the D-Bus APIDESCRIPTION
NetworkManager is based on a concept of connection profiles, sometimes referred to as connections only. These connection profiles contain a network configuration. When NetworkManager
activates a connection profile on a network device the configuration will be applied and an active network connection will be established. Users are free to create as many connection
profiles as they see fit. Thus they are flexible in having various network configurations for different networking needs. The connection profiles are handled by NetworkManager via
settings service and are exported on D-Bus (/org/freedesktop/NetworkManager/Settings/<num> objects). The conceptual objects can be described as follows:
Connection (profile)
A specific, encapsulated, independent group of settings describing all the configuration required to connect to a specific network. It is referred to by a unique identifier called
the UUID. A connection is tied to a one specific device type, but not necessarily a specific hardware device. It is composed of one or more Settings objects.
Setting
A group of related key/value pairs describing a specific piece of a Connection (profile). Settings keys and allowed values are described in the tables below. Keys are also
referred to as properties. Developers can find the setting objects and their properties in the libnm-core sources. Look for the *_class_init functions near the bottom of each
setting source file.
The settings and properties shown in tables below list all available connection configuration options. However, note that not all settings are applicable to all connection types.
NetworkManager provides a command-line tool nmcli that allows direct configuration of the settings and properties according to a connection profile type. nmcli connection editor has
also a built-in describe command that can display description of particular settings and properties of this page.connection setting
General Connection Profile Settings.
┌───────────────────────────────┬──────────────────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ auth-retries │ int32 │ -1 │ The number of retries for the │
│ │ │ │ authentication. Zero means to try │
│ │ │ │ indefinitely; -1 means to use a global │
│ │ │ │ default. If the global default is not │
│ │ │ │ set, the authentication retries for 3 │
│ │ │ │ times before failing the connection. │
│ │ │ │ │
│ │ │ │ Currently, this only applies to 802-1x │
│ │ │ │ authentication. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ autoconnect │ boolean │ TRUE │ Whether or not the connection should │
│ │ │ │ be automatically connected by │
│ │ │ │ NetworkManager when the resources for │
│ │ │ │ the connection are available. TRUE to │
│ │ │ │ automatically activate the connection, │
│ │ │ │ FALSE to require manual intervention │
│ │ │ │ to activate the connection. │
│ │ │ │ │
│ │ │ │ Autoconnect happens when the │
│ │ │ │ circumstances are suitable. That means │
│ │ │ │ for example that the device is │
│ │ │ │ currently managed and not active. │
│ │ │ │ Autoconnect thus never replaces or │
│ │ │ │ competes with an already active │
│ │ │ │ profile. │
│ │ │ │ │
│ │ │ │ Note that autoconnect is not │
│ │ │ │ implemented for VPN profiles. See │
│ │ │ │ "secondaries" as an alternative to │
│ │ │ │ automatically connect VPN profiles. │
│ │ │ │ │
│ │ │ │ If multiple profiles are ready to │
│ │ │ │ autoconnect on the same device, the │
│ │ │ │ one with the better │
│ │ │ │ "connection.autoconnect-priority" is │
│ │ │ │ chosen. If the priorities are equal, │
│ │ │ │ then the most recently connected │
│ │ │ │ profile is activated. If the profiles │
│ │ │ │ were not connected earlier or their │
│ │ │ │ "connection.timestamp" is identical, │
│ │ │ │ the choice is undefined. │
│ │ │ │ │
│ │ │ │ Depending on │
│ │ │ │ "connection.multi-connect", a profile │
│ │ │ │ can (auto)connect only once at a time │
│ │ │ │ or multiple times. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ autoconnect-ports │ int32 │ -1 │ Whether or not ports of this │
│ │ │ │ connection should be automatically │
│ │ │ │ brought up when NetworkManager │
│ │ │ │ activates this connection. This only │
│ │ │ │ has a real effect for controller │
│ │ │ │ connections. The properties │
│ │ │ │ "autoconnect", "autoconnect-priority" │
│ │ │ │ and "autoconnect-retries" are │
│ │ │ │ unrelated to this setting. The │
│ │ │ │ permitted values are: 0: leave port │
│ │ │ │ connections untouched, 1: activate all │
│ │ │ │ the port connections with this │
│ │ │ │ connection, -1: default. If -1 │
│ │ │ │ (default) is set, global │
│ │ │ │ connection.autoconnect-ports is read │
│ │ │ │ to determine the real value. If it is │
│ │ │ │ default as well, this fallbacks to 0. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ autoconnect-priority │ int32 │ 0 │ The autoconnect priority in range -999 │
│ │ │ │ to 999. If the connection is set to │
│ │ │ │ autoconnect, connections with higher │
│ │ │ │ priority will be preferred. The higher │
│ │ │ │ number means higher priority. Defaults │
│ │ │ │ to 0. Note that this property only │
│ │ │ │ matters if there are more than one │
│ │ │ │ candidate profile to select for │
│ │ │ │ autoconnect. In case of equal │
│ │ │ │ priority, the profile used most │
│ │ │ │ recently is chosen. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ autoconnect-retries │ int32 │ -1 │ The number of times a connection │
│ │ │ │ should be tried when autoactivating │
│ │ │ │ before giving up. Zero means forever, │
│ │ │ │ -1 means the global default (4 times │
│ │ │ │ if not overridden). Setting this to 1 │
│ │ │ │ means to try activation only once │
│ │ │ │ before blocking autoconnect. Note that │
│ │ │ │ after a timeout, NetworkManager will │
│ │ │ │ try to autoconnect again. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ autoconnect-slaves │ NMSettingConnectionAutoconnectSlaves │ │ Whether or not ports of this │
│ │ (int32) │ │ connection should be automatically │
│ │ │ │ brought up when NetworkManager │
│ │ │ │ activates this connection. This only │
│ │ │ │ has a real effect for controller │
│ │ │ │ connections. The properties │
│ │ │ │ "autoconnect", "autoconnect-priority" │
│ │ │ │ and "autoconnect-retries" are │
│ │ │ │ unrelated to this setting. The │
│ │ │ │ permitted values are: 0: leave port │
│ │ │ │ connections untouched, 1: activate all │
│ │ │ │ the port connections with this │
│ │ │ │ connection, -1: default. If -1 │
│ │ │ │ (default) is set, global │
│ │ │ │ connection.autoconnect-slaves is read │
│ │ │ │ to determine the real value. If it is │
│ │ │ │ default as well, this fallbacks to 0. │
│ │ │ │ │
│ │ │ │ Deprecated 1.46. Use │
│ │ │ │ "autoconnect-ports" instead, this is │
│ │ │ │ just an alias. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ controller │ string │ │ Interface name of the controller │
│ │ │ │ device or UUID of the controller │
│ │ │ │ connection. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dns-over-tls │ int32 │ -1 │ Whether DNSOverTls (dns-over-tls) is │
│ │ │ │ enabled for the connection. DNSOverTls │
│ │ │ │ is a technology which uses TLS to │
│ │ │ │ encrypt dns traffic. │
│ │ │ │ │
│ │ │ │ The permitted values are: "yes" (2) │
│ │ │ │ use DNSOverTls and disabled fallback, │
│ │ │ │ "opportunistic" (1) use DNSOverTls but │
│ │ │ │ allow fallback to unencrypted │
│ │ │ │ resolution, "no" (0) don't ever use │
│ │ │ │ DNSOverTls. If unspecified "default" │
│ │ │ │ depends on the plugin used. │
│ │ │ │ Systemd-resolved uses global setting. │
│ │ │ │ │
│ │ │ │ This feature requires a plugin which │
│ │ │ │ supports DNSOverTls. Otherwise, the │
│ │ │ │ setting has no effect. One such plugin │
│ │ │ │ is dns-systemd-resolved. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ down-on-poweroff │ int32 │ -1 │ Whether the connection will be brought │
│ │ │ │ down before the system is powered off. │
│ │ │ │ The default value is -1 (default). │
│ │ │ │ When the default value is specified, │
│ │ │ │ then the global value from │
│ │ │ │ NetworkManager configuration is looked │
│ │ │ │ up, if not set, it is considered as 0 │
│ │ │ │ (no). │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ gateway-ping-timeout │ uint32 │ 0 │ If greater than zero, delay success of │
│ │ │ │ IP addressing until either the timeout │
│ │ │ │ is reached, or an IP gateway replies │
│ │ │ │ to a ping. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ id │ string │ │ A human readable unique identifier for │
│ │ │ │ the connection, like "Work Wi-Fi" or │
│ │ │ │ "T-Mobile 3G". │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ interface-name │ string │ │ The name of the network interface this │
│ │ │ │ connection is bound to. If not set, │
│ │ │ │ then the connection can be attached to │
│ │ │ │ any interface of the appropriate type │
│ │ │ │ (subject to restrictions imposed by │
│ │ │ │ other settings). │
│ │ │ │ │
│ │ │ │ For software devices this specifies │
│ │ │ │ the name of the created device. │
│ │ │ │ │
│ │ │ │ For connection types where interface │
│ │ │ │ names cannot easily be made persistent │
│ │ │ │ (e.g. mobile broadband or USB │
│ │ │ │ Ethernet), this property should not be │
│ │ │ │ used. Setting this property restricts │
│ │ │ │ the interfaces a connection can be │
│ │ │ │ used with, and if interface names │
│ │ │ │ change or are reordered the connection │
│ │ │ │ may be applied to the wrong interface. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ ip-ping-addresses │ array of string │ │ The property specifies a list of │
│ │ │ │ target IP addresses for pinging. When │
│ │ │ │ multiple targets are set, │
│ │ │ │ NetworkManager will start multiple │
│ │ │ │ ping processes in parallel. This │
│ │ │ │ property can only be set if │
│ │ │ │ connection.ip-ping-timeout is set. The │
│ │ │ │ ip-ping-timeout is used to delay the │
│ │ │ │ success of IP addressing until either │
│ │ │ │ the specified timeout (in seconds) is │
│ │ │ │ reached, or an target IP address │
│ │ │ │ replies to a ping. Configuring │
│ │ │ │ "ip-ping-addresses" may delay reaching │
│ │ │ │ the systemd's network-online.target │
│ │ │ │ due to waiting for the ping operations │
│ │ │ │ to complete or timeout. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ ip-ping-addresses-require-all │ int32 │ -1 │ The property determines whether it is │
│ │ │ │ sufficient for any ping check to │
│ │ │ │ succeed among "ip-ping-addresses", or │
│ │ │ │ if all ping checks must succeed for │
│ │ │ │ "ip-ping-addresses". │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ ip-ping-timeout │ uint32 │ 0 │ If greater than zero, delay success of │
│ │ │ │ IP addressing until either the │
│ │ │ │ specified timeout (in seconds) is │
│ │ │ │ reached, or a target IP address │
│ │ │ │ replies to a ping. The property │
│ │ │ │ specifies the timeout for the │
│ │ │ │ "ip-ping-addresses". This property is │
│ │ │ │ incompatible with │
│ │ │ │ "gateway-ping-timeout", you cannot set │
│ │ │ │ these two properties at the same time. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ lldp │ int32 │ -1 │ Whether LLDP is enabled for the │
│ │ │ │ connection. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ llmnr │ int32 │ -1 │ Whether Link-Local Multicast Name │
│ │ │ │ Resolution (LLMNR) is enabled for the │
│ │ │ │ connection. LLMNR is a protocol based │
│ │ │ │ on the Domain Name System (DNS) packet │
│ │ │ │ format that allows both IPv4 and IPv6 │
│ │ │ │ hosts to perform name resolution for │
│ │ │ │ hosts on the same local link. │
│ │ │ │ │
│ │ │ │ The permitted values are: "yes" (2) │
│ │ │ │ register hostname and resolving for │
│ │ │ │ the connection, "no" (0) disable LLMNR │
│ │ │ │ for the interface, "resolve" (1) do │
│ │ │ │ not register hostname but allow │
│ │ │ │ resolving of LLMNR host names If │
│ │ │ │ unspecified, "default" ultimately │
│ │ │ │ depends on the DNS plugin (which for │
│ │ │ │ systemd-resolved currently means │
│ │ │ │ "yes"). │
│ │ │ │ │
│ │ │ │ This feature requires a plugin which │
│ │ │ │ supports LLMNR. Otherwise, the setting │
│ │ │ │ has no effect. One such plugin is │
│ │ │ │ dns-systemd-resolved. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ master │ string │ │ Interface name of the controller │
│ │ │ │ device or UUID of the controller │
│ │ │ │ connection. │
│ │ │ │ │
│ │ │ │ Deprecated 1.46. Use "controller" │
│ │ │ │ instead, this is just an alias. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mdns │ int32 │ -1 │ Whether mDNS is enabled for the │
│ │ │ │ connection. │
│ │ │ │ │
│ │ │ │ The permitted values are: "yes" (2) │
│ │ │ │ register hostname and resolving for │
│ │ │ │ the connection, "no" (0) disable mDNS │
│ │ │ │ for the interface, "resolve" (1) do │
│ │ │ │ not register hostname but allow │
│ │ │ │ resolving of mDNS host names and │
│ │ │ │ "default" (-1) to allow lookup of a │
│ │ │ │ global default in NetworkManager.conf. │
│ │ │ │ If unspecified, "default" ultimately │
│ │ │ │ depends on the DNS plugin. │
│ │ │ │ │
│ │ │ │ This feature requires a plugin which │
│ │ │ │ supports mDNS. Otherwise, the setting │
│ │ │ │ has no effect. Currently the only │
│ │ │ │ supported DNS plugin is │
│ │ │ │ systemd-resolved. For │
│ │ │ │ systemd-resolved, the default is │
│ │ │ │ configurable via MulticastDNS= setting │
│ │ │ │ in resolved.conf. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ metered │ NMMetered (int32) │ │ Whether the connection is metered. │
│ │ │ │ │
│ │ │ │ When updating this property on a │
│ │ │ │ currently activated connection, the │
│ │ │ │ change takes effect immediately. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mptcp-flags │ uint32 │ 0 │ Whether to configure MPTCP endpoints │
│ │ │ │ and the address flags. If MPTCP is │
│ │ │ │ enabled in NetworkManager, it will │
│ │ │ │ configure the addresses of the │
│ │ │ │ interface as MPTCP endpoints. Note │
│ │ │ │ that IPv4 loopback addresses │
│ │ │ │ (127.0.0.0/8), IPv4 link local │
│ │ │ │ addresses (169.254.0.0/16), the IPv6 │
│ │ │ │ loopback address (::1), IPv6 link │
│ │ │ │ local addresses (fe80::/10), IPv6 │
│ │ │ │ unique local addresses (ULA, fc00::/7) │
│ │ │ │ and IPv6 privacy extension addresses │
│ │ │ │ (rfc3041, ipv6.ip6-privacy) will be │
│ │ │ │ excluded from being configured as │
│ │ │ │ endpoints. │
│ │ │ │ │
│ │ │ │ If "disabled" (0x1), MPTCP handling │
│ │ │ │ for the interface is disabled and no │
│ │ │ │ endpoints are registered. │
│ │ │ │ │
│ │ │ │ The "enabled" (0x2) flag means that │
│ │ │ │ MPTCP handling is enabled. This flag │
│ │ │ │ can also be implied from the presence │
│ │ │ │ of other flags. │
│ │ │ │ │
│ │ │ │ Even when enabled, MPTCP handling will │
│ │ │ │ by default still be disabled unless │
│ │ │ │ "/proc/sys/net/mptcp/enabled" sysctl │
│ │ │ │ is on. NetworkManager does not change │
│ │ │ │ the sysctl and this is up to the │
│ │ │ │ administrator or distribution. To │
│ │ │ │ configure endpoints even if the sysctl │
│ │ │ │ is disabled, "also-without-sysctl" │
│ │ │ │ (0x4) flag can be used. In that case, │
│ │ │ │ NetworkManager doesn't look at the │
│ │ │ │ sysctl and configures endpoints │
│ │ │ │ regardless. │
│ │ │ │ │
│ │ │ │ Even when enabled, NetworkManager will │
│ │ │ │ only configure MPTCP endpoints for a │
│ │ │ │ certain address family, if there is a │
│ │ │ │ unicast default route (0.0.0.0/0 or │
│ │ │ │ ::/0) in the main routing table. The │
│ │ │ │ flag "also-without-default-route" │
│ │ │ │ (0x8) can override that. │
│ │ │ │ │
│ │ │ │ When MPTCP handling is enabled then │
│ │ │ │ endpoints are configured with the │
│ │ │ │ specified address flags "signal" │
│ │ │ │ (0x10), "subflow" (0x20), "backup" │
│ │ │ │ (0x40), "fullmesh" (0x80). See │
│ │ │ │ ip-mptcp(8) manual for additional │
│ │ │ │ information about the flags. │
│ │ │ │ │
│ │ │ │ If the flags are zero (0x0), the │
│ │ │ │ global connection default from │
│ │ │ │ NetworkManager.conf is honored. If │
│ │ │ │ still unspecified, the fallback is │
│ │ │ │ "enabled,subflow". Note that this │
│ │ │ │ means that MPTCP is by default done │
│ │ │ │ depending on the │
│ │ │ │ "/proc/sys/net/mptcp/enabled" sysctl. │
│ │ │ │ │
│ │ │ │ NetworkManager does not change the │
│ │ │ │ MPTCP limits nor enable MPTCP via │
│ │ │ │ "/proc/sys/net/mptcp/enabled". That is │
│ │ │ │ a host configuration which the admin │
│ │ │ │ can change via sysctl and ip-mptcp. │
│ │ │ │ │
│ │ │ │ Strict reverse path filtering │
│ │ │ │ (rp_filter) breaks many MPTCP use │
│ │ │ │ cases, so when MPTCP handling for IPv4 │
│ │ │ │ addresses on the interface is enabled, │
│ │ │ │ NetworkManager would loosen the strict │
│ │ │ │ reverse path filtering (1) to the │
│ │ │ │ loose setting (2). │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mud-url │ string │ │ If configured, set to a Manufacturer │
│ │ │ │ Usage Description (MUD) URL that │
│ │ │ │ points to manufacturer-recommended │
│ │ │ │ network policies for IoT devices. It │
│ │ │ │ is transmitted as a DHCPv4 or DHCPv6 │
│ │ │ │ option. The value must be a valid URL │
│ │ │ │ starting with "https://". │
│ │ │ │ │
│ │ │ │ The special value "none" is allowed to │
│ │ │ │ indicate that no MUD URL is used. │
│ │ │ │ │
│ │ │ │ If the per-profile value is │
│ │ │ │ unspecified (the default), a global │
│ │ │ │ connection default gets consulted. If │
│ │ │ │ still unspecified, the ultimate │
│ │ │ │ default is "none". │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ multi-connect │ int32 │ 0 │ Specifies whether the profile can be │
│ │ │ │ active multiple times at a particular │
│ │ │ │ moment. The value is of type │
│ │ │ │ NMConnectionMultiConnect. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ permissions │ array of string │ │ An array of strings defining what │
│ │ │ │ access a given user has to this │
│ │ │ │ connection. If this is NULL or empty, │
│ │ │ │ all users are allowed to access this │
│ │ │ │ connection; otherwise users are │
│ │ │ │ allowed if and only if they are in │
│ │ │ │ this list. When this is not empty, │
│ │ │ │ the connection can be active only when │
│ │ │ │ one of the specified users is logged │
│ │ │ │ into an active session. Each entry is │
│ │ │ │ of the form "[type]:[id]:[reserved]"; │
│ │ │ │ for example, "user:dcbw:blah". │
│ │ │ │ │
│ │ │ │ At this time only the "user" [type] is │
│ │ │ │ allowed. Any other values are ignored │
│ │ │ │ and reserved for future use. [id] is │
│ │ │ │ the username that this permission │
│ │ │ │ refers to, which may not contain the │
│ │ │ │ ":" character. Any [reserved] │
│ │ │ │ information present must be ignored │
│ │ │ │ and is reserved for future use. All │
│ │ │ │ of [type], [id], and [reserved] must │
│ │ │ │ be valid UTF-8. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ port-type │ string │ │ Setting name of the device type of │
│ │ │ │ this port's controller connection (eg, │
│ │ │ │ "bond"), or NULL if this connection is │
│ │ │ │ not a port. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ read-only │ boolean │ FALSE │ This property is deprecated and has no │
│ │ │ │ meaning. │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.44.This property is │
│ │ │ │ deprecated and has no meaning. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ secondaries │ array of string │ │ List of connection UUIDs that should │
│ │ │ │ be activated when the base connection │
│ │ │ │ itself is activated. Currently, only │
│ │ │ │ VPN connections are supported. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ slave-type │ string │ │ Setting name of the device type of │
│ │ │ │ this port's controller connection (eg, │
│ │ │ │ "bond"), or NULL if this connection is │
│ │ │ │ not a port. │
│ │ │ │ │
│ │ │ │ Deprecated 1.46. Use "port-type" │
│ │ │ │ instead, this is just an alias. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ stable-id │ string │ │ This represents the identity of the │
│ │ │ │ connection used for various purposes. │
│ │ │ │ It allows to configure multiple │
│ │ │ │ profiles to share the identity. Also, │
│ │ │ │ the stable-id can contain placeholders │
│ │ │ │ that are substituted dynamically and │
│ │ │ │ deterministically depending on the │
│ │ │ │ context. │
│ │ │ │ │
│ │ │ │ The stable-id is used for generating │
│ │ │ │ IPv6 stable private addresses with │
│ │ │ │ ipv6.addr-gen-mode=stable-privacy. It │
│ │ │ │ is also used to seed the generated │
│ │ │ │ cloned MAC address for │
│ │ │ │ ethernet.cloned-mac-address=stable and │
│ │ │ │ wifi.cloned-mac-address=stable. It is │
│ │ │ │ also used to derive the DHCP client │
│ │ │ │ identifier with │
│ │ │ │ ipv4.dhcp-client-id=stable, the DHCPv6 │
│ │ │ │ DUID with │
│ │ │ │ ipv6.dhcp-duid=stable-[llt,ll,uuid] │
│ │ │ │ and the DHCP IAID with │
│ │ │ │ ipv4.iaid=stable and ipv6.iaid=stable. │
│ │ │ │ │
│ │ │ │ Note that depending on the context │
│ │ │ │ where it is used, other parameters are │
│ │ │ │ also seeded into the generation │
│ │ │ │ algorithm. For example, a per-host key │
│ │ │ │ is commonly also included, so that │
│ │ │ │ different systems end up generating │
│ │ │ │ different IDs. Or with │
│ │ │ │ ipv6.addr-gen-mode=stable-privacy, │
│ │ │ │ also the device's name is included, so │
│ │ │ │ that different interfaces yield │
│ │ │ │ different addresses. The per-host key │
│ │ │ │ is the identity of your machine and │
│ │ │ │ stored in │
│ │ │ │ /var/lib/NetworkManager/secret_key. │
│ │ │ │ See NetworkManager(8) manual about the │
│ │ │ │ secret-key and the host identity. │
│ │ │ │ │
│ │ │ │ The '$' character is treated special │
│ │ │ │ to perform dynamic substitutions at │
│ │ │ │ activation time. Currently, supported │
│ │ │ │ are "${CONNECTION}", "${DEVICE}", │
│ │ │ │ "${MAC}", "${NETWORK_SSID}", │
│ │ │ │ "${BOOT}", "${RANDOM}". These │
│ │ │ │ effectively create unique IDs │
│ │ │ │ per-connection, per-device, per-SSID, │
│ │ │ │ per-boot, or every time. The │
│ │ │ │ "${CONNECTION}" uses the profile's │
│ │ │ │ connection.uuid, the "${DEVICE}" uses │
│ │ │ │ the interface name of the device and │
│ │ │ │ "${MAC}" the permanent MAC address of │
│ │ │ │ the device. "${NETWORK_SSID}" uses the │
│ │ │ │ SSID for Wi-Fi networks and falls back │
│ │ │ │ to "${CONNECTION}" on other networks. │
│ │ │ │ Any unrecognized patterns following │
│ │ │ │ '$' are treated verbatim, however are │
│ │ │ │ reserved for future use. You are thus │
│ │ │ │ advised to avoid '$' or escape it as │
│ │ │ │ "$$". For example, set it to │
│ │ │ │ "${CONNECTION}-${BOOT}-${DEVICE}" to │
│ │ │ │ create a unique id for this connection │
│ │ │ │ that changes with every reboot and │
│ │ │ │ differs depending on the interface │
│ │ │ │ where the profile activates. │
│ │ │ │ │
│ │ │ │ If the value is unset, a global │
│ │ │ │ connection default is consulted. If │
│ │ │ │ the value is still unset, the default │
│ │ │ │ is "default${CONNECTION}" go generate │
│ │ │ │ an ID unique per connection profile. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ timestamp │ uint64 │ 0 │ The time, in seconds since the Unix │
│ │ │ │ Epoch, that the connection was last │
│ │ │ │ _successfully_ fully activated. │
│ │ │ │ │
│ │ │ │ NetworkManager updates the connection │
│ │ │ │ timestamp periodically when the │
│ │ │ │ connection is active to ensure that an │
│ │ │ │ active connection has the latest │
│ │ │ │ timestamp. The property is only meant │
│ │ │ │ for reading (changes to this property │
│ │ │ │ will not be preserved). │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ type │ string │ │ Base type of the connection. For │
│ │ │ │ hardware-dependent connections, should │
│ │ │ │ contain the setting name of the │
│ │ │ │ hardware-type specific setting (ie, │
│ │ │ │ "802-3-ethernet" or "802-11-wireless" │
│ │ │ │ or "bluetooth", etc), and for │
│ │ │ │ non-hardware dependent connections │
│ │ │ │ like VPN or otherwise, should contain │
│ │ │ │ the setting name of that setting type │
│ │ │ │ (ie, "vpn" or "bridge", etc). │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ uuid │ string │ │ A universally unique identifier for │
│ │ │ │ the connection, for example generated │
│ │ │ │ with libuuid. It should be assigned │
│ │ │ │ when the connection is created, and │
│ │ │ │ never changed as long as the │
│ │ │ │ connection still applies to the same │
│ │ │ │ network. For example, it should not │
│ │ │ │ be changed when the "id" property or │
│ │ │ │ NMSettingIP4Config changes, but might │
│ │ │ │ need to be re-created when the Wi-Fi │
│ │ │ │ SSID, mobile broadband network │
│ │ │ │ provider, or "type" property changes. │
│ │ │ │ │
│ │ │ │ The UUID must be in the format │
│ │ │ │ "2815492f-7e56-435e-b2e9-246bd7cdc664" │
│ │ │ │ (ie, contains only hexadecimal │
│ │ │ │ characters and "-"). │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wait-activation-delay │ int32 │ -1 │ Time in milliseconds to wait for │
│ │ │ │ connection to be considered activated. │
│ │ │ │ The wait will start after the pre-up │
│ │ │ │ dispatcher event. │
│ │ │ │ │
│ │ │ │ The value 0 means no wait time. The │
│ │ │ │ default value is -1, which currently │
│ │ │ │ has the same meaning as no wait time. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wait-device-timeout │ int32 │ -1 │ Timeout in milliseconds to wait for │
│ │ │ │ device at startup. During boot, │
│ │ │ │ devices may take a while to be │
│ │ │ │ detected by the driver. This property │
│ │ │ │ will cause to delay │
│ │ │ │ NetworkManager-wait-online.service and │
│ │ │ │ nm-online to give the device a chance │
│ │ │ │ to appear. This works by waiting for │
│ │ │ │ the given timeout until a compatible │
│ │ │ │ device for the profile is available │
│ │ │ │ and managed. │
│ │ │ │ │
│ │ │ │ The value 0 means no wait time. The │
│ │ │ │ default value is -1, which currently │
│ │ │ │ has the same meaning as no wait time. │
├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ zone │ string │ │ The trust level of a the connection. │
│ │ │ │ Free form case-insensitive string (for │
│ │ │ │ example "Home", "Work", "Public"). │
│ │ │ │ NULL or unspecified zone means the │
│ │ │ │ connection will be placed in the │
│ │ │ │ default zone as defined by the │
│ │ │ │ firewall. │
│ │ │ │ │
│ │ │ │ When updating this property on a │
│ │ │ │ currently activated connection, the │
│ │ │ │ change takes effect immediately. │
└───────────────────────────────┴──────────────────────────────────────┴───────────────┴────────────────────────────────────────┘6lowpan setting
6LoWPAN Settings.
┌──────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ parent │ string │ │ If given, specifies the parent │
│ │ │ │ interface name or parent connection │
│ │ │ │ UUID from which this 6LowPAN interface │
│ │ │ │ should be created. │
└──────────┴────────────┴───────────────┴────────────────────────────────────────┘802-1x setting
IEEE 802.1x Authentication Settings.
