nm-settings

NM-SETTINGS-NMCLI(5) Configuration NM-SETTINGS-NMCLI(5)

NAME

   nm-settings-nmcli - Description of settings and properties of NetworkManager connection profiles for nmcli

DESCRIPTION

   NetworkManager is based on a concept of connection profiles, sometimes referred to as connections only. These connection profiles contain a network configuration. When NetworkManager
   activates a connection profile on a network device the configuration will be applied and an active network connection will be established. Users are free to create as many connection
   profiles as they see fit. Thus they are flexible in having various network configurations for different networking needs.

   NetworkManager provides an API for configuring connection profiles, for activating them to configure the network, and inspecting the current network configuration. The command line
   tool nmcli is a client application to NetworkManager that uses this API. See nmcli(1) for details.

   With commands like nmcli connection add, nmcli connection modify and nmcli connection show, connection profiles can be created, modified and inspected. A profile consists of
   properties. On D-Bus this follows the format as described by nm-settings-dbus(5), while this manual page describes the settings format how they are expected by nmcli.

   The settings and properties shown in tables below list all available connection configuration options. However, note that not all settings are applicable to all connection types.
   nmcli connection editor has also a built-in describe command that can display description of particular settings and properties of this page.

   The setting and property can be abbreviated provided they are unique. The list below also shows aliases that can be used unqualified instead of the full name. For example
   connection.interface-name and ifname refer to the same property.

connection setting

   General Connection Profile Settings.

   Properties:

   connection.auth-retries
       The number of retries for the authentication. Zero means to try indefinitely; -1 means to use a global default. If the global default is not set, the authentication retries for 3
       times before failing the connection.

       Currently, this only applies to 802-1x authentication.

       Format: integer

       Valid values: -1 - 2147483647

   connection.autoconnect
       Alias: autoconnect

       Whether or not the connection should be automatically connected by NetworkManager when the resources for the connection are available. TRUE to automatically activate the
       connection, FALSE to require manual intervention to activate the connection.

       Autoconnect happens when the circumstances are suitable. That means for example that the device is currently managed and not active. Autoconnect thus never replaces or competes
       with an already active profile.

       Note that autoconnect is not implemented for VPN profiles. See "secondaries" as an alternative to automatically connect VPN profiles.

       If multiple profiles are ready to autoconnect on the same device, the one with the better "connection.autoconnect-priority" is chosen. If the priorities are equal, then the most
       recently connected profile is activated. If the profiles were not connected earlier or their "connection.timestamp" is identical, the choice is undefined.

       Depending on "connection.multi-connect", a profile can (auto)connect only once at a time or multiple times.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   connection.autoconnect-ports
       Whether or not ports of this connection should be automatically brought up when NetworkManager activates this connection. This only has a real effect for controller connections.
       The properties "autoconnect", "autoconnect-priority" and "autoconnect-retries" are unrelated to this setting. The permitted values are: 0: leave port connections untouched, 1:
       activate all the port connections with this connection, -1: default. If -1 (default) is set, global connection.autoconnect-ports is read to determine the real value. If it is
       default as well, this fallbacks to 0.

       Format: choice (NMTernary)

       Valid values: default (-1), false (0), true (1)

   connection.autoconnect-priority
       The autoconnect priority in range -999 to 999. If the connection is set to autoconnect, connections with higher priority will be preferred. The higher number means higher
       priority. Defaults to 0. Note that this property only matters if there are more than one candidate profile to select for autoconnect. In case of equal priority, the profile used
       most recently is chosen.

       Format: integer

       Valid values: -999 - 999

   connection.autoconnect-retries
       The number of times a connection should be tried when autoactivating before giving up. Zero means forever, -1 means the global default (4 times if not overridden). Setting this to
       1 means to try activation only once before blocking autoconnect. Note that after a timeout, NetworkManager will try to autoconnect again.

       Format: integer

       Valid values: -1 - 2147483647

       Special values: default (-1), forever (0)

   connection.autoconnect-slaves
       Whether or not ports of this connection should be automatically brought up when NetworkManager activates this connection. This only has a real effect for controller connections.
       The properties "autoconnect", "autoconnect-priority" and "autoconnect-retries" are unrelated to this setting. The permitted values are: 0: leave port connections untouched, 1:
       activate all the port connections with this connection, -1: default. If -1 (default) is set, global connection.autoconnect-slaves is read to determine the real value. If it is
       default as well, this fallbacks to 0.

       Deprecated 1.46. Use "autoconnect-ports" instead, this is just an alias.

       Format: choice (NMSettingConnectionAutoconnectSlaves)

       Valid values: default (-1), no (0), yes (1)

   connection.controller
       Alias: controller

       Interface name of the controller device or UUID of the controller connection.

       Format: string

   connection.dns-over-tls
       Whether DNSOverTls (dns-over-tls) is enabled for the connection. DNSOverTls is a technology which uses TLS to encrypt dns traffic.

       The permitted values are: "yes" (2) use DNSOverTls and disabled fallback, "opportunistic" (1) use DNSOverTls but allow fallback to unencrypted resolution, "no" (0) don't ever use
       DNSOverTls. If unspecified "default" depends on the plugin used. Systemd-resolved uses global setting.

       This feature requires a plugin which supports DNSOverTls. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved.

       Format: choice (NMSettingConnectionDnsOverTls)

       Valid values: default (-1), no (0), opportunistic (1), yes (2)

   connection.down-on-poweroff
       Whether the connection will be brought down before the system is powered off. The default value is "default" (-1). When the default value is specified, then the global value from
       NetworkManager configuration is looked up, if not set, it is considered as "no" (0).

       Format: choice (NMSettingConnectionDownOnPoweroff)

       Valid values: default (-1), no (0), yes (1)

   connection.gateway-ping-timeout
       If greater than zero, delay success of IP addressing until either the timeout is reached, or an IP gateway replies to a ping.

       Format: integer

       Valid values: 0 - 600

   connection.id
       Alias: con-name

       A human readable unique identifier for the connection, like "Work Wi-Fi" or "T-Mobile 3G".

       Format: string

   connection.interface-name
       Alias: ifname

       The name of the network interface this connection is bound to. If not set, then the connection can be attached to any interface of the appropriate type (subject to restrictions
       imposed by other settings).

       For software devices this specifies the name of the created device.

       For connection types where interface names cannot easily be made persistent (e.g. mobile broadband or USB Ethernet), this property should not be used. Setting this property
       restricts the interfaces a connection can be used with, and if interface names change or are reordered the connection may be applied to the wrong interface.

       Format: string

   connection.ip-ping-addresses
       The property specifies a list of target IP addresses for pinging. When multiple targets are set, NetworkManager will start multiple ping processes in parallel. This property can
       only be set if connection.ip-ping-timeout is set. The ip-ping-timeout is used to delay the success of IP addressing until either the specified timeout (in seconds) is reached, or
       an target IP address replies to a ping. Configuring "ip-ping-addresses" may delay reaching the systemd's network-online.target due to waiting for the ping operations to complete
       or timeout.

       Format: list of IPv4 or IPv6 addresses

   connection.ip-ping-addresses-require-all
       The property determines whether it is sufficient for any ping check to succeed among "ip-ping-addresses", or if all ping checks must succeed for "ip-ping-addresses".

       Format: choice (NMTernary)

       Valid values: default (-1), false/no (0), true/yes (1)

   connection.ip-ping-timeout
       If greater than zero, delay success of IP addressing until either the specified timeout (in seconds) is reached, or a target IP address replies to a ping. The property specifies
       the timeout for the "ip-ping-addresses". This property is incompatible with "gateway-ping-timeout", you cannot set these two properties at the same time.

       Format: integer

       Valid values: 0 - 600

   connection.lldp
       Whether LLDP is enabled for the connection.

       Format: choice (NMSettingConnectionLldp)

       Valid values: default (-1), disable (0), enable-rx/enable (1)

   connection.llmnr
       Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for the connection. LLMNR is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4
       and IPv6 hosts to perform name resolution for hosts on the same local link.

       The permitted values are: "yes" (2) register hostname and resolving for the connection, "no" (0) disable LLMNR for the interface, "resolve" (1) do not register hostname but allow
       resolving of LLMNR host names If unspecified, "default" ultimately depends on the DNS plugin (which for systemd-resolved currently means "yes").

       This feature requires a plugin which supports LLMNR. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved.

       Format: choice (NMSettingConnectionLlmnr)

       Valid values: default (-1), no (0), resolve (1), yes (2)

   connection.master
       Alias: master

       Interface name of the controller device or UUID of the controller connection.

       Deprecated 1.46. Use "controller" instead, this is just an alias.

       Format: string

   connection.mdns
       Whether mDNS is enabled for the connection.

       The permitted values are: "yes" (2) register hostname and resolving for the connection, "no" (0) disable mDNS for the interface, "resolve" (1) do not register hostname but allow
       resolving of mDNS host names and "default" (-1) to allow lookup of a global default in NetworkManager.conf. If unspecified, "default" ultimately depends on the DNS plugin.

       This feature requires a plugin which supports mDNS. Otherwise, the setting has no effect. Currently the only supported DNS plugin is systemd-resolved. For systemd-resolved, the
       default is configurable via MulticastDNS= setting in resolved.conf.

       Format: choice (NMSettingConnectionMdns)

       Valid values: default (-1), no (0), resolve (1), yes (2)

   connection.metered
       Whether the connection is metered.

       When updating this property on a currently activated connection, the change takes effect immediately.

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   connection.mptcp-flags
       Whether to configure MPTCP endpoints and the address flags. If MPTCP is enabled in NetworkManager, it will configure the addresses of the interface as MPTCP endpoints. Note that
       IPv4 loopback addresses (127.0.0.0/8), IPv4 link local addresses (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local addresses (fe80::/10), IPv6 unique local
       addresses (ULA, fc00::/7) and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy) will be excluded from being configured as endpoints.

       If "disabled" (0x1), MPTCP handling for the interface is disabled and no endpoints are registered.

       The "enabled" (0x2) flag means that MPTCP handling is enabled. This flag can also be implied from the presence of other flags.

       Even when enabled, MPTCP handling will by default still be disabled unless "/proc/sys/net/mptcp/enabled" sysctl is on. NetworkManager does not change the sysctl and this is up to
       the administrator or distribution. To configure endpoints even if the sysctl is disabled, "also-without-sysctl" (0x4) flag can be used. In that case, NetworkManager doesn't look
       at the sysctl and configures endpoints regardless.

       Even when enabled, NetworkManager will only configure MPTCP endpoints for a certain address family, if there is a unicast default route (0.0.0.0/0 or ::/0) in the main routing
       table. The flag "also-without-default-route" (0x8) can override that.

       When MPTCP handling is enabled then endpoints are configured with the specified address flags "signal" (0x10), "subflow" (0x20), "backup" (0x40), "fullmesh" (0x80). See
       ip-mptcp(8) manual for additional information about the flags.

       If the flags are zero (0x0), the global connection default from NetworkManager.conf is honored. If still unspecified, the fallback is "enabled,subflow". Note that this means that
       MPTCP is by default done depending on the "/proc/sys/net/mptcp/enabled" sysctl.

       NetworkManager does not change the MPTCP limits nor enable MPTCP via "/proc/sys/net/mptcp/enabled". That is a host configuration which the admin can change via sysctl and
       ip-mptcp.

       Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when MPTCP handling for IPv4 addresses on the interface is enabled, NetworkManager would loosen the
       strict reverse path filtering (1) to the loose setting (2).

       Format: flags (NMMptcpFlags)

       Valid values: none/default (0x0), disabled (0x1), enabled (0x2), also-without-sysctl (0x4), also-without-default-route (0x8), signal (0x10), subflow (0x20), backup (0x40),
       fullmesh (0x80)

   connection.mud-url
       If configured, set to a Manufacturer Usage Description (MUD) URL that points to manufacturer-recommended network policies for IoT devices. It is transmitted as a DHCPv4 or DHCPv6
       option. The value must be a valid URL starting with "https://".

       The special value "none" is allowed to indicate that no MUD URL is used.

       If the per-profile value is unspecified (the default), a global connection default gets consulted. If still unspecified, the ultimate default is "none".

       Format: string

   connection.multi-connect
       Specifies whether the profile can be active multiple times at a particular moment. The value is of type NMConnectionMultiConnect.

       Format: choice (NMConnectionMultiConnect)

       Valid values: default (0), single (1), manual-multiple (2), multiple (3)

   connection.permissions
       An array of strings defining what access a given user has to this connection. If this is NULL or empty, all users are allowed to access this connection; otherwise users are
       allowed if and only if they are in this list. When this is not empty, the connection can be active only when one of the specified users is logged into an active session. Each
       entry is of the form "[type]:[id]:[reserved]"; for example, "user:dcbw:blah".

       At this time only the "user" [type] is allowed. Any other values are ignored and reserved for future use. [id] is the username that this permission refers to, which may not
       contain the ":" character. Any [reserved] information present must be ignored and is reserved for future use. All of [type], [id], and [reserved] must be valid UTF-8.

       Format: list of strings

   connection.port-type
       Alias: port-type

       Setting name of the device type of this port's controller connection (eg, "bond"), or NULL if this connection is not a port.

       Format: string

       Valid values: bond, bridge, ovs-bridge, ovs-port, team, vrf

   connection.secondaries
       List of connection UUIDs that should be activated when the base connection itself is activated. Currently, only VPN connections are supported.

       Format: list of strings

   connection.slave-type
       Alias: slave-type

       Setting name of the device type of this port's controller connection (eg, "bond"), or NULL if this connection is not a port.

       Deprecated 1.46. Use "port-type" instead, this is just an alias.

       Format: string

       Valid values: bond, bridge, ovs-bridge, ovs-port, team, vrf

   connection.stable-id
       This represents the identity of the connection used for various purposes. It allows to configure multiple profiles to share the identity. Also, the stable-id can contain
       placeholders that are substituted dynamically and deterministically depending on the context.

       The stable-id is used for generating IPv6 stable private addresses with ipv6.addr-gen-mode=stable-privacy. It is also used to seed the generated cloned MAC address for
       ethernet.cloned-mac-address=stable and wifi.cloned-mac-address=stable. It is also used to derive the DHCP client identifier with ipv4.dhcp-client-id=stable, the DHCPv6 DUID with
       ipv6.dhcp-duid=stable-[llt,ll,uuid] and the DHCP IAID with ipv4.iaid=stable and ipv6.iaid=stable.

       Note that depending on the context where it is used, other parameters are also seeded into the generation algorithm. For example, a per-host key is commonly also included, so that
       different systems end up generating different IDs. Or with ipv6.addr-gen-mode=stable-privacy, also the device's name is included, so that different interfaces yield different
       addresses. The per-host key is the identity of your machine and stored in /var/lib/NetworkManager/secret_key. See NetworkManager(8) manual about the secret-key and the host
       identity.

       The '$' character is treated special to perform dynamic substitutions at activation time. Currently, supported are "${CONNECTION}", "${DEVICE}", "${MAC}", "${NETWORK_SSID}",
       "${BOOT}", "${RANDOM}". These effectively create unique IDs per-connection, per-device, per-SSID, per-boot, or every time. The "${CONNECTION}" uses the profile's connection.uuid,
       the "${DEVICE}" uses the interface name of the device and "${MAC}" the permanent MAC address of the device. "${NETWORK_SSID}" uses the SSID for Wi-Fi networks and falls back to
       "${CONNECTION}" on other networks. Any unrecognized patterns following '$' are treated verbatim, however are reserved for future use. You are thus advised to avoid '$' or escape
       it as "$$". For example, set it to "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this connection that changes with every reboot and differs depending on the
       interface where the profile activates.

       If the value is unset, a global connection default is consulted. If the value is still unset, the default is "default${CONNECTION}" go generate an ID unique per connection
       profile.

       Format: string

   connection.timestamp
       The time, in seconds since the Unix Epoch, that the connection was last _successfully_ fully activated.

       NetworkManager updates the connection timestamp periodically when the connection is active to ensure that an active connection has the latest timestamp. The property is only meant
       for reading (changes to this property will not be preserved).

       Format: read only

   connection.type
       Alias: type

       Base type of the connection. For hardware-dependent connections, should contain the setting name of the hardware-type specific setting (ie, "802-3-ethernet" or "802-11-wireless"
       or "bluetooth", etc), and for non-hardware dependent connections like VPN or otherwise, should contain the setting name of that setting type (ie, "vpn" or "bridge", etc).

       Format: string

       Valid values: 6lowpan, 802-11-olpc-mesh, 802-11-wireless, 802-3-ethernet, adsl, bluetooth, bond, bridge, cdma, dummy, generic, gsm, hsr, infiniband, ip-tunnel, ipvlan, loopback,
       macsec, macvlan, ovs-bridge, ovs-interface, ovs-port, pppoe, team, tun, veth, vlan, vpn, vrf, vxlan, wifi-p2p, wimax, wireguard, wpan

   connection.uuid
       The connection.uuid is the real identifier of a profile. It cannot change and it must be unique. It is therefore often best to refer to a profile by UUID, for example with `nmcli
       connection up uuid $UUID`.