┌───────────────────────────────────┬───────────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ altsubject-matches │ array of string │ │ List of strings to be matched against │
│ │ │ │ the altSubjectName of the certificate │
│ │ │ │ presented by the authentication │
│ │ │ │ server. If the list is empty, no │
│ │ │ │ verification of the server │
│ │ │ │ certificate's altSubjectName is │
│ │ │ │ performed. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ anonymous-identity │ string │ │ Anonymous identity string for EAP │
│ │ │ │ authentication methods. Used as the │
│ │ │ │ unencrypted identity with EAP types │
│ │ │ │ that support different tunneled │
│ │ │ │ identity like EAP-TTLS. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ auth-timeout │ int32 │ 0 │ A timeout for the authentication. Zero │
│ │ │ │ means the global default; if the │
│ │ │ │ global default is not set, the │
│ │ │ │ authentication timeout is 25 seconds. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ ca-cert │ byte array │ │ Contains the CA certificate if used by │
│ │ │ │ the EAP method specified in the "eap" │
│ │ │ │ property. │
│ │ │ │ │
│ │ │ │ Certificate data is specified using a │
│ │ │ │ "scheme"; three are currently │
│ │ │ │ supported: blob, path and pkcs#11 URL. │
│ │ │ │ When using the blob scheme this │
│ │ │ │ property should be set to the │
│ │ │ │ certificate's DER encoded data. When │
│ │ │ │ using the path scheme, this property │
│ │ │ │ should be set to the full UTF-8 │
│ │ │ │ encoded path of the certificate, │
│ │ │ │ prefixed with the string "file://" and │
│ │ │ │ ending with a terminating NUL byte. │
│ │ │ │ This property can be unset even if the │
│ │ │ │ EAP method supports CA certificates, │
│ │ │ │ but this allows man-in-the-middle │
│ │ │ │ attacks and is NOT recommended. │
│ │ │ │ │
│ │ │ │ Note that enabling │
│ │ │ │ NMSetting8021x:system-ca-certs will │
│ │ │ │ override this setting to use the │
│ │ │ │ built-in path, if the built-in path is │
│ │ │ │ not a directory. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ ca-cert-password │ string │ │ The password used to access the CA │
│ │ │ │ certificate stored in "ca-cert" │
│ │ │ │ property. Only makes sense if the │
│ │ │ │ certificate is stored on a PKCS#11 │
│ │ │ │ token that requires a login. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ ca-cert-password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "ca-cert-password" property. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ ca-path │ string │ │ UTF-8 encoded path to a directory │
│ │ │ │ containing PEM or DER formatted │
│ │ │ │ certificates to be added to the │
│ │ │ │ verification chain in addition to the │
│ │ │ │ certificate specified in the "ca-cert" │
│ │ │ │ property. │
│ │ │ │ │
│ │ │ │ If NMSetting8021x:system-ca-certs is │
│ │ │ │ enabled and the built-in CA path is an │
│ │ │ │ existing directory, then this setting │
│ │ │ │ is ignored. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ client-cert │ byte array │ │ Contains the client certificate if │
│ │ │ │ used by the EAP method specified in │
│ │ │ │ the "eap" property. │
│ │ │ │ │
│ │ │ │ Certificate data is specified using a │
│ │ │ │ "scheme"; two are currently supported: │
│ │ │ │ blob and path. When using the blob │
│ │ │ │ scheme (which is backwards compatible │
│ │ │ │ with NM 0.7.x) this property should be │
│ │ │ │ set to the certificate's DER encoded │
│ │ │ │ data. When using the path scheme, this │
│ │ │ │ property should be set to the full │
│ │ │ │ UTF-8 encoded path of the certificate, │
│ │ │ │ prefixed with the string "file://" and │
│ │ │ │ ending with a terminating NUL byte. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ client-cert-password │ string │ │ The password used to access the client │
│ │ │ │ certificate stored in "client-cert" │
│ │ │ │ property. Only makes sense if the │
│ │ │ │ certificate is stored on a PKCS#11 │
│ │ │ │ token that requires a login. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ client-cert-password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "client-cert-password" property. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ domain-match │ string │ │ Constraint for server domain name. If │
│ │ │ │ set, this list of FQDNs is used as a │
│ │ │ │ match requirement for dNSName │
│ │ │ │ element(s) of the certificate │
│ │ │ │ presented by the authentication │
│ │ │ │ server. If a matching dNSName is │
│ │ │ │ found, this constraint is met. If no │
│ │ │ │ dNSName values are present, this │
│ │ │ │ constraint is matched against │
│ │ │ │ SubjectName CN using the same │
│ │ │ │ comparison. Multiple valid FQDNs can │
│ │ │ │ be passed as a ";" delimited list. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ domain-suffix-match │ string │ │ Constraint for server domain name. If │
│ │ │ │ set, this FQDN is used as a suffix │
│ │ │ │ match requirement for dNSName │
│ │ │ │ element(s) of the certificate │
│ │ │ │ presented by the authentication │
│ │ │ │ server. If a matching dNSName is │
│ │ │ │ found, this constraint is met. If no │
│ │ │ │ dNSName values are present, this │
│ │ │ │ constraint is matched against │
│ │ │ │ SubjectName CN using same suffix match │
│ │ │ │ comparison. Since version 1.24, │
│ │ │ │ multiple valid FQDNs can be passed as │
│ │ │ │ a ";" delimited list. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ eap │ array of string │ │ The allowed EAP method to be used when │
│ │ │ │ authenticating to the network with │
│ │ │ │ 802.1x. Valid methods are: "leap", │
│ │ │ │ "md5", "tls", "peap", "ttls", "pwd", │
│ │ │ │ and "fast". Each method requires │
│ │ │ │ different configuration using the │
│ │ │ │ properties of this setting; refer to │
│ │ │ │ wpa_supplicant documentation for the │
│ │ │ │ allowed combinations. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ identity │ string │ │ Identity string for EAP authentication │
│ │ │ │ methods. Often the user's user or │
│ │ │ │ login name. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ openssl-ciphers │ string │ │ Define openssl_ciphers for │
│ │ │ │ wpa_supplicant. Openssl sometimes │
│ │ │ │ moves ciphers among SECLEVELs, thus │
│ │ │ │ compiled-in default value in │
│ │ │ │ wpa_supplicant (as modified by some │
│ │ │ │ linux distributions) sometimes │
│ │ │ │ prevents to connect to old servers │
│ │ │ │ that do not support new protocols. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ optional │ boolean │ FALSE │ Whether the 802.1X authentication is │
│ │ │ │ optional. If TRUE, the activation will │
│ │ │ │ continue even after a timeout or an │
│ │ │ │ authentication failure. Setting the │
│ │ │ │ property to TRUE is currently allowed │
│ │ │ │ only for Ethernet connections. If set │
│ │ │ │ to FALSE, the activation can continue │
│ │ │ │ only after a successful │
│ │ │ │ authentication. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ pac-file │ string │ │ UTF-8 encoded file path containing PAC │
│ │ │ │ for EAP-FAST. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password │ string │ │ UTF-8 encoded password used for EAP │
│ │ │ │ authentication methods. If both the │
│ │ │ │ "password" property and the │
│ │ │ │ "password-raw" property are specified, │
│ │ │ │ "password" is preferred. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "password" property. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password-raw │ byte array │ │ Password used for EAP authentication │
│ │ │ │ methods, given as a byte array to │
│ │ │ │ allow passwords in other encodings │
│ │ │ │ than UTF-8 to be used. If both the │
│ │ │ │ "password" property and the │
│ │ │ │ "password-raw" property are specified, │
│ │ │ │ "password" is preferred. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password-raw-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "password-raw" property. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase1-auth-flags │ uint32 │ 0 │ Specifies authentication flags to use │
│ │ │ │ in "phase 1" outer authentication │
│ │ │ │ using NMSetting8021xAuthFlags options. │
│ │ │ │ The individual TLS versions can be │
│ │ │ │ explicitly disabled. TLS time checks │
│ │ │ │ can be also disabled. If a certain TLS │
│ │ │ │ disable flag is not set, it is up to │
│ │ │ │ the supplicant to allow or forbid it. │
│ │ │ │ The TLS options map to │
│ │ │ │ tls_disable_tlsv1_x and │
│ │ │ │ tls_disable_time_checks settings. See │
│ │ │ │ the wpa_supplicant documentation for │
│ │ │ │ more details. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase1-fast-provisioning │ string │ │ Enables or disables in-line │
│ │ │ │ provisioning of EAP-FAST credentials │
│ │ │ │ when FAST is specified as the EAP │
│ │ │ │ method in the "eap" property. │
│ │ │ │ Recognized values are "0" (disabled), │
│ │ │ │ "1" (allow unauthenticated │
│ │ │ │ provisioning), "2" (allow │
│ │ │ │ authenticated provisioning), and "3" │
│ │ │ │ (allow both authenticated and │
│ │ │ │ unauthenticated provisioning). See │
│ │ │ │ the wpa_supplicant documentation for │
│ │ │ │ more details. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase1-peaplabel │ string │ │ Forces use of the new PEAP label │
│ │ │ │ during key derivation. Some RADIUS │
│ │ │ │ servers may require forcing the new │
│ │ │ │ PEAP label to interoperate with │
│ │ │ │ PEAPv1. Set to "1" to force use of │
│ │ │ │ the new PEAP label. See the │
│ │ │ │ wpa_supplicant documentation for more │
│ │ │ │ details. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase1-peapver │ string │ │ Forces which PEAP version is used when │
│ │ │ │ PEAP is set as the EAP method in the │
│ │ │ │ "eap" property. When unset, the │
│ │ │ │ version reported by the server will be │
│ │ │ │ used. Sometimes when using older │
│ │ │ │ RADIUS servers, it is necessary to │
│ │ │ │ force the client to use a particular │
│ │ │ │ PEAP version. To do so, this property │
│ │ │ │ may be set to "0" or "1" to force that │
│ │ │ │ specific PEAP version. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-altsubject-matches │ array of string │ │ List of strings to be matched against │
│ │ │ │ the altSubjectName of the certificate │
│ │ │ │ presented by the authentication server │
│ │ │ │ during the inner "phase 2" │
│ │ │ │ authentication. If the list is empty, │
│ │ │ │ no verification of the server │
│ │ │ │ certificate's altSubjectName is │
│ │ │ │ performed. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-auth │ string │ │ Specifies the allowed "phase 2" inner │
│ │ │ │ authentication method when an EAP │
│ │ │ │ method that uses an inner TLS tunnel │
│ │ │ │ is specified in the "eap" property. │
│ │ │ │ For TTLS this property selects one of │
│ │ │ │ the supported non-EAP inner methods: │
│ │ │ │ "pap", "chap", "mschap", "mschapv2" │
│ │ │ │ while "phase2-autheap" selects an EAP │
│ │ │ │ inner method. For PEAP this selects │
│ │ │ │ an inner EAP method, one of: "gtc", │
│ │ │ │ "otp", "md5" and "tls". Each "phase 2" │
│ │ │ │ inner method requires specific │
│ │ │ │ parameters for successful │
│ │ │ │ authentication; see the wpa_supplicant │
│ │ │ │ documentation for more details. Both │
│ │ │ │ "phase2-auth" and "phase2-autheap" │
│ │ │ │ cannot be specified. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-autheap │ string │ │ Specifies the allowed "phase 2" inner │
│ │ │ │ EAP-based authentication method when │
│ │ │ │ TTLS is specified in the "eap" │
│ │ │ │ property. Recognized EAP-based "phase │
│ │ │ │ 2" methods are "md5", "mschapv2", │
│ │ │ │ "otp", "gtc", and "tls". Each "phase │
│ │ │ │ 2" inner method requires specific │
│ │ │ │ parameters for successful │
│ │ │ │ authentication; see the wpa_supplicant │
│ │ │ │ documentation for more details. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-ca-cert │ byte array │ │ Contains the "phase 2" CA certificate │
│ │ │ │ if used by the EAP method specified in │
│ │ │ │ the "phase2-auth" or "phase2-autheap" │
│ │ │ │ properties. │
│ │ │ │ │
│ │ │ │ Certificate data is specified using a │
│ │ │ │ "scheme"; three are currently │
│ │ │ │ supported: blob, path and pkcs#11 URL. │
│ │ │ │ When using the blob scheme this │
│ │ │ │ property should be set to the │
│ │ │ │ certificate's DER encoded data. When │
│ │ │ │ using the path scheme, this property │
│ │ │ │ should be set to the full UTF-8 │
│ │ │ │ encoded path of the certificate, │
│ │ │ │ prefixed with the string "file://" and │
│ │ │ │ ending with a terminating NUL byte. │
│ │ │ │ This property can be unset even if the │
│ │ │ │ EAP method supports CA certificates, │
│ │ │ │ but this allows man-in-the-middle │
│ │ │ │ attacks and is NOT recommended. │
│ │ │ │ │
│ │ │ │ Note that enabling │
│ │ │ │ NMSetting8021x:system-ca-certs will │
│ │ │ │ override this setting to use the │
│ │ │ │ built-in path, if the built-in path is │
│ │ │ │ not a directory. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-ca-cert-password │ string │ │ The password used to access the │
│ │ │ │ "phase2" CA certificate stored in │
│ │ │ │ "phase2-ca-cert" property. Only makes │
│ │ │ │ sense if the certificate is stored on │
│ │ │ │ a PKCS#11 token that requires a login. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-ca-cert-password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "phase2-ca-cert-password" property. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-ca-path │ string │ │ UTF-8 encoded path to a directory │
│ │ │ │ containing PEM or DER formatted │
│ │ │ │ certificates to be added to the │
│ │ │ │ verification chain in addition to the │
│ │ │ │ certificate specified in the │
│ │ │ │ "phase2-ca-cert" property. │
│ │ │ │ │
│ │ │ │ If NMSetting8021x:system-ca-certs is │
│ │ │ │ enabled and the built-in CA path is an │
│ │ │ │ existing directory, then this setting │
│ │ │ │ is ignored. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-client-cert │ byte array │ │ Contains the "phase 2" client │
│ │ │ │ certificate if used by the EAP method │
│ │ │ │ specified in the "phase2-auth" or │
│ │ │ │ "phase2-autheap" properties. │
│ │ │ │ │
│ │ │ │ Certificate data is specified using a │
│ │ │ │ "scheme"; two are currently supported: │
│ │ │ │ blob and path. When using the blob │
│ │ │ │ scheme (which is backwards compatible │
│ │ │ │ with NM 0.7.x) this property should be │
│ │ │ │ set to the certificate's DER encoded │
│ │ │ │ data. When using the path scheme, this │
│ │ │ │ property should be set to the full │
│ │ │ │ UTF-8 encoded path of the certificate, │
│ │ │ │ prefixed with the string "file://" and │
│ │ │ │ ending with a terminating NUL byte. │
│ │ │ │ This property can be unset even if the │
│ │ │ │ EAP method supports CA certificates, │
│ │ │ │ but this allows man-in-the-middle │
│ │ │ │ attacks and is NOT recommended. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-client-cert-password │ string │ │ The password used to access the │
│ │ │ │ "phase2" client certificate stored in │
│ │ │ │ "phase2-client-cert" property. Only │
│ │ │ │ makes sense if the certificate is │
│ │ │ │ stored on a PKCS#11 token that │
│ │ │ │ requires a login. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-client-cert-password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "phase2-client-cert-password" │
│ │ │ │ property. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-domain-match │ string │ │ Constraint for server domain name. If │
│ │ │ │ set, this list of FQDNs is used as a │
│ │ │ │ match requirement for dNSName │
│ │ │ │ element(s) of the certificate │
│ │ │ │ presented by the authentication server │
│ │ │ │ during the inner "phase 2" │
│ │ │ │ authentication. If a matching dNSName │
│ │ │ │ is found, this constraint is met. If │
│ │ │ │ no dNSName values are present, this │
│ │ │ │ constraint is matched against │
│ │ │ │ SubjectName CN using the same │
│ │ │ │ comparison. Multiple valid FQDNs can │
│ │ │ │ be passed as a ";" delimited list. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-domain-suffix-match │ string │ │ Constraint for server domain name. If │
│ │ │ │ set, this FQDN is used as a suffix │
│ │ │ │ match requirement for dNSName │
│ │ │ │ element(s) of the certificate │
│ │ │ │ presented by the authentication server │
│ │ │ │ during the inner "phase 2" │
│ │ │ │ authentication. If a matching dNSName │
│ │ │ │ is found, this constraint is met. If │
│ │ │ │ no dNSName values are present, this │
│ │ │ │ constraint is matched against │
│ │ │ │ SubjectName CN using same suffix match │
│ │ │ │ comparison. Since version 1.24, │
│ │ │ │ multiple valid FQDNs can be passed as │
│ │ │ │ a ";" delimited list. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-private-key │ byte array │ │ Contains the "phase 2" inner private │
│ │ │ │ key when the "phase2-auth" or │
│ │ │ │ "phase2-autheap" property is set to │
│ │ │ │ "tls". │
│ │ │ │ │
│ │ │ │ Key data is specified using a │
│ │ │ │ "scheme"; two are currently supported: │
│ │ │ │ blob and path. When using the blob │
│ │ │ │ scheme and private keys, this property │
│ │ │ │ should be set to the key's encrypted │
│ │ │ │ PEM encoded data. When using private │
│ │ │ │ keys with the path scheme, this │
│ │ │ │ property should be set to the full │
│ │ │ │ UTF-8 encoded path of the key, │
│ │ │ │ prefixed with the string "file://" and │
│ │ │ │ ending with a terminating NUL byte. │
│ │ │ │ When using PKCS#12 format private keys │
│ │ │ │ and the blob scheme, this property │
│ │ │ │ should be set to the PKCS#12 data and │
│ │ │ │ the "phase2-private-key-password" │
│ │ │ │ property must be set to password used │
│ │ │ │ to decrypt the PKCS#12 certificate and │
│ │ │ │ key. When using PKCS#12 files and the │
│ │ │ │ path scheme, this property should be │
│ │ │ │ set to the full UTF-8 encoded path of │
│ │ │ │ the key, prefixed with the string │
│ │ │ │ "file://" and ending with a │
│ │ │ │ terminating NUL byte, and as with the │
│ │ │ │ blob scheme the │
│ │ │ │ "phase2-private-key-password" property │
│ │ │ │ must be set to the password used to │
│ │ │ │ decode the PKCS#12 private key and │
│ │ │ │ certificate. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-private-key-password │ string │ │ The password used to decrypt the │
│ │ │ │ "phase 2" private key specified in the │
│ │ │ │ "phase2-private-key" property when the │
│ │ │ │ private key either uses the path │
│ │ │ │ scheme, or is a PKCS#12 format key. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-private-key-password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "phase2-private-key-password" │
│ │ │ │ property. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ phase2-subject-match │ string │ │ Substring to be matched against the │
│ │ │ │ subject of the certificate presented │
│ │ │ │ by the authentication server during │
│ │ │ │ the inner "phase 2" authentication. │
│ │ │ │ When unset, no verification of the │
│ │ │ │ authentication server certificate's │
│ │ │ │ subject is performed. This property │
│ │ │ │ provides little security, if any, and │
│ │ │ │ should not be used. │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.2.Use │
│ │ │ │ "phase2-domain-suffix-match" instead. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ pin │ string │ │ PIN used for EAP authentication │
│ │ │ │ methods. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ pin-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "pin" property. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ private-key │ byte array │ │ Contains the private key when the │
│ │ │ │ "eap" property is set to "tls". │
│ │ │ │ │
│ │ │ │ Key data is specified using a │
│ │ │ │ "scheme"; two are currently supported: │
│ │ │ │ blob and path. When using the blob │
│ │ │ │ scheme and private keys, this property │
│ │ │ │ should be set to the key's encrypted │
│ │ │ │ PEM encoded data. When using private │
│ │ │ │ keys with the path scheme, this │
│ │ │ │ property should be set to the full │
│ │ │ │ UTF-8 encoded path of the key, │
│ │ │ │ prefixed with the string "file://" and │
│ │ │ │ ending with a terminating NUL byte. │
│ │ │ │ When using PKCS#12 format private keys │
│ │ │ │ and the blob scheme, this property │
│ │ │ │ should be set to the PKCS#12 data and │
│ │ │ │ the "private-key-password" property │
│ │ │ │ must be set to password used to │
│ │ │ │ decrypt the PKCS#12 certificate and │
│ │ │ │ key. When using PKCS#12 files and the │
│ │ │ │ path scheme, this property should be │
│ │ │ │ set to the full UTF-8 encoded path of │
│ │ │ │ the key, prefixed with the string │
│ │ │ │ "file://" and ending with a │
│ │ │ │ terminating NUL byte, and as with the │
│ │ │ │ blob scheme the "private-key-password" │
│ │ │ │ property must be set to the password │
│ │ │ │ used to decode the PKCS#12 private key │
│ │ │ │ and certificate. │
│ │ │ │ │
│ │ │ │ WARNING: "private-key" is not a │
│ │ │ │ "secret" property, and thus │
│ │ │ │ unencrypted private key data using the │
│ │ │ │ BLOB scheme may be readable by │
│ │ │ │ unprivileged users. Private keys │
│ │ │ │ should always be encrypted with a │
│ │ │ │ private key password to prevent │
│ │ │ │ unauthorized access to unencrypted │
│ │ │ │ private key data. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ private-key-password │ string │ │ The password used to decrypt the │
│ │ │ │ private key specified in the │
│ │ │ │ "private-key" property when the │
│ │ │ │ private key either uses the path │
│ │ │ │ scheme, or if the private key is a │
│ │ │ │ PKCS#12 format key. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ private-key-password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "private-key-password" property. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ subject-match │ string │ │ Substring to be matched against the │
│ │ │ │ subject of the certificate presented │
│ │ │ │ by the authentication server. When │
│ │ │ │ unset, no verification of the │
│ │ │ │ authentication server certificate's │
│ │ │ │ subject is performed. This property │
│ │ │ │ provides little security, if any, and │
│ │ │ │ should not be used. │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.2.Use │
│ │ │ │ "phase2-domain-suffix-match" instead. │
├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ system-ca-certs │ boolean │ FALSE │ When TRUE, overrides the "ca-path" and │
│ │ │ │ "phase2-ca-path" properties using the │
│ │ │ │ system CA directory specified at │
│ │ │ │ configure time with the │
│ │ │ │ --system-ca-path switch. The │
│ │ │ │ certificates in this directory are │
│ │ │ │ added to the verification chain in │
│ │ │ │ addition to any certificates specified │
│ │ │ │ by the "ca-cert" and "phase2-ca-cert" │
│ │ │ │ properties. If the path provided with │
│ │ │ │ --system-ca-path is rather a file name │
│ │ │ │ (bundle of trusted CA certificates), │
│ │ │ │ it overrides "ca-cert" and │
│ │ │ │ "phase2-ca-cert" properties instead │
│ │ │ │ (sets ca_cert/ca_cert2 options for │
│ │ │ │ wpa_supplicant). │
└───────────────────────────────────┴───────────────────────────────┴───────────────┴────────────────────────────────────────┘adsl setting
ADSL Settings.
┌────────────────┬───────────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ encapsulation │ string │ │ Encapsulation of ADSL connection. Can │
│ │ │ │ be "vcmux" or "llc". │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password │ string │ │ Password used to authenticate with the │
│ │ │ │ ADSL service. │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "password" property. │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ protocol │ string │ │ ADSL connection protocol. Can be │
│ │ │ │ "pppoa", "pppoe" or "ipoatm". │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ username │ string │ │ Username used to authenticate with the │
│ │ │ │ ADSL service. │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ vci │ uint32 │ 0 │ VCI of ADSL connection │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ vpi │ uint32 │ 0 │ VPI of ADSL connection │
└────────────────┴───────────────────────────────┴───────────────┴────────────────────────────────────────┘bluetooth setting
Bluetooth Settings.
┌──────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ bdaddr │ byte array │ │ The Bluetooth address of the device. │
├──────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ type │ string │ │ Either "dun" for Dial-Up Networking │
│ │ │ │ connections or "panu" for Personal │
│ │ │ │ Area Networking connections to devices │
│ │ │ │ supporting the NAP profile. │
└──────────┴────────────┴───────────────┴────────────────────────────────────────┘bond setting
Bonding Settings.
┌────────────────┬──────────────────────────┬────────────────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────────┼──────────────────────────┼────────────────────────┼────────────────────────────────────────┤
│ interface-name │ string │ │ Deprecated in favor of │
│ │ │ │ connection.interface-name, but can be │
│ │ │ │ used for backward-compatibility with │
│ │ │ │ older daemons, to set the bond's │
│ │ │ │ interface name. │
├────────────────┼──────────────────────────┼────────────────────────┼────────────────────────────────────────┤
│ options │ dict of string to string │ {'mode': 'balance-rr'} │ Dictionary of key/value pairs of │
│ │ │ │ bonding options. Both keys and values │
│ │ │ │ must be strings. Option names must │
│ │ │ │ contain only alphanumeric characters │
│ │ │ │ (ie, [a-zA-Z0-9]). │
└────────────────┴──────────────────────────┴────────────────────────┴────────────────────────────────────────┘bridge setting
Bridging Settings.
┌───────────────────────────────────┬──────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ ageing-time │ uint32 │ 300 │ The Ethernet MAC address aging time, │
│ │ │ │ in seconds. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ forward-delay │ uint32 │ 15 │ The Spanning Tree Protocol (STP) │
│ │ │ │ forwarding delay, in seconds. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ group-address │ byte array │ │ If specified, The MAC address of the │
│ │ │ │ multicast group this bridge uses for │
│ │ │ │ STP. │
│ │ │ │ │
│ │ │ │ The address must be a link-local │
│ │ │ │ address in standard Ethernet MAC │
│ │ │ │ address format, ie an address of the │
│ │ │ │ form 01:80:C2:00:00:0X, with X in [0, │
│ │ │ │ 4..F]. If not specified the default │
│ │ │ │ value is 01:80:C2:00:00:00. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ group-forward-mask │ uint32 │ 0 │ A mask of group addresses to forward. │
│ │ │ │ Usually, group addresses in the range │
│ │ │ │ from 01:80:C2:00:00:00 to │
│ │ │ │ 01:80:C2:00:00:0F are not forwarded │
│ │ │ │ according to standards. This property │
│ │ │ │ is a mask of 16 bits, each │
│ │ │ │ corresponding to a group address in │
│ │ │ │ that range that must be forwarded. The │
│ │ │ │ mask can't have bits 0, 1 or 2 set │
│ │ │ │ because they are used for STP, MAC │
│ │ │ │ pause frames and LACP. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ hello-time │ uint32 │ 2 │ The Spanning Tree Protocol (STP) hello │
│ │ │ │ time, in seconds. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ interface-name │ string │ │ Deprecated in favor of │
│ │ │ │ connection.interface-name, but can be │
│ │ │ │ used for backward-compatibility with │
│ │ │ │ older daemons, to set the bridge's │
│ │ │ │ interface name. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ mac-address │ byte array │ │ If specified, the MAC address of │
│ │ │ │ bridge. When creating a new bridge, │
│ │ │ │ this MAC address will be set. │
│ │ │ │ │
│ │ │ │ If this field is left unspecified, the │
│ │ │ │ "ethernet.cloned-mac-address" is │
│ │ │ │ referred instead to generate the │
│ │ │ │ initial MAC address. Note that setting │
│ │ │ │ "ethernet.cloned-mac-address" anyway │
│ │ │ │ overwrites the MAC address of the │
│ │ │ │ bridge later while activating the │
│ │ │ │ bridge. │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.12.Use the │
│ │ │ │ "cloned-mac-address" property instead. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ max-age │ uint32 │ 20 │ The Spanning Tree Protocol (STP) │
│ │ │ │ maximum message age, in seconds. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-hash-max │ uint32 │ 4096 │ Set maximum size of multicast hash │
│ │ │ │ table (value must be a power of 2). │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-last-member-count │ uint32 │ 2 │ Set the number of queries the bridge │
│ │ │ │ will send before stopping forwarding a │
│ │ │ │ multicast group after a "leave" │
│ │ │ │ message has been received. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-last-member-interval │ uint64 │ 100 │ Set interval (in deciseconds) between │
│ │ │ │ queries to find remaining members of a │
│ │ │ │ group, after a "leave" message is │
│ │ │ │ received. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-membership-interval │ uint64 │ 26000 │ Set delay (in deciseconds) after which │
│ │ │ │ the bridge will leave a group, if no │
│ │ │ │ membership reports for this group are │
│ │ │ │ received. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-querier │ boolean │ FALSE │ Enable or disable sending of multicast │
│ │ │ │ queries by the bridge. If not │
│ │ │ │ specified the option is disabled. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-querier-interval │ uint64 │ 25500 │ If no queries are seen after this │
│ │ │ │ delay (in deciseconds) has passed, the │
│ │ │ │ bridge will start to send its own │
│ │ │ │ queries. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-query-interval │ uint64 │ 12500 │ Interval (in deciseconds) between │
│ │ │ │ queries sent by the bridge after the │
│ │ │ │ end of the startup phase. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-query-response-interval │ uint64 │ 1000 │ Set the Max Response Time/Max Response │
│ │ │ │ Delay (in deciseconds) for IGMP/MLD │
│ │ │ │ queries sent by the bridge. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-query-use-ifaddr │ boolean │ FALSE │ If enabled the bridge's own IP address │
│ │ │ │ is used as the source address for IGMP │
│ │ │ │ queries otherwise the default of │
│ │ │ │ 0.0.0.0 is used. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-router │ string │ │ Sets bridge's multicast router. │
│ │ │ │ Multicast-snooping must be enabled for │
│ │ │ │ this option to work. │
│ │ │ │ │
│ │ │ │ Supported values are: 'auto', │
│ │ │ │ 'disabled', 'enabled' to which kernel │
│ │ │ │ assigns the numbers 1, 0, and 2, │
│ │ │ │ respectively. If not specified the │
│ │ │ │ default value is 'auto' (1). │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-snooping │ boolean │ TRUE │ Controls whether IGMP snooping is │
│ │ │ │ enabled for this bridge. Note that if │
│ │ │ │ snooping was automatically disabled │
│ │ │ │ due to hash collisions, the system may │
│ │ │ │ refuse to enable the feature until the │
│ │ │ │ collisions are resolved. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-startup-query-count │ uint32 │ 2 │ Set the number of IGMP queries to send │
│ │ │ │ during startup phase. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ multicast-startup-query-interval │ uint64 │ 3125 │ Sets the time (in deciseconds) between │
│ │ │ │ queries sent out at startup to │
│ │ │ │ determine membership information. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ priority │ uint32 │ 32768 │ Sets the Spanning Tree Protocol (STP) │
│ │ │ │ priority for this bridge. Lower │
│ │ │ │ values are "better"; the lowest │
│ │ │ │ priority bridge will be elected the │
│ │ │ │ root bridge. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ stp │ boolean │ TRUE │ Controls whether Spanning Tree │
│ │ │ │ Protocol (STP) is enabled for this │
│ │ │ │ bridge. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ vlan-default-pvid │ uint32 │ 1 │ The default PVID for the ports of the │
│ │ │ │ bridge, that is the VLAN id assigned │
│ │ │ │ to incoming untagged frames. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ vlan-filtering │ boolean │ FALSE │ Control whether VLAN filtering is │
│ │ │ │ enabled on the bridge. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ vlan-protocol │ string │ │ If specified, the protocol used for │
│ │ │ │ VLAN filtering. │
│ │ │ │ │
│ │ │ │ Supported values are: '802.1Q', │
│ │ │ │ '802.1ad'. If not specified the │
│ │ │ │ default value is '802.1Q'. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ vlan-stats-enabled │ boolean │ FALSE │ Controls whether per-VLAN stats │
│ │ │ │ accounting is enabled. │
├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ vlans │ array of vardict │ │ Array of bridge VLAN objects. In │
│ │ │ │ addition to the VLANs specified here, │
│ │ │ │ the bridge will also have the │
│ │ │ │ default-pvid VLAN configured by the │
│ │ │ │ bridge.vlan-default-pvid property. │
│ │ │ │ │
│ │ │ │ In nmcli the VLAN list can be │
│ │ │ │ specified with the following syntax: │
│ │ │ │ │
│ │ │ │ $vid [pvid] [untagged] [, $vid [pvid] │
│ │ │ │ [untagged]]... │
│ │ │ │ │
│ │ │ │ where $vid is either a single id │
│ │ │ │ between 1 and 4094 or a range, │
│ │ │ │ represented as a couple of ids │
│ │ │ │ separated by a dash. │
└───────────────────────────────────┴──────────────────┴───────────────┴────────────────────────────────────────┘bridge-port setting
Bridge Port Settings.
┌──────────────┬──────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ hairpin-mode │ boolean │ FALSE │ Enables or disables "hairpin mode" for │
│ │ │ │ the port, which allows frames to be │
│ │ │ │ sent back out through the port the │
│ │ │ │ frame was received on. │
├──────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ path-cost │ uint32 │ 100 │ The Spanning Tree Protocol (STP) port │
│ │ │ │ cost for destinations via this port. │
├──────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ priority │ uint32 │ 32 │ The Spanning Tree Protocol (STP) │
│ │ │ │ priority of this bridge port. │
├──────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ vlans │ array of vardict │ │ Array of bridge VLAN objects. In │
│ │ │ │ addition to the VLANs specified here, │
│ │ │ │ the port will also have the │
│ │ │ │ default-pvid VLAN configured on the │
│ │ │ │ bridge by the bridge.vlan-default-pvid │
│ │ │ │ property. │
│ │ │ │ │
│ │ │ │ In nmcli the VLAN list can be │
│ │ │ │ specified with the following syntax: │
│ │ │ │ │
│ │ │ │ $vid [pvid] [untagged] [, $vid [pvid] │
│ │ │ │ [untagged]]... │
│ │ │ │ │
│ │ │ │ where $vid is either a single id │
│ │ │ │ between 1 and 4094 or a range, │
│ │ │ │ represented as a couple of ids │
│ │ │ │ separated by a dash. │
└──────────────┴──────────────────┴───────────────┴────────────────────────────────────────┘cdma setting
CDMA-based Mobile Broadband Settings.