       The UUID cannot be changed, except in offline mode. In that case, the special values "new", "generate" and "" are allowed to generate a new random UUID.

       Format: a valid RFC4122 universally unique identifier (UUID).

   connection.wait-activation-delay
       Time in milliseconds to wait for connection to be considered activated. The wait will start after the pre-up dispatcher event.

       The value 0 means no wait time. The default value is -1, which currently has the same meaning as no wait time.

       Format: integer

       Valid values: -1 - 2147483647

   connection.wait-device-timeout
       Timeout in milliseconds to wait for device at startup. During boot, devices may take a while to be detected by the driver. This property will cause to delay
       NetworkManager-wait-online.service and nm-online to give the device a chance to appear. This works by waiting for the given timeout until a compatible device for the profile is
       available and managed.

       The value 0 means no wait time. The default value is -1, which currently has the same meaning as no wait time.

       Format: integer

       Valid values: -1 - 2147483647

   connection.zone
       The trust level of a the connection. Free form case-insensitive string (for example "Home", "Work", "Public"). NULL or unspecified zone means the connection will be placed in the
       default zone as defined by the firewall.

       When updating this property on a currently activated connection, the change takes effect immediately.

       Format: string

6lowpan setting

   6LoWPAN Settings.

   Properties:

   6lowpan.parent
       Alias: dev

       If given, specifies the parent interface name or parent connection UUID from which this 6LowPAN interface should be created.

       Format: string

802-1x setting

   IEEE 802.1x Authentication Settings.

   Properties:

   802-1x.altsubject-matches
       List of strings to be matched against the altSubjectName of the certificate presented by the authentication server. If the list is empty, no verification of the server
       certificate's altSubjectName is performed.

       Format: list of strings

   802-1x.anonymous-identity
       Anonymous identity string for EAP authentication methods. Used as the unencrypted identity with EAP types that support different tunneled identity like EAP-TTLS.

       Format: string

   802-1x.auth-timeout
       A timeout for the authentication. Zero means the global default; if the global default is not set, the authentication timeout is 25 seconds.

       Format: integer

       Valid values: 0 - 2147483647

   802-1x.ca-cert
       Contains the path to the CA certificate if used by the EAP method specified in the 802-1x.eap property.

       This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.

       Note that enabling 802-1x.system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.

       Format: filesystem path

   802-1x.ca-cert-password
       The password used to access the CA certificate stored in "ca-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.

       Format: string

   802-1x.ca-cert-password-flags
       Flags indicating how to handle the "ca-cert-password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-1x.ca-path
       UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the "ca-cert"
       property.

       If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.

       Format: string

   802-1x.client-cert
       Contains the path to the client certificate if used by the EAP method specified in the 802-1x.eap property.

       Format: filesystem path

   802-1x.client-cert-password
       The password used to access the client certificate stored in "client-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.

       Format: string

   802-1x.client-cert-password-flags
       Flags indicating how to handle the "client-cert-password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-1x.domain-match
       Constraint for server domain name. If set, this list of FQDNs is used as a match requirement for dNSName element(s) of the certificate presented by the authentication server. If a
       matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same comparison. Multiple valid
       FQDNs can be passed as a ";" delimited list.

       Format: string

   802-1x.domain-suffix-match
       Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server. If a
       matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison. Since
       version 1.24, multiple valid FQDNs can be passed as a ";" delimited list.

       Format: string

   802-1x.eap
       The allowed EAP method to be used when authenticating to the network with 802.1x. Valid methods are: "leap", "md5", "tls", "peap", "ttls", "pwd", and "fast". Each method requires
       different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations.

       Format: list of strings

       Valid values: leap, md5, tls, peap, ttls, sim, fast, pwd

   802-1x.identity
       Identity string for EAP authentication methods. Often the user's user or login name.

       Format: string

   802-1x.openssl-ciphers
       Define openssl_ciphers for wpa_supplicant. Openssl sometimes moves ciphers among SECLEVELs, thus compiled-in default value in wpa_supplicant (as modified by some linux
       distributions) sometimes prevents to connect to old servers that do not support new protocols.

       Format: string

   802-1x.optional
       Whether the 802.1X authentication is optional. If TRUE, the activation will continue even after a timeout or an authentication failure. Setting the property to TRUE is currently
       allowed only for Ethernet connections. If set to FALSE, the activation can continue only after a successful authentication.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   802-1x.pac-file
       UTF-8 encoded file path containing PAC for EAP-FAST.

       Format: string

   802-1x.password
       UTF-8 encoded password used for EAP authentication methods. If both the "password" property and the "password-raw" property are specified, "password" is preferred.

       Format: string

   802-1x.password-flags
       Flags indicating how to handle the "password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-1x.password-raw
       Password used for EAP authentication methods, given as a byte array to allow passwords in other encodings than UTF-8 to be used. If both the "password" property and the
       "password-raw" property are specified, "password" is preferred.

       Format: bytes

   802-1x.password-raw-flags
       Flags indicating how to handle the "password-raw" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-1x.phase1-auth-flags
       Specifies authentication flags to use in "phase 1" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. TLS time
       checks can be also disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x and
       tls_disable_time_checks settings. See the wpa_supplicant documentation for more details.

       Format: flags (NMSetting8021xAuthFlags)

       Valid values: none (0x0), tls-1-0-disable (0x1), tls-1-1-disable (0x2), tls-1-2-disable (0x4), tls-disable-time-checks (0x8), tls-1-3-disable (0x10), tls-1-0-enable (0x20),
       tls-1-1-enable (0x40), tls-1-2-enable (0x80), tls-1-3-enable (0x100), all (0x1ff)

   802-1x.phase1-fast-provisioning
       Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the "eap" property. Recognized values are "0" (disabled), "1" (allow
       unauthenticated provisioning), "2" (allow authenticated provisioning), and "3" (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation
       for more details.

       Format: string

       Valid values: 0, 1, 2, 3

   802-1x.phase1-peaplabel
       Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to "1" to force use of the new
       PEAP label. See the wpa_supplicant documentation for more details.

       Format: string

       Valid values: 0, 1

   802-1x.phase1-peapver
       Forces which PEAP version is used when PEAP is set as the EAP method in the "eap" property. When unset, the version reported by the server will be used. Sometimes when using older
       RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to "0" or "1" to force that specific PEAP version.

       Format: string

       Valid values: 0, 1

   802-1x.phase2-altsubject-matches
       List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner "phase 2" authentication. If the list is empty,
       no verification of the server certificate's altSubjectName is performed.

       Format: list of strings

   802-1x.phase2-auth
       Specifies the allowed "phase 2" inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the "eap" property. For TTLS this property selects one
       of the supported non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while "phase2-autheap" selects an EAP inner method. For PEAP this selects an inner EAP method, one of:
       "gtc", "otp", "md5" and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both
       "phase2-auth" and "phase2-autheap" cannot be specified.

       Format: string

       Valid values: pap, chap, mschap, mschapv2, gtc, otp, md5, tls

   802-1x.phase2-autheap
       Specifies the allowed "phase 2" inner EAP-based authentication method when TTLS is specified in the "eap" property. Recognized EAP-based "phase 2" methods are "md5", "mschapv2",
       "otp", "gtc", and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.

       Format: string

       Valid values: md5, mschapv2, otp, gtc, tls

   802-1x.phase2-ca-cert
       Contains the path to the "phase 2" CA certificate if used by the EAP method specified in the 802-1x.phase2-auth or 802-1x.phase2-autheap properties.

       This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.

       Note that enabling 802-1x.system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.

       Format: filesystem path

   802-1x.phase2-ca-cert-password
       The password used to access the "phase2" CA certificate stored in "phase2-ca-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a
       login.

       Format: string

   802-1x.phase2-ca-cert-password-flags
       Flags indicating how to handle the "phase2-ca-cert-password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-1x.phase2-ca-path
       UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the
       "phase2-ca-cert" property.

       If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored.

       Format: filesystem path

   802-1x.phase2-client-cert
       Contains the path to the "phase 2" client certificate if used by the EAP method specified in the 802-1x.phase2-auth or 802-1x.phase2-autheap properties.

       Format: filesystem path

   802-1x.phase2-client-cert-password
       The password used to access the "phase2" client certificate stored in "phase2-client-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires
       a login.

       Format: string

   802-1x.phase2-client-cert-password-flags
       Flags indicating how to handle the "phase2-client-cert-password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-1x.phase2-domain-match
       Constraint for server domain name. If set, this list of FQDNs is used as a match requirement for dNSName element(s) of the certificate presented by the authentication server
       during the inner "phase 2" authentication. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName
       CN using the same comparison. Multiple valid FQDNs can be passed as a ";" delimited list.

       Format: string

   802-1x.phase2-domain-suffix-match
       Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server during
       the inner "phase 2" authentication. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN
       using same suffix match comparison. Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited list.

       Format: string

   802-1x.phase2-private-key
       The path to the "phase 2" inner private key when the 802-1x.phase2-auth or 802-1x.phase2-autheap property is set to "tls".

       Format: filesystem path

   802-1x.phase2-private-key-password
       The password used to decrypt the "phase 2" private key specified in the 802-1x.phase2-private-key property. This is normally used by secret agents, not directly by users.

       Format: string

   802-1x.phase2-private-key-password-flags
       Flags indicating how to handle the "phase2-private-key-password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-1x.phase2-subject-match
       Substring to be matched against the subject of the certificate presented by the authentication server during the inner "phase 2" authentication. When unset, no verification of the
       authentication server certificate's subject is performed. This property provides little security, if any, and should not be used.

       This property is deprecated since version 1.2. Use "phase2-domain-suffix-match" instead.

       Format: string

   802-1x.pin
       PIN used for EAP authentication methods.

       Format: string

   802-1x.pin-flags
       Flags indicating how to handle the "pin" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-1x.private-key
       The path to the private key when the 802-1.eap property is set to "tls".

       Format: filesystem path

   802-1x.private-key-password
       The password used to decrypt the private key specified in the 802-1x.private-key property. This is normally used by secret agents, not directly by users.

       Format: string

   802-1x.private-key-password-flags
       Flags indicating how to handle the "private-key-password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-1x.subject-match
       Substring to be matched against the subject of the certificate presented by the authentication server. When unset, no verification of the authentication server certificate's
       subject is performed. This property provides little security, if any, and should not be used.

       This property is deprecated since version 1.2. Use "phase2-domain-suffix-match" instead.

       Format: string

   802-1x.system-ca-certs
       When TRUE, overrides the "ca-path" and "phase2-ca-path" properties using the system CA directory specified at configure time with the --system-ca-path switch. The certificates in
       this directory are added to the verification chain in addition to any certificates specified by the "ca-cert" and "phase2-ca-cert" properties. If the path provided with
       --system-ca-path is rather a file name (bundle of trusted CA certificates), it overrides "ca-cert" and "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options for
       wpa_supplicant).

       Format: boolean

       Valid values: true/yes/on, false/no/off

adsl setting

   ADSL Settings.

   Properties:

   adsl.encapsulation
       Alias: encapsulation

       Encapsulation of ADSL connection. Can be "vcmux" or "llc".

       Format: string

       Valid values: vcmux, llc

   adsl.password
       Alias: password

       Password used to authenticate with the ADSL service.

       Format: string

   adsl.password-flags
       Flags indicating how to handle the "password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   adsl.protocol
       Alias: protocol

       ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".

       Format: string

       Valid values: pppoa, pppoe, ipoatm

   adsl.username
       Alias: username

       Username used to authenticate with the ADSL service.

       Format: string

   adsl.vci
       VCI of ADSL connection

       Format: integer

       Valid values: 0 - 65536

   adsl.vpi
       VPI of ADSL connection

       Format: integer

       Valid values: 0 - 65536

bluetooth setting

   Bluetooth Settings.

   Properties:

   bluetooth.bdaddr
       Alias: addr

       The Bluetooth address of the device.

       Format: MAC address

   bluetooth.type
       Alias: bt-type

       Either "dun" for Dial-Up Networking connections or "panu" for Personal Area Networking connections to devices supporting the NAP profile.

       Format: string

       Valid values: dun, panu, nap

bond setting

   Bonding Settings.

   Properties:

   bond.options
       Dictionary of key/value pairs of bonding options. Both keys and values must be strings. Option names must contain only alphanumeric characters (ie, [a-zA-Z0-9]).

       Format: list of key/value options

bridge setting

   Bridging Settings.

   Properties:

   bridge.ageing-time
       Alias: ageing-time

       The Ethernet MAC address aging time, in seconds.

       Format: integer

       Valid values: 0 - 1000000

   bridge.forward-delay
       Alias: forward-delay

       The Spanning Tree Protocol (STP) forwarding delay, in seconds.

       Format: integer

       Valid values: 0 - 30

   bridge.group-address
       If specified, The MAC address of the multicast group this bridge uses for STP.

       The address must be a link-local address in standard Ethernet MAC address format, ie an address of the form 01:80:C2:00:00:0X, with X in [0, 4..F]. If not specified the default
       value is 01:80:C2:00:00:00.

       Format: MAC address

   bridge.group-forward-mask
       Alias: group-forward-mask

       A mask of group addresses to forward. Usually, group addresses in the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not forwarded according to standards. This property is
       a mask of 16 bits, each corresponding to a group address in that range that must be forwarded. The mask can't have bits 0, 1 or 2 set because they are used for STP, MAC pause
       frames and LACP.

       Format: integer

       Valid values: 0 - 65535

   bridge.hello-time
       Alias: hello-time

       The Spanning Tree Protocol (STP) hello time, in seconds.

       Format: integer

       Valid values: 0 - 10

   bridge.mac-address
       Alias: mac

       If specified, the MAC address of bridge. When creating a new bridge, this MAC address will be set.

       If this field is left unspecified, the "ethernet.cloned-mac-address" is referred instead to generate the initial MAC address. Note that setting "ethernet.cloned-mac-address"
       anyway overwrites the MAC address of the bridge later while activating the bridge.

       This property is deprecated since version 1.12. Use the "cloned-mac-address" property instead.

       Format: MAC address

   bridge.max-age
       Alias: max-age

       The Spanning Tree Protocol (STP) maximum message age, in seconds.

       Format: integer

       Valid values: 0 - 40

   bridge.multicast-hash-max
       Set maximum size of multicast hash table (value must be a power of 2).

       Format: integer

       Valid values: 1 - 4294967295

   bridge.multicast-last-member-count
       Set the number of queries the bridge will send before stopping forwarding a multicast group after a "leave" message has been received.

       Format: integer

       Valid values: 0 - 4294967295

   bridge.multicast-last-member-interval
       Set interval (in deciseconds) between queries to find remaining members of a group, after a "leave" message is received.

       Format: integer

       Valid values: 0 - 18446744073709551615

   bridge.multicast-membership-interval
       Set delay (in deciseconds) after which the bridge will leave a group, if no membership reports for this group are received.

       Format: integer

       Valid values: 0 - 18446744073709551615

   bridge.multicast-querier
       Enable or disable sending of multicast queries by the bridge. If not specified the option is disabled.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   bridge.multicast-querier-interval
       If no queries are seen after this delay (in deciseconds) has passed, the bridge will start to send its own queries.

       Format: integer

       Valid values: 0 - 18446744073709551615

   bridge.multicast-query-interval
       Interval (in deciseconds) between queries sent by the bridge after the end of the startup phase.

       Format: integer

       Valid values: 0 - 18446744073709551615

   bridge.multicast-query-response-interval
       Set the Max Response Time/Max Response Delay (in deciseconds) for IGMP/MLD queries sent by the bridge.

       Format: integer

       Valid values: 0 - 18446744073709551615

   bridge.multicast-query-use-ifaddr
       If enabled the bridge's own IP address is used as the source address for IGMP queries otherwise the default of 0.0.0.0 is used.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   bridge.multicast-router
       Sets bridge's multicast router. Multicast-snooping must be enabled for this option to work.

       Supported values are: 'auto', 'disabled', 'enabled' to which kernel assigns the numbers 1, 0, and 2, respectively. If not specified the default value is 'auto' (1).

       Format: string

       Valid values: auto, disabled, enabled

   bridge.multicast-snooping
       Alias: multicast-snooping

       Controls whether IGMP snooping is enabled for this bridge. Note that if snooping was automatically disabled due to hash collisions, the system may refuse to enable the feature
       until the collisions are resolved.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   bridge.multicast-startup-query-count
       Set the number of IGMP queries to send during startup phase.

       Format: integer

       Valid values: 0 - 4294967295

   bridge.multicast-startup-query-interval
       Sets the time (in deciseconds) between queries sent out at startup to determine membership information.

       Format: integer

       Valid values: 0 - 18446744073709551615

   bridge.priority
       Alias: priority

       Sets the Spanning Tree Protocol (STP) priority for this bridge. Lower values are "better"; the lowest priority bridge will be elected the root bridge.