┌────────────────┬───────────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mtu │ uint32 │ 0 │ If non-zero, only transmit packets of │
│ │ │ │ the specified size or smaller, │
│ │ │ │ breaking larger packets up into │
│ │ │ │ multiple frames. │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ number │ string │ │ The number to dial to establish the │
│ │ │ │ connection to the CDMA-based mobile │
│ │ │ │ broadband network, if any. If not │
│ │ │ │ specified, the default number (#777) │
│ │ │ │ is used when required. │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password │ string │ │ The password used to authenticate with │
│ │ │ │ the network, if required. Many │
│ │ │ │ providers do not require a password, │
│ │ │ │ or accept any password. But if a │
│ │ │ │ password is required, it is specified │
│ │ │ │ here. │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "password" property. │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ username │ string │ │ The username used to authenticate with │
│ │ │ │ the network, if required. Many │
│ │ │ │ providers do not require a username, │
│ │ │ │ or accept any username. But if a │
│ │ │ │ username is required, it is specified │
│ │ │ │ here. │
└────────────────┴───────────────────────────────┴───────────────┴────────────────────────────────────────┘dcb setting
Data Center Bridging Settings.
┌─────────────────────────────┬────────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ app-fcoe-flags │ NMSettingDcbFlags (uint32) │ │ Specifies the NMSettingDcbFlags for │
│ │ │ │ the DCB FCoE application. Flags may │
│ │ │ │ be any combination of 0x1 (enable), │
│ │ │ │ 0x2 (advertise), and 0x4 (willing). │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ app-fcoe-mode │ string │ │ The FCoE controller mode; either │
│ │ │ │ "fabric" or "vn2vn". │
│ │ │ │ │
│ │ │ │ Since 1.34, NULL is the default and │
│ │ │ │ means "fabric". Before 1.34, NULL was │
│ │ │ │ rejected as invalid and the default │
│ │ │ │ was "fabric". │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ app-fcoe-priority │ int32 │ -1 │ The highest User Priority (0 - 7) │
│ │ │ │ which FCoE frames should use, or -1 │
│ │ │ │ for default priority. Only used when │
│ │ │ │ the "app-fcoe-flags" property includes │
│ │ │ │ the 0x1 (enable) flag. │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ app-fip-flags │ NMSettingDcbFlags (uint32) │ │ Specifies the NMSettingDcbFlags for │
│ │ │ │ the DCB FIP application. Flags may be │
│ │ │ │ any combination of 0x1 (enable), 0x2 │
│ │ │ │ (advertise), and 0x4 (willing). │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ app-fip-priority │ int32 │ -1 │ The highest User Priority (0 - 7) │
│ │ │ │ which FIP frames should use, or -1 for │
│ │ │ │ default priority. Only used when the │
│ │ │ │ "app-fip-flags" property includes the │
│ │ │ │ 0x1 (enable) flag. │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ app-iscsi-flags │ NMSettingDcbFlags (uint32) │ │ Specifies the NMSettingDcbFlags for │
│ │ │ │ the DCB iSCSI application. Flags may │
│ │ │ │ be any combination of 0x1 (enable), │
│ │ │ │ 0x2 (advertise), and 0x4 (willing). │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ app-iscsi-priority │ int32 │ -1 │ The highest User Priority (0 - 7) │
│ │ │ │ which iSCSI frames should use, or -1 │
│ │ │ │ for default priority. Only used when │
│ │ │ │ the "app-iscsi-flags" property │
│ │ │ │ includes the 0x1 (enable) flag. │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ priority-bandwidth │ array of uint32 │ │ An array of 8 uint values, where the │
│ │ │ │ array index corresponds to the User │
│ │ │ │ Priority (0 - 7) and the value │
│ │ │ │ indicates the percentage of bandwidth │
│ │ │ │ of the priority's assigned group that │
│ │ │ │ the priority may use. The sum of all │
│ │ │ │ percentages for priorities which │
│ │ │ │ belong to the same group must total │
│ │ │ │ 100 percents. │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ priority-flow-control │ array of uint32 │ │ An array of 8 boolean values, where │
│ │ │ │ the array index corresponds to the │
│ │ │ │ User Priority (0 - 7) and the value │
│ │ │ │ indicates whether or not the │
│ │ │ │ corresponding priority should transmit │
│ │ │ │ priority pause. │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ priority-flow-control-flags │ NMSettingDcbFlags (uint32) │ │ Specifies the NMSettingDcbFlags for │
│ │ │ │ DCB Priority Flow Control (PFC). Flags │
│ │ │ │ may be any combination of 0x1 │
│ │ │ │ (enable), 0x2 (advertise), and 0x4 │
│ │ │ │ (willing). │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ priority-group-bandwidth │ array of uint32 │ │ An array of 8 uint values, where the │
│ │ │ │ array index corresponds to the │
│ │ │ │ Priority Group ID (0 - 7) and the │
│ │ │ │ value indicates the percentage of link │
│ │ │ │ bandwidth allocated to that group. │
│ │ │ │ Allowed values are 0 - 100, and the │
│ │ │ │ sum of all values must total 100 │
│ │ │ │ percents. │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ priority-group-flags │ NMSettingDcbFlags (uint32) │ │ Specifies the NMSettingDcbFlags for │
│ │ │ │ DCB Priority Groups. Flags may be any │
│ │ │ │ combination of 0x1 (enable), 0x2 │
│ │ │ │ (advertise), and 0x4 (willing). │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ priority-group-id │ array of uint32 │ │ An array of 8 uint values, where the │
│ │ │ │ array index corresponds to the User │
│ │ │ │ Priority (0 - 7) and the value │
│ │ │ │ indicates the Priority Group ID. │
│ │ │ │ Allowed Priority Group ID values are 0 │
│ │ │ │ - 7 or 15 for the unrestricted group. │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ priority-strict-bandwidth │ array of uint32 │ │ An array of 8 boolean values, where │
│ │ │ │ the array index corresponds to the │
│ │ │ │ User Priority (0 - 7) and the value │
│ │ │ │ indicates whether or not the priority │
│ │ │ │ may use all of the bandwidth allocated │
│ │ │ │ to its assigned group. │
├─────────────────────────────┼────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ priority-traffic-class │ array of uint32 │ │ An array of 8 uint values, where the │
│ │ │ │ array index corresponds to the User │
│ │ │ │ Priority (0 - 7) and the value │
│ │ │ │ indicates the traffic class (0 - 7) to │
│ │ │ │ which the priority is mapped. │
└─────────────────────────────┴────────────────────────────┴───────────────┴────────────────────────────────────────┘dummy setting
Dummy Link Settings.ethtool setting
Ethtool Ethernet Settings.generic setting
Generic Link Settings.
┌────────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ device-handler │ string │ │ Name of the device handler that will │
│ │ │ │ be invoked to add and delete the │
│ │ │ │ device for this connection. The name │
│ │ │ │ can only contain ASCII alphanumeric │
│ │ │ │ characters and '-', '_', '.'. It │
│ │ │ │ cannot start with '.'. │
│ │ │ │ │
│ │ │ │ See the NetworkManager-dispatcher(8) │
│ │ │ │ man page for more details about how to │
│ │ │ │ write the device handler. │
│ │ │ │ │
│ │ │ │ By setting this property the generic │
│ │ │ │ connection becomes "virtual", meaning │
│ │ │ │ that it can be activated without an │
│ │ │ │ existing device; the device will be │
│ │ │ │ created at the time the connection is │
│ │ │ │ started by invoking the │
│ │ │ │ device-handler. │
└────────────────┴────────────┴───────────────┴────────────────────────────────────────┘gsm setting
GSM-based Mobile Broadband Settings.
┌────────────────────────────────────┬───────────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ apn │ string │ │ The GPRS Access Point Name specifying │
│ │ │ │ the APN used when establishing a data │
│ │ │ │ session with the GSM-based network. │
│ │ │ │ The APN often determines how the user │
│ │ │ │ will be billed for their network usage │
│ │ │ │ and whether the user has access to the │
│ │ │ │ Internet or just a provider-specific │
│ │ │ │ walled-garden, so it is important to │
│ │ │ │ use the correct APN for the user's │
│ │ │ │ mobile broadband plan. The APN may │
│ │ │ │ only be composed of the characters │
│ │ │ │ a-z, 0-9, ., and - per GSM 03.60 │
│ │ │ │ Section 14.9. │
│ │ │ │ │
│ │ │ │ If the APN is unset (the default) then │
│ │ │ │ it may be detected based on │
│ │ │ │ "auto-config" setting. The property │
│ │ │ │ can be explicitly set to the empty │
│ │ │ │ string to prevent that and use no APN. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ auto-config │ boolean │ FALSE │ When TRUE, the settings such as APN, │
│ │ │ │ username, or password will default to │
│ │ │ │ values that match the network the │
│ │ │ │ modem will register to in the Mobile │
│ │ │ │ Broadband Provider database. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ device-id │ string │ │ The device unique identifier (as given │
│ │ │ │ by the WWAN management service) which │
│ │ │ │ this connection applies to. If given, │
│ │ │ │ the connection will only apply to the │
│ │ │ │ specified device. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ home-only │ boolean │ FALSE │ When TRUE, only connections to the │
│ │ │ │ home network will be allowed. │
│ │ │ │ Connections to roaming networks will │
│ │ │ │ not be made. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ initial-eps-bearer-apn │ string │ │ For LTE modems, this sets the APN for │
│ │ │ │ the initial EPS bearer that is set up │
│ │ │ │ when attaching to the network. │
│ │ │ │ Setting this parameter implies │
│ │ │ │ initial-eps-bearer-configure to be │
│ │ │ │ TRUE. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ initial-eps-bearer-configure │ boolean │ FALSE │ For LTE modems, this setting │
│ │ │ │ determines whether the initial EPS │
│ │ │ │ bearer shall be configured when │
│ │ │ │ bringing up the connection. It is │
│ │ │ │ inferred TRUE if │
│ │ │ │ initial-eps-bearer-apn is set. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ initial-eps-bearer-noauth │ boolean │ TRUE │ For LTE modems, this sets NOAUTH │
│ │ │ │ authentication method for the initial │
│ │ │ │ EPS bearer that is set up when │
│ │ │ │ attaching to the network. If TRUE, do │
│ │ │ │ not require the other side to │
│ │ │ │ authenticate itself to the client. If │
│ │ │ │ FALSE, require authentication from the │
│ │ │ │ remote side. In almost all cases, │
│ │ │ │ this should be TRUE. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ initial-eps-bearer-password │ string │ │ For LTE modems, this sets the password │
│ │ │ │ for the initial EPS bearer that is set │
│ │ │ │ up when attaching to the network. │
│ │ │ │ Setting this parameter implies │
│ │ │ │ initial-eps-bearer-configure to be │
│ │ │ │ TRUE. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ initial-eps-bearer-password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "initial-eps-bearer-password" │
│ │ │ │ property. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ initial-eps-bearer-refuse-chap │ boolean │ FALSE │ For LTE modems, this disables CHAP │
│ │ │ │ authentication method for the initial │
│ │ │ │ EPS bearer that is set up when │
│ │ │ │ attaching to the network. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ initial-eps-bearer-refuse-eap │ boolean │ FALSE │ For LTE modems, this disables EAP │
│ │ │ │ authentication method for the initial │
│ │ │ │ EPS bearer that is set up when │
│ │ │ │ attaching to the network. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ initial-eps-bearer-refuse-mschap │ boolean │ FALSE │ For LTE modems, this disables MSCHAP │
│ │ │ │ authentication method for the initial │
│ │ │ │ EPS bearer that is set up when │
│ │ │ │ attaching to the network. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ initial-eps-bearer-refuse-mschapv2 │ boolean │ FALSE │ For LTE modems, this disables MSCHAPV2 │
│ │ │ │ authentication method for the initial │
│ │ │ │ EPS bearer that is set up when │
│ │ │ │ attaching to the network. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ initial-eps-bearer-refuse-pap │ boolean │ FALSE │ For LTE modems, this disables PAP │
│ │ │ │ authentication method for the initial │
│ │ │ │ EPS bearer that is set up when │
│ │ │ │ attaching to the network. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ initial-eps-bearer-username │ string │ │ For LTE modems, this sets the username │
│ │ │ │ for the initial EPS bearer that is set │
│ │ │ │ up when attaching to the network. │
│ │ │ │ Setting this parameter implies │
│ │ │ │ initial-eps-bearer-configure to be │
│ │ │ │ TRUE. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mtu │ uint32 │ 0 │ If non-zero, only transmit packets of │
│ │ │ │ the specified size or smaller, │
│ │ │ │ breaking larger packets up into │
│ │ │ │ multiple frames. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ network-id │ string │ │ The Network ID (GSM LAI format, ie │
│ │ │ │ MCC-MNC) to force specific network │
│ │ │ │ registration. If the Network ID is │
│ │ │ │ specified, NetworkManager will attempt │
│ │ │ │ to force the device to register only │
│ │ │ │ on the specified network. This can be │
│ │ │ │ used to ensure that the device does │
│ │ │ │ not roam when direct roaming control │
│ │ │ │ of the device is not otherwise │
│ │ │ │ possible. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ number │ string │ │ Legacy setting that used to help │
│ │ │ │ establishing PPP data sessions for │
│ │ │ │ GSM-based modems. │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.16.User-provided values for │
│ │ │ │ this setting are no longer used. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password │ string │ │ The password used to authenticate with │
│ │ │ │ the network, if required. Many │
│ │ │ │ providers do not require a password, │
│ │ │ │ or accept any password. But if a │
│ │ │ │ password is required, it is specified │
│ │ │ │ here. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "password" property. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ pin │ string │ │ If the SIM is locked with a PIN it │
│ │ │ │ must be unlocked before any other │
│ │ │ │ operations are requested. Specify the │
│ │ │ │ PIN here to allow operation of the │
│ │ │ │ device. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ pin-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "pin" property. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ sim-id │ string │ │ The SIM card unique identifier (as │
│ │ │ │ given by the WWAN management service) │
│ │ │ │ which this connection applies to. If │
│ │ │ │ given, the connection will apply to │
│ │ │ │ any device also allowed by "device-id" │
│ │ │ │ which contains a SIM card matching the │
│ │ │ │ given identifier. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ sim-operator-id │ string │ │ A MCC/MNC string like "310260" or │
│ │ │ │ "21601" identifying the specific │
│ │ │ │ mobile network operator which this │
│ │ │ │ connection applies to. If given, the │
│ │ │ │ connection will apply to any device │
│ │ │ │ also allowed by "device-id" and │
│ │ │ │ "sim-id" which contains a SIM card │
│ │ │ │ provisioned by the given operator. │
├────────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ username │ string │ │ The username used to authenticate with │
│ │ │ │ the network, if required. Many │
│ │ │ │ providers do not require a username, │
│ │ │ │ or accept any username. But if a │
│ │ │ │ username is required, it is specified │
│ │ │ │ here. │
└────────────────────────────────────┴───────────────────────────────┴───────────────┴────────────────────────────────────────┘hsr setting
HSR/PRP Settings.
┌────────────────┬────────────┬───────────────┬───────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────────┼────────────┼───────────────┼───────────────────────────────────────┤
│ multicast-spec │ uint32 │ 0 │ The last byte of supervision address. │
├────────────────┼────────────┼───────────────┼───────────────────────────────────────┤
│ port1 │ string │ │ The port1 interface name of the HSR. │
│ │ │ │ This property is mandatory. │
├────────────────┼────────────┼───────────────┼───────────────────────────────────────┤
│ port2 │ string │ │ The port2 interface name of the HSR. │
│ │ │ │ This property is mandatory. │
├────────────────┼────────────┼───────────────┼───────────────────────────────────────┤
│ prp │ boolean │ FALSE │ The protocol used by the interface, │
│ │ │ │ whether it is PRP or HSR. │
└────────────────┴────────────┴───────────────┴───────────────────────────────────────┘infiniband setting
Infiniband Settings.
┌────────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mac-address │ byte array │ │ If specified, this connection will │
│ │ │ │ only apply to the IPoIB device whose │
│ │ │ │ permanent MAC address matches. This │
│ │ │ │ property does not change the MAC │
│ │ │ │ address of the device (i.e. MAC │
│ │ │ │ spoofing). │
├────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mtu │ uint32 │ 0 │ If non-zero, only transmit packets of │
│ │ │ │ the specified size or smaller, │
│ │ │ │ breaking larger packets up into │
│ │ │ │ multiple frames. │
├────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ p-key │ int32 │ -1 │ The InfiniBand p-key to use for this │
│ │ │ │ device. A value of -1 means to use the │
│ │ │ │ default p-key (aka "the p-key at index │
│ │ │ │ 0"). Otherwise, it is a 16-bit │
│ │ │ │ unsigned integer, whose high bit │
│ │ │ │ 0x8000 is set if it is a "full │
│ │ │ │ membership" p-key. The values 0 and │
│ │ │ │ 0x8000 are not allowed. │
│ │ │ │ │
│ │ │ │ With the p-key set, the interface name │
│ │ │ │ is always "$parent.$p_key". Setting │
│ │ │ │ "connection.interface-name" to another │
│ │ │ │ name is not supported. │
│ │ │ │ │
│ │ │ │ Note that kernel will internally │
│ │ │ │ always set the full membership bit, │
│ │ │ │ although the interface name does not │
│ │ │ │ reflect that. Usually the user would │
│ │ │ │ want to configure a full membership │
│ │ │ │ p-key with 0x8000 flag set. │
├────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ parent │ string │ │ The interface name of the parent │
│ │ │ │ device of this device. Normally NULL, │
│ │ │ │ but if the "p_key" property is set, │
│ │ │ │ then you must specify the base device │
│ │ │ │ by setting either this property or │
│ │ │ │ "mac-address". │
├────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ transport-mode │ string │ │ The IP-over-InfiniBand transport mode. │
│ │ │ │ Either "datagram" or "connected". │
└────────────────┴────────────┴───────────────┴────────────────────────────────────────┘ipv4 setting
IPv4 Settings.
┌──────────────────────────────┬──────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ address-data │ array of vardict │ │ Array of IPv4 addresses. Each address │
│ │ │ │ dictionary contains at least 'address' │
│ │ │ │ and 'prefix' entries, containing the │
│ │ │ │ IP address as a string, and the prefix │
│ │ │ │ length as a uint32. Additional │
│ │ │ │ attributes may also exist on some │
│ │ │ │ addresses. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ addresses │ array of array of uint32 │ │ Deprecated in favor of the │
│ │ │ │ 'address-data' and 'gateway' │
│ │ │ │ properties, but this can be used for │
│ │ │ │ backward-compatibility with older │
│ │ │ │ daemons. Note that if you send this │
│ │ │ │ property the daemon will ignore │
│ │ │ │ 'address-data' and 'gateway'. Array │
│ │ │ │ of IPv4 address structures. Each IPv4 │
│ │ │ │ address structure is composed of 3 │
│ │ │ │ 32-bit values; the first being the │
│ │ │ │ IPv4 address (network byte order), the │
│ │ │ │ second the prefix (1 - 32), and last │
│ │ │ │ the IPv4 gateway (network byte order). │
│ │ │ │ The gateway may be left as 0 if no │
│ │ │ │ gateway exists for that subnet. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ auto-route-ext-gw │ NMTernary (int32) │ │ VPN connections will default to add │
│ │ │ │ the route automatically unless this │
│ │ │ │ setting is set to FALSE. │
│ │ │ │ │
│ │ │ │ For other connection types, adding │
│ │ │ │ such an automatic route is currently │
│ │ │ │ not supported and setting this to TRUE │
│ │ │ │ has no effect. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dad-timeout │ int32 │ -1 │ Maximum timeout in milliseconds used │
│ │ │ │ to check for the presence of duplicate │
│ │ │ │ IP addresses on the network. If an │
│ │ │ │ address conflict is detected, the │
│ │ │ │ activation will fail. The property is │
│ │ │ │ currently implemented only for IPv4. │
│ │ │ │ │
│ │ │ │ A zero value means that no duplicate │
│ │ │ │ address detection is performed, -1 │
│ │ │ │ means the default value (either the │
│ │ │ │ value configured globally in │
│ │ │ │ NetworkManger.conf or 200ms). A value │
│ │ │ │ greater than zero is a timeout in │
│ │ │ │ milliseconds. Note that the time │
│ │ │ │ intervals are subject to randomization │
│ │ │ │ as per RFC 5227 and so the actual │
│ │ │ │ duration can be between half and the │
│ │ │ │ full time specified in this property. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-client-id │ string │ │ A string sent to the DHCP server to │
│ │ │ │ identify the local machine which the │
│ │ │ │ DHCP server may use to customize the │
│ │ │ │ DHCP lease and options. When the │
│ │ │ │ property is a hex string ('aa:bb:cc') │
│ │ │ │ it is interpreted as a binary client │
│ │ │ │ ID, in which case the first byte is │
│ │ │ │ assumed to be the 'type' field as per │
│ │ │ │ RFC 2132 section 9.14 and the │
│ │ │ │ remaining bytes may be an hardware │
│ │ │ │ address (e.g. '01:xx:xx:xx:xx:xx:xx' │
│ │ │ │ where 1 is the Ethernet ARP type and │
│ │ │ │ the rest is a MAC address). If the │
│ │ │ │ property is not a hex string it is │
│ │ │ │ considered as a non-hardware-address │
│ │ │ │ client ID and the 'type' field is set │
│ │ │ │ to 0. │
│ │ │ │ │
│ │ │ │ The special values "mac" and │
│ │ │ │ "perm-mac" are supported, which use │
│ │ │ │ the current or permanent MAC address │
│ │ │ │ of the device to generate a client │
│ │ │ │ identifier with type ethernet (01). │
│ │ │ │ Currently, these options only work for │
│ │ │ │ ethernet type of links. │
│ │ │ │ │
│ │ │ │ The special value "ipv6-duid" uses the │
│ │ │ │ DUID from "ipv6.dhcp-duid" property as │
│ │ │ │ an RFC4361-compliant client │
│ │ │ │ identifier. As IAID it uses │
│ │ │ │ "ipv4.dhcp-iaid" and falls back to │
│ │ │ │ "ipv6.dhcp-iaid" if unset. │
│ │ │ │ │
│ │ │ │ The special value "duid" generates a │
│ │ │ │ RFC4361-compliant client identifier │
│ │ │ │ based on "ipv4.dhcp-iaid" and uses a │
│ │ │ │ DUID generated by hashing │
│ │ │ │ /etc/machine-id. │
│ │ │ │ │
│ │ │ │ The special value "stable" is │
│ │ │ │ supported to generate a type 0 client │
│ │ │ │ identifier based on the stable-id (see │
│ │ │ │ connection.stable-id) and a per-host │
│ │ │ │ key. If you set the stable-id, you may │
│ │ │ │ want to include the "${DEVICE}" or │
│ │ │ │ "${MAC}" specifier to get a per-device │
│ │ │ │ key. │
│ │ │ │ │
│ │ │ │ The special value "none" prevents any │
│ │ │ │ client identifier from being sent. │
│ │ │ │ Note that this is normally not │
│ │ │ │ recommended. │
│ │ │ │ │
│ │ │ │ If unset, a globally configured │
│ │ │ │ default from NetworkManager.conf is │
│ │ │ │ used. If still unset, the default │
│ │ │ │ depends on the DHCP plugin. The │
│ │ │ │ internal dhcp client will default to │
│ │ │ │ "mac" and the dhclient plugin will try │
│ │ │ │ to use one from its config file if │
│ │ │ │ present, or won't sent any client-id │
│ │ │ │ otherwise. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-dscp │ string │ │ Specifies the value for the DSCP field │
│ │ │ │ (traffic class) of the IP header. When │
│ │ │ │ empty, the global default value is │
│ │ │ │ used; if no global default is │
│ │ │ │ specified, it is assumed to be "CS0". │
│ │ │ │ Allowed values are: "CS0", "CS4" and │
│ │ │ │ "CS6". │
│ │ │ │ │
│ │ │ │ The property is currently valid only │
│ │ │ │ for IPv4, and it is supported only by │
│ │ │ │ the "internal" DHCP plugin. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-fqdn │ string │ │ If the "dhcp-send-hostname" property │
│ │ │ │ is TRUE, then the specified FQDN will │
│ │ │ │ be sent to the DHCP server when │
│ │ │ │ acquiring a lease. This property and │
│ │ │ │ "dhcp-hostname" are mutually exclusive │
│ │ │ │ and cannot be set at the same time. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-hostname │ string │ │ If the "dhcp-send-hostname" property │
│ │ │ │ is TRUE, then the specified name will │
│ │ │ │ be sent to the DHCP server when │
│ │ │ │ acquiring a lease. This property and │
│ │ │ │ "dhcp-fqdn" are mutually exclusive and │
│ │ │ │ cannot be set at the same time. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-hostname-flags │ uint32 │ 0 │ Flags for the DHCP hostname and FQDN. │
│ │ │ │ │
│ │ │ │ Currently, this property only includes │
│ │ │ │ flags to control the FQDN flags set in │
│ │ │ │ the DHCP FQDN option. Supported FQDN │
│ │ │ │ flags are 0x1 (fqdn-serv-update), 0x2 │
│ │ │ │ (fqdn-encoded) and 0x4 │
│ │ │ │ (fqdn-no-update). When no FQDN flag │
│ │ │ │ is set and 0x8 (fqdn-clear-flags) is │
│ │ │ │ set, the DHCP FQDN option will contain │
│ │ │ │ no flag. Otherwise, if no FQDN flag is │
│ │ │ │ set and 0x8 (fqdn-clear-flags) is not │
│ │ │ │ set, the standard FQDN flags are set │
│ │ │ │ in the request: 0x1 │
│ │ │ │ (fqdn-serv-update), 0x2 (fqdn-encoded) │
│ │ │ │ for IPv4 and 0x1 (fqdn-serv-update) │
│ │ │ │ for IPv6. │