       Format: integer

       Valid values: 0 - 65535

   bridge.stp
       Alias: stp

       Controls whether Spanning Tree Protocol (STP) is enabled for this bridge.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   bridge.vlan-default-pvid
       The default PVID for the ports of the bridge, that is the VLAN id assigned to incoming untagged frames.

       Format: integer

       Valid values: 0 - 4094

   bridge.vlan-filtering
       Control whether VLAN filtering is enabled on the bridge.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   bridge.vlan-protocol
       If specified, the protocol used for VLAN filtering.

       Supported values are: '802.1Q', '802.1ad'. If not specified the default value is '802.1Q'.

       Format: string

       Valid values: 802.1Q, 802.1ad

   bridge.vlan-stats-enabled
       Controls whether per-VLAN stats accounting is enabled.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   bridge.vlans
       Array of bridge VLAN objects. In addition to the VLANs specified here, the bridge will also have the default-pvid VLAN configured by the bridge.vlan-default-pvid property.

       In nmcli the VLAN list can be specified with the following syntax:

       $vid [pvid] [untagged] [, $vid [pvid] [untagged]]...

       where $vid is either a single id between 1 and 4094 or a range, represented as a couple of ids separated by a dash.

       Format: list of bridge.vlans objects

bridge-port setting

   Bridge Port Settings.

   Properties:

   bridge-port.hairpin-mode
       Alias: hairpin

       Enables or disables "hairpin mode" for the port, which allows frames to be sent back out through the port the frame was received on.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   bridge-port.path-cost
       Alias: path-cost

       The Spanning Tree Protocol (STP) port cost for destinations via this port.

       Format: integer

       Valid values: 0 - 65535

   bridge-port.priority
       Alias: priority

       The Spanning Tree Protocol (STP) priority of this bridge port.

       Format: integer

       Valid values: 0 - 63

   bridge-port.vlans
       Array of bridge VLAN objects. In addition to the VLANs specified here, the port will also have the default-pvid VLAN configured on the bridge by the bridge.vlan-default-pvid
       property.

       In nmcli the VLAN list can be specified with the following syntax:

       $vid [pvid] [untagged] [, $vid [pvid] [untagged]]...

       where $vid is either a single id between 1 and 4094 or a range, represented as a couple of ids separated by a dash.

       Format: list of bridge-port.vlans objects

cdma setting

   CDMA-based Mobile Broadband Settings.

   Properties:

   cdma.mtu
       If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple frames.

       Format: integer

       Special values: auto

   cdma.number
       The number to dial to establish the connection to the CDMA-based mobile broadband network, if any. If not specified, the default number (#777) is used when required.

       Format: string

   cdma.password
       Alias: password

       The password used to authenticate with the network, if required. Many providers do not require a password, or accept any password. But if a password is required, it is specified
       here.

       Format: string

   cdma.password-flags
       Flags indicating how to handle the "password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   cdma.username
       Alias: user

       The username used to authenticate with the network, if required. Many providers do not require a username, or accept any username. But if a username is required, it is specified
       here.

       Format: string

dcb setting

   Data Center Bridging Settings.

   Properties:

   dcb.app-fcoe-flags
       Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags may be any combination of "enable" (0x1), "advertise" (0x2), and "willing" (0x4).

       Format: flags (NMSettingDcbFlags)

       Valid values: none (0x0), enable (0x1), advertise (0x2), willing (0x4)

   dcb.app-fcoe-mode
       The FCoE controller mode; either "fabric" or "vn2vn".

       Since 1.34, NULL is the default and means "fabric". Before 1.34, NULL was rejected as invalid and the default was "fabric".

       Format: string

       Valid values: fabric, vn2vn

   dcb.app-fcoe-priority
       The highest User Priority (0 - 7) which FCoE frames should use, or -1 for default priority. Only used when the "app-fcoe-flags" property includes the "enable" (0x1) flag.

       Format: integer

       Valid values: -1 - 7

       Special values: unset (-1)

   dcb.app-fip-flags
       Specifies the NMSettingDcbFlags for the DCB FIP application. Flags may be any combination of "enable" (0x1), "advertise" (0x2), and "willing" (0x4).

       Format: flags (NMSettingDcbFlags)

       Valid values: none (0x0), enable (0x1), advertise (0x2), willing (0x4)

   dcb.app-fip-priority
       The highest User Priority (0 - 7) which FIP frames should use, or -1 for default priority. Only used when the "app-fip-flags" property includes the "enable" (0x1) flag.

       Format: integer

       Valid values: -1 - 7

       Special values: unset (-1)

   dcb.app-iscsi-flags
       Specifies the NMSettingDcbFlags for the DCB iSCSI application. Flags may be any combination of "enable" (0x1), "advertise" (0x2), and "willing" (0x4).

       Format: flags (NMSettingDcbFlags)

       Valid values: none (0x0), enable (0x1), advertise (0x2), willing (0x4)

   dcb.app-iscsi-priority
       The highest User Priority (0 - 7) which iSCSI frames should use, or -1 for default priority. Only used when the "app-iscsi-flags" property includes the "enable" (0x1) flag.

       Format: integer

       Valid values: -1 - 7

       Special values: unset (-1)

   dcb.priority-bandwidth
       An array of 8 uint values, where the array index corresponds to the User Priority (0 - 7) and the value indicates the percentage of bandwidth of the priority's assigned group that
       the priority may use. The sum of all percentages for priorities which belong to the same group must total 100 percents.

       Format: list of integers

       Valid values: 0 - 100

   dcb.priority-flow-control
       An array of 8 boolean values, where the array index corresponds to the User Priority (0 - 7) and the value indicates whether or not the corresponding priority should transmit
       priority pause.

       Format: list of booleans

       Valid values: true/yes/on, false/no/off

   dcb.priority-flow-control-flags
       Specifies the NMSettingDcbFlags for DCB Priority Flow Control (PFC). Flags may be any combination of "enable" (0x1), "advertise" (0x2), and "willing" (0x4).

       Format: flags (NMSettingDcbFlags)

       Valid values: none (0x0), enable (0x1), advertise (0x2), willing (0x4)

   dcb.priority-group-bandwidth
       An array of 8 uint values, where the array index corresponds to the Priority Group ID (0 - 7) and the value indicates the percentage of link bandwidth allocated to that group.
       Allowed values are 0 - 100, and the sum of all values must total 100 percents.

       Format: list of integers

       Valid values: 0 - 100

   dcb.priority-group-flags
       Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may be any combination of "enable" (0x1), "advertise" (0x2), and "willing" (0x4).

       Format: flags (NMSettingDcbFlags)

       Valid values: none (0x0), enable (0x1), advertise (0x2), willing (0x4)

   dcb.priority-group-id
       An array of 8 uint values, where the array index corresponds to the User Priority (0 - 7) and the value indicates the Priority Group ID. Allowed Priority Group ID values are 0 - 7
       or 15 for the unrestricted group.

       Format: list of integers

       Valid values: 0 - 7, 15

   dcb.priority-strict-bandwidth
       An array of 8 boolean values, where the array index corresponds to the User Priority (0 - 7) and the value indicates whether or not the priority may use all of the bandwidth
       allocated to its assigned group.

       Format: list of booleans

       Valid values: true/yes/on, false/no/off

   dcb.priority-traffic-class
       An array of 8 uint values, where the array index corresponds to the User Priority (0 - 7) and the value indicates the traffic class (0 - 7) to which the priority is mapped.

       Format: list of integers

       Valid values: 0 - 7

ethtool setting

   Ethtool Ethernet Settings.