│ │ │ │ │
│ │ │ │ When this property is set to the │
│ │ │ │ default value 0x0 (none), a global │
│ │ │ │ default is looked up in NetworkManager │
│ │ │ │ configuration. If that value is unset │
│ │ │ │ or also 0x0 (none), then the standard │
│ │ │ │ FQDN flags described above are sent in │
│ │ │ │ the DHCP requests. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-iaid │ string │ │ A string containing the "Identity │
│ │ │ │ Association Identifier" (IAID) used by │
│ │ │ │ the DHCP client. The string can be a │
│ │ │ │ 32-bit number (either decimal, │
│ │ │ │ hexadecimal or as colon separated │
│ │ │ │ hexadecimal numbers). Alternatively it │
│ │ │ │ can be set to the special values │
│ │ │ │ "mac", "perm-mac", "ifname" or │
│ │ │ │ "stable". When set to "mac" (or │
│ │ │ │ "perm-mac"), the last 4 bytes of the │
│ │ │ │ current (or permanent) MAC address are │
│ │ │ │ used as IAID. When set to "ifname", │
│ │ │ │ the IAID is computed by hashing the │
│ │ │ │ interface name. The special value │
│ │ │ │ "stable" can be used to generate an │
│ │ │ │ IAID based on the stable-id (see │
│ │ │ │ connection.stable-id), a per-host key │
│ │ │ │ and the interface name. When the │
│ │ │ │ property is unset, the value from │
│ │ │ │ global configuration is used; if no │
│ │ │ │ global default is set then the IAID is │
│ │ │ │ assumed to be "ifname". │
│ │ │ │ │
│ │ │ │ For DHCPv4, the IAID is only used with │
│ │ │ │ "ipv4.dhcp-client-id" values "duid" │
│ │ │ │ and "ipv6-duid" to generate the │
│ │ │ │ client-id. │
│ │ │ │ │
│ │ │ │ For DHCPv6, note that at the moment │
│ │ │ │ this property is only supported by the │
│ │ │ │ "internal" DHCPv6 plugin. The │
│ │ │ │ "dhclient" DHCPv6 plugin always │
│ │ │ │ derives the IAID from the MAC address. │
│ │ │ │ │
│ │ │ │ The actually used DHCPv6 IAID for a │
│ │ │ │ currently activated interface is │
│ │ │ │ exposed in the lease information of │
│ │ │ │ the device. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-ipv6-only-preferred │ int32 │ -1 │ Controls the "IPv6-Only Preferred" │
│ │ │ │ DHCPv4 option (RFC 8925). │
│ │ │ │ │
│ │ │ │ When set to 1 (yes), the host adds the │
│ │ │ │ option to the parameter request list; │
│ │ │ │ if the DHCP server sends the option │
│ │ │ │ back, the host stops the DHCP client │
│ │ │ │ for the time interval specified in the │
│ │ │ │ option. │
│ │ │ │ │
│ │ │ │ Enable this feature if the host │
│ │ │ │ supports an IPv6-only mode, i.e. │
│ │ │ │ either all applications are IPv6-only │
│ │ │ │ capable or there is a form of 464XLAT │
│ │ │ │ deployed. │
│ │ │ │ │
│ │ │ │ When set to -1 (default), the actual │
│ │ │ │ value is looked up in the global │
│ │ │ │ configuration; if not specified, it │
│ │ │ │ defaults to 0 (no). │
│ │ │ │ │
│ │ │ │ If the connection has IPv6 method set │
│ │ │ │ to "disabled", this property does not │
│ │ │ │ have effect and the "IPv6-Only │
│ │ │ │ Preferred" option is always disabled. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-reject-servers │ array of string │ │ Array of servers from which DHCP │
│ │ │ │ offers must be rejected. This property │
│ │ │ │ is useful to avoid getting a lease │
│ │ │ │ from misconfigured or rogue servers. │
│ │ │ │ │
│ │ │ │ For DHCPv4, each element must be an │
│ │ │ │ IPv4 address, optionally followed by a │
│ │ │ │ slash and a prefix length (e.g. │
│ │ │ │ "192.168.122.0/24"). │
│ │ │ │ │
│ │ │ │ This property is currently not │
│ │ │ │ implemented for DHCPv6. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-send-hostname │ boolean │ TRUE │ Since 1.52 this property is deprecated │
│ │ │ │ and is only used as fallback value for │
│ │ │ │ "dhcp-send-hostname-v2" if it's set to │
│ │ │ │ 'default'. This is only done to avoid │
│ │ │ │ breaking existing configurations, the │
│ │ │ │ new property should be used from now │
│ │ │ │ on. │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.52.use the new version of │
│ │ │ │ dhcp-send-hostname instead. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-send-hostname-v2 │ int32 │ -1 │ If TRUE, a hostname is sent to the │
│ │ │ │ DHCP server when acquiring a lease. │
│ │ │ │ Some DHCP servers use this hostname to │
│ │ │ │ update DNS databases, essentially │
│ │ │ │ providing a static hostname for the │
│ │ │ │ computer. If the "dhcp-hostname" │
│ │ │ │ property is NULL and this property is │
│ │ │ │ TRUE, the current persistent hostname │
│ │ │ │ of the computer is sent. │
│ │ │ │ │
│ │ │ │ The default value is -1 (default). In │
│ │ │ │ this case the global value from │
│ │ │ │ NetworkManager configuration is looked │
│ │ │ │ up. If it's not set, the value from │
│ │ │ │ "dhcp-send-hostname", which defaults │
│ │ │ │ to TRUE, is used for backwards │
│ │ │ │ compatibility. In the future this will │
│ │ │ │ change and, in absence of a global │
│ │ │ │ default, it will always fallback to │
│ │ │ │ TRUE. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-send-release │ NMTernary (int32) │ │ Whether the DHCP client will send │
│ │ │ │ RELEASE message when bringing the │
│ │ │ │ connection down. The default value is │
│ │ │ │ -1 (default). When the default value │
│ │ │ │ is specified, then the global value │
│ │ │ │ from NetworkManager configuration is │
│ │ │ │ looked up, if not set, it is │
│ │ │ │ considered as FALSE. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-timeout │ int32 │ 0 │ A timeout for a DHCP transaction in │
│ │ │ │ seconds. If zero (the default), a │
│ │ │ │ globally configured default is used. │
│ │ │ │ If still unspecified, a device │
│ │ │ │ specific timeout is used (usually 45 │
│ │ │ │ seconds). │
│ │ │ │ │
│ │ │ │ Set to 2147483647 (MAXINT32) for │
│ │ │ │ infinity. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-vendor-class-identifier │ string │ │ The Vendor Class Identifier DHCP │
│ │ │ │ option (60). Special characters in the │
│ │ │ │ data string may be escaped using │
│ │ │ │ C-style escapes, nevertheless this │
│ │ │ │ property cannot contain nul bytes. If │
│ │ │ │ the per-profile value is unspecified │
│ │ │ │ (the default), a global connection │
│ │ │ │ default gets consulted. If still │
│ │ │ │ unspecified, the DHCP option is not │
│ │ │ │ sent to the server. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dns │ array of uint32 │ │ Array of IP addresses of DNS servers │
│ │ │ │ (as network-byte-order integers) │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dns-data │ array of strings │ │ Array of DNS name servers. This │
│ │ │ │ replaces the deprecated "dns" │
│ │ │ │ property. Each name server can also │
│ │ │ │ contain a DoT server name. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dns-options │ array of string │ │ Array of DNS options to be added to │
│ │ │ │ resolv.conf. │
│ │ │ │ │
│ │ │ │ NULL means that the options are unset │
│ │ │ │ and left at the default. In this case │
│ │ │ │ NetworkManager will use default │
│ │ │ │ options. This is distinct from an │
│ │ │ │ empty list of properties. │
│ │ │ │ │
│ │ │ │ The following options are directly │
│ │ │ │ added to resolv.conf: "attempts", │
│ │ │ │ "debug", "edns0", "inet6", │
│ │ │ │ "ip6-bytestring", "ip6-dotint", │
│ │ │ │ "ndots", "no-aaaa", "no-check-names", │
│ │ │ │ "no-ip6-dotint", "no-reload", │
│ │ │ │ "no-tld-query", "rotate", │
│ │ │ │ "single-request", │
│ │ │ │ "single-request-reopen", "timeout", │
│ │ │ │ "trust-ad", "use-vc". See the │
│ │ │ │ resolv.conf(5) man page for a detailed │
│ │ │ │ description of these options. │
│ │ │ │ │
│ │ │ │ In addition, NetworkManager supports │
│ │ │ │ the special options "_no-add-edns0" │
│ │ │ │ and "_no-add-trust-ad". They are not │
│ │ │ │ added to resolv.conf, and can be used │
│ │ │ │ to prevent the automatic addition of │
│ │ │ │ options "edns0" and "trust-ad" when │
│ │ │ │ using caching DNS plugins (see below). │
│ │ │ │ │
│ │ │ │ The "trust-ad" setting is only honored │
│ │ │ │ if the profile contributes name │
│ │ │ │ servers to resolv.conf, and if all │
│ │ │ │ contributing profiles have "trust-ad" │
│ │ │ │ enabled. │
│ │ │ │ │
│ │ │ │ When using a caching DNS plugin │
│ │ │ │ (dnsmasq or systemd-resolved in │
│ │ │ │ NetworkManager.conf) then "edns0" and │
│ │ │ │ "trust-ad" are automatically added, │
│ │ │ │ unless "_no-add-edns0" and │
│ │ │ │ "_no-add-trust-ad" are present. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dns-priority │ int32 │ 0 │ DNS servers priority. │
│ │ │ │ │
│ │ │ │ The relative priority for DNS servers │
│ │ │ │ specified by this setting. A lower │
│ │ │ │ numerical value is better (higher │
│ │ │ │ priority). │
│ │ │ │ │
│ │ │ │ Negative values have the special │
│ │ │ │ effect of excluding other │
│ │ │ │ configurations with a greater │
│ │ │ │ numerical priority value; so in │
│ │ │ │ presence of at least one negative │
│ │ │ │ priority, only DNS servers from │
│ │ │ │ connections with the lowest priority │
│ │ │ │ value will be used. To avoid all DNS │
│ │ │ │ leaks, set the priority of the profile │
│ │ │ │ that should be used to the most │
│ │ │ │ negative value of all active │
│ │ │ │ connections profiles. │
│ │ │ │ │
│ │ │ │ Zero selects a globally configured │
│ │ │ │ default value. If the latter is │
│ │ │ │ missing or zero too, it defaults to 50 │
│ │ │ │ for VPNs (including WireGuard) and 100 │
│ │ │ │ for other connections. │
│ │ │ │ │
│ │ │ │ Note that the priority is to order DNS │
│ │ │ │ settings for multiple active │
│ │ │ │ connections. It does not disambiguate │
│ │ │ │ multiple DNS servers within the same │
│ │ │ │ connection profile. │
│ │ │ │ │
│ │ │ │ When multiple devices have │
│ │ │ │ configurations with the same priority, │
│ │ │ │ VPNs will be considered first, then │
│ │ │ │ devices with the best (lowest metric) │
│ │ │ │ default route and then all other │
│ │ │ │ devices. │
│ │ │ │ │
│ │ │ │ When using dns=default, servers with │
│ │ │ │ higher priority will be on top of │
│ │ │ │ resolv.conf. To prioritize a given │
│ │ │ │ server over another one within the │
│ │ │ │ same connection, just specify them in │
│ │ │ │ the desired order. Note that commonly │
│ │ │ │ the resolver tries name servers in │
│ │ │ │ /etc/resolv.conf in the order listed, │
│ │ │ │ proceeding with the next server in the │
│ │ │ │ list on failure. See for example the │
│ │ │ │ "rotate" option of the dns-options │
│ │ │ │ setting. If there are any negative DNS │
│ │ │ │ priorities, then only name servers │
│ │ │ │ from the devices with that lowest │
│ │ │ │ priority will be considered. │
│ │ │ │ │
│ │ │ │ When using a DNS resolver that │
│ │ │ │ supports Conditional Forwarding or │
│ │ │ │ Split DNS (with dns=dnsmasq or │
│ │ │ │ dns=systemd-resolved settings), each │
│ │ │ │ connection is used to query domains in │
│ │ │ │ its search list. The search domains │
│ │ │ │ determine which name servers to ask, │
│ │ │ │ and the DNS priority is used to │
│ │ │ │ prioritize name servers based on the │
│ │ │ │ domain. Queries for domains not │
│ │ │ │ present in any search list are routed │
│ │ │ │ through connections having the '~.' │
│ │ │ │ special wildcard domain, which is │
│ │ │ │ added automatically to connections │
│ │ │ │ with the default route (or can be │
│ │ │ │ added manually). When multiple │
│ │ │ │ connections specify the same domain, │
│ │ │ │ the one with the best priority (lowest │
│ │ │ │ numerical value) wins. If a sub │
│ │ │ │ domain is configured on another │
│ │ │ │ interface it will be accepted │
│ │ │ │ regardless the priority, unless parent │
│ │ │ │ domain on the other interface has a │
│ │ │ │ negative priority, which causes the │
│ │ │ │ sub domain to be shadowed. With Split │
│ │ │ │ DNS one can avoid undesired DNS leaks │
│ │ │ │ by properly configuring DNS priorities │
│ │ │ │ and the search domains, so that only │
│ │ │ │ name servers of the desired interface │
│ │ │ │ are configured. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ dns-search │ array of string │ │ List of DNS search domains. Domains │
│ │ │ │ starting with a tilde ('~') are │
│ │ │ │ considered 'routing' domains and are │
│ │ │ │ used only to decide the interface over │
│ │ │ │ which a query must be forwarded; they │
│ │ │ │ are not used to complete unqualified │
│ │ │ │ host names. │
│ │ │ │ │
│ │ │ │ When using a DNS plugin that supports │
│ │ │ │ Conditional Forwarding or Split DNS, │
│ │ │ │ then the search domains specify which │
│ │ │ │ name servers to query. This makes the │
│ │ │ │ behavior different from running with │
│ │ │ │ plain /etc/resolv.conf. For more │
│ │ │ │ information see also the dns-priority │
│ │ │ │ setting. │
│ │ │ │ │
│ │ │ │ When set on a profile that also │
│ │ │ │ enabled DHCP, the DNS search list │
│ │ │ │ received automatically (option 119 for │
│ │ │ │ DHCPv4 and option 24 for DHCPv6) gets │
│ │ │ │ merged with the manual list. This can │
│ │ │ │ be prevented by setting │
│ │ │ │ "ignore-auto-dns". Note that if no DNS │
│ │ │ │ searches are configured, the fallback │
│ │ │ │ will be derived from the domain from │
│ │ │ │ DHCP (option 15). │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ gateway │ string │ │ The gateway associated with this │
│ │ │ │ configuration. This is only meaningful │
│ │ │ │ if "addresses" is also set. │
│ │ │ │ │
│ │ │ │ Setting the gateway causes │
│ │ │ │ NetworkManager to configure a standard │
│ │ │ │ default route with the gateway as next │
│ │ │ │ hop. This is ignored if │
│ │ │ │ "never-default" is set. An alternative │
│ │ │ │ is to configure the default route │
│ │ │ │ explicitly with a manual route and /0 │
│ │ │ │ as prefix length. │
│ │ │ │ │
│ │ │ │ Note that the gateway usually │
│ │ │ │ conflicts with routing that │
│ │ │ │ NetworkManager configures for │
│ │ │ │ WireGuard interfaces, so usually it │
│ │ │ │ should not be set in that case. See │
│ │ │ │ "ip4-auto-default-route". │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ ignore-auto-dns │ boolean │ FALSE │ When "method" is set to "auto" and │
│ │ │ │ this property to TRUE, automatically │
│ │ │ │ configured name servers and search │
│ │ │ │ domains are ignored and only name │
│ │ │ │ servers and search domains specified │
│ │ │ │ in the "dns" and "dns-search" │
│ │ │ │ properties, if any, are used. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ ignore-auto-routes │ boolean │ FALSE │ When "method" is set to "auto" and │
│ │ │ │ this property to TRUE, automatically │
│ │ │ │ configured routes are ignored and only │
│ │ │ │ routes specified in the "routes" │
│ │ │ │ property, if any, are used. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ link-local │ int32 │ 0 │ Enable and disable the IPv4 link-local │
│ │ │ │ configuration independently of the │
│ │ │ │ ipv4.method configuration. This allows │
│ │ │ │ a link-local address (169.254.x.y/16) │
│ │ │ │ to be obtained in addition to other │
│ │ │ │ addresses, such as those manually │
│ │ │ │ configured or obtained from a DHCP │
│ │ │ │ server. │
│ │ │ │ │
│ │ │ │ When set to "auto", the value is │
│ │ │ │ dependent on "ipv4.method". When set │
│ │ │ │ to "default", it honors the global │
│ │ │ │ connection default, before falling │
│ │ │ │ back to "auto". Note that if │
│ │ │ │ "ipv4.method" is "disabled", then link │
│ │ │ │ local addressing is always disabled │
│ │ │ │ too. The default is "default". Since │
│ │ │ │ 1.52, when set to "fallback", a │
│ │ │ │ link-local address is obtained if no │
│ │ │ │ other IPv4 address is set. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ may-fail │ boolean │ TRUE │ If TRUE, allow overall network │
│ │ │ │ configuration to proceed even if the │
│ │ │ │ configuration specified by this │
│ │ │ │ property times out. Note that at │
│ │ │ │ least one IP configuration must │
│ │ │ │ succeed or overall network │
│ │ │ │ configuration will still fail. For │
│ │ │ │ example, in IPv6-only networks, │
│ │ │ │ setting this property to TRUE on the │
│ │ │ │ NMSettingIP4Config allows the overall │
│ │ │ │ network configuration to succeed if │
│ │ │ │ IPv4 configuration fails but IPv6 │
│ │ │ │ configuration completes successfully. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ method │ string │ │ IP configuration method. │
│ │ │ │ │
│ │ │ │ NMSettingIP4Config and │
│ │ │ │ NMSettingIP6Config both support │
│ │ │ │ "disabled", "auto", "manual", and │
│ │ │ │ "link-local". See the │
│ │ │ │ subclass-specific documentation for │
│ │ │ │ other values. │
│ │ │ │ │
│ │ │ │ In general, for the "auto" method, │
│ │ │ │ properties such as "dns" and "routes" │
│ │ │ │ specify information that is added on │
│ │ │ │ to the information returned from │
│ │ │ │ automatic configuration. The │
│ │ │ │ "ignore-auto-routes" and │
│ │ │ │ "ignore-auto-dns" properties modify │
│ │ │ │ this behavior. │
│ │ │ │ │
│ │ │ │ For methods that imply no upstream │
│ │ │ │ network, such as "shared" or │
│ │ │ │ "link-local", these properties must be │
│ │ │ │ empty. │
│ │ │ │ │
│ │ │ │ For IPv4 method "shared", the IP │
│ │ │ │ subnet can be configured by adding one │
│ │ │ │ manual IPv4 address or otherwise │
│ │ │ │ 10.42.x.0/24 is chosen. Note that the │
│ │ │ │ shared method must be configured on │
│ │ │ │ the interface which shares the │
│ │ │ │ internet to a subnet, not on the │
│ │ │ │ uplink which is shared. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ never-default │ boolean │ FALSE │ If TRUE, this connection will never be │
│ │ │ │ the default connection for this IP │
│ │ │ │ type, meaning it will never be │
│ │ │ │ assigned the default route by │
│ │ │ │ NetworkManager. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ replace-local-rule │ NMTernary (int32) │ │ Connections will default to keep the │
│ │ │ │ autogenerated priority 0 local rule │
│ │ │ │ unless this setting is set to TRUE. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ required-timeout │ int32 │ -1 │ The minimum time interval in │
│ │ │ │ milliseconds for which dynamic IP │
│ │ │ │ configuration should be tried before │
│ │ │ │ the connection succeeds. │
│ │ │ │ │
│ │ │ │ This property is useful for example if │
│ │ │ │ both IPv4 and IPv6 are enabled and are │
│ │ │ │ allowed to fail. Normally the │
│ │ │ │ connection succeeds as soon as one of │
│ │ │ │ the two address families completes; by │
│ │ │ │ setting a required timeout for e.g. │
│ │ │ │ IPv4, one can ensure that even if IP6 │
│ │ │ │ succeeds earlier than IPv4, │
│ │ │ │ NetworkManager waits some time for │
│ │ │ │ IPv4 before the connection becomes │
│ │ │ │ active. │
│ │ │ │ │
│ │ │ │ Note that if "may-fail" is FALSE for │
│ │ │ │ the same address family, this property │
│ │ │ │ has no effect as NetworkManager needs │
│ │ │ │ to wait for the full DHCP timeout. │
│ │ │ │ │
│ │ │ │ A zero value means that no required │
│ │ │ │ timeout is present, -1 means the │
│ │ │ │ default value (either configuration │
│ │ │ │ ipvx.required-timeout override or │
│ │ │ │ zero). │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ route-data │ array of vardict │ │ Array of IPv4 routes. Each route │
│ │ │ │ dictionary contains at least 'dest' │
│ │ │ │ and 'prefix' entries, containing the │
│ │ │ │ destination IP address as a string, │
│ │ │ │ and the prefix length as a uint32. │
│ │ │ │ Most routes will also have a │
│ │ │ │ 'next-hop' entry, containing the next │
│ │ │ │ hop IP address as a string. If the │
│ │ │ │ route has a 'metric' entry (containing │
│ │ │ │ a uint32), that will be used as the │
│ │ │ │ metric for the route (otherwise NM │
│ │ │ │ will pick a default value appropriate │
│ │ │ │ to the device). Additional attributes │
│ │ │ │ may also exist on some routes. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ route-metric │ int64 │ -1 │ The default metric for routes that │
│ │ │ │ don't explicitly specify a metric. The │
│ │ │ │ default value -1 means that the metric │
│ │ │ │ is chosen automatically based on the │
│ │ │ │ device type. The metric applies to │
│ │ │ │ dynamic routes, manual (static) routes │
│ │ │ │ that don't have an explicit metric │
│ │ │ │ setting, address prefix routes, and │
│ │ │ │ the default route. Note that for IPv6, │
│ │ │ │ the kernel accepts zero (0) but │
│ │ │ │ coerces it to 1024 (user default). │
│ │ │ │ Hence, setting this property to zero │
│ │ │ │ effectively mean setting it to 1024. │
│ │ │ │ For IPv4, zero is a regular value for │
│ │ │ │ the metric. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ route-table │ uint32 │ 0 │ Enable policy routing (source routing) │
│ │ │ │ and set the routing table used when │
│ │ │ │ adding routes. │
│ │ │ │ │
│ │ │ │ This affects all routes, including │
│ │ │ │ device-routes, IPv4LL, DHCP, SLAAC, │
│ │ │ │ default-routes and static routes. But │
│ │ │ │ note that static routes can │
│ │ │ │ individually overwrite the setting by │
│ │ │ │ explicitly specifying a non-zero │
│ │ │ │ routing table. │
│ │ │ │ │
│ │ │ │ If the table setting is left at zero, │
│ │ │ │ it is eligible to be overwritten via │
│ │ │ │ global configuration. If the property │
│ │ │ │ is zero even after applying the global │
│ │ │ │ configuration value, policy routing is │
│ │ │ │ disabled for the address family of │
│ │ │ │ this connection. │
│ │ │ │ │
│ │ │ │ Policy routing disabled means that │
│ │ │ │ NetworkManager will add all routes to │
│ │ │ │ the main table (except static routes │
│ │ │ │ that explicitly configure a different │
│ │ │ │ table). Additionally, NetworkManager │
│ │ │ │ will not delete any extraneous routes │
│ │ │ │ from tables except the main table. │
│ │ │ │ This is to preserve backward │
│ │ │ │ compatibility for users who manage │
│ │ │ │ routing tables outside of │
│ │ │ │ NetworkManager. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ routed-dns │ int32 │ -1 │ Whether to add routes for DNS servers. │
│ │ │ │ When enabled, NetworkManager adds a │
│ │ │ │ route for each DNS server that is │
│ │ │ │ associated with this connection either │
│ │ │ │ statically (defined in the connection │
│ │ │ │ profile) or dynamically (for example, │
│ │ │ │ retrieved via DHCP). The route │
│ │ │ │ guarantees that the DNS server is │
│ │ │ │ reached via this interface. When set │
│ │ │ │ to -1 (default), the value from global │
│ │ │ │ configuration is used; if no global │
│ │ │ │ default is defined, this feature is │
│ │ │ │ disabled. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ routes │ array of array of uint32 │ │ Deprecated in favor of the │
│ │ │ │ 'route-data' property, but this can be │
│ │ │ │ used for backward-compatibility with │
│ │ │ │ older daemons. Note that if you send │
│ │ │ │ this property the daemon will ignore │
│ │ │ │ 'route-data'. Array of IPv4 route │
│ │ │ │ structures. Each IPv4 route structure │
│ │ │ │ is composed of 4 32-bit values; the │
│ │ │ │ first being the destination IPv4 │
│ │ │ │ network or address (network byte │
│ │ │ │ order), the second the destination │
│ │ │ │ network or address prefix (1 - 32), │
│ │ │ │ the third being the next-hop (network │
│ │ │ │ byte order) if any, and the fourth │
│ │ │ │ being the route metric. If the metric │
│ │ │ │ is 0, NM will choose an appropriate │
│ │ │ │ default metric for the device. (There │
│ │ │ │ is no way to explicitly specify an │
│ │ │ │ actual metric of 0 with this │
│ │ │ │ property.) │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ routing-rules │ array of 'a{sv}' │ │ Array of dictionaries for routing │
│ │ │ │ rules. Each routing rule supports the │
│ │ │ │ following options: action (y), │
│ │ │ │ dport-end (q), dport-start (q), family │
│ │ │ │ (i), from (s), from-len (y), fwmark │
│ │ │ │ (u), fwmask (u), iifname (s), invert │
│ │ │ │ (b), ipproto (s), oifname (s), │
│ │ │ │ priority (u), sport-end (q), │
│ │ │ │ sport-start (q), supress-prefixlength │
│ │ │ │ (i), table (u), to (s), tos (y), │
│ │ │ │ to-len (y), range-end (u), range-start │
│ │ │ │ (u). │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ shared-dhcp-lease-time │ int32 │ 0 │ This option allows you to specify a │
│ │ │ │ custom DHCP lease time for the shared │
│ │ │ │ connection method in seconds. The │
│ │ │ │ value should be either a number │
│ │ │ │ between 120 and 31536000 (one year) If │
│ │ │ │ this option is not specified, 3600 │
│ │ │ │ (one hour) is used. │
│ │ │ │ │
│ │ │ │ Special values are 0 for default value │
│ │ │ │ of 1 hour and 2147483647 (MAXINT32) │
│ │ │ │ for infinite lease time. │
├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ shared-dhcp-range │ string │ │ This option allows you to specify a │
│ │ │ │ custom DHCP range for the shared │
│ │ │ │ connection method. The value is │
│ │ │ │ expected to be in │
│ │ │ │ `<START_ADDRESS>,<END_ADDRESS>` │
│ │ │ │ format. The range should be part of │
│ │ │ │ network set by ipv4.address option and │
│ │ │ │ it should not contain network address │
│ │ │ │ or broadcast address. If this option │
│ │ │ │ is not specified, the DHCP range will │
│ │ │ │ be automatically determined based on │
│ │ │ │ the interface address. The range will │
│ │ │ │ be selected to be adjacent to the │
│ │ │ │ interface address, either before or │
│ │ │ │ after it, with the larger possible │
│ │ │ │ range being preferred. The range will │
│ │ │ │ be adjusted to fill the available │
│ │ │ │ address space, except for networks │
│ │ │ │ with a prefix length greater than 24, │
│ │ │ │ which will be treated as if they have │
│ │ │ │ a prefix length of 24. │
└──────────────────────────────┴──────────────────────────┴───────────────┴────────────────────────────────────────┘ipv6 setting
IPv6 Settings.
┌─────────────────────────┬─────────────────────────────────────┬───────────────┬──────────────────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ addr-gen-mode │ int32 │ 3 │ Configure the method for creating the │
│ │ │ │ IPv6 interface identifier of addresses │
│ │ │ │ for RFC4862 IPv6 Stateless Address │
│ │ │ │ Autoconfiguration and IPv6 Link Local. │
│ │ │ │ │
│ │ │ │ The permitted values are: 0 (eui64), 1 │
│ │ │ │ (stable-privacy). 2 (default-or-eui64) │
│ │ │ │ or 3 (default). │
│ │ │ │ │
│ │ │ │ If the property is set to "eui64", the │
│ │ │ │ addresses will be generated using the │
│ │ │ │ interface token derived from the │
│ │ │ │ hardware address. This makes the host │
│ │ │ │ part of the address constant, making │
│ │ │ │ it possible to track the host's │
│ │ │ │ presence when it changes networks. The │
│ │ │ │ address changes when the interface │
│ │ │ │ hardware is replaced. If a duplicate │
│ │ │ │ address is detected, there is no │
│ │ │ │ fallback to generate another address. │
│ │ │ │ When configured, the "ipv6.token" is │
│ │ │ │ used instead of the MAC address to │
│ │ │ │ generate addresses for stateless │
│ │ │ │ autoconfiguration. │
│ │ │ │ │
│ │ │ │ If the property is set to │
│ │ │ │ "stable-privacy", the interface │
│ │ │ │ identifier is generated as specified │
│ │ │ │ by RFC7217. This works by hashing a │
│ │ │ │ host specific key (see │
│ │ │ │ NetworkManager(8) manual), the │
│ │ │ │ interface name, the connection's │
│ │ │ │ "connection.stable-id" property and │
│ │ │ │ the address prefix. This improves │
│ │ │ │ privacy by making it harder to use the │
│ │ │ │ address to track the host's presence │
│ │ │ │ as every prefix and network has a │
│ │ │ │ different identifier. Also, the │
│ │ │ │ address is stable when the network │
│ │ │ │ interface hardware is replaced. │
│ │ │ │ │
│ │ │ │ The special values "default" and │
│ │ │ │ "default-or-eui64" will fallback to │
│ │ │ │ the global connection default as │
│ │ │ │ documented in the │
│ │ │ │ NetworkManager.conf(5) manual. If the │
│ │ │ │ global default is not specified, the │
│ │ │ │ fallback value is "stable-privacy" or │
│ │ │ │ "eui64", respectively. │
│ │ │ │ │
│ │ │ │ For libnm, the property defaults to │
│ │ │ │ "default" since 1.40. Previously it │
│ │ │ │ used to default to "stable-privacy". │
│ │ │ │ On D-Bus, the absence of an │
│ │ │ │ addr-gen-mode setting equals │
│ │ │ │ "default". For keyfile plugin, the │
│ │ │ │ absence of the setting on disk means │
│ │ │ │ "default-or-eui64" so that the │
│ │ │ │ property doesn't change on upgrade │
│ │ │ │ from older versions. │
│ │ │ │ │
│ │ │ │ Note that this setting is distinct │
│ │ │ │ from the Privacy Extensions as │
│ │ │ │ configured by "ip6-privacy" property │
│ │ │ │ and it does not affect the temporary │
│ │ │ │ addresses configured with this option. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ address-data │ array of vardict │ │ Array of IPv6 addresses. Each address │
│ │ │ │ dictionary contains at least 'address' │
│ │ │ │ and 'prefix' entries, containing the │
│ │ │ │ IP address as a string, and the prefix │
│ │ │ │ length as a uint32. Additional │
│ │ │ │ attributes may also exist on some │
│ │ │ │ addresses. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ addresses │ array of legacy IPv6 address struct │ │ Deprecated in favor of the │
│ │ (a(ayuay)) │ │ 'address-data' and 'gateway' │
│ │ │ │ properties, but this can be used for │
│ │ │ │ backward-compatibility with older │
│ │ │ │ daemons. Note that if you send this │
│ │ │ │ property the daemon will ignore │
│ │ │ │ 'address-data' and 'gateway'. Array │
│ │ │ │ of IPv6 address structures. Each IPv6 │
│ │ │ │ address structure is composed of an │
│ │ │ │ IPv6 address, a prefix length (0 - │
│ │ │ │ 128), and an IPv6 gateway address. The │
│ │ │ │ gateway may be zeroed out if no │
│ │ │ │ gateway exists for that subnet. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ auto-route-ext-gw │ NMTernary (int32) │ │ VPN connections will default to add │
│ │ │ │ the route automatically unless this │
│ │ │ │ setting is set to FALSE. │
│ │ │ │ │
│ │ │ │ For other connection types, adding │
│ │ │ │ such an automatic route is currently │
│ │ │ │ not supported and setting this to TRUE │
│ │ │ │ has no effect. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dad-timeout │ int32 │ -1 │ Maximum timeout in milliseconds used │
│ │ │ │ to check for the presence of duplicate │
│ │ │ │ IP addresses on the network. If an │
│ │ │ │ address conflict is detected, the │
│ │ │ │ activation will fail. The property is │
│ │ │ │ currently implemented only for IPv4. │
│ │ │ │ │
│ │ │ │ A zero value means that no duplicate │
│ │ │ │ address detection is performed, -1 │
│ │ │ │ means the default value (either the │
│ │ │ │ value configured globally in │
│ │ │ │ NetworkManger.conf or 200ms). A value │
│ │ │ │ greater than zero is a timeout in │
│ │ │ │ milliseconds. Note that the time │
│ │ │ │ intervals are subject to randomization │
│ │ │ │ as per RFC 5227 and so the actual │
│ │ │ │ duration can be between half and the │
│ │ │ │ full time specified in this property. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dhcp-dscp │ string │ │ Specifies the value for the DSCP field │
│ │ │ │ (traffic class) of the IP header. When │
│ │ │ │ empty, the global default value is │
│ │ │ │ used; if no global default is │
│ │ │ │ specified, it is assumed to be "CS0". │
│ │ │ │ Allowed values are: "CS0", "CS4" and │
│ │ │ │ "CS6". │
│ │ │ │ │
│ │ │ │ The property is currently valid only │
│ │ │ │ for IPv4, and it is supported only by │
│ │ │ │ the "internal" DHCP plugin. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dhcp-duid │ string │ │ A string containing the DHCPv6 Unique │
│ │ │ │ Identifier (DUID) used by the dhcp │
│ │ │ │ client to identify itself to DHCPv6 │
│ │ │ │ servers (RFC 3315). The DUID is │
│ │ │ │ carried in the Client Identifier │
│ │ │ │ option. If the property is a hex │
│ │ │ │ string ('aa:bb:cc') it is interpreted │
│ │ │ │ as a binary DUID and filled as an │
│ │ │ │ opaque value in the Client Identifier │
│ │ │ │ option. │
│ │ │ │ │
│ │ │ │ The special value "lease" will │
│ │ │ │ retrieve the DUID previously used from │
│ │ │ │ the lease file belonging to the │
│ │ │ │ connection. If no DUID is found and │
│ │ │ │ "dhclient" is the configured dhcp │
│ │ │ │ client, the DUID is searched in the │
│ │ │ │ system-wide dhclient lease file. If │
│ │ │ │ still no DUID is found, or another │
│ │ │ │ dhcp client is used, a global and │
│ │ │ │ permanent DUID-UUID (RFC 6355) will be │
│ │ │ │ generated based on the machine-id. │
│ │ │ │ │
│ │ │ │ The special values "llt" and "ll" will │
│ │ │ │ generate a DUID of type LLT or LL (see │
│ │ │ │ RFC 3315) based on the current MAC │
│ │ │ │ address of the device. In order to try │
│ │ │ │ providing a stable DUID-LLT, the time │
│ │ │ │ field will contain a constant │
│ │ │ │ timestamp that is used globally (for │
│ │ │ │ all profiles) and persisted to disk. │
│ │ │ │ │
│ │ │ │ The special values "stable-llt", │
│ │ │ │ "stable-ll" and "stable-uuid" will │
│ │ │ │ generate a DUID of the corresponding │
│ │ │ │ type, derived from the connection's │
│ │ │ │ stable-id and a per-host unique key. │
│ │ │ │ You may want to include the │
│ │ │ │ "${DEVICE}" or "${MAC}" specifier in │
│ │ │ │ the stable-id, in case this profile │
│ │ │ │ gets activated on multiple devices. │
│ │ │ │ So, the link-layer address of │
│ │ │ │ "stable-ll" and "stable-llt" will be a │
│ │ │ │ generated address derived from the │
│ │ │ │ stable id. The DUID-LLT time value in │
│ │ │ │ the "stable-llt" option will be picked │
│ │ │ │ among a static timespan of three years │
│ │ │ │ (the upper bound of the interval is │
│ │ │ │ the same constant timestamp used in │
│ │ │ │ "llt"). │
│ │ │ │ │
│ │ │ │ When the property is unset, the global │
│ │ │ │ value provided for "ipv6.dhcp-duid" is │
│ │ │ │ used. If no global value is provided, │
│ │ │ │ the default "lease" value is assumed. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dhcp-hostname │ string │ │ If the "dhcp-send-hostname" property │
│ │ │ │ is TRUE, then the specified name will │
│ │ │ │ be sent to the DHCP server when │
│ │ │ │ acquiring a lease. This property and │
│ │ │ │ "dhcp-fqdn" are mutually exclusive and │
│ │ │ │ cannot be set at the same time. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dhcp-hostname-flags │ uint32 │ 0 │ Flags for the DHCP hostname and FQDN. │
│ │ │ │ │
│ │ │ │ Currently, this property only includes │
│ │ │ │ flags to control the FQDN flags set in │
│ │ │ │ the DHCP FQDN option. Supported FQDN │
│ │ │ │ flags are 0x1 (fqdn-serv-update), 0x2 │
│ │ │ │ (fqdn-encoded) and 0x4 │
│ │ │ │ (fqdn-no-update). When no FQDN flag │
│ │ │ │ is set and 0x8 (fqdn-clear-flags) is │
│ │ │ │ set, the DHCP FQDN option will contain │
│ │ │ │ no flag. Otherwise, if no FQDN flag is │
│ │ │ │ set and 0x8 (fqdn-clear-flags) is not │
│ │ │ │ set, the standard FQDN flags are set │
│ │ │ │ in the request: 0x1 │
│ │ │ │ (fqdn-serv-update), 0x2 (fqdn-encoded) │
│ │ │ │ for IPv4 and 0x1 (fqdn-serv-update) │
│ │ │ │ for IPv6. │
│ │ │ │ │
│ │ │ │ When this property is set to the │
│ │ │ │ default value 0x0 (none), a global │
│ │ │ │ default is looked up in NetworkManager │
│ │ │ │ configuration. If that value is unset │
│ │ │ │ or also 0x0 (none), then the standard │
│ │ │ │ FQDN flags described above are sent in │
│ │ │ │ the DHCP requests. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dhcp-iaid │ string │ │ A string containing the "Identity │
│ │ │ │ Association Identifier" (IAID) used by │
│ │ │ │ the DHCP client. The string can be a │
│ │ │ │ 32-bit number (either decimal, │
│ │ │ │ hexadecimal or as colon separated │
│ │ │ │ hexadecimal numbers). Alternatively it │
│ │ │ │ can be set to the special values │
│ │ │ │ "mac", "perm-mac", "ifname" or │
│ │ │ │ "stable". When set to "mac" (or │
│ │ │ │ "perm-mac"), the last 4 bytes of the │
│ │ │ │ current (or permanent) MAC address are │
│ │ │ │ used as IAID. When set to "ifname", │
│ │ │ │ the IAID is computed by hashing the │
│ │ │ │ interface name. The special value │
│ │ │ │ "stable" can be used to generate an │
│ │ │ │ IAID based on the stable-id (see │
│ │ │ │ connection.stable-id), a per-host key │
│ │ │ │ and the interface name. When the │
│ │ │ │ property is unset, the value from │
│ │ │ │ global configuration is used; if no │
│ │ │ │ global default is set then the IAID is │
│ │ │ │ assumed to be "ifname". │
│ │ │ │ │
│ │ │ │ For DHCPv4, the IAID is only used with │
│ │ │ │ "ipv4.dhcp-client-id" values "duid" │
│ │ │ │ and "ipv6-duid" to generate the │
│ │ │ │ client-id. │
│ │ │ │ │
│ │ │ │ For DHCPv6, note that at the moment │
│ │ │ │ this property is only supported by the │
│ │ │ │ "internal" DHCPv6 plugin. The │
│ │ │ │ "dhclient" DHCPv6 plugin always │
│ │ │ │ derives the IAID from the MAC address. │
│ │ │ │ │
│ │ │ │ The actually used DHCPv6 IAID for a │
│ │ │ │ currently activated interface is │
│ │ │ │ exposed in the lease information of │
│ │ │ │ the device. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dhcp-pd-hint │ string │ │ A IPv6 address followed by a slash and │
│ │ │ │ a prefix length. If set, the value is │
│ │ │ │ sent to the DHCPv6 server as hint │
│ │ │ │ indicating the prefix delegation │
│ │ │ │ (IA_PD) we want to receive. To only │
│ │ │ │ hint a prefix length without prefix, │
│ │ │ │ set the address part to the zero │
│ │ │ │ address (for example "::/60"). │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dhcp-reject-servers │ array of string │ │ Array of servers from which DHCP │
│ │ │ │ offers must be rejected. This property │
│ │ │ │ is useful to avoid getting a lease │
│ │ │ │ from misconfigured or rogue servers. │
│ │ │ │ │
│ │ │ │ For DHCPv4, each element must be an │
│ │ │ │ IPv4 address, optionally followed by a │
│ │ │ │ slash and a prefix length (e.g. │
│ │ │ │ "192.168.122.0/24"). │
│ │ │ │ │
│ │ │ │ This property is currently not │
│ │ │ │ implemented for DHCPv6. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dhcp-send-hostname │ boolean │ TRUE │ Since 1.52 this property is deprecated │
│ │ │ │ and is only used as fallback value for │
│ │ │ │ "dhcp-send-hostname-v2" if it's set to │
│ │ │ │ 'default'. This is only done to avoid │
│ │ │ │ breaking existing configurations, the │
│ │ │ │ new property should be used from now │
│ │ │ │ on. │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.52.use the new version of │
│ │ │ │ dhcp-send-hostname instead. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dhcp-send-hostname-v2 │ int32 │ -1 │ If TRUE, a hostname is sent to the │
│ │ │ │ DHCP server when acquiring a lease. │
│ │ │ │ Some DHCP servers use this hostname to │
│ │ │ │ update DNS databases, essentially │
│ │ │ │ providing a static hostname for the │
│ │ │ │ computer. If the "dhcp-hostname" │
│ │ │ │ property is NULL and this property is │
│ │ │ │ TRUE, the current persistent hostname │
│ │ │ │ of the computer is sent. │
│ │ │ │ │
│ │ │ │ The default value is -1 (default). In │
│ │ │ │ this case the global value from │
│ │ │ │ NetworkManager configuration is looked │
│ │ │ │ up. If it's not set, the value from │
│ │ │ │ "dhcp-send-hostname", which defaults │
│ │ │ │ to TRUE, is used for backwards │
│ │ │ │ compatibility. In the future this will │
│ │ │ │ change and, in absence of a global │
│ │ │ │ default, it will always fallback to │
│ │ │ │ TRUE. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dhcp-send-release │ NMTernary (int32) │ │ Whether the DHCP client will send │
│ │ │ │ RELEASE message when bringing the │
│ │ │ │ connection down. The default value is │
│ │ │ │ -1 (default). When the default value │
│ │ │ │ is specified, then the global value │
│ │ │ │ from NetworkManager configuration is │
│ │ │ │ looked up, if not set, it is │
│ │ │ │ considered as FALSE. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dhcp-timeout │ int32 │ 0 │ A timeout for a DHCP transaction in │
│ │ │ │ seconds. If zero (the default), a │
│ │ │ │ globally configured default is used. │
│ │ │ │ If still unspecified, a device │
│ │ │ │ specific timeout is used (usually 45 │
│ │ │ │ seconds). │
│ │ │ │ │
│ │ │ │ Set to 2147483647 (MAXINT32) for │
│ │ │ │ infinity. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dns │ array of byte array │ │ Array of IP addresses of DNS servers │
│ │ │ │ (in network byte order) │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dns-data │ array of strings │ │ Array of DNS name servers. This │
│ │ │ │ replaces the deprecated "dns" │
│ │ │ │ property. Each name server can also │
│ │ │ │ contain a DoT server name. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dns-options │ array of string │ │ Array of DNS options to be added to │
│ │ │ │ resolv.conf. │
│ │ │ │ │
│ │ │ │ NULL means that the options are unset │
│ │ │ │ and left at the default. In this case │
│ │ │ │ NetworkManager will use default │
│ │ │ │ options. This is distinct from an │
│ │ │ │ empty list of properties. │
│ │ │ │ │
│ │ │ │ The following options are directly │
│ │ │ │ added to resolv.conf: "attempts", │
│ │ │ │ "debug", "edns0", "inet6", │
│ │ │ │ "ip6-bytestring", "ip6-dotint", │
│ │ │ │ "ndots", "no-aaaa", "no-check-names", │
│ │ │ │ "no-ip6-dotint", "no-reload", │
│ │ │ │ "no-tld-query", "rotate", │
│ │ │ │ "single-request", │
│ │ │ │ "single-request-reopen", "timeout", │
│ │ │ │ "trust-ad", "use-vc". See the │
│ │ │ │ resolv.conf(5) man page for a detailed │
│ │ │ │ description of these options. │
│ │ │ │ │
│ │ │ │ In addition, NetworkManager supports │
│ │ │ │ the special options "_no-add-edns0" │
│ │ │ │ and "_no-add-trust-ad". They are not │
│ │ │ │ added to resolv.conf, and can be used │
│ │ │ │ to prevent the automatic addition of │
│ │ │ │ options "edns0" and "trust-ad" when │
│ │ │ │ using caching DNS plugins (see below). │
│ │ │ │ │
│ │ │ │ The "trust-ad" setting is only honored │
│ │ │ │ if the profile contributes name │
│ │ │ │ servers to resolv.conf, and if all │
│ │ │ │ contributing profiles have "trust-ad" │
│ │ │ │ enabled. │
│ │ │ │ │
│ │ │ │ When using a caching DNS plugin │
│ │ │ │ (dnsmasq or systemd-resolved in │
│ │ │ │ NetworkManager.conf) then "edns0" and │
│ │ │ │ "trust-ad" are automatically added, │
│ │ │ │ unless "_no-add-edns0" and │
│ │ │ │ "_no-add-trust-ad" are present. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dns-priority │ int32 │ 0 │ DNS servers priority. │
│ │ │ │ │
│ │ │ │ The relative priority for DNS servers │
│ │ │ │ specified by this setting. A lower │
│ │ │ │ numerical value is better (higher │
│ │ │ │ priority). │
│ │ │ │ │
│ │ │ │ Negative values have the special │
│ │ │ │ effect of excluding other │
│ │ │ │ configurations with a greater │
│ │ │ │ numerical priority value; so in │
│ │ │ │ presence of at least one negative │
│ │ │ │ priority, only DNS servers from │
│ │ │ │ connections with the lowest priority │
│ │ │ │ value will be used. To avoid all DNS │
│ │ │ │ leaks, set the priority of the profile │
│ │ │ │ that should be used to the most │
│ │ │ │ negative value of all active │
│ │ │ │ connections profiles. │
│ │ │ │ │
│ │ │ │ Zero selects a globally configured │
│ │ │ │ default value. If the latter is │
│ │ │ │ missing or zero too, it defaults to 50 │
│ │ │ │ for VPNs (including WireGuard) and 100 │
│ │ │ │ for other connections. │
│ │ │ │ │
│ │ │ │ Note that the priority is to order DNS │
│ │ │ │ settings for multiple active │
│ │ │ │ connections. It does not disambiguate │
│ │ │ │ multiple DNS servers within the same │
│ │ │ │ connection profile. │
│ │ │ │ │
│ │ │ │ When multiple devices have │
│ │ │ │ configurations with the same priority, │
│ │ │ │ VPNs will be considered first, then │
│ │ │ │ devices with the best (lowest metric) │
│ │ │ │ default route and then all other │
│ │ │ │ devices. │
│ │ │ │ │
│ │ │ │ When using dns=default, servers with │
│ │ │ │ higher priority will be on top of │
│ │ │ │ resolv.conf. To prioritize a given │
│ │ │ │ server over another one within the │
│ │ │ │ same connection, just specify them in │
│ │ │ │ the desired order. Note that commonly │
│ │ │ │ the resolver tries name servers in │
│ │ │ │ /etc/resolv.conf in the order listed, │
│ │ │ │ proceeding with the next server in the │
│ │ │ │ list on failure. See for example the │
│ │ │ │ "rotate" option of the dns-options │
│ │ │ │ setting. If there are any negative DNS │
│ │ │ │ priorities, then only name servers │
│ │ │ │ from the devices with that lowest │
│ │ │ │ priority will be considered. │
│ │ │ │ │
│ │ │ │ When using a DNS resolver that │
│ │ │ │ supports Conditional Forwarding or │
│ │ │ │ Split DNS (with dns=dnsmasq or │
│ │ │ │ dns=systemd-resolved settings), each │
│ │ │ │ connection is used to query domains in │
│ │ │ │ its search list. The search domains │
│ │ │ │ determine which name servers to ask, │
│ │ │ │ and the DNS priority is used to │
│ │ │ │ prioritize name servers based on the │
│ │ │ │ domain. Queries for domains not │
│ │ │ │ present in any search list are routed │
│ │ │ │ through connections having the '~.' │
│ │ │ │ special wildcard domain, which is │
│ │ │ │ added automatically to connections │
│ │ │ │ with the default route (or can be │
│ │ │ │ added manually). When multiple │
│ │ │ │ connections specify the same domain, │
│ │ │ │ the one with the best priority (lowest │
│ │ │ │ numerical value) wins. If a sub │
│ │ │ │ domain is configured on another │
│ │ │ │ interface it will be accepted │
│ │ │ │ regardless the priority, unless parent │
│ │ │ │ domain on the other interface has a │
│ │ │ │ negative priority, which causes the │
│ │ │ │ sub domain to be shadowed. With Split │
│ │ │ │ DNS one can avoid undesired DNS leaks │
│ │ │ │ by properly configuring DNS priorities │
│ │ │ │ and the search domains, so that only │
│ │ │ │ name servers of the desired interface │
│ │ │ │ are configured. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ dns-search │ array of string │ │ List of DNS search domains. Domains │
│ │ │ │ starting with a tilde ('~') are │
│ │ │ │ considered 'routing' domains and are │
│ │ │ │ used only to decide the interface over │
│ │ │ │ which a query must be forwarded; they │
│ │ │ │ are not used to complete unqualified │
│ │ │ │ host names. │
│ │ │ │ │
│ │ │ │ When using a DNS plugin that supports │
│ │ │ │ Conditional Forwarding or Split DNS, │
│ │ │ │ then the search domains specify which │
│ │ │ │ name servers to query. This makes the │
│ │ │ │ behavior different from running with │
│ │ │ │ plain /etc/resolv.conf. For more │
│ │ │ │ information see also the dns-priority │
│ │ │ │ setting. │
│ │ │ │ │
│ │ │ │ When set on a profile that also │
│ │ │ │ enabled DHCP, the DNS search list │
│ │ │ │ received automatically (option 119 for │
│ │ │ │ DHCPv4 and option 24 for DHCPv6) gets │
│ │ │ │ merged with the manual list. This can │
│ │ │ │ be prevented by setting │
│ │ │ │ "ignore-auto-dns". Note that if no DNS │
│ │ │ │ searches are configured, the fallback │
│ │ │ │ will be derived from the domain from │
│ │ │ │ DHCP (option 15). │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ gateway │ string │ │ The gateway associated with this │
│ │ │ │ configuration. This is only meaningful │
│ │ │ │ if "addresses" is also set. │
│ │ │ │ │
│ │ │ │ Setting the gateway causes │
│ │ │ │ NetworkManager to configure a standard │
│ │ │ │ default route with the gateway as next │
│ │ │ │ hop. This is ignored if │
│ │ │ │ "never-default" is set. An alternative │
│ │ │ │ is to configure the default route │
│ │ │ │ explicitly with a manual route and /0 │
│ │ │ │ as prefix length. │
│ │ │ │ │
│ │ │ │ Note that the gateway usually │
│ │ │ │ conflicts with routing that │
│ │ │ │ NetworkManager configures for │
│ │ │ │ WireGuard interfaces, so usually it │
│ │ │ │ should not be set in that case. See │
│ │ │ │ "ip4-auto-default-route". │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ ignore-auto-dns │ boolean │ FALSE │ When "method" is set to "auto" and │
│ │ │ │ this property to TRUE, automatically │
│ │ │ │ configured name servers and search │
│ │ │ │ domains are ignored and only name │
│ │ │ │ servers and search domains specified │
│ │ │ │ in the "dns" and "dns-search" │
│ │ │ │ properties, if any, are used. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ ignore-auto-routes │ boolean │ FALSE │ When "method" is set to "auto" and │
│ │ │ │ this property to TRUE, automatically │
│ │ │ │ configured routes are ignored and only │
│ │ │ │ routes specified in the "routes" │
│ │ │ │ property, if any, are used. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ ip6-privacy │ NMSettingIP6ConfigPrivacy (int32) │ │ Configure IPv6 Privacy Extensions for │
│ │ │ │ SLAAC, described in RFC4941. If │
│ │ │ │ enabled, it makes the kernel generate │
│ │ │ │ a temporary IPv6 address in addition │
│ │ │ │ to the public one generated from MAC │
│ │ │ │ address via modified EUI-64. This │
│ │ │ │ enhances privacy, but could cause │
│ │ │ │ problems in some applications, on the │
│ │ │ │ other hand. The permitted values are: │
│ │ │ │ -1: unknown, 0: disabled, 1: enabled │
│ │ │ │ (prefer public address), 2: enabled │
│ │ │ │ (prefer temporary addresses). │
│ │ │ │ │
│ │ │ │ Having a per-connection setting set to │
│ │ │ │ "-1" (default) means fallback to │
│ │ │ │ global configuration │
│ │ │ │ "ipv6.ip6-privacy". If it's also │
│ │ │ │ unspecified or set to "-1", fallback │
│ │ │ │ to read │
│ │ │ │ "/proc/sys/net/ipv6/conf/default/use_tempaddr". │
│ │ │ │ │
│ │ │ │ Note that this setting is distinct │
│ │ │ │ from the Stable Privacy addresses that │
│ │ │ │ can be enabled with the │
│ │ │ │ "addr-gen-mode" property's │
│ │ │ │ "stable-privacy" setting as another │
│ │ │ │ way of avoiding host tracking with │
│ │ │ │ IPv6 addresses. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ may-fail │ boolean │ TRUE │ If TRUE, allow overall network configuration to │
│ │ │ │ proceed even if the configuration specified by │
│ │ │ │ this property times out. Note that at least │
│ │ │ │ one IP configuration must succeed or overall │
│ │ │ │ network configuration will still fail. For │
│ │ │ │ example, in IPv6-only networks, setting this │
│ │ │ │ property to TRUE on the NMSettingIP4Config │
│ │ │ │ allows the overall network configuration to │
│ │ │ │ succeed if IPv4 configuration fails but IPv6 │
│ │ │ │ configuration completes successfully. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ method │ string │ │ IP configuration method. │
│ │ │ │ │
│ │ │ │ NMSettingIP4Config and NMSettingIP6Config both │
│ │ │ │ support "disabled", "auto", "manual", and │
│ │ │ │ "link-local". See the subclass-specific │
│ │ │ │ documentation for other values. │
│ │ │ │ │
│ │ │ │ In general, for the "auto" method, properties │
│ │ │ │ such as "dns" and "routes" specify information │
│ │ │ │ that is added on to the information returned │
│ │ │ │ from automatic configuration. The │
│ │ │ │ "ignore-auto-routes" and "ignore-auto-dns" │
│ │ │ │ properties modify this behavior. │
│ │ │ │ │
│ │ │ │ For methods that imply no upstream network, │
│ │ │ │ such as "shared" or "link-local", these │
│ │ │ │ properties must be empty. │
│ │ │ │ │
│ │ │ │ For IPv4 method "shared", the IP subnet can be │
│ │ │ │ configured by adding one manual IPv4 address or │
│ │ │ │ otherwise 10.42.x.0/24 is chosen. Note that the │
│ │ │ │ shared method must be configured on the │
│ │ │ │ interface which shares the internet to a │
│ │ │ │ subnet, not on the uplink which is shared. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ mtu │ uint32 │ 0 │ Maximum transmission unit size, in bytes. If │
│ │ │ │ zero (the default), the MTU is set │
│ │ │ │ automatically from router advertisements or is │
│ │ │ │ left equal to the link-layer MTU. If greater │
│ │ │ │ than the link-layer MTU, or greater than zero │
│ │ │ │ but less than the minimum IPv6 MTU of 1280, │
│ │ │ │ this value has no effect. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ never-default │ boolean │ FALSE │ If TRUE, this connection will never be the │
│ │ │ │ default connection for this IP type, meaning it │
│ │ │ │ will never be assigned the default route by │
│ │ │ │ NetworkManager. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ ra-timeout │ int32 │ 0 │ A timeout for waiting Router Advertisements in │
│ │ │ │ seconds. If zero (the default), a globally │
│ │ │ │ configured default is used. If still │
│ │ │ │ unspecified, the timeout depends on the sysctl │
│ │ │ │ settings of the device. │
│ │ │ │ │
│ │ │ │ Set to 2147483647 (MAXINT32) for infinity. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ replace-local-rule │ NMTernary (int32) │ │ Connections will default to keep the │
│ │ │ │ autogenerated priority 0 local rule unless this │
│ │ │ │ setting is set to TRUE. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ required-timeout │ int32 │ -1 │ The minimum time interval in milliseconds for │
│ │ │ │ which dynamic IP configuration should be tried │
│ │ │ │ before the connection succeeds. │
│ │ │ │ │
│ │ │ │ This property is useful for example if both │
│ │ │ │ IPv4 and IPv6 are enabled and are allowed to │
│ │ │ │ fail. Normally the connection succeeds as soon │
│ │ │ │ as one of the two address families completes; │
│ │ │ │ by setting a required timeout for e.g. IPv4, │
│ │ │ │ one can ensure that even if IP6 succeeds │
│ │ │ │ earlier than IPv4, NetworkManager waits some │
│ │ │ │ time for IPv4 before the connection becomes │
│ │ │ │ active. │
│ │ │ │ │
│ │ │ │ Note that if "may-fail" is FALSE for the same │
│ │ │ │ address family, this property has no effect as │
│ │ │ │ NetworkManager needs to wait for the full DHCP │
│ │ │ │ timeout. │
│ │ │ │ │
│ │ │ │ A zero value means that no required timeout is │
│ │ │ │ present, -1 means the default value (either │
│ │ │ │ configuration ipvx.required-timeout override or │
│ │ │ │ zero). │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ route-data │ array of vardict │ │ Array of IPv6 routes. Each route dictionary │
│ │ │ │ contains at least 'dest' and 'prefix' entries, │
│ │ │ │ containing the destination IP address as a │
│ │ │ │ string, and the prefix length as a uint32. Most │
│ │ │ │ routes will also have a 'next-hop' entry, │
│ │ │ │ containing the next hop IP address as a string. │
│ │ │ │ If the route has a 'metric' entry (containing a │
│ │ │ │ uint32), that will be used as the metric for │
│ │ │ │ the route (otherwise NM will pick a default │
│ │ │ │ value appropriate to the device). Additional │
│ │ │ │ attributes may also exist on some routes. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ route-metric │ int64 │ -1 │ The default metric for routes that don't │
│ │ │ │ explicitly specify a metric. The default value │
│ │ │ │ -1 means that the metric is chosen │
│ │ │ │ automatically based on the device type. The │
│ │ │ │ metric applies to dynamic routes, manual │
│ │ │ │ (static) routes that don't have an explicit │
│ │ │ │ metric setting, address prefix routes, and the │
│ │ │ │ default route. Note that for IPv6, the kernel │
│ │ │ │ accepts zero (0) but coerces it to 1024 (user │
│ │ │ │ default). Hence, setting this property to zero │
│ │ │ │ effectively mean setting it to 1024. For IPv4, │
│ │ │ │ zero is a regular value for the metric. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ route-table │ uint32 │ 0 │ Enable policy routing (source routing) and set │
│ │ │ │ the routing table used when adding routes. │
│ │ │ │ │
│ │ │ │ This affects all routes, including │
│ │ │ │ device-routes, IPv4LL, DHCP, SLAAC, │
│ │ │ │ default-routes and static routes. But note that │
│ │ │ │ static routes can individually overwrite the │
│ │ │ │ setting by explicitly specifying a non-zero │
│ │ │ │ routing table. │
│ │ │ │ │
│ │ │ │ If the table setting is left at zero, it is │
│ │ │ │ eligible to be overwritten via global │
│ │ │ │ configuration. If the property is zero even │
│ │ │ │ after applying the global configuration value, │
│ │ │ │ policy routing is disabled for the address │
│ │ │ │ family of this connection. │
│ │ │ │ │
│ │ │ │ Policy routing disabled means that │
│ │ │ │ NetworkManager will add all routes to the main │
│ │ │ │ table (except static routes that explicitly │
│ │ │ │ configure a different table). Additionally, │
│ │ │ │ NetworkManager will not delete any extraneous │
│ │ │ │ routes from tables except the main table. This │
│ │ │ │ is to preserve backward compatibility for users │
│ │ │ │ who manage routing tables outside of │
│ │ │ │ NetworkManager. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ routed-dns │ int32 │ -1 │ Whether to add routes for DNS servers. When │
│ │ │ │ enabled, NetworkManager adds a route for each │
│ │ │ │ DNS server that is associated with this │
│ │ │ │ connection either statically (defined in the │
│ │ │ │ connection profile) or dynamically (for │
│ │ │ │ example, retrieved via DHCP). The route │
│ │ │ │ guarantees that the DNS server is reached via │
│ │ │ │ this interface. When set to -1 (default), the │
│ │ │ │ value from global configuration is used; if no │
│ │ │ │ global default is defined, this feature is │
│ │ │ │ disabled. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ routes │ array of legacy IPv6 route struct │ │ Deprecated in favor of the 'route-data' │
│ │ (a(ayuayu)) │ │ property, but this can be used for │
│ │ │ │ backward-compatibility with older daemons. Note │
│ │ │ │ that if you send this property the daemon will │
│ │ │ │ ignore 'route-data'. Array of IPv6 route │
│ │ │ │ structures. Each IPv6 route structure is │
│ │ │ │ composed of an IPv6 address, a prefix length (0 │
│ │ │ │ - 128), an IPv6 next hop address (which may be │
│ │ │ │ zeroed out if there is no next hop), and a │
│ │ │ │ metric. If the metric is 0, NM will choose an │
│ │ │ │ appropriate default metric for the device. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ routing-rules │ array of 'a{sv}' │ │ Array of dictionaries for routing rules. Each │
│ │ │ │ routing rule supports the following options: │
│ │ │ │ action (y), dport-end (q), dport-start (q), │
│ │ │ │ family (i), from (s), from-len (y), fwmark (u), │
│ │ │ │ fwmask (u), iifname (s), invert (b), ipproto │
│ │ │ │ (s), oifname (s), priority (u), sport-end (q), │
│ │ │ │ sport-start (q), supress-prefixlength (i), │
│ │ │ │ table (u), to (s), tos (y), to-len (y), │
│ │ │ │ range-end (u), range-start (u). │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ shared-dhcp-lease-time │ int32 │ 0 │ This option allows you to specify a custom DHCP │
│ │ │ │ lease time for the shared connection method in │
│ │ │ │ seconds. The value should be either a number │
│ │ │ │ between 120 and 31536000 (one year) If this │
│ │ │ │ option is not specified, 3600 (one hour) is │
│ │ │ │ used. │
│ │ │ │ │
│ │ │ │ Special values are 0 for default value of 1 │
│ │ │ │ hour and 2147483647 (MAXINT32) for infinite │
│ │ │ │ lease time. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ shared-dhcp-range │ string │ │ This option allows you to specify a custom DHCP │
│ │ │ │ range for the shared connection method. The │
│ │ │ │ value is expected to be in │
│ │ │ │ `<START_ADDRESS>,<END_ADDRESS>` format. The │
│ │ │ │ range should be part of network set by │
│ │ │ │ ipv4.address option and it should not contain │
│ │ │ │ network address or broadcast address. If this │
│ │ │ │ option is not specified, the DHCP range will be │
│ │ │ │ automatically determined based on the interface │
│ │ │ │ address. The range will be selected to be │
│ │ │ │ adjacent to the interface address, either │
│ │ │ │ before or after it, with the larger possible │
│ │ │ │ range being preferred. The range will be │
│ │ │ │ adjusted to fill the available address space, │
│ │ │ │ except for networks with a prefix length │
│ │ │ │ greater than 24, which will be treated as if │
│ │ │ │ they have a prefix length of 24. │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ temp-preferred-lifetime │ int32 │ 0 │ The preferred lifetime of autogenerated │
│ │ │ │ temporary addresses, in seconds. │
│ │ │ │ │
│ │ │ │ Having a per-connection setting set to "0" │
│ │ │ │ (default) means fallback to global │
│ │ │ │ configuration "ipv6.temp-preferred-lifetime" │
│ │ │ │ setting". If it's also unspecified or set to │
│ │ │ │ "0", fallback to read │
│ │ │ │ "/proc/sys/net/ipv6/conf/default/temp_prefered_lft". │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ temp-valid-lifetime │ int32 │ 0 │ The valid lifetime of autogenerated temporary │
│ │ │ │ addresses, in seconds. │
│ │ │ │ │
│ │ │ │ Having a per-connection setting set to "0" (default) │
│ │ │ │ means fallback to global configuration │
│ │ │ │ "ipv6.temp-valid-lifetime" setting". If it's also │
│ │ │ │ unspecified or set to "0", fallback to read │
│ │ │ │ "/proc/sys/net/ipv6/conf/default/temp_valid_lft". │
├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ token │ string │ │ Configure the token for │
│ │ │ │ draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 │
│ │ │ │ tokenized interface identifiers. Useful with eui64 │
│ │ │ │ addr-gen-mode. │
│ │ │ │ │
│ │ │ │ When set, the token is used as IPv6 interface │
│ │ │ │ identifier instead of the hardware address. This │
│ │ │ │ only applies to addresses from stateless │
│ │ │ │ autoconfiguration, not to IPv6 link local addresses. │
└─────────────────────────┴─────────────────────────────────────┴───────────────┴──────────────────────────────────────────────────────┘ip-tunnel setting
IP Tunneling Settings.