   Properties:

   ethtool.channels-combined
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.channels-other
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.channels-rx
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.channels-tx
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-adaptive-rx
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-adaptive-tx
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-pkt-rate-high
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-pkt-rate-low
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-rx-frames
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-rx-frames-high
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-rx-frames-irq
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-rx-frames-low
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-rx-usecs
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-rx-usecs-high
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-rx-usecs-irq
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-rx-usecs-low
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-sample-interval
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-stats-block-usecs
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-tx-frames
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-tx-frames-high
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-tx-frames-irq
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-tx-frames-low
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-tx-usecs
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-tx-usecs-high
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-tx-usecs-irq
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.coalesce-tx-usecs-low
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.eee-enabled
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-esp-hw-offload
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-esp-tx-csum-hw-offload
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-fcoe-mtu
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-gro
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-gso
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-highdma
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-hw-tc-offload
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-l2-fwd-offload
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-loopback
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-lro
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-macsec-hw-offload
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-ntuple
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rx
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rx-all
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rx-fcs
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rx-gro-hw
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rx-gro-list
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rx-udp-gro-forwarding
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rx-udp_tunnel-port-offload
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rx-vlan-filter
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rx-vlan-stag-filter
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rx-vlan-stag-hw-parse
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rxhash
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-rxvlan
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-sg
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tls-hw-record
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tls-hw-rx-offload
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tls-hw-tx-offload
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tso
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-checksum-fcoe-crc
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-checksum-ip-generic
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-checksum-ipv4
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-checksum-ipv6
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-checksum-sctp
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-esp-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-fcoe-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-gre-csum-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-gre-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-gso-list
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-gso-partial
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-gso-robust
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-ipxip4-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-ipxip6-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-nocache-copy
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-scatter-gather
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-scatter-gather-fraglist
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-sctp-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-tcp-ecn-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-tcp-mangleid-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-tcp-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-tcp6-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-tunnel-remcsum-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-udp-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-udp_tnl-csum-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-udp_tnl-segmentation
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-tx-vlan-stag-hw-insert
       Format: ternary

       Valid values: on, off, ignore

   ethtool.feature-txvlan
       Format: ternary

       Valid values: on, off, ignore

   ethtool.fec-mode
       Format: flags (NMSettingEthtoolFecMode)

       Valid values: auto (0x2), off (0x4), rs (0x8), baser (0x10), llrs (0x20)

   ethtool.pause-autoneg
       Format: ternary

       Valid values: on, off, ignore

   ethtool.pause-rx
       Format: ternary

       Valid values: on, off, ignore

   ethtool.pause-tx
       Format: ternary

       Valid values: on, off, ignore

   ethtool.ring-rx
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.ring-rx-jumbo
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.ring-rx-mini
       Format: integer

       Valid values: 0 - 4294967295

   ethtool.ring-tx
       Format: integer

       Valid values: 0 - 4294967295

generic setting

   Generic Link Settings.

   Properties:

   generic.device-handler
       Name of the device handler that will be invoked to add and delete the device for this connection. The name can only contain ASCII alphanumeric characters and '-', '_', '.'. It
       cannot start with '.'.

       See the NetworkManager-dispatcher(8) man page for more details about how to write the device handler.

       By setting this property the generic connection becomes "virtual", meaning that it can be activated without an existing device; the device will be created at the time the
       connection is started by invoking the device-handler.

       Format: string

gsm setting

   GSM-based Mobile Broadband Settings.

   Properties:

   gsm.apn
       Alias: apn

       The GPRS Access Point Name specifying the APN used when establishing a data session with the GSM-based network. The APN often determines how the user will be billed for their
       network usage and whether the user has access to the Internet or just a provider-specific walled-garden, so it is important to use the correct APN for the user's mobile broadband
       plan. The APN may only be composed of the characters a-z, 0-9, ., and - per GSM 03.60 Section 14.9.

       If the APN is unset (the default) then it may be detected based on "auto-config" setting. The property can be explicitly set to the empty string to prevent that and use no APN.

       Format: string

   gsm.auto-config
       When TRUE, the settings such as APN, username, or password will default to values that match the network the modem will register to in the Mobile Broadband Provider database.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   gsm.device-id
       The device unique identifier (as given by the WWAN management service) which this connection applies to. If given, the connection will only apply to the specified device.

       Format: string

   gsm.home-only
       When TRUE, only connections to the home network will be allowed. Connections to roaming networks will not be made.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   gsm.initial-eps-bearer-apn
       For LTE modems, this sets the APN for the initial EPS bearer that is set up when attaching to the network. Setting this parameter implies initial-eps-bearer-configure to be TRUE.

       Format: string

   gsm.initial-eps-bearer-configure
       For LTE modems, this setting determines whether the initial EPS bearer shall be configured when bringing up the connection. It is inferred TRUE if initial-eps-bearer-apn is set.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   gsm.initial-eps-bearer-noauth
       For LTE modems, this sets NOAUTH authentication method for the initial EPS bearer that is set up when attaching to the network. If TRUE, do not require the other side to
       authenticate itself to the client. If FALSE, require authentication from the remote side. In almost all cases, this should be TRUE.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   gsm.initial-eps-bearer-password
       For LTE modems, this sets the password for the initial EPS bearer that is set up when attaching to the network. Setting this parameter implies initial-eps-bearer-configure to be
       TRUE.

       Format: string

   gsm.initial-eps-bearer-password-flags
       Flags indicating how to handle the "initial-eps-bearer-password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   gsm.initial-eps-bearer-refuse-chap
       For LTE modems, this disables CHAP authentication method for the initial EPS bearer that is set up when attaching to the network.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   gsm.initial-eps-bearer-refuse-eap
       For LTE modems, this disables EAP authentication method for the initial EPS bearer that is set up when attaching to the network.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   gsm.initial-eps-bearer-refuse-mschap
       For LTE modems, this disables MSCHAP authentication method for the initial EPS bearer that is set up when attaching to the network.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   gsm.initial-eps-bearer-refuse-mschapv2
       For LTE modems, this disables MSCHAPV2 authentication method for the initial EPS bearer that is set up when attaching to the network.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   gsm.initial-eps-bearer-refuse-pap
       For LTE modems, this disables PAP authentication method for the initial EPS bearer that is set up when attaching to the network.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   gsm.initial-eps-bearer-username
       For LTE modems, this sets the username for the initial EPS bearer that is set up when attaching to the network. Setting this parameter implies initial-eps-bearer-configure to be
       TRUE.

       Format: string

   gsm.mtu
       If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple frames.

       Format: integer

       Special values: auto

   gsm.network-id
       The Network ID (GSM LAI format, ie MCC-MNC) to force specific network registration. If the Network ID is specified, NetworkManager will attempt to force the device to register
       only on the specified network. This can be used to ensure that the device does not roam when direct roaming control of the device is not otherwise possible.

       Format: string

   gsm.number
       Legacy setting that used to help establishing PPP data sessions for GSM-based modems.

       This property is deprecated since version 1.16. User-provided values for this setting are no longer used.

       Format: string

   gsm.password
       Alias: password

       The password used to authenticate with the network, if required. Many providers do not require a password, or accept any password. But if a password is required, it is specified
       here.

       Format: string

   gsm.password-flags
       Flags indicating how to handle the "password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   gsm.pin
       If the SIM is locked with a PIN it must be unlocked before any other operations are requested. Specify the PIN here to allow operation of the device.

       Format: string

   gsm.pin-flags
       Flags indicating how to handle the "pin" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   gsm.sim-id
       The SIM card unique identifier (as given by the WWAN management service) which this connection applies to. If given, the connection will apply to any device also allowed by
       "device-id" which contains a SIM card matching the given identifier.

       Format: string

   gsm.sim-operator-id
       A MCC/MNC string like "310260" or "21601" identifying the specific mobile network operator which this connection applies to. If given, the connection will apply to any device also
       allowed by "device-id" and "sim-id" which contains a SIM card provisioned by the given operator.

       Format: string

   gsm.username
       Alias: user

       The username used to authenticate with the network, if required. Many providers do not require a username, or accept any username. But if a username is required, it is specified
       here.

       Format: string

hsr setting

   HSR/PRP Settings.

   Properties:

   hsr.multicast-spec
       Alias: multicast-spec

       The last byte of supervision address.

       Format: integer

       Valid values: 0 - 255

   hsr.port1
       Alias: port1

       The port1 interface name of the HSR. This property is mandatory.

       Format: string

   hsr.port2
       Alias: port2

       The port2 interface name of the HSR. This property is mandatory.

       Format: string

   hsr.prp
       The protocol used by the interface, whether it is PRP or HSR.

       Format: boolean

       Valid values: true/yes/on, false/no/off

infiniband setting

   Infiniband Settings.

   Properties:

   infiniband.mac-address
       Alias: mac

       If specified, this connection will only apply to the IPoIB device whose permanent MAC address matches. This property does not change the MAC address of the device (i.e. MAC
       spoofing).

       Format: Infiniband MAC address

   infiniband.mtu
       Alias: mtu

       If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple frames.

       Format: integer

       Special values: auto

   infiniband.p-key
       Alias: p-key

       The InfiniBand p-key to use for this device. A value of -1 means to use the default p-key (aka "the p-key at index 0"). Otherwise, it is a 16-bit unsigned integer, whose high bit
       0x8000 is set if it is a "full membership" p-key. The values 0 and 0x8000 are not allowed.

       With the p-key set, the interface name is always "$parent.$p_key". Setting "connection.interface-name" to another name is not supported.

       Note that kernel will internally always set the full membership bit, although the interface name does not reflect that. Usually the user would want to configure a full membership
       p-key with 0x8000 flag set.

       Format: integer

       Valid values: -1 - 65535

       Special values: default (-1)

   infiniband.parent
       Alias: parent

       The interface name of the parent device of this device. Normally NULL, but if the "p_key" property is set, then you must specify the base device by setting either this property or
       "mac-address".