┌─────────────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ encapsulation-limit │ uint32 │ 0 │ How many additional levels of │
│ │ │ │ encapsulation are permitted to be │
│ │ │ │ prepended to packets. This property │
│ │ │ │ applies only to IPv6 tunnels. To │
│ │ │ │ disable this option, add 0x1 │
│ │ │ │ (ip6-ign-encap-limit) to ip-tunnel │
│ │ │ │ flags. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ flags │ uint32 │ 0 │ Tunnel flags. Currently, the following │
│ │ │ │ values are supported: 0x1 │
│ │ │ │ (ip6-ign-encap-limit), 0x2 │
│ │ │ │ (ip6-use-orig-tclass), 0x4 │
│ │ │ │ (ip6-use-orig-flowlabel), 0x8 │
│ │ │ │ (ip6-mip6-dev), 0x10 │
│ │ │ │ (ip6-rcv-dscp-copy), 0x20 │
│ │ │ │ (ip6-use-orig-fwmark). They are valid │
│ │ │ │ only for IPv6 tunnels. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ flow-label │ uint32 │ 0 │ The flow label to assign to tunnel │
│ │ │ │ packets. This property applies only to │
│ │ │ │ IPv6 tunnels. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ fwmark │ uint32 │ 0 │ The fwmark value to assign to tunnel │
│ │ │ │ packets. This property can be set to a │
│ │ │ │ non zero value only on VTI and VTI6 │
│ │ │ │ tunnels. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ input-key │ string │ │ The key used for tunnel input packets; │
│ │ │ │ the property is valid only for certain │
│ │ │ │ tunnel modes (GRE, IP6GRE). If empty, │
│ │ │ │ no key is used. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ local │ string │ │ The local endpoint of the tunnel; the │
│ │ │ │ value can be empty, otherwise it must │
│ │ │ │ contain an IPv4 or IPv6 address. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mode │ uint32 │ 0 │ The tunneling mode. Valid values: 1 │
│ │ │ │ (ipip), 2 (gre), 3 (sit), 4 (isatap), │
│ │ │ │ 5 (vti), 6 (ip6ip6), 7 (ipip6), 8 │
│ │ │ │ (ip6gre), 9 (vti6), 10 (gretap) and 11 │
│ │ │ │ (ip6gretap) │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mtu │ uint32 │ 0 │ If non-zero, only transmit packets of │
│ │ │ │ the specified size or smaller, │
│ │ │ │ breaking larger packets up into │
│ │ │ │ multiple fragments. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ output-key │ string │ │ The key used for tunnel output │
│ │ │ │ packets; the property is valid only │
│ │ │ │ for certain tunnel modes (GRE, │
│ │ │ │ IP6GRE). If empty, no key is used. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ parent │ string │ │ If given, specifies the parent │
│ │ │ │ interface name or parent connection │
│ │ │ │ UUID the new device will be bound to │
│ │ │ │ so that tunneled packets will only be │
│ │ │ │ routed via that interface. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ path-mtu-discovery │ boolean │ TRUE │ Whether to enable Path MTU Discovery │
│ │ │ │ on this tunnel. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ remote │ string │ │ The remote endpoint of the tunnel; the │
│ │ │ │ value must contain an IPv4 or IPv6 │
│ │ │ │ address. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ tos │ uint32 │ 0 │ The type of service (IPv4) or traffic │
│ │ │ │ class (IPv6) field to be set on │
│ │ │ │ tunneled packets. │
├─────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ ttl │ uint32 │ 0 │ The TTL to assign to tunneled packets. │
│ │ │ │ 0 is a special value meaning that │
│ │ │ │ packets inherit the TTL value. │
└─────────────────────┴────────────┴───────────────┴────────────────────────────────────────┘ipvlan setting
IPVLAN Settings.
┌──────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mode │ uint32 │ 0 │ The IPVLAN mode. Valid values: 1 (l2), │
│ │ │ │ 2 (l3) and 3 (l3s). │
├──────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ parent │ string │ │ If given, specifies the parent │
│ │ │ │ interface name or parent connection │
│ │ │ │ UUID from which this IPVLAN interface │
│ │ │ │ should be created. If this property is │
│ │ │ │ not specified, the connection must │
│ │ │ │ contain an "802-3-ethernet" setting │
│ │ │ │ with a "mac-address" property. │
├──────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ private │ boolean │ FALSE │ Whether the interface should be put in │
│ │ │ │ private mode. │
├──────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ vepa │ boolean │ FALSE │ Whether the interface should be put in │
│ │ │ │ VEPA mode. │
└──────────┴────────────┴───────────────┴────────────────────────────────────────┘macsec setting
MACSec Settings.
┌───────────────┬───────────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├───────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ encrypt │ boolean │ TRUE │ Whether the transmitted traffic must │
│ │ │ │ be encrypted. │
├───────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mka-cak │ string │ │ The pre-shared CAK (Connectivity │
│ │ │ │ Association Key) for MACsec Key │
│ │ │ │ Agreement. Must be a string of 32 │
│ │ │ │ hexadecimal characters. │
├───────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mka-cak-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "mka-cak" property. │
├───────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mka-ckn │ string │ │ The pre-shared CKN │
│ │ │ │ (Connectivity-association Key Name) │
│ │ │ │ for MACsec Key Agreement. Must be a │
│ │ │ │ string of hexadecimal characters with │
│ │ │ │ a even length between 2 and 64. │
├───────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mode │ int32 │ 0 │ Specifies how the CAK (Connectivity │
│ │ │ │ Association Key) for MKA (MACsec Key │
│ │ │ │ Agreement) is obtained. │
├───────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ offload │ int32 │ -1 │ Specifies the MACsec offload mode. │
│ │ │ │ │
│ │ │ │ 0 (off) disables MACsec offload. │
│ │ │ │ │
│ │ │ │ 1 (phy) and 2 (mac) request offload │
│ │ │ │ respectively to the PHY or to the MAC; │
│ │ │ │ if the selected mode is not available, │
│ │ │ │ the connection will fail. │
│ │ │ │ │
│ │ │ │ -1 (default) uses the global default │
│ │ │ │ value specified in NetworkManager │
│ │ │ │ configuration; if no global default is │
│ │ │ │ defined, the built-in default is 0 │
│ │ │ │ (off). │
├───────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ parent │ string │ │ If given, specifies the parent │
│ │ │ │ interface name or parent connection │
│ │ │ │ UUID from which this MACSEC interface │
│ │ │ │ should be created. If this property │
│ │ │ │ is not specified, the connection must │
│ │ │ │ contain an "802-3-ethernet" setting │
│ │ │ │ with a "mac-address" property. │
├───────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ port │ int32 │ 1 │ The port component of the SCI (Secure │
│ │ │ │ Channel Identifier), between 1 and │
│ │ │ │ 65534. │
├───────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ send-sci │ boolean │ TRUE │ Specifies whether the SCI (Secure │
│ │ │ │ Channel Identifier) is included in │
│ │ │ │ every packet. │
├───────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ validation │ int32 │ 2 │ Specifies the validation mode for │
│ │ │ │ incoming frames. │
└───────────────┴───────────────────────────────┴───────────────┴────────────────────────────────────────┘macvlan setting
MAC VLAN Settings.
┌─────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├─────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mode │ uint32 │ 0 │ The macvlan mode, which specifies the │
│ │ │ │ communication mechanism between │
│ │ │ │ multiple macvlans on the same lower │
│ │ │ │ device. │
├─────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ parent │ string │ │ If given, specifies the parent │
│ │ │ │ interface name or parent connection │
│ │ │ │ UUID from which this MAC-VLAN │
│ │ │ │ interface should be created. If this │
│ │ │ │ property is not specified, the │
│ │ │ │ connection must contain an │
│ │ │ │ "802-3-ethernet" setting with a │
│ │ │ │ "mac-address" property. │
├─────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ promiscuous │ boolean │ TRUE │ Whether the parent interface should be │
│ │ │ │ put in promiscuous mode (true by │
│ │ │ │ default). │
├─────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ tap │ boolean │ FALSE │ Whether the interface should be a │
│ │ │ │ MACVTAP. │
└─────────────┴────────────┴───────────────┴────────────────────────────────────────┘match setting
Match settings.
┌─────────────────────┬─────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├─────────────────────┼─────────────────┼───────────────┼────────────────────────────────────────┤
│ driver │ array of string │ │ A list of driver names to match. Each │
│ │ │ │ element is a shell wildcard pattern. │
│ │ │ │ │
│ │ │ │ See NMSettingMatch:interface-name for │
│ │ │ │ how special characters '|', '&', '!' │
│ │ │ │ and '\\' are used for optional and │
│ │ │ │ mandatory matches and inverting the │
│ │ │ │ pattern. │
├─────────────────────┼─────────────────┼───────────────┼────────────────────────────────────────┤
│ interface-name │ array of string │ │ A list of interface names to match. │
│ │ │ │ Each element is a shell wildcard │
│ │ │ │ pattern. │
│ │ │ │ │
│ │ │ │ An element can be prefixed with a pipe │
│ │ │ │ symbol (|) or an ampersand (&). The │
│ │ │ │ former means that the element is │
│ │ │ │ optional and the latter means that it │
│ │ │ │ is mandatory. If there are any │
│ │ │ │ optional elements, than the match │
│ │ │ │ evaluates to true if at least one of │
│ │ │ │ the optional element matches (logical │
│ │ │ │ OR). If there are any mandatory │
│ │ │ │ elements, then they all must match │
│ │ │ │ (logical AND). By default, an element │
│ │ │ │ is optional. This means that an │
│ │ │ │ element "foo" behaves the same as │
│ │ │ │ "|foo". An element can also be │
│ │ │ │ inverted with exclamation mark (!) │
│ │ │ │ between the pipe symbol (or the │
│ │ │ │ ampersand) and before the pattern. │
│ │ │ │ Note that "!foo" is a shortcut for the │
│ │ │ │ mandatory match "&!foo". Finally, a │
│ │ │ │ backslash can be used at the beginning │
│ │ │ │ of the element (after the optional │
│ │ │ │ special characters) to escape the │
│ │ │ │ start of the pattern. For example, │
│ │ │ │ "&\\!a" is an mandatory match for │
│ │ │ │ literally "!a". │
├─────────────────────┼─────────────────┼───────────────┼────────────────────────────────────────┤
│ kernel-command-line │ array of string │ │ A list of kernel command line │
│ │ │ │ arguments to match. This may be used │
│ │ │ │ to check whether a specific kernel │
│ │ │ │ command line option is set (or unset, │
│ │ │ │ if prefixed with the exclamation │
│ │ │ │ mark). The argument must either be a │
│ │ │ │ single word, or an assignment (i.e. │
│ │ │ │ two words, joined by "="). In the │
│ │ │ │ former case the kernel command line is │
│ │ │ │ searched for the word appearing as is, │
│ │ │ │ or as left hand side of an assignment. │
│ │ │ │ In the latter case, the exact │
│ │ │ │ assignment is looked for with right │
│ │ │ │ and left hand side matching. Wildcard │
│ │ │ │ patterns are not supported. │
│ │ │ │ │
│ │ │ │ See NMSettingMatch:interface-name for │
│ │ │ │ how special characters '|', '&', '!' │
│ │ │ │ and '\\' are used for optional and │
│ │ │ │ mandatory matches and inverting the │
│ │ │ │ match. │
├─────────────────────┼─────────────────┼───────────────┼────────────────────────────────────────┤
│ path │ array of string │ │ A list of paths to match against the │
│ │ │ │ ID_PATH udev property of devices. │
│ │ │ │ ID_PATH represents the topological │
│ │ │ │ persistent path of a device. It │
│ │ │ │ typically contains a subsystem string │
│ │ │ │ (pci, usb, platform, etc.) and a │
│ │ │ │ subsystem-specific identifier. │
│ │ │ │ │
│ │ │ │ For PCI devices the path has the form │
│ │ │ │ "pci-$domain:$bus:$device.$function", │
│ │ │ │ where each variable is an hexadecimal │
│ │ │ │ value; for example "pci-0000:0a:00.0". │
│ │ │ │ │
│ │ │ │ The path of a device can be obtained │
│ │ │ │ with "udevadm info /sys/class/net/$dev │
│ │ │ │ | grep ID_PATH=" or by looking at the │
│ │ │ │ "path" property exported by │
│ │ │ │ NetworkManager ("nmcli -f general.path │
│ │ │ │ device show $dev"). │
│ │ │ │ │
│ │ │ │ Each element of the list is a shell │
│ │ │ │ wildcard pattern. │
│ │ │ │ │
│ │ │ │ See NMSettingMatch:interface-name for │
│ │ │ │ how special characters '|', '&', '!' │
│ │ │ │ and '\\' are used for optional and │
│ │ │ │ mandatory matches and inverting the │
│ │ │ │ pattern. │
└─────────────────────┴─────────────────┴───────────────┴────────────────────────────────────────┘802-11-olpc-mesh setting
OLPC Wireless Mesh Settings.
┌──────────────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ channel │ uint32 │ 0 │ Channel on which the mesh network to │
│ │ │ │ join is located. │
├──────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ dhcp-anycast-address │ byte array │ │ Anycast DHCP MAC address used when │
│ │ │ │ requesting an IP address via DHCP. The │
│ │ │ │ specific anycast address used │
│ │ │ │ determines which DHCP server class │
│ │ │ │ answers the request. │
│ │ │ │ │
│ │ │ │ This is currently only implemented by │
│ │ │ │ dhclient DHCP plugin. │
├──────────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ ssid │ byte array │ │ SSID of the mesh network to join. │
└──────────────────────┴────────────┴───────────────┴────────────────────────────────────────┘ovs-bridge setting
OvsBridge Link Settings.
┌───────────────────────┬────────────┬───────────────┬───────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├───────────────────────┼────────────┼───────────────┼───────────────────────────────────────┤
│ datapath-type │ string │ │ The data path type. One of "system", │
│ │ │ │ "netdev" or empty. │
├───────────────────────┼────────────┼───────────────┼───────────────────────────────────────┤
│ fail-mode │ string │ │ The bridge failure mode. One of │
│ │ │ │ "secure", "standalone" or empty. │
├───────────────────────┼────────────┼───────────────┼───────────────────────────────────────┤
│ mcast-snooping-enable │ boolean │ FALSE │ Enable or disable multicast snooping. │
├───────────────────────┼────────────┼───────────────┼───────────────────────────────────────┤
│ rstp-enable │ boolean │ FALSE │ Enable or disable RSTP. │
├───────────────────────┼────────────┼───────────────┼───────────────────────────────────────┤
│ stp-enable │ boolean │ FALSE │ Enable or disable STP. │
└───────────────────────┴────────────┴───────────────┴───────────────────────────────────────┘ovs-dpdk setting
OvsDpdk Link Settings.
┌────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ devargs │ string │ │ Open vSwitch DPDK device arguments. │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ n-rxq │ uint32 │ 0 │ Open vSwitch DPDK number of rx queues. │
│ │ │ │ Defaults to zero which means to leave │
│ │ │ │ the parameter in OVS unspecified and │
│ │ │ │ effectively configures one queue. │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ n-rxq-desc │ uint32 │ 0 │ The rx queue size (number of rx │
│ │ │ │ descriptors) for DPDK ports. Must be │
│ │ │ │ zero or a power of 2 between 1 and │
│ │ │ │ 4096, and supported by the hardware. │
│ │ │ │ Defaults to zero which means to leave │
│ │ │ │ the parameter in OVS unspecified and │
│ │ │ │ effectively configures 2048 │
│ │ │ │ descriptors. │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ n-txq-desc │ uint32 │ 0 │ The tx queue size (number of tx │
│ │ │ │ descriptors) for DPDK ports. Must be │
│ │ │ │ zero or a power of 2 between 1 and │
│ │ │ │ 4096, and supported by the hardware. │
│ │ │ │ Defaults to zero which means to leave │
│ │ │ │ the parameter in OVS unspecified and │
│ │ │ │ effectively configures 2048 │
│ │ │ │ descriptors. │
└────────────┴────────────┴───────────────┴────────────────────────────────────────┘ovs-interface setting
Open vSwitch Interface Settings.
┌────────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ ofport-request │ uint32 │ 0 │ Open vSwitch openflow port number. │
│ │ │ │ Defaults to zero which means that port │
│ │ │ │ number will not be specified and it │
│ │ │ │ will be chosen randomly by ovs. │
│ │ │ │ OpenFlow ports are the network │
│ │ │ │ interfaces for passing packets between │
│ │ │ │ OpenFlow processing and the rest of │
│ │ │ │ the network. OpenFlow switches connect │
│ │ │ │ logically to each other via their │
│ │ │ │ OpenFlow ports. │
├────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ type │ string │ │ The interface type. Either "internal", │
│ │ │ │ "system", "patch", "dpdk", or empty. │
└────────────────┴────────────┴───────────────┴────────────────────────────────────────┘ovs-patch setting
OvsPatch Link Settings.
┌──────────┬────────────┬───────────────┬───────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼────────────┼───────────────┼───────────────────────────────────────┤
│ peer │ string │ │ Specifies the name of the interface │
│ │ │ │ for the other side of the patch. The │
│ │ │ │ patch on the other side must also set │
│ │ │ │ this interface as peer. │
└──────────┴────────────┴───────────────┴───────────────────────────────────────┘ovs-port setting
OvsPort Link Settings.
┌────────────────┬──────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ bond-downdelay │ uint32 │ 0 │ The time port must be inactive in │
│ │ │ │ order to be considered down. │
├────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ bond-mode │ string │ │ Bonding mode. One of "active-backup", │
│ │ │ │ "balance-slb", or "balance-tcp". │
├────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ bond-updelay │ uint32 │ 0 │ The time port must be active before it │
│ │ │ │ starts forwarding traffic. │
├────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ lacp │ string │ │ LACP mode. One of "active", "off", or │
│ │ │ │ "passive". │
├────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ tag │ uint32 │ 0 │ The VLAN tag in the range 0-4095. │
├────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ trunks │ array of vardict │ │ A list of VLAN ranges that this port │
│ │ │ │ trunks. │
│ │ │ │ │
│ │ │ │ The property is valid only for ports │
│ │ │ │ with mode "trunk", "native-tagged", or │
│ │ │ │ "native-untagged port". If it is │
│ │ │ │ empty, the port trunks all VLANs. │
├────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ vlan-mode │ string │ │ The VLAN mode. One of "access", │
│ │ │ │ "native-tagged", "native-untagged", │
│ │ │ │ "trunk", "dot1q-tunnel" or unset. │
└────────────────┴──────────────────┴───────────────┴────────────────────────────────────────┘ppp setting
Point-to-Point Protocol Settings.
┌───────────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ baud │ uint32 │ 0 │ If non-zero, instruct pppd to set the │
│ │ │ │ serial port to the specified baudrate. │
│ │ │ │ This value should normally be left as │
│ │ │ │ 0 to automatically choose the speed. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ crtscts │ boolean │ FALSE │ If TRUE, specify that pppd should set │
│ │ │ │ the serial port to use hardware flow │
│ │ │ │ control with RTS and CTS signals. │
│ │ │ │ This value should normally be set to │
│ │ │ │ FALSE. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ lcp-echo-failure │ uint32 │ 0 │ If non-zero, instruct pppd to presume │
│ │ │ │ the connection to the peer has failed │
│ │ │ │ if the specified number of LCP │
│ │ │ │ echo-requests go unanswered by the │
│ │ │ │ peer. The "lcp-echo-interval" │
│ │ │ │ property must also be set to a │
│ │ │ │ non-zero value if this property is │
│ │ │ │ used. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ lcp-echo-interval │ uint32 │ 0 │ If non-zero, instruct pppd to send an │
│ │ │ │ LCP echo-request frame to the peer │
│ │ │ │ every n seconds (where n is the │
│ │ │ │ specified value). Note that some PPP │
│ │ │ │ peers will respond to echo requests │
│ │ │ │ and some will not, and it is not │
│ │ │ │ possible to autodetect this. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mppe-stateful │ boolean │ FALSE │ If TRUE, stateful MPPE is used. See │
│ │ │ │ pppd documentation for more │
│ │ │ │ information on stateful MPPE. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mru │ uint32 │ 0 │ If non-zero, instruct pppd to request │
│ │ │ │ that the peer send packets no larger │
│ │ │ │ than the specified size. If non-zero, │
│ │ │ │ the MRU should be between 128 and │
│ │ │ │ 16384. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mtu │ uint32 │ 0 │ If non-zero, instruct pppd to send │
│ │ │ │ packets no larger than the specified │
│ │ │ │ size. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ no-vj-comp │ boolean │ FALSE │ If TRUE, Van Jacobsen TCP header │
│ │ │ │ compression will not be requested. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ noauth │ boolean │ TRUE │ If TRUE, do not require the other side │
│ │ │ │ (usually the PPP server) to │
│ │ │ │ authenticate itself to the client. If │
│ │ │ │ FALSE, require authentication from the │
│ │ │ │ remote side. In almost all cases, │
│ │ │ │ this should be TRUE. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ nobsdcomp │ boolean │ FALSE │ If TRUE, BSD compression will not be │
│ │ │ │ requested. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ nodeflate │ boolean │ FALSE │ If TRUE, "deflate" compression will │
│ │ │ │ not be requested. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ refuse-chap │ boolean │ FALSE │ If TRUE, the CHAP authentication │
│ │ │ │ method will not be used. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ refuse-eap │ boolean │ FALSE │ If TRUE, the EAP authentication method │
│ │ │ │ will not be used. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ refuse-mschap │ boolean │ FALSE │ If TRUE, the MSCHAP authentication │
│ │ │ │ method will not be used. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ refuse-mschapv2 │ boolean │ FALSE │ If TRUE, the MSCHAPv2 authentication │
│ │ │ │ method will not be used. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ refuse-pap │ boolean │ FALSE │ If TRUE, the PAP authentication method │
│ │ │ │ will not be used. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ require-mppe │ boolean │ FALSE │ If TRUE, MPPE (Microsoft │
│ │ │ │ Point-to-Point Encryption) will be │
│ │ │ │ required for the PPP session. If │
│ │ │ │ either 64-bit or 128-bit MPPE is not │
│ │ │ │ available the session will fail. Note │
│ │ │ │ that MPPE is not used on mobile │
│ │ │ │ broadband connections. │
├───────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ require-mppe-128 │ boolean │ FALSE │ If TRUE, 128-bit MPPE (Microsoft │
│ │ │ │ Point-to-Point Encryption) will be │
│ │ │ │ required for the PPP session, and the │
│ │ │ │ "require-mppe" property must also be │
│ │ │ │ set to TRUE. If 128-bit MPPE is not │
│ │ │ │ available the session will fail. │
└───────────────────┴────────────┴───────────────┴────────────────────────────────────────┘pppoe setting
PPP-over-Ethernet Settings.
┌────────────────┬───────────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ parent │ string │ │ If given, specifies the parent │
│ │ │ │ interface name on which this PPPoE │
│ │ │ │ connection should be created. If this │
│ │ │ │ property is not specified, the │
│ │ │ │ connection is activated on the │
│ │ │ │ interface specified in │
│ │ │ │ "interface-name" of │
│ │ │ │ NMSettingConnection. │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password │ string │ │ Password used to authenticate with the │
│ │ │ │ PPPoE service. │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "password" property. │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ service │ string │ │ If specified, instruct PPPoE to only │
│ │ │ │ initiate sessions with access │
│ │ │ │ concentrators that provide the │
│ │ │ │ specified service. For most │
│ │ │ │ providers, this should be left blank. │
│ │ │ │ It is only required if there are │
│ │ │ │ multiple access concentrators or a │
│ │ │ │ specific service is known to be │
│ │ │ │ required. │
├────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ username │ string │ │ Username used to authenticate with the │
│ │ │ │ PPPoE service. │
└────────────────┴───────────────────────────────┴───────────────┴────────────────────────────────────────┘proxy setting
WWW Proxy Settings.
┌──────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ browser-only │ boolean │ FALSE │ Whether the proxy configuration is for │
│ │ │ │ browser only. │
├──────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ method │ int32 │ 0 │ Method for proxy configuration, │
│ │ │ │ Default is 0 (none) │
├──────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ pac-script │ string │ │ PAC script for the connection. This is │
│ │ │ │ an UTF-8 encoded javascript code that │
│ │ │ │ defines a FindProxyForURL() function. │
├──────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ pac-url │ string │ │ PAC URL for obtaining PAC file. │
└──────────────┴────────────┴───────────────┴────────────────────────────────────────┘serial setting
Serial Link Settings.
┌────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ baud │ uint32 │ 57600 │ Speed to use for communication over │
│ │ │ │ the serial port. Note that this value │
│ │ │ │ usually has no effect for mobile │
│ │ │ │ broadband modems as they generally │
│ │ │ │ ignore speed settings and use the │
│ │ │ │ highest available speed. │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ bits │ uint32 │ 8 │ Byte-width of the serial │
│ │ │ │ communication. The 8 in "8n1" for │
│ │ │ │ example. │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ parity │ byte │ │ The connection parity: 69 (ASCII 'E') │
│ │ │ │ for even parity, 111 (ASCII 'o') for │
│ │ │ │ odd, 110 (ASCII 'n') for none. │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ send-delay │ uint64 │ 0 │ Time to delay between each byte sent │
│ │ │ │ to the modem, in microseconds. │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ stopbits │ uint32 │ 1 │ Number of stop bits for communication │
│ │ │ │ on the serial port. Either 1 or 2. │
│ │ │ │ The 1 in "8n1" for example. │
└────────────┴────────────┴───────────────┴────────────────────────────────────────┘sriov setting
SR-IOV settings.
┌─────────────────────┬───────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├─────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ autoprobe-drivers │ NMTernary (int32) │ │ Whether to autoprobe virtual functions │
│ │ │ │ by a compatible driver. │
│ │ │ │ │
│ │ │ │ If set to 1 (true), the kernel will │
│ │ │ │ try to bind VFs to a compatible driver │
│ │ │ │ and if this succeeds a new network │
│ │ │ │ interface will be instantiated for │
│ │ │ │ each VF. │
│ │ │ │ │
│ │ │ │ If set to 0 (false), VFs will not be │
│ │ │ │ claimed and no network interfaces will │
│ │ │ │ be created for them. │
│ │ │ │ │
│ │ │ │ When set to -1 (default), the global │
│ │ │ │ default is used; in case the global │
│ │ │ │ default is unspecified it is assumed │
│ │ │ │ to be 1 (true). │
├─────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ eswitch-encap-mode │ int32 │ -1 │ Select the eswitch encapsulation │
│ │ │ │ support. │
│ │ │ │ │
│ │ │ │ Currently it's only supported for PCI │
│ │ │ │ PF devices, and only if the eswitch │
│ │ │ │ device is managed from the same PCI │
│ │ │ │ address than the PF. │
│ │ │ │ │
│ │ │ │ If set to -1 (preserve) (default) the │
│ │ │ │ eswitch encap-mode won't be modified │
│ │ │ │ by NetworkManager. │
├─────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ eswitch-inline-mode │ int32 │ -1 │ Select the eswitch inline-mode of the │
│ │ │ │ device. Some HWs need the VF driver to │
│ │ │ │ put part of the packet headers on the │
│ │ │ │ TX descriptor so the e-switch can do │
│ │ │ │ proper matching and steering. │
│ │ │ │ │
│ │ │ │ Currently it's only supported for PCI │
│ │ │ │ PF devices, and only if the eswitch │
│ │ │ │ device is managed from the same PCI │
│ │ │ │ address than the PF. │
│ │ │ │ │
│ │ │ │ If set to -1 (preserve) (default) the │
│ │ │ │ eswitch inline-mode won't be modified │
│ │ │ │ by NetworkManager. │
├─────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ eswitch-mode │ int32 │ -1 │ Select the eswitch mode of the device. │
│ │ │ │ Currently it's only supported for PCI │
│ │ │ │ PF devices, and only if the eswitch │
│ │ │ │ device is managed from the same PCI │
│ │ │ │ address than the PF. │
│ │ │ │ │
│ │ │ │ If set to -1 (preserve) (default) the │
│ │ │ │ eswitch mode won't be modified by │
│ │ │ │ NetworkManager. │
├─────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ total-vfs │ uint32 │ 0 │ The total number of virtual functions │
│ │ │ │ to create. │
│ │ │ │ │
│ │ │ │ Note that when the sriov setting is │
│ │ │ │ present NetworkManager enforces the │
│ │ │ │ number of virtual functions on the │
│ │ │ │ interface (also when it is zero) │
│ │ │ │ during activation and resets it upon │
│ │ │ │ deactivation. To prevent any changes │
│ │ │ │ to SR-IOV parameters don't add a sriov │
│ │ │ │ setting to the connection. │
├─────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ vfs │ array of vardict │ │ Array of virtual function descriptors. │
│ │ │ │ │
│ │ │ │ Each VF descriptor is a dictionary │
│ │ │ │ mapping attribute names to GVariant │
│ │ │ │ values. The 'index' entry is mandatory │
│ │ │ │ for each VF. │
│ │ │ │ │
│ │ │ │ When represented as string a VF is in │
│ │ │ │ the form: │
│ │ │ │ │
│ │ │ │ "INDEX [ATTR=VALUE[ ATTR=VALUE]...]". │
│ │ │ │ │
│ │ │ │ for example: │
│ │ │ │ │
│ │ │ │ "2 mac=00:11:22:33:44:55 │
│ │ │ │ spoof-check=true". │
│ │ │ │ │
│ │ │ │ Multiple VFs can be specified using a │
│ │ │ │ comma as separator. Currently, the │
│ │ │ │ following attributes are supported: │
│ │ │ │ mac, spoof-check, trust, min-tx-rate, │
│ │ │ │ max-tx-rate, vlans. │
│ │ │ │ │
│ │ │ │ The "vlans" attribute is represented │
│ │ │ │ as a semicolon-separated list of VLAN │
│ │ │ │ descriptors, where each descriptor has │
│ │ │ │ the form │
│ │ │ │ │
│ │ │ │ "ID[.PRIORITY[.PROTO]]". │
│ │ │ │ │
│ │ │ │ PROTO can be either 'q' for 802.1Q │
│ │ │ │ (the default) or 'ad' for 802.1ad. │
└─────────────────────┴───────────────────┴───────────────┴────────────────────────────────────────┘tc setting
Linux Traffic Control Settings.
┌──────────┬──────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ qdiscs │ array of vardict │ │ Array of TC queueing disciplines. │
│ │ │ │ │
│ │ │ │ When the "tc" setting is present, │
│ │ │ │ qdiscs from this property are applied │
│ │ │ │ upon activation. If the property is │
│ │ │ │ empty, all qdiscs are removed and the │
│ │ │ │ device will only have the default │
│ │ │ │ qdisc assigned by kernel according to │
│ │ │ │ the "net.core.default_qdisc" sysctl. │
│ │ │ │ │
│ │ │ │ If the "tc" setting is not present, │
│ │ │ │ NetworkManager doesn't touch the │
│ │ │ │ qdiscs present on the interface. │
├──────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ tfilters │ array of vardict │ │ Array of TC traffic filters. │
│ │ │ │ │
│ │ │ │ When the "tc" setting is present, │
│ │ │ │ filters from this property are applied │
│ │ │ │ upon activation. If the property is │
│ │ │ │ empty, NetworkManager removes all the │
│ │ │ │ filters. │
│ │ │ │ │
│ │ │ │ If the "tc" setting is not present, │
│ │ │ │ NetworkManager doesn't touch the │
│ │ │ │ filters present on the interface. │
└──────────┴──────────────────┴───────────────┴────────────────────────────────────────┘team setting
Teaming Settings.