       Format: string

   infiniband.transport-mode
       Alias: transport-mode

       The IP-over-InfiniBand transport mode. Either "datagram" or "connected".

       Format: string

       Valid values: datagram, connected

ipv4 setting

   IPv4 Settings.

   Properties:

   ipv4.addresses
       Alias: ip4

       A list of IPv4 addresses and their prefix length. Multiple addresses can be separated by comma. For example "192.168.1.5/24, 10.1.0.5/24". The addresses are listed in decreasing
       priority, meaning the first address will be the primary address.

       Format: a comma separated list of addresses

   ipv4.auto-route-ext-gw
       VPN connections will default to add the route automatically unless this setting is set to FALSE.

       For other connection types, adding such an automatic route is currently not supported and setting this to TRUE has no effect.

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   ipv4.dad-timeout
       Maximum timeout in milliseconds used to check for the presence of duplicate IP addresses on the network. If an address conflict is detected, the activation will fail. The property
       is currently implemented only for IPv4.

       A zero value means that no duplicate address detection is performed, -1 means the default value (either the value configured globally in NetworkManger.conf or 200ms). A value
       greater than zero is a timeout in milliseconds. Note that the time intervals are subject to randomization as per RFC 5227 and so the actual duration can be between half and the
       full time specified in this property.

       Format: integer

       Valid values: -1 - 30000

       Special values: default (-1), off (0)

   ipv4.dhcp-client-id
       A string sent to the DHCP server to identify the local machine which the DHCP server may use to customize the DHCP lease and options. When the property is a hex string
       ('aa:bb:cc') it is interpreted as a binary client ID, in which case the first byte is assumed to be the 'type' field as per RFC 2132 section 9.14 and the remaining bytes may be an
       hardware address (e.g. '01:xx:xx:xx:xx:xx:xx' where 1 is the Ethernet ARP type and the rest is a MAC address). If the property is not a hex string it is considered as a
       non-hardware-address client ID and the 'type' field is set to 0.

       The special values "mac" and "perm-mac" are supported, which use the current or permanent MAC address of the device to generate a client identifier with type ethernet (01).
       Currently, these options only work for ethernet type of links.

       The special value "ipv6-duid" uses the DUID from "ipv6.dhcp-duid" property as an RFC4361-compliant client identifier. As IAID it uses "ipv4.dhcp-iaid" and falls back to
       "ipv6.dhcp-iaid" if unset.

       The special value "duid" generates a RFC4361-compliant client identifier based on "ipv4.dhcp-iaid" and uses a DUID generated by hashing /etc/machine-id.

       The special value "stable" is supported to generate a type 0 client identifier based on the stable-id (see connection.stable-id) and a per-host key. If you set the stable-id, you
       may want to include the "${DEVICE}" or "${MAC}" specifier to get a per-device key.

       The special value "none" prevents any client identifier from being sent. Note that this is normally not recommended.

       If unset, a globally configured default from NetworkManager.conf is used. If still unset, the default depends on the DHCP plugin. The internal dhcp client will default to "mac"
       and the dhclient plugin will try to use one from its config file if present, or won't sent any client-id otherwise.

       Format: string

       Special values: mac, perm-mac, duid, ipv6-duid, stable, none

   ipv4.dhcp-dscp
       Specifies the value for the DSCP field (traffic class) of the IP header. When empty, the global default value is used; if no global default is specified, it is assumed to be
       "CS0". Allowed values are: "CS0", "CS4" and "CS6".

       The property is currently valid only for IPv4, and it is supported only by the "internal" DHCP plugin.

       Format: string

       Valid values: CS0, CS4, CS6

   ipv4.dhcp-fqdn
       If the "dhcp-send-hostname" property is TRUE, then the specified FQDN will be sent to the DHCP server when acquiring a lease. This property and "dhcp-hostname" are mutually
       exclusive and cannot be set at the same time.

       Format: string

   ipv4.dhcp-hostname
       If the "dhcp-send-hostname" property is TRUE, then the specified name will be sent to the DHCP server when acquiring a lease. This property and "dhcp-fqdn" are mutually exclusive
       and cannot be set at the same time.

       Format: string

   ipv4.dhcp-hostname-flags
       Flags for the DHCP hostname and FQDN.

       Currently, this property only includes flags to control the FQDN flags set in the DHCP FQDN option. Supported FQDN flags are "fqdn-serv-update" (0x1), "fqdn-encoded" (0x2) and
       "fqdn-no-update" (0x4). When no FQDN flag is set and "fqdn-clear-flags" (0x8) is set, the DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag is set and
       "fqdn-clear-flags" (0x8) is not set, the standard FQDN flags are set in the request: "fqdn-serv-update" (0x1), "fqdn-encoded" (0x2) for IPv4 and "fqdn-serv-update" (0x1) for IPv6.

       When this property is set to the default value "none" (0x0), a global default is looked up in NetworkManager configuration. If that value is unset or also "none" (0x0), then the
       standard FQDN flags described above are sent in the DHCP requests.

       Format: flags (NMDhcpHostnameFlags)

       Valid values: none (0x0), fqdn-serv-update (0x1), fqdn-encoded (0x2), fqdn-no-update (0x4), fqdn-clear-flags (0x8)

   ipv4.dhcp-iaid
       A string containing the "Identity Association Identifier" (IAID) used by the DHCP client. The string can be a 32-bit number (either decimal, hexadecimal or as colon separated
       hexadecimal numbers). Alternatively it can be set to the special values "mac", "perm-mac", "ifname" or "stable". When set to "mac" (or "perm-mac"), the last 4 bytes of the current
       (or permanent) MAC address are used as IAID. When set to "ifname", the IAID is computed by hashing the interface name. The special value "stable" can be used to generate an IAID
       based on the stable-id (see connection.stable-id), a per-host key and the interface name. When the property is unset, the value from global configuration is used; if no global
       default is set then the IAID is assumed to be "ifname".

       For DHCPv4, the IAID is only used with "ipv4.dhcp-client-id" values "duid" and "ipv6-duid" to generate the client-id.

       For DHCPv6, note that at the moment this property is only supported by the "internal" DHCPv6 plugin. The "dhclient" DHCPv6 plugin always derives the IAID from the MAC address.

       The actually used DHCPv6 IAID for a currently activated interface is exposed in the lease information of the device.

       Format: string

   ipv4.dhcp-ipv6-only-preferred
       Controls the "IPv6-Only Preferred" DHCPv4 option (RFC 8925).

       When set to "yes" (1), the host adds the option to the parameter request list; if the DHCP server sends the option back, the host stops the DHCP client for the time interval
       specified in the option.

       Enable this feature if the host supports an IPv6-only mode, i.e. either all applications are IPv6-only capable or there is a form of 464XLAT deployed.

       When set to "default" (-1), the actual value is looked up in the global configuration; if not specified, it defaults to "no" (0).

       If the connection has IPv6 method set to "disabled", this property does not have effect and the "IPv6-Only Preferred" option is always disabled.

       Format: choice (NMSettingIP4DhcpIpv6OnlyPreferred)

       Valid values: default (-1), no (0), yes (1)

   ipv4.dhcp-reject-servers
       Array of servers from which DHCP offers must be rejected. This property is useful to avoid getting a lease from misconfigured or rogue servers.

       For DHCPv4, each element must be an IPv4 address, optionally followed by a slash and a prefix length (e.g. "192.168.122.0/24").

       This property is currently not implemented for DHCPv6.

       Format: list of IPv4 addresses

   ipv4.dhcp-send-hostname-deprecated
       Since 1.52 this property is deprecated and is only used as fallback value for dhcp-send-hostname if it's set to 'default'. This is only done to avoid breaking existing
       configurations, the new property should be used from now on.

       This property is deprecated since version 1.52. use the new version of dhcp-send-hostname instead.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ipv4.dhcp-send-hostname
       If TRUE, a hostname is sent to the DHCP server when acquiring a lease. Some DHCP servers use this hostname to update DNS databases, essentially providing a static hostname for the
       computer. If the dhcp-hostname property is NULL and this property is TRUE, the current persistent hostname of the computer is sent.

       The default value is default (-1). In this case the global value from NetworkManager configuration is looked up. If it's not set, the value from dhcp-send-hostname-deprecated,
       which defaults to TRUE, is used for backwards compatibility. In the future this will change and, in absence of a global default, it will always fallback to TRUE.