┌─────────────────────────────┬──────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ config │ string │ │ The JSON configuration for the team │
│ │ │ │ network interface. The property │
│ │ │ │ should contain raw JSON configuration │
│ │ │ │ data suitable for teamd, because the │
│ │ │ │ value is passed directly to teamd. If │
│ │ │ │ not specified, the default │
│ │ │ │ configuration is used. See man │
│ │ │ │ teamd.conf for the format details. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ interface-name │ string │ │ Deprecated in favor of │
│ │ │ │ connection.interface-name, but can be │
│ │ │ │ used for backward-compatibility with │
│ │ │ │ older daemons, to set the team's │
│ │ │ │ interface name. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ link-watchers │ array of vardict │ │ Link watchers configuration for the │
│ │ │ │ connection: each link watcher is │
│ │ │ │ defined by a dictionary, whose keys │
│ │ │ │ depend upon the selected link watcher. │
│ │ │ │ Available link watchers are 'ethtool', │
│ │ │ │ 'nsna_ping' and 'arp_ping' and it is │
│ │ │ │ specified in the dictionary with the │
│ │ │ │ key 'name'. Available keys are: │
│ │ │ │ ethtool: 'delay-up', 'delay-down', │
│ │ │ │ 'init-wait'; nsna_ping: 'init-wait', │
│ │ │ │ 'interval', 'missed-max', │
│ │ │ │ 'target-host'; arp_ping: all the ones │
│ │ │ │ in nsna_ping and 'source-host', │
│ │ │ │ 'validate-active', │
│ │ │ │ 'validate-inactive', 'send-always'. │
│ │ │ │ See teamd.conf man for more details. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ mcast-rejoin-count │ int32 │ -1 │ Corresponds to the teamd │
│ │ │ │ mcast_rejoin.count. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ mcast-rejoin-interval │ int32 │ -1 │ Corresponds to the teamd │
│ │ │ │ mcast_rejoin.interval. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ notify-peers-count │ int32 │ -1 │ Corresponds to the teamd │
│ │ │ │ notify_peers.count. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ notify-peers-interval │ int32 │ -1 │ Corresponds to the teamd │
│ │ │ │ notify_peers.interval. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ runner │ string │ │ Corresponds to the teamd runner.name. │
│ │ │ │ Permitted values are: "roundrobin", │
│ │ │ │ "broadcast", "activebackup", │
│ │ │ │ "loadbalance", "lacp", "random". │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ runner-active │ boolean │ TRUE │ Corresponds to the teamd │
│ │ │ │ runner.active. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ runner-agg-select-policy │ string │ │ Corresponds to the teamd │
│ │ │ │ runner.agg_select_policy. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ runner-fast-rate │ boolean │ FALSE │ Corresponds to the teamd │
│ │ │ │ runner.fast_rate. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ runner-hwaddr-policy │ string │ │ Corresponds to the teamd │
│ │ │ │ runner.hwaddr_policy. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ runner-min-ports │ int32 │ -1 │ Corresponds to the teamd │
│ │ │ │ runner.min_ports. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ runner-sys-prio │ int32 │ -1 │ Corresponds to the teamd │
│ │ │ │ runner.sys_prio. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ runner-tx-balancer │ string │ │ Corresponds to the teamd │
│ │ │ │ runner.tx_balancer.name. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ runner-tx-balancer-interval │ int32 │ -1 │ Corresponds to the teamd │
│ │ │ │ runner.tx_balancer.interval. │
├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ runner-tx-hash │ array of string │ │ Corresponds to the teamd │
│ │ │ │ runner.tx_hash. │
└─────────────────────────────┴──────────────────┴───────────────┴────────────────────────────────────────┘team-port setting
Team Port Settings.
┌───────────────┬──────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├───────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ config │ string │ │ The JSON configuration for the team │
│ │ │ │ port. The property should contain raw │
│ │ │ │ JSON configuration data suitable for │
│ │ │ │ teamd, because the value is passed │
│ │ │ │ directly to teamd. If not specified, │
│ │ │ │ the default configuration is used. See │
│ │ │ │ man teamd.conf for the format details. │
├───────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ lacp-key │ int32 │ -1 │ Corresponds to the teamd │
│ │ │ │ ports.PORTIFNAME.lacp_key. │
├───────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ lacp-prio │ int32 │ -1 │ Corresponds to the teamd │
│ │ │ │ ports.PORTIFNAME.lacp_prio. │
├───────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ link-watchers │ array of vardict │ │ Link watchers configuration for the │
│ │ │ │ connection: each link watcher is │
│ │ │ │ defined by a dictionary, whose keys │
│ │ │ │ depend upon the selected link watcher. │
│ │ │ │ Available link watchers are 'ethtool', │
│ │ │ │ 'nsna_ping' and 'arp_ping' and it is │
│ │ │ │ specified in the dictionary with the │
│ │ │ │ key 'name'. Available keys are: │
│ │ │ │ ethtool: 'delay-up', 'delay-down', │
│ │ │ │ 'init-wait'; nsna_ping: 'init-wait', │
│ │ │ │ 'interval', 'missed-max', │
│ │ │ │ 'target-host'; arp_ping: all the ones │
│ │ │ │ in nsna_ping and 'source-host', │
│ │ │ │ 'validate-active', │
│ │ │ │ 'validate-inactive', 'send-always'. │
│ │ │ │ See teamd.conf man for more details. │
├───────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ prio │ int32 │ 0 │ Corresponds to the teamd │
│ │ │ │ ports.PORTIFNAME.prio. │
├───────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ queue-id │ int32 │ -1 │ Corresponds to the teamd │
│ │ │ │ ports.PORTIFNAME.queue_id. When set to │
│ │ │ │ -1 means the parameter is skipped from │
│ │ │ │ the json config. │
├───────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
│ sticky │ boolean │ FALSE │ Corresponds to the teamd │
│ │ │ │ ports.PORTIFNAME.sticky. │
└───────────────┴──────────────────┴───────────────┴────────────────────────────────────────┘tun setting
Tunnel Settings.
┌─────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├─────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ group │ string │ │ The group ID which will own the │
│ │ │ │ device. If set to NULL everyone will │
│ │ │ │ be able to use the device. │
├─────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mode │ uint32 │ 1 │ The operating mode of the virtual │
│ │ │ │ device. Allowed values are 1 (tun) to │
│ │ │ │ create a layer 3 device and 2 (tap) to │
│ │ │ │ create an Ethernet-like layer 2 one. │
├─────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ multi-queue │ boolean │ FALSE │ If the property is set to TRUE, the │
│ │ │ │ interface will support multiple file │
│ │ │ │ descriptors (queues) to parallelize │
│ │ │ │ packet sending or receiving. │
│ │ │ │ Otherwise, the interface will only │
│ │ │ │ support a single queue. │
├─────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ owner │ string │ │ The user ID which will own the device. │
│ │ │ │ If set to NULL everyone will be able │
│ │ │ │ to use the device. │
├─────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ pi │ boolean │ FALSE │ If TRUE the interface will prepend a 4 │
│ │ │ │ byte header describing the physical │
│ │ │ │ interface to the packets. │
├─────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ vnet-hdr │ boolean │ FALSE │ If TRUE the IFF_VNET_HDR the tunnel │
│ │ │ │ packets will include a virtio network │
│ │ │ │ header. │
└─────────────┴────────────┴───────────────┴────────────────────────────────────────┘user setting
General User Profile Settings.
┌──────────┬──────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ data │ dict of string to string │ {} │ A dictionary of key/value pairs with │
│ │ │ │ user data. This data is ignored by │
│ │ │ │ NetworkManager and can be used at the │
│ │ │ │ users discretion. The keys only │
│ │ │ │ support a strict ascii format, but the │
│ │ │ │ values can be arbitrary UTF8 strings │
│ │ │ │ up to a certain length. │
└──────────┴──────────────────────────┴───────────────┴────────────────────────────────────────┘vlan setting
VLAN Settings.
┌──────────────────────┬──────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────────────────┼──────────────────────┼───────────────┼────────────────────────────────────────┤
│ egress-priority-map │ array of string │ │ For outgoing packets, a list of │
│ │ │ │ mappings from Linux SKB priorities to │
│ │ │ │ 802.1p priorities. The mapping is │
│ │ │ │ given in the format "from:to" where │
│ │ │ │ both "from" and "to" are unsigned │
│ │ │ │ integers, ie "7:3". │
├──────────────────────┼──────────────────────┼───────────────┼────────────────────────────────────────┤
│ flags │ NMVlanFlags (uint32) │ │ One or more flags which control the │
│ │ │ │ behavior and features of the VLAN │
│ │ │ │ interface. Flags include 0x1 │
│ │ │ │ (reorder-headers) (reordering of │
│ │ │ │ output packet headers), 0x2 (gvrp) │
│ │ │ │ (use of the GVRP protocol), and 0x4 │
│ │ │ │ (loose-binding) (loose binding of the │
│ │ │ │ interface to its controller device's │
│ │ │ │ operating state). 0x8 (mvrp) (use of │
│ │ │ │ the MVRP protocol). │
│ │ │ │ │
│ │ │ │ The default value of this property is │
│ │ │ │ NM_VLAN_FLAG_REORDER_HEADERS, but it │
│ │ │ │ used to be 0. To preserve backward │
│ │ │ │ compatibility, the default-value in │
│ │ │ │ the D-Bus API continues to be 0 and a │
│ │ │ │ missing property on D-Bus is still │
│ │ │ │ considered as 0. │
├──────────────────────┼──────────────────────┼───────────────┼────────────────────────────────────────┤
│ id │ uint32 │ 0 │ The VLAN identifier that the interface │
│ │ │ │ created by this connection should be │
│ │ │ │ assigned. The valid range is from 0 to │
│ │ │ │ 4094, without the reserved id 4095. │
├──────────────────────┼──────────────────────┼───────────────┼────────────────────────────────────────┤
│ ingress-priority-map │ array of string │ │ For incoming packets, a list of │
│ │ │ │ mappings from 802.1p priorities to │
│ │ │ │ Linux SKB priorities. The mapping is │
│ │ │ │ given in the format "from:to" where │
│ │ │ │ both "from" and "to" are unsigned │
│ │ │ │ integers, ie "7:3". │
├──────────────────────┼──────────────────────┼───────────────┼────────────────────────────────────────┤
│ interface-name │ string │ │ Deprecated in favor of │
│ │ │ │ connection.interface-name, but can be │
│ │ │ │ used for backward-compatibility with │
│ │ │ │ older daemons, to set the vlan's │
│ │ │ │ interface name. │
├──────────────────────┼──────────────────────┼───────────────┼────────────────────────────────────────┤
│ parent │ string │ │ If given, specifies the parent │
│ │ │ │ interface name or parent connection │
│ │ │ │ UUID from which this VLAN interface │
│ │ │ │ should be created. If this property │
│ │ │ │ is not specified, the connection must │
│ │ │ │ contain an "802-3-ethernet" setting │
│ │ │ │ with a "mac-address" property. │
├──────────────────────┼──────────────────────┼───────────────┼────────────────────────────────────────┤
│ protocol │ string │ │ Specifies the VLAN protocol to use for │
│ │ │ │ encapsulation. │
│ │ │ │ │
│ │ │ │ Supported values are: '802.1Q', │
│ │ │ │ '802.1ad'. If not specified the │
│ │ │ │ default value is '802.1Q'. │
└──────────────────────┴──────────────────────┴───────────────┴────────────────────────────────────────┘vpn setting
VPN Settings.
┌──────────────┬──────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ data │ dict of string to string │ {} │ Dictionary of key/value pairs of VPN │
│ │ │ │ plugin specific data. Both keys and │
│ │ │ │ values must be strings. │
├──────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ persistent │ boolean │ FALSE │ If the VPN service supports │
│ │ │ │ persistence, and this property is │
│ │ │ │ TRUE, the VPN will attempt to stay │
│ │ │ │ connected across link changes and │
│ │ │ │ outages, until explicitly │
│ │ │ │ disconnected. │
├──────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ secrets │ dict of string to string │ {} │ Dictionary of key/value pairs of VPN │
│ │ │ │ plugin specific secrets like passwords │
│ │ │ │ or private keys. Both keys and values │
│ │ │ │ must be strings. │
├──────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ service-type │ string │ │ D-Bus service name of the VPN plugin │
│ │ │ │ that this setting uses to connect to │
│ │ │ │ its network. i.e. │
│ │ │ │ org.freedesktop.NetworkManager.vpnc │
│ │ │ │ for the vpnc plugin. │
├──────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ timeout │ uint32 │ 0 │ Timeout for the VPN service to │
│ │ │ │ establish the connection. Some │
│ │ │ │ services may take quite a long time to │
│ │ │ │ connect. Value of 0 means a default │
│ │ │ │ timeout, which is 60 seconds (unless │
│ │ │ │ overridden by vpn.timeout in │
│ │ │ │ configuration file). Values greater │
│ │ │ │ than zero mean timeout in seconds. │
├──────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ user-name │ string │ │ If the VPN connection requires a user │
│ │ │ │ name for authentication, that name │
│ │ │ │ should be provided here. If the │
│ │ │ │ connection is available to more than │
│ │ │ │ one user, and the VPN requires each │
│ │ │ │ user to supply a different name, then │
│ │ │ │ leave this property empty. If this │
│ │ │ │ property is empty, NetworkManager will │
│ │ │ │ automatically supply the username of │
│ │ │ │ the user which requested the VPN │
│ │ │ │ connection. │
└──────────────┴──────────────────────────┴───────────────┴────────────────────────────────────────┘vrf setting
VRF settings.
┌──────────┬────────────┬───────────────┬─────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼────────────┼───────────────┼─────────────────────────────────┤
│ table │ uint32 │ 0 │ The routing table for this VRF. │
└──────────┴────────────┴───────────────┴─────────────────────────────────┘vxlan setting
VXLAN Settings.
┌──────────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ ageing │ uint32 │ 300 │ Specifies the lifetime in seconds of │
│ │ │ │ FDB entries learnt by the kernel. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ destination-port │ uint32 │ 8472 │ Specifies the UDP destination port to │
│ │ │ │ communicate to the remote VXLAN tunnel │
│ │ │ │ endpoint. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ id │ uint32 │ 0 │ Specifies the VXLAN Network Identifier │
│ │ │ │ (or VXLAN Segment Identifier) to use. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ l2-miss │ boolean │ FALSE │ Specifies whether netlink LL ADDR miss │
│ │ │ │ notifications are generated. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ l3-miss │ boolean │ FALSE │ Specifies whether netlink IP ADDR miss │
│ │ │ │ notifications are generated. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ learning │ boolean │ TRUE │ Specifies whether unknown source link │
│ │ │ │ layer addresses and IP addresses are │
│ │ │ │ entered into the VXLAN device │
│ │ │ │ forwarding database. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ limit │ uint32 │ 0 │ Specifies the maximum number of FDB │
│ │ │ │ entries. A value of zero means that │
│ │ │ │ the kernel will store unlimited │
│ │ │ │ entries. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ local │ string │ │ If given, specifies the source IP │
│ │ │ │ address to use in outgoing packets. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ parent │ string │ │ If given, specifies the parent │
│ │ │ │ interface name or parent connection │
│ │ │ │ UUID. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ proxy │ boolean │ FALSE │ Specifies whether ARP proxy is turned │
│ │ │ │ on. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ remote │ string │ │ Specifies the unicast destination IP │
│ │ │ │ address to use in outgoing packets │
│ │ │ │ when the destination link layer │
│ │ │ │ address is not known in the VXLAN │
│ │ │ │ device forwarding database, or the │
│ │ │ │ multicast IP address to join. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ rsc │ boolean │ FALSE │ Specifies whether route short circuit │
│ │ │ │ is turned on. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ source-port-max │ uint32 │ 0 │ Specifies the maximum UDP source port │
│ │ │ │ to communicate to the remote VXLAN │
│ │ │ │ tunnel endpoint. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ source-port-min │ uint32 │ 0 │ Specifies the minimum UDP source port │
│ │ │ │ to communicate to the remote VXLAN │
│ │ │ │ tunnel endpoint. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ tos │ uint32 │ 0 │ Specifies the TOS value to use in │
│ │ │ │ outgoing packets. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ ttl │ uint32 │ 0 │ Specifies the time-to-live value to │
│ │ │ │ use in outgoing packets. │
└──────────────────┴────────────┴───────────────┴────────────────────────────────────────┘wifi-p2p setting
Wi-Fi P2P Settings.
┌────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ peer │ string │ │ The P2P device that should be │
│ │ │ │ connected to. Currently, this is the │
│ │ │ │ only way to create or join a group. │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ wfd-ies │ byte array │ │ The Wi-Fi Display (WFD) Information │
│ │ │ │ Elements (IEs) to set. │
│ │ │ │ │
│ │ │ │ Wi-Fi Display requires a protocol │
│ │ │ │ specific information element to be set │
│ │ │ │ in certain Wi-Fi frames. These can be │
│ │ │ │ specified here for the purpose of │
│ │ │ │ establishing a connection. This │
│ │ │ │ setting is only useful when │
│ │ │ │ implementing a Wi-Fi Display client. │
├────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ wps-method │ uint32 │ 0 │ Flags indicating which mode of WPS is │
│ │ │ │ to be used. │
│ │ │ │ │
│ │ │ │ There's little point in changing the │
│ │ │ │ default setting as NetworkManager will │
│ │ │ │ automatically determine the best │
│ │ │ │ method to use. │
└────────────┴────────────┴───────────────┴────────────────────────────────────────┘wimax setting
WiMax Settings.
┌──────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mac-address │ byte array │ │ If specified, this connection will │
│ │ │ │ only apply to the WiMAX device whose │
│ │ │ │ MAC address matches. This property │
│ │ │ │ does not change the MAC address of the │
│ │ │ │ device (known as MAC spoofing). │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.2.WiMAX is no longer │
│ │ │ │ supported. │
├──────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ network-name │ string │ │ Network Service Provider (NSP) name of │
│ │ │ │ the WiMAX network this connection │
│ │ │ │ should use. │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.2.WiMAX is no longer │
│ │ │ │ supported. │
└──────────────┴────────────┴───────────────┴────────────────────────────────────────┘802-3-ethernet setting
Wired Ethernet Settings.
┌───────────────────────────┬──────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ accept-all-mac-addresses │ NMTernary (int32) │ │ When TRUE, setup the interface to │
│ │ │ │ accept packets for all MAC addresses. │
│ │ │ │ This is enabling the kernel interface │
│ │ │ │ flag IFF_PROMISC. When FALSE, the │
│ │ │ │ interface will only accept the packets │
│ │ │ │ with the interface destination mac │
│ │ │ │ address or broadcast. │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ assigned-mac-address │ string │ │ The new field for the cloned MAC │
│ │ │ │ address. It can be either a hardware │
│ │ │ │ address in ASCII representation, or │
│ │ │ │ one of the special values "preserve", │
│ │ │ │ "permanent", "random" or "stable". │
│ │ │ │ This field replaces the deprecated │
│ │ │ │ "cloned-mac-address" on D-Bus, which │
│ │ │ │ can only contain explicit hardware │
│ │ │ │ addresses. Note that this property │
│ │ │ │ only exists in D-Bus API. libnm and │
│ │ │ │ nmcli continue to call this property │
│ │ │ │ "cloned-mac-address". │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ auto-negotiate │ boolean │ FALSE │ When TRUE, enforce auto-negotiation of │
│ │ │ │ speed and duplex mode. If "speed" and │
│ │ │ │ "duplex" properties are both │
│ │ │ │ specified, only that single mode will │
│ │ │ │ be advertised and accepted during the │
│ │ │ │ link auto-negotiation process: this │
│ │ │ │ works only for BASE-T 802.3 │
│ │ │ │ specifications and is useful for │
│ │ │ │ enforcing gigabits modes, as in these │
│ │ │ │ cases link negotiation is mandatory. │
│ │ │ │ When FALSE, "speed" and "duplex" │
│ │ │ │ properties should be both set or link │
│ │ │ │ configuration will be skipped. │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ cloned-mac-address │ byte array │ │ This D-Bus field is deprecated in │
│ │ │ │ favor of "assigned-mac-address" which │
│ │ │ │ is more flexible and allows specifying │
│ │ │ │ special variants like "random". For │
│ │ │ │ libnm and nmcli, this field is called │
│ │ │ │ "cloned-mac-address". │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ duplex │ string │ │ When a value is set, either "half" or │
│ │ │ │ "full", configures the device to use │
│ │ │ │ the specified duplex mode. If │
│ │ │ │ "auto-negotiate" is "yes" the │
│ │ │ │ specified duplex mode will be the only │
│ │ │ │ one advertised during link │
│ │ │ │ negotiation: this works only for │
│ │ │ │ BASE-T 802.3 specifications and is │
│ │ │ │ useful for enforcing gigabits modes, │
│ │ │ │ as in these cases link negotiation is │
│ │ │ │ mandatory. If the value is unset (the │
│ │ │ │ default), the link configuration will │
│ │ │ │ be either skipped (if "auto-negotiate" │
│ │ │ │ is "no", the default) or will be │
│ │ │ │ auto-negotiated (if "auto-negotiate" │
│ │ │ │ is "yes") and the local device will │
│ │ │ │ advertise all the supported duplex │
│ │ │ │ modes. Must be set together with the │
│ │ │ │ "speed" property if specified. Before │
│ │ │ │ specifying a duplex mode be sure your │
│ │ │ │ device supports it. │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ generate-mac-address-mask │ string │ │ With "cloned-mac-address" setting │
│ │ │ │ "random" or "stable", by default all │
│ │ │ │ bits of the MAC address are scrambled │
│ │ │ │ and a locally-administered, unicast │
│ │ │ │ MAC address is created. This property │
│ │ │ │ allows to specify that certain bits │
│ │ │ │ are fixed. Note that the least │
│ │ │ │ significant bit of the first MAC │
│ │ │ │ address will always be unset to create │
│ │ │ │ a unicast MAC address. │
│ │ │ │ │
│ │ │ │ If the property is NULL, it is │
│ │ │ │ eligible to be overwritten by a │
│ │ │ │ default connection setting. If the │
│ │ │ │ value is still NULL or an empty │
│ │ │ │ string, the default is to create a │
│ │ │ │ locally-administered, unicast MAC │
│ │ │ │ address. │
│ │ │ │ │
│ │ │ │ If the value contains one MAC address, │
│ │ │ │ this address is used as mask. The set │
│ │ │ │ bits of the mask are to be filled with │
│ │ │ │ the current MAC address of the device, │
│ │ │ │ while the unset bits are subject to │
│ │ │ │ randomization. Setting │
│ │ │ │ "FE:FF:FF:00:00:00" means to preserve │
│ │ │ │ the OUI of the current MAC address and │
│ │ │ │ only randomize the lower 3 bytes using │
│ │ │ │ the "random" or "stable" algorithm. │
│ │ │ │ │
│ │ │ │ If the value contains one additional │
│ │ │ │ MAC address after the mask, this │
│ │ │ │ address is used instead of the current │
│ │ │ │ MAC address to fill the bits that │
│ │ │ │ shall not be randomized. For example, │
│ │ │ │ a value of "FE:FF:FF:00:00:00 │
│ │ │ │ 68:F7:28:00:00:00" will set the OUI of │
│ │ │ │ the MAC address to 68:F7:28, while the │
│ │ │ │ lower bits are randomized. A value of │
│ │ │ │ "02:00:00:00:00:00 00:00:00:00:00:00" │
│ │ │ │ will create a fully scrambled │
│ │ │ │ globally-administered, burned-in MAC │
│ │ │ │ address. │
│ │ │ │ │
│ │ │ │ If the value contains more than one │
│ │ │ │ additional MAC addresses, one of them │
│ │ │ │ is chosen randomly. For example, │
│ │ │ │ "02:00:00:00:00:00 00:00:00:00:00:00 │
│ │ │ │ 02:00:00:00:00:00" will create a fully │
│ │ │ │ scrambled MAC address, randomly │
│ │ │ │ locally or globally administered. │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mac-address │ byte array │ │ If specified, this connection will │
│ │ │ │ only apply to the Ethernet device │
│ │ │ │ whose permanent MAC address matches. │
│ │ │ │ This property does not change the MAC │
│ │ │ │ address of the device (i.e. MAC │
│ │ │ │ spoofing). │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mac-address-blacklist │ array of string │ │ If specified, this connection will │
│ │ │ │ never apply to the Ethernet device │
│ │ │ │ whose permanent MAC address matches an │
│ │ │ │ address in the list. Each MAC address │
│ │ │ │ is in the standard │
│ │ │ │ hex-digits-and-colons notation │
│ │ │ │ (00:11:22:33:44:55). │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mac-address-denylist │ array of string │ │ If specified, this connection will │
│ │ │ │ never apply to the Ethernet device │
│ │ │ │ whose permanent MAC address matches an │
│ │ │ │ address in the list. Each MAC address │
│ │ │ │ is in the standard │
│ │ │ │ hex-digits-and-colons notation │
│ │ │ │ (00:11:22:33:44:55). │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mtu │ uint32 │ 0 │ If non-zero, only transmit packets of │
│ │ │ │ the specified size or smaller, │
│ │ │ │ breaking larger packets up into │
│ │ │ │ multiple Ethernet frames. │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ port │ string │ │ Specific port type to use if the │
│ │ │ │ device supports multiple attachment │
│ │ │ │ methods. One of "tp" (Twisted Pair), │
│ │ │ │ "aui" (Attachment Unit Interface), │
│ │ │ │ "bnc" (Thin Ethernet) or "mii" (Media │
│ │ │ │ Independent Interface). If the device │
│ │ │ │ supports only one port type, this │
│ │ │ │ setting is ignored. │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ s390-nettype │ string │ │ s390 network device type; one of │
│ │ │ │ "qeth", "lcs", or "ctc", representing │
│ │ │ │ the different types of virtual network │
│ │ │ │ devices available on s390 systems. │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ s390-options │ dict of string to string │ {} │ Dictionary of key/value pairs of │
│ │ │ │ s390-specific device options. Both │
│ │ │ │ keys and values must be strings. │
│ │ │ │ Allowed keys include "portno", │
│ │ │ │ "layer2", "portname", "protocol", │
│ │ │ │ among others. Key names must contain │
│ │ │ │ only alphanumeric characters (ie, │
│ │ │ │ [a-zA-Z0-9]). │
│ │ │ │ │
│ │ │ │ Currently, NetworkManager itself does │
│ │ │ │ nothing with this information. │
│ │ │ │ However, s390utils ships a udev rule │
│ │ │ │ which parses this information and │
│ │ │ │ applies it to the interface. │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ s390-subchannels │ array of string │ │ Identifies specific subchannels that │
│ │ │ │ this network device uses for │
│ │ │ │ communication with z/VM or s390 host. │
│ │ │ │ Like the "mac-address" property for │
│ │ │ │ non-z/VM devices, this property can be │
│ │ │ │ used to ensure this connection only │
│ │ │ │ applies to the network device that │
│ │ │ │ uses these subchannels. The list │
│ │ │ │ should contain exactly 3 strings, and │
│ │ │ │ each string may only be composed of │
│ │ │ │ hexadecimal characters and the period │
│ │ │ │ (.) character. │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ speed │ uint32 │ 0 │ When a value greater than 0 is set, │
│ │ │ │ configures the device to use the │
│ │ │ │ specified speed. If "auto-negotiate" │
│ │ │ │ is "yes" the specified speed will be │
│ │ │ │ the only one advertised during link │
│ │ │ │ negotiation: this works only for │
│ │ │ │ BASE-T 802.3 specifications and is │
│ │ │ │ useful for enforcing gigabit speeds, │
│ │ │ │ as in this case link negotiation is │
│ │ │ │ mandatory. If the value is unset (0, │
│ │ │ │ the default), the link configuration │
│ │ │ │ will be either skipped (if │
│ │ │ │ "auto-negotiate" is "no", the default) │
│ │ │ │ or will be auto-negotiated (if │
│ │ │ │ "auto-negotiate" is "yes") and the │
│ │ │ │ local device will advertise all the │
│ │ │ │ supported speeds. In Mbit/s, ie 100 == │
│ │ │ │ 100Mbit/s. Must be set together with │
│ │ │ │ the "duplex" property when non-zero. │
│ │ │ │ Before specifying a speed value be │
│ │ │ │ sure your device supports it. │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wake-on-lan │ uint32 │ 1 │ The NMSettingWiredWakeOnLan options to │
│ │ │ │ enable. Not all devices support all │
│ │ │ │ options. May be any combination of 0x2 │
│ │ │ │ (phy), 0x4 (unicast), 0x8 (multicast), │
│ │ │ │ 0x10 (broadcast), 0x20 (arp), 0x40 │
│ │ │ │ (magic) or the special values 0x1 │
│ │ │ │ (default) (to use global settings) and │
│ │ │ │ 0x8000 (ignore) (to disable management │
│ │ │ │ of Wake-on-LAN in NetworkManager). │
├───────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wake-on-lan-password │ string │ │ If specified, the password used with │
│ │ │ │ magic-packet-based Wake-on-LAN, │
│ │ │ │ represented as an Ethernet MAC │
│ │ │ │ address. If NULL, no password will be │
│ │ │ │ required. │
└───────────────────────────┴──────────────────────────┴───────────────┴────────────────────────────────────────┘wireguard setting
WireGuard Settings.
┌────────────────────────┬───────────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ fwmark │ uint32 │ 0 │ The use of fwmark is optional and is │
│ │ │ │ by default off. Setting it to 0 │
│ │ │ │ disables it. Otherwise, it is a 32-bit │
│ │ │ │ fwmark for outgoing packets. │
│ │ │ │ │
│ │ │ │ Note that "ip4-auto-default-route" or │
│ │ │ │ "ip6-auto-default-route" enabled, │
│ │ │ │ implies to automatically choose a │
│ │ │ │ fwmark. │
├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ ip4-auto-default-route │ NMTernary (int32) │ │ Whether to enable special handling of │
│ │ │ │ the IPv4 default route. If enabled, │
│ │ │ │ the IPv4 default route from │
│ │ │ │ wireguard.peer-routes will be placed │
│ │ │ │ to a dedicated routing-table and two │
│ │ │ │ policy routing rules will be added. │
│ │ │ │ The fwmark number is also used as │
│ │ │ │ routing-table for the default-route, │
│ │ │ │ and if fwmark is zero, an unused │
│ │ │ │ fwmark/table is chosen automatically. │
│ │ │ │ This corresponds to what wg-quick does │
│ │ │ │ with Table=auto and what WireGuard │
│ │ │ │ calls "Improved Rule-based Routing". │
│ │ │ │ │
│ │ │ │ Note that for this automatism to work, │
│ │ │ │ you usually don't want to set │
│ │ │ │ ipv4.gateway, because that will result │
│ │ │ │ in a conflicting default route. │
│ │ │ │ │
│ │ │ │ Leaving this at the default will │
│ │ │ │ enable this option automatically if │
│ │ │ │ ipv4.never-default is not set and │
│ │ │ │ there are any peers that use a │
│ │ │ │ default-route as allowed-ips. Since │
│ │ │ │ this automatism only makes sense if │
│ │ │ │ you also have a peer with an /0 │
│ │ │ │ allowed-ips, it is usually not │
│ │ │ │ necessary to enable this explicitly. │
│ │ │ │ However, you can disable it if you │
│ │ │ │ want to configure your own routing and │
│ │ │ │ rules. │
├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ ip6-auto-default-route │ NMTernary (int32) │ │ Like ip4-auto-default-route, but for │
│ │ │ │ the IPv6 default route. │
├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ listen-port │ uint32 │ 0 │ The listen-port. If listen-port is not │
│ │ │ │ specified, the port will be chosen │
│ │ │ │ randomly when the interface comes up. │
├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ mtu │ uint32 │ 0 │ If non-zero, only transmit packets of │
│ │ │ │ the specified size or smaller, │
│ │ │ │ breaking larger packets up into │
│ │ │ │ multiple fragments. │
│ │ │ │ │
│ │ │ │ If zero a default MTU is used. Note │
│ │ │ │ that contrary to wg-quick's MTU │
│ │ │ │ setting, this does not take into │
│ │ │ │ account the current routes at the time │
│ │ │ │ of activation. │
├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ peer-routes │ boolean │ TRUE │ Whether to automatically add routes │
│ │ │ │ for the AllowedIPs ranges of the │
│ │ │ │ peers. If TRUE (the default), │
│ │ │ │ NetworkManager will automatically add │
│ │ │ │ routes in the routing tables according │
│ │ │ │ to ipv4.route-table and │
│ │ │ │ ipv6.route-table. Usually you want │
│ │ │ │ this automatism enabled. If FALSE, no │
│ │ │ │ such routes are added automatically. │
│ │ │ │ In this case, the user may want to │
│ │ │ │ configure static routes in ipv4.routes │
│ │ │ │ and ipv6.routes, respectively. │
│ │ │ │ │
│ │ │ │ Note that if the peer's AllowedIPs is │
│ │ │ │ "0.0.0.0/0" or "::/0" and the │
│ │ │ │ profile's ipv4.never-default or │
│ │ │ │ ipv6.never-default setting is enabled, │
│ │ │ │ the peer route for this peer won't be │
│ │ │ │ added automatically. │
├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ peers │ array of 'a{sv}' │ │ Array of dictionaries for the │
│ │ │ │ WireGuard peers. │
├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ private-key │ string │ │ The 256 bit private-key in base64 │
│ │ │ │ encoding. │
├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ private-key-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "private-key" property. │
└────────────────────────┴───────────────────────────────┴───────────────┴────────────────────────────────────────┘802-11-wireless setting
Wi-Fi Settings.
┌───────────────────────────┬───────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ ap-isolation │ NMTernary (int32) │ │ Configures AP isolation, which │
│ │ │ │ prevents communication between │
│ │ │ │ wireless devices connected to this AP. │
│ │ │ │ This property can be set to a value │
│ │ │ │ different from -1 (default) only when │
│ │ │ │ the interface is configured in AP │
│ │ │ │ mode. │
│ │ │ │ │
│ │ │ │ If set to 1 (true), devices are not │
│ │ │ │ able to communicate with each other. │
│ │ │ │ This increases security because it │
│ │ │ │ protects devices against attacks from │
│ │ │ │ other clients in the network. At the │
│ │ │ │ same time, it prevents devices to │
│ │ │ │ access resources on the same wireless │
│ │ │ │ networks as file shares, printers, │
│ │ │ │ etc. │
│ │ │ │ │
│ │ │ │ If set to 0 (false), devices can talk │
│ │ │ │ to each other. │
│ │ │ │ │
│ │ │ │ When set to -1 (default), the global │
│ │ │ │ default is used; in case the global │
│ │ │ │ default is unspecified it is assumed │
│ │ │ │ to be 0 (false). │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ assigned-mac-address │ string │ │ The new field for the cloned MAC │
│ │ │ │ address. It can be either a hardware │
│ │ │ │ address in ASCII representation, or │
│ │ │ │ one of the special values "preserve", │
│ │ │ │ "permanent", "random" or "stable". │
│ │ │ │ This field replaces the deprecated │
│ │ │ │ "cloned-mac-address" on D-Bus, which │
│ │ │ │ can only contain explicit hardware │
│ │ │ │ addresses. Note that this property │
│ │ │ │ only exists in D-Bus API. libnm and │
│ │ │ │ nmcli continue to call this property │
│ │ │ │ "cloned-mac-address". │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ band │ string │ │ 802.11 frequency band of the network. │
│ │ │ │ One of "a" for 5GHz 802.11a or "bg" │
│ │ │ │ for 2.4GHz 802.11. This will lock │
│ │ │ │ associations to the Wi-Fi network to │
│ │ │ │ the specific band, i.e. if "a" is │
│ │ │ │ specified, the device will not │
│ │ │ │ associate with the same network in the │
│ │ │ │ 2.4GHz band even if the network's │
│ │ │ │ settings are compatible. This setting │
│ │ │ │ depends on specific driver capability │
│ │ │ │ and may not work with all drivers. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ bssid │ byte array │ │ If specified, directs the device to │
│ │ │ │ only associate with the given access │
│ │ │ │ point. This capability is highly │
│ │ │ │ driver dependent and not supported by │
│ │ │ │ all devices. Note: this property does │
│ │ │ │ not control the BSSID used when │
│ │ │ │ creating an Ad-Hoc network and is │
│ │ │ │ unlikely to in the future. │
│ │ │ │ │
│ │ │ │ Locking a client profile to a certain │
│ │ │ │ BSSID will prevent roaming and also │
│ │ │ │ disable background scanning. That can │
│ │ │ │ be useful, if there is only one access │
│ │ │ │ point for the SSID. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ channel │ uint32 │ 0 │ Wireless channel to use for the Wi-Fi │
│ │ │ │ connection. The device will only join │
│ │ │ │ (or create for Ad-Hoc networks) a │
│ │ │ │ Wi-Fi network on the specified │
│ │ │ │ channel. Because channel numbers │
│ │ │ │ overlap between bands, this property │
│ │ │ │ also requires the "band" property to │
│ │ │ │ be set. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ channel-width │ int32 │ 0 │ Specifies width of the wireless │
│ │ │ │ channel in Access Point (AP) mode. │
│ │ │ │ │
│ │ │ │ When set to 0 (auto) (the default), │
│ │ │ │ the channel width is automatically │
│ │ │ │ determined. At the moment, this means │
│ │ │ │ that the safest (smallest) width is │
│ │ │ │ chosen. │
│ │ │ │ │
│ │ │ │ If the value is not 0 (auto), then the │
│ │ │ │ 'channel' property must also be set. │
│ │ │ │ When using the 2.4GHz band, the width │
│ │ │ │ can be at most 40MHz. │
│ │ │ │ │
│ │ │ │ This property can be set to a value │
│ │ │ │ different from 0 (auto) only when the │
│ │ │ │ interface is configured in AP mode. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ cloned-mac-address │ byte array │ │ This D-Bus field is deprecated in │
│ │ │ │ favor of "assigned-mac-address" which │
│ │ │ │ is more flexible and allows specifying │
│ │ │ │ special variants like "random". For │
│ │ │ │ libnm and nmcli, this field is called │
│ │ │ │ "cloned-mac-address". │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ generate-mac-address-mask │ string │ │ With "cloned-mac-address" setting │
│ │ │ │ "random" or "stable", by default all │
│ │ │ │ bits of the MAC address are scrambled │
│ │ │ │ and a locally-administered, unicast │
│ │ │ │ MAC address is created. This property │
│ │ │ │ allows to specify that certain bits │
│ │ │ │ are fixed. Note that the least │
│ │ │ │ significant bit of the first MAC │
│ │ │ │ address will always be unset to create │
│ │ │ │ a unicast MAC address. │
│ │ │ │ │
│ │ │ │ If the property is NULL, it is │
│ │ │ │ eligible to be overwritten by a │
│ │ │ │ default connection setting. If the │
│ │ │ │ value is still NULL or an empty │
│ │ │ │ string, the default is to create a │
│ │ │ │ locally-administered, unicast MAC │
│ │ │ │ address. │
│ │ │ │ │
│ │ │ │ If the value contains one MAC address, │
│ │ │ │ this address is used as mask. The set │
│ │ │ │ bits of the mask are to be filled with │
│ │ │ │ the current MAC address of the device, │
│ │ │ │ while the unset bits are subject to │
│ │ │ │ randomization. Setting │
│ │ │ │ "FE:FF:FF:00:00:00" means to preserve │
│ │ │ │ the OUI of the current MAC address and │
│ │ │ │ only randomize the lower 3 bytes using │
│ │ │ │ the "random" or "stable" algorithm. │
│ │ │ │ │
│ │ │ │ If the value contains one additional │
│ │ │ │ MAC address after the mask, this │
│ │ │ │ address is used instead of the current │
│ │ │ │ MAC address to fill the bits that │
│ │ │ │ shall not be randomized. For example, │
│ │ │ │ a value of "FE:FF:FF:00:00:00 │
│ │ │ │ 68:F7:28:00:00:00" will set the OUI of │
│ │ │ │ the MAC address to 68:F7:28, while the │
│ │ │ │ lower bits are randomized. A value of │
│ │ │ │ "02:00:00:00:00:00 00:00:00:00:00:00" │
│ │ │ │ will create a fully scrambled │
│ │ │ │ globally-administered, burned-in MAC │
│ │ │ │ address. │
│ │ │ │ │
│ │ │ │ If the value contains more than one │
│ │ │ │ additional MAC addresses, one of them │
│ │ │ │ is chosen randomly. For example, │
│ │ │ │ "02:00:00:00:00:00 00:00:00:00:00:00 │
│ │ │ │ 02:00:00:00:00:00" will create a fully │
│ │ │ │ scrambled MAC address, randomly │
│ │ │ │ locally or globally administered. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ hidden │ boolean │ FALSE │ If TRUE, indicates that the network is │
│ │ │ │ a non-broadcasting network that hides │
│ │ │ │ its SSID. This works both in │
│ │ │ │ infrastructure and AP mode. │
│ │ │ │ │
│ │ │ │ In infrastructure mode, various │
│ │ │ │ workarounds are used for a more │
│ │ │ │ reliable discovery of hidden networks, │
│ │ │ │ such as probe-scanning the SSID. │
│ │ │ │ However, these workarounds expose │
│ │ │ │ inherent insecurities with hidden SSID │
│ │ │ │ networks, and thus hidden SSID │
│ │ │ │ networks should be used with caution. │
│ │ │ │ │
│ │ │ │ In AP mode, the created network does │
│ │ │ │ not broadcast its SSID. │
│ │ │ │ │
│ │ │ │ Note that marking the network as │
│ │ │ │ hidden may be a privacy issue for you │
│ │ │ │ (in infrastructure mode) or client │
│ │ │ │ stations (in AP mode), as the explicit │
│ │ │ │ probe-scans are distinctly │
│ │ │ │ recognizable on the air. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ mac-address │ byte array │ │ If specified, this connection will │
│ │ │ │ only apply to the Wi-Fi device whose │
│ │ │ │ permanent MAC address matches. This │
│ │ │ │ property does not change the MAC │
│ │ │ │ address of the device (i.e. MAC │
│ │ │ │ spoofing). │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ mac-address-blacklist │ array of string │ │ A list of permanent MAC addresses of │
│ │ │ │ Wi-Fi devices to which this connection │
│ │ │ │ should never apply. Each MAC address │
│ │ │ │ should be given in the standard │
│ │ │ │ hex-digits-and-colons notation (eg │
│ │ │ │ "00:11:22:33:44:55"). │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ mac-address-denylist │ array of string │ │ A list of permanent MAC addresses of │
│ │ │ │ Wi-Fi devices to which this connection │
│ │ │ │ should never apply. Each MAC address │
│ │ │ │ should be given in the standard │
│ │ │ │ hex-digits-and-colons notation (eg │
│ │ │ │ "00:11:22:33:44:55"). │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ mac-address-randomization │ uint32 │ 0 │ One of 0 (default) (never randomize │
│ │ │ │ unless the user has set a global │
│ │ │ │ default to randomize and the │
│ │ │ │ supplicant supports randomization), 1 │
│ │ │ │ (never) (never randomize the MAC │
│ │ │ │ address), or 2 (always) (always │
│ │ │ │ randomize the MAC address). │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.4.Use the │
│ │ │ │ "cloned-mac-address" property instead. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ mode │ string │ │ Wi-Fi network mode; one of │
│ │ │ │ "infrastructure", "mesh", "adhoc" or │
│ │ │ │ "ap". If blank, infrastructure is │
│ │ │ │ assumed. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ mtu │ uint32 │ 0 │ If non-zero, only transmit packets of │
│ │ │ │ the specified size or smaller, │
│ │ │ │ breaking larger packets up into │
│ │ │ │ multiple Ethernet frames. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ powersave │ uint32 │ 0 │ One of 2 (disable) (disable Wi-Fi │
│ │ │ │ power saving), 3 (enable) (enable │
│ │ │ │ Wi-Fi power saving), 1 (ignore) (don't │
│ │ │ │ touch currently configure setting) or │
│ │ │ │ 0 (default) (use the globally │
│ │ │ │ configured value). All other values │
│ │ │ │ are reserved. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ rate │ uint32 │ 0 │ This property is not implemented and │
│ │ │ │ has no effect. │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.44.This property is not │
│ │ │ │ implemented and has no effect. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ security │ │ │ This property is deprecated and has no │
│ │ │ │ effect. For backwards compatibility, │
│ │ │ │ it can be set to │
│ │ │ │ "802-11-wireless-security" if the │
│ │ │ │ profile has a wireless security │
│ │ │ │ setting. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ seen-bssids │ array of string │ │ A list of BSSIDs (each BSSID formatted │
│ │ │ │ as a MAC address like │
│ │ │ │ "00:11:22:33:44:55") that have been │
│ │ │ │ detected as part of the Wi-Fi network. │
│ │ │ │ NetworkManager internally tracks │
│ │ │ │ previously seen BSSIDs. The property │
│ │ │ │ is only meant for reading and reflects │
│ │ │ │ the BSSID list of NetworkManager. The │
│ │ │ │ changes you make to this property will │
│ │ │ │ not be preserved. │
│ │ │ │ │
│ │ │ │ This is not a regular property that │
│ │ │ │ the user would configure. Instead, │
│ │ │ │ NetworkManager automatically sets the │
│ │ │ │ seen BSSIDs and tracks them internally │
│ │ │ │ in │
│ │ │ │ "/var/lib/NetworkManager/seen-bssids" │
│ │ │ │ file. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ ssid │ byte array │ │ SSID of the Wi-Fi network. Must be │
│ │ │ │ specified. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ tx-power │ uint32 │ 0 │ This property is not implemented and │
│ │ │ │ has no effect. │
│ │ │ │ │
│ │ │ │ This property is deprecated since │
│ │ │ │ version 1.44.This property is not │
│ │ │ │ implemented and has no effect. │
├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ wake-on-wlan │ uint32 │ 1 │ The NMSettingWirelessWakeOnWLan │
│ │ │ │ options to enable. Not all devices │
│ │ │ │ support all options. May be any │
│ │ │ │ combination of 0x2 (any), 0x4 │
│ │ │ │ (disconnect), 0x8 (magic), 0x10 │
│ │ │ │ (gtk-rekey-failure), 0x20 │
│ │ │ │ (eap-identity-request), 0x40 │
│ │ │ │ (4way-handshake), 0x80 │
│ │ │ │ (rfkill-release), 0x100 (tcp) or the │
│ │ │ │ special values 0x1 (default) (to use │
│ │ │ │ global settings) and 0x8000 (ignore) │
│ │ │ │ (to disable management of Wake-on-LAN │
│ │ │ │ in NetworkManager). │
└───────────────────────────┴───────────────────┴───────────────┴────────────────────────────────────────┘802-11-wireless-security setting
Wi-Fi Security Settings.
┌─────────────────────┬───────────────────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ auth-alg │ string │ │ When WEP is used (ie, key-mgmt = │
│ │ │ │ "none" or "ieee8021x") indicate the │
│ │ │ │ 802.11 authentication algorithm │
│ │ │ │ required by the AP here. One of │
│ │ │ │ "open" for Open System, "shared" for │
│ │ │ │ Shared Key, or "leap" for Cisco LEAP. │
│ │ │ │ When using Cisco LEAP (ie, key-mgmt = │
│ │ │ │ "ieee8021x" and auth-alg = "leap") the │
│ │ │ │ "leap-username" and "leap-password" │
│ │ │ │ properties must be specified. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ fils │ int32 │ 0 │ Indicates whether Fast Initial Link │
│ │ │ │ Setup (802.11ai) must be enabled for │
│ │ │ │ the connection. One of 0 (default) │
│ │ │ │ (use global default value), 1 │
│ │ │ │ (disable) (disable FILS), 2 (optional) │
│ │ │ │ (enable FILS if the supplicant and the │
│ │ │ │ access point support it) or 3 │
│ │ │ │ (required) (enable FILS and fail if │
│ │ │ │ not supported). When set to 0 │
│ │ │ │ (default) and no global default is │
│ │ │ │ set, FILS will be optionally enabled. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ group │ array of string │ │ A list of group/broadcast encryption │
│ │ │ │ algorithms which prevents connections │
│ │ │ │ to Wi-Fi networks that do not utilize │
│ │ │ │ one of the algorithms in the list. │
│ │ │ │ For maximum compatibility leave this │
│ │ │ │ property empty. Each list element may │
│ │ │ │ be one of "wep40", "wep104", "tkip", │
│ │ │ │ or "ccmp". │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ key-mgmt │ string │ │ Key management used for the │
│ │ │ │ connection. One of "none" (WEP or no │
│ │ │ │ password protection), "ieee8021x" │
│ │ │ │ (Dynamic WEP), "owe" (Opportunistic │
│ │ │ │ Wireless Encryption), "wpa-psk" (WPA2 │
│ │ │ │ + WPA3 personal), "sae" (WPA3 personal │
│ │ │ │ only), "wpa-eap" (WPA2 + WPA3 │
│ │ │ │ enterprise) or "wpa-eap-suite-b-192" │
│ │ │ │ (WPA3 enterprise only). │
│ │ │ │ │
│ │ │ │ This property must be set for any │
│ │ │ │ Wi-Fi connection that uses security. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ leap-password │ string │ │ The login password for legacy LEAP │
│ │ │ │ connections (ie, key-mgmt = │
│ │ │ │ "ieee8021x" and auth-alg = "leap"). │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ leap-password-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "leap-password" property. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ leap-username │ string │ │ The login username for legacy LEAP │
│ │ │ │ connections (ie, key-mgmt = │
│ │ │ │ "ieee8021x" and auth-alg = "leap"). │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ pairwise │ array of string │ │ A list of pairwise encryption │
│ │ │ │ algorithms which prevents connections │
│ │ │ │ to Wi-Fi networks that do not utilize │
│ │ │ │ one of the algorithms in the list. For │
│ │ │ │ maximum compatibility leave this │
│ │ │ │ property empty. Each list element may │
│ │ │ │ be one of "tkip" or "ccmp". │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ pmf │ int32 │ 0 │ Indicates whether Protected Management │
│ │ │ │ Frames (802.11w) must be enabled for │
│ │ │ │ the connection. One of 0 (default) │
│ │ │ │ (use global default value), 1 │
│ │ │ │ (disable) (disable PMF), 2 (optional) │
│ │ │ │ (enable PMF if the supplicant and the │
│ │ │ │ access point support it) or 3 │
│ │ │ │ (required) (enable PMF and fail if not │
│ │ │ │ supported). When set to 0 (default) │
│ │ │ │ and no global default is set, PMF will │
│ │ │ │ be optionally enabled. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ proto │ array of string │ │ List of strings specifying the allowed │
│ │ │ │ WPA protocol versions to use. Each │
│ │ │ │ element may be one "wpa" (allow WPA) │
│ │ │ │ or "rsn" (allow WPA2/RSN). If not │
│ │ │ │ specified, both WPA and RSN │
│ │ │ │ connections are allowed. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ psk │ string │ │ Pre-Shared-Key for WPA networks. For │
│ │ │ │ WPA-PSK, it's either an ASCII │
│ │ │ │ passphrase of 8 to 63 characters that │
│ │ │ │ is (as specified in the 802.11i │
│ │ │ │ standard) hashed to derive the actual │
│ │ │ │ key, or the key in form of 64 │
│ │ │ │ hexadecimal character. The │
│ │ │ │ WPA3-Personal networks use a │
│ │ │ │ passphrase of any length for SAE │
│ │ │ │ authentication. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ psk-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "psk" property. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wep-key-flags │ NMSettingSecretFlags (uint32) │ │ Flags indicating how to handle the │
│ │ │ │ "wep-key0", "wep-key1", "wep-key2", │
│ │ │ │ and "wep-key3" properties. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wep-key-type │ NMWepKeyType (uint32) │ │ Controls the interpretation of WEP │
│ │ │ │ keys. Allowed values are 1 (key), in │
│ │ │ │ which case the key is either a 10- or │
│ │ │ │ 26-character hexadecimal string, or a │
│ │ │ │ 5- or 13-character ASCII password; or │
│ │ │ │ 2 (passphrase), in which case the │
│ │ │ │ passphrase is provided as a string and │
│ │ │ │ will be hashed using the de-facto MD5 │
│ │ │ │ method to derive the actual WEP key. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wep-key0 │ string │ │ Index 0 WEP key. This is the WEP key │
│ │ │ │ used in most networks. See the │
│ │ │ │ "wep-key-type" property for a │
│ │ │ │ description of how this key is │
│ │ │ │ interpreted. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wep-key1 │ string │ │ Index 1 WEP key. This WEP index is │
│ │ │ │ not used by most networks. See the │
│ │ │ │ "wep-key-type" property for a │
│ │ │ │ description of how this key is │
│ │ │ │ interpreted. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wep-key2 │ string │ │ Index 2 WEP key. This WEP index is │
│ │ │ │ not used by most networks. See the │
│ │ │ │ "wep-key-type" property for a │
│ │ │ │ description of how this key is │
│ │ │ │ interpreted. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wep-key3 │ string │ │ Index 3 WEP key. This WEP index is │
│ │ │ │ not used by most networks. See the │
│ │ │ │ "wep-key-type" property for a │
│ │ │ │ description of how this key is │
│ │ │ │ interpreted. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wep-tx-keyidx │ uint32 │ 0 │ When static WEP is used (ie, key-mgmt │
│ │ │ │ = "none") and a non-default WEP key │
│ │ │ │ index is used by the AP, put that WEP │
│ │ │ │ key index here. Valid values are 0 │
│ │ │ │ (default key) through 3. Note that │
│ │ │ │ some consumer access points (like the │
│ │ │ │ Linksys WRT54G) number the keys 1 - 4. │
├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
│ wps-method │ uint32 │ 0 │ Flags indicating which mode of WPS is │
│ │ │ │ to be used if any. │
│ │ │ │ │
│ │ │ │ There's little point in changing the │
│ │ │ │ default setting as NetworkManager will │
│ │ │ │ automatically determine whether it's │
│ │ │ │ feasible to start WPS enrollment from │
│ │ │ │ the Access Point capabilities. │
│ │ │ │ │
│ │ │ │ WPS can be disabled by setting this │
│ │ │ │ property to a value of 1. │
└─────────────────────┴───────────────────────────────┴───────────────┴────────────────────────────────────────┘wpan setting
IEEE 802.15.4 (WPAN) MAC Settings.
┌───────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├───────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ channel │ int32 │ -1 │ IEEE 802.15.4 channel. A positive │
│ │ │ │ integer or -1, meaning "do not set, │
│ │ │ │ use whatever the device is already set │
│ │ │ │ to". │
├───────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ mac-address │ string │ │ If specified, this connection will │
│ │ │ │ only apply to the IEEE 802.15.4 (WPAN) │
│ │ │ │ MAC layer device whose permanent MAC │
│ │ │ │ address matches. │
├───────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ page │ int32 │ -1 │ IEEE 802.15.4 channel page. A positive │
│ │ │ │ integer or -1, meaning "do not set, │
│ │ │ │ use whatever the device is already set │
│ │ │ │ to". │
├───────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ pan-id │ uint32 │ 65535 │ IEEE 802.15.4 Personal Area Network │
│ │ │ │ (PAN) identifier. │
├───────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ short-address │ uint32 │ 65535 │ Short IEEE 802.15.4 address to be used │
│ │ │ │ within a restricted environment. │
└───────────────┴────────────┴───────────────┴────────────────────────────────────────┘bond-port setting
Bond Port Settings.
┌──────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ prio │ int32 │ 0 │ The port priority for bond active port │
│ │ │ │ re-selection during failover. A higher │
│ │ │ │ number means a higher priority in │
│ │ │ │ selection. The primary port has the │
│ │ │ │ highest priority. This option is only │
│ │ │ │ compatible with active-backup, │
│ │ │ │ balance-tlb and balance-alb modes. │
├──────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ queue-id │ uint32 │ 0 │ The queue ID of this bond port. The │
│ │ │ │ maximum value of queue ID is the │
│ │ │ │ number of TX queues currently active │
│ │ │ │ in device. │
└──────────┴────────────┴───────────────┴────────────────────────────────────────┘hostname setting
Hostname settings.
┌───────────────────┬───────────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├───────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ from-dhcp │ NMTernary (int32) │ │ Whether the system hostname can be │
│ │ │ │ determined from DHCP on this │
│ │ │ │ connection. │
│ │ │ │ │
│ │ │ │ When set to -1 (default), the value │
│ │ │ │ from global configuration is used. If │
│ │ │ │ the property doesn't have a value in │
│ │ │ │ the global configuration, │
│ │ │ │ NetworkManager assumes the value to be │
│ │ │ │ 1 (true). │
├───────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ from-dns-lookup │ NMTernary (int32) │ │ Whether the system hostname can be │
│ │ │ │ determined from reverse DNS lookup of │
│ │ │ │ addresses on this device. │
│ │ │ │ │
│ │ │ │ When set to -1 (default), the value │
│ │ │ │ from global configuration is used. If │
│ │ │ │ the property doesn't have a value in │
│ │ │ │ the global configuration, │
│ │ │ │ NetworkManager assumes the value to be │
│ │ │ │ 1 (true). │
├───────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ only-from-default │ NMTernary (int32) │ │ If set to 1 (true), NetworkManager │
│ │ │ │ attempts to get the hostname via │
│ │ │ │ DHCPv4/DHCPv6 or reverse DNS lookup on │
│ │ │ │ this device only when the device has │
│ │ │ │ the default route for the given │
│ │ │ │ address family (IPv4/IPv6). │
│ │ │ │ │
│ │ │ │ If set to 0 (false), the hostname can │
│ │ │ │ be set from this device even if it │
│ │ │ │ doesn't have the default route. │
│ │ │ │ │
│ │ │ │ When set to -1 (default), the value │
│ │ │ │ from global configuration is used. If │
│ │ │ │ the property doesn't have a value in │
│ │ │ │ the global configuration, │
│ │ │ │ NetworkManager assumes the value to be │
│ │ │ │ 0 (false). │
├───────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
│ priority │ int32 │ 0 │ The relative priority of this │
│ │ │ │ connection to determine the system │
│ │ │ │ hostname. A lower numerical value is │
│ │ │ │ better (higher priority). A │
│ │ │ │ connection with higher priority is │
│ │ │ │ considered before connections with │
│ │ │ │ lower priority. │
│ │ │ │ │
│ │ │ │ If the value is zero, it can be │
│ │ │ │ overridden by a global value from │
│ │ │ │ NetworkManager configuration. If the │
│ │ │ │ property doesn't have a value in the │
│ │ │ │ global configuration, the value is │
│ │ │ │ assumed to be 100. │
│ │ │ │ │
│ │ │ │ Negative values have the special │
│ │ │ │ effect of excluding other connections │
│ │ │ │ with a greater numerical priority │
│ │ │ │ value; so in presence of at least one │
│ │ │ │ negative priority, only connections │
│ │ │ │ with the lowest priority value will be │
│ │ │ │ used to determine the hostname. │
└───────────────────┴───────────────────┴───────────────┴────────────────────────────────────────┘link setting
Link settings.
┌──────────────────┬────────────┬───────────────┬────────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ gro-max-size │ int64 │ -1 │ The maximum size of a packet built by │
│ │ │ │ the Generic Receive Offload stack for │
│ │ │ │ this device. The value must be between │
│ │ │ │ 0 and 4294967295. When set to -1, the │
│ │ │ │ existing value is preserved. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ gso-max-segments │ int64 │ -1 │ The maximum segments of a Generic │
│ │ │ │ Segment Offload packet the device │
│ │ │ │ should accept. The value must be │
│ │ │ │ between 0 and 4294967295. When set to │
│ │ │ │ -1, the existing value is preserved. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ gso-max-size │ int64 │ -1 │ The maximum size of a Generic Segment │
│ │ │ │ Offload packet the device should │
│ │ │ │ accept. The value must be between 0 │
│ │ │ │ and 4294967295. When set to -1, the │
│ │ │ │ existing value is preserved. │
├──────────────────┼────────────┼───────────────┼────────────────────────────────────────┤
│ tx-queue-length │ int64 │ -1 │ The size of the transmit queue for the │
│ │ │ │ device, in number of packets. The │
│ │ │ │ value must be between 0 and │
│ │ │ │ 4294967295. When set to -1, the │
│ │ │ │ existing value is preserved. │
└──────────────────┴────────────┴───────────────┴────────────────────────────────────────┘loopback setting
Loopback Link Settings.
┌──────────┬────────────┬───────────────┬───────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼────────────┼───────────────┼───────────────────────────────────────┤
│ mtu │ uint32 │ 0 │ If non-zero, only transmit packets of │
│ │ │ │ the specified size or smaller, │
│ │ │ │ breaking larger packets up into │
│ │ │ │ multiple Ethernet frames. │
└──────────┴────────────┴───────────────┴───────────────────────────────────────┘ovs-external-ids setting
OVS External IDs Settings.
┌──────────┬──────────────────────────┬───────────────┬──────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼──────────────────────────┼───────────────┼──────────────────────────────────────┤
│ data │ dict of string to string │ {} │ A dictionary of key/value pairs with │
│ │ │ │ external-ids for OVS. │
└──────────┴──────────────────────────┴───────────────┴──────────────────────────────────────┘ovs-other-config setting
OVS Other Config Settings.
┌──────────┬──────────────────────────┬───────────────┬───────────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼──────────────────────────┼───────────────┼───────────────────────────────────────┤
│ data │ dict of string to string │ {} │ A dictionary of key/value pairs with │
│ │ │ │ other_config settings for OVS. See │
│ │ │ │ also "other_config" in the │
│ │ │ │ "ovs-vswitchd.conf.db" manual for the │
│ │ │ │ keys that OVS supports. │
└──────────┴──────────────────────────┴───────────────┴───────────────────────────────────────┘veth setting
Veth Settings.
┌──────────┬────────────┬───────────────┬──────────────────────────────────┐
│ Key Name │ Value Type │ Default Value │ Value Description │
├──────────┼────────────┼───────────────┼──────────────────────────────────┤
│ peer │ string │ │ This property specifies the peer │
│ │ │ │ interface name of the veth. This │
│ │ │ │ property is mandatory. │
└──────────┴────────────┴───────────────┴──────────────────────────────────┘Secret flag types:
Each password or secret property in a setting has an associated flags property that describes how to handle that secret. The flags property is a bitfield that contains zero or more of
the following values logically OR-ed together.
• 0x0 (none) - the system is responsible for providing and storing this secret. This may be required so that secrets are already available before the user logs in. It also commonly
means that the secret will be stored in plain text on disk, accessible to root only. For example via the keyfile settings plugin as described in the "PLUGINS" section in
NetworkManager.conf(5).
• 0x1 (agent-owned) - a user-session secret agent is responsible for providing and storing this secret; when it is required, agents will be asked to provide it.
• 0x2 (not-saved) - this secret should not be saved but should be requested from the user each time it is required. This flag should be used for One-Time-Pad secrets, PIN codes from
hardware tokens, or if the user simply does not want to save the secret.
• 0x4 (not-required) - in some situations it cannot be automatically determined that a secret is required or not. This flag hints that the secret is not required and should not be
requested from the user.FILES
/etc/NetworkManager/system-connections or distro plugin-specific locationSEE ALSO
nm-settings-nmcli(5), nm-settings-keyfile(5), NetworkManager(8), nmcli(1), nmcli-examples(7), NetworkManager.conf(5)NetworkManager 1.52.1 NM-SETTINGS-DBUS(5)