       Format: choice (NMTernary)

       Valid values: default (-1), false/no (0), true/yes (1)

   ipv4.dhcp-send-release
       Whether the DHCP client will send RELEASE message when bringing the connection down. The default value is "default" (-1). When the default value is specified, then the global
       value from NetworkManager configuration is looked up, if not set, it is considered as FALSE.

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   ipv4.dhcp-timeout
       A timeout for a DHCP transaction in seconds. If zero (the default), a globally configured default is used. If still unspecified, a device specific timeout is used (usually 45
       seconds).

       Set to 2147483647 (MAXINT32) for infinity.

       Format: integer

       Valid values: 0 - 2147483647

       Special values: default (0), infinity (2147483647)

   ipv4.dhcp-vendor-class-identifier
       The Vendor Class Identifier DHCP option (60). Special characters in the data string may be escaped using C-style escapes, nevertheless this property cannot contain nul bytes. If
       the per-profile value is unspecified (the default), a global connection default gets consulted. If still unspecified, the DHCP option is not sent to the server.

       Format: string

   ipv4.dns
       Array of DNS servers.

       Each server can be specified either as a plain IP address (optionally followed by a "#" and the SNI server name for DNS over TLS) or with a URI syntax.

       When it is specified as an URI, the following forms are supported: dns+udp://ADDRESS[:PORT], dns+tls://ADDRESS[:PORT][SERVERNAME] .

       When using the URI syntax, IPv6 addresses must be enclosed in square brackets ('[', ']').

       Format: list of IPv4 addresses

   ipv4.dns-options
       DNS options for /etc/resolv.conf as described in resolv.conf(5) manual.

       The currently supported options are "attempts", "debug", "edns0", "ndots", "no-aaaa", "no-check-names", "no-reload", "no-tld-query", "rotate", "single-request",
       "single-request-reopen", "timeout", "trust-ad", "use-vc". See the resolv.conf(5) manual.

       Note that there is a distinction between an unset (default) list and an empty list. In nmcli, to unset the list set the value to "". To set an empty list, set it to " ".
       Currently, an unset list has the same meaning as an empty list. That might change in the future.

       The "trust-ad" setting is only honored if the profile contributes name servers to resolv.conf, and if all contributing profiles have "trust-ad" enabled.

       When using a caching DNS plugin (dnsmasq or systemd-resolved in NetworkManager.conf) then "edns0" and "trust-ad" are automatically added.

       The valid "ipv4.dns-options" and "ipv6.dns-options" get merged together.

       Format: a comma separated list of DNS options

   ipv4.dns-priority
       DNS servers priority.

       The relative priority for DNS servers specified by this setting. A lower numerical value is better (higher priority).

       Negative values have the special effect of excluding other configurations with a greater numerical priority value; so in presence of at least one negative priority, only DNS
       servers from connections with the lowest priority value will be used. To avoid all DNS leaks, set the priority of the profile that should be used to the most negative value of all
       active connections profiles.

       Zero selects a globally configured default value. If the latter is missing or zero too, it defaults to 50 for VPNs (including WireGuard) and 100 for other connections.

       Note that the priority is to order DNS settings for multiple active connections. It does not disambiguate multiple DNS servers within the same connection profile.

       When multiple devices have configurations with the same priority, VPNs will be considered first, then devices with the best (lowest metric) default route and then all other
       devices.

       When using dns=default, servers with higher priority will be on top of resolv.conf. To prioritize a given server over another one within the same connection, just specify them in
       the desired order. Note that commonly the resolver tries name servers in /etc/resolv.conf in the order listed, proceeding with the next server in the list on failure. See for
       example the "rotate" option of the dns-options setting. If there are any negative DNS priorities, then only name servers from the devices with that lowest priority will be
       considered.

       When using a DNS resolver that supports Conditional Forwarding or Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each connection is used to query domains in its
       search list. The search domains determine which name servers to ask, and the DNS priority is used to prioritize name servers based on the domain. Queries for domains not present
       in any search list are routed through connections having the '~.' special wildcard domain, which is added automatically to connections with the default route (or can be added
       manually). When multiple connections specify the same domain, the one with the best priority (lowest numerical value) wins. If a sub domain is configured on another interface it
       will be accepted regardless the priority, unless parent domain on the other interface has a negative priority, which causes the sub domain to be shadowed. With Split DNS one can
       avoid undesired DNS leaks by properly configuring DNS priorities and the search domains, so that only name servers of the desired interface are configured.

       Format: integer

       Valid values: -2147483648 - 2147483647

   ipv4.dns-search
       List of DNS search domains. Domains starting with a tilde ('~') are considered 'routing' domains and are used only to decide the interface over which a query must be forwarded;
       they are not used to complete unqualified host names.

       When using a DNS plugin that supports Conditional Forwarding or Split DNS, then the search domains specify which name servers to query. This makes the behavior different from
       running with plain /etc/resolv.conf. For more information see also the dns-priority setting.

       When set on a profile that also enabled DHCP, the DNS search list received automatically (option 119 for DHCPv4 and option 24 for DHCPv6) gets merged with the manual list. This
       can be prevented by setting "ignore-auto-dns". Note that if no DNS searches are configured, the fallback will be derived from the domain from DHCP (option 15).

       Format: list of strings

   ipv4.gateway
       Alias: gw4

       The gateway associated with this configuration. This is only meaningful if "addresses" is also set.

       Setting the gateway causes NetworkManager to configure a standard default route with the gateway as next hop. This is ignored if "never-default" is set. An alternative is to
       configure the default route explicitly with a manual route and /0 as prefix length.

       Note that the gateway usually conflicts with routing that NetworkManager configures for WireGuard interfaces, so usually it should not be set in that case. See
       "ip4-auto-default-route".

       Format: IPv4 address

   ipv4.ignore-auto-dns
       When "method" is set to "auto" and this property to TRUE, automatically configured name servers and search domains are ignored and only name servers and search domains specified
       in the "dns" and "dns-search" properties, if any, are used.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ipv4.ignore-auto-routes
       When "method" is set to "auto" and this property to TRUE, automatically configured routes are ignored and only routes specified in the "routes" property, if any, are used.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ipv4.link-local
       Enable and disable the IPv4 link-local configuration independently of the ipv4.method configuration. This allows a link-local address (169.254.x.y/16) to be obtained in addition
       to other addresses, such as those manually configured or obtained from a DHCP server.

       When set to "auto", the value is dependent on "ipv4.method". When set to "default", it honors the global connection default, before falling back to "auto". Note that if
       "ipv4.method" is "disabled", then link local addressing is always disabled too. The default is "default". Since 1.52, when set to "fallback", a link-local address is obtained if
       no other IPv4 address is set.

       Format: choice (NMSettingIP4LinkLocal)

       Valid values: default (0), auto (1), disabled (2), enabled (3), fallback (4)

   ipv4.may-fail
       If TRUE, allow overall network configuration to proceed even if the configuration specified by this property times out. Note that at least one IP configuration must succeed or
       overall network configuration will still fail. For example, in IPv6-only networks, setting this property to TRUE on the NMSettingIP4Config allows the overall network configuration
       to succeed if IPv4 configuration fails but IPv6 configuration completes successfully.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ipv4.method
       Sets the IPv4 connection method. You can set one of the following values:

       •   "auto" - Enables automatic IPv4 address assignment from DHCP, PPP, or similar services.

       •   "manual" - Enables the configuration of static IPv4 addresses on the interface. Note that you must set at least one IP address and subnet mask in the "ipv4.addresses"
           property.

       •   "disabled" - Disables the IPv4 protocol in this connection profile.

       •   "shared" - Provides network access to other computers. If you do not specify an IP address and subnet mask in "ipv4.addresses", NetworkManager assigns 10.42.x.1/24 to the
           interface. Additionally, NetworkManager starts a DHCP server and DNS forwarder. Hosts that connect to this interface will then receive an IP address from the configured range,
           and NetworkManager configures NAT to map client addresses to the one of the current default network connection.

       •   "link-local" - Enables link-local addresses according to RFC 3927. NetworkManager assigns a random link-local address from the 169.254.0.0/16 subnet to the interface.

       Format: string

       Valid values: auto, link-local, manual, shared, disabled

   ipv4.never-default
       If TRUE, this connection will never be the default connection for this IP type, meaning it will never be assigned the default route by NetworkManager.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ipv4.replace-local-rule
       Connections will default to keep the autogenerated priority 0 local rule unless this setting is set to TRUE.

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   ipv4.required-timeout
       The minimum time interval in milliseconds for which dynamic IP configuration should be tried before the connection succeeds.

       This property is useful for example if both IPv4 and IPv6 are enabled and are allowed to fail. Normally the connection succeeds as soon as one of the two address families
       completes; by setting a required timeout for e.g. IPv4, one can ensure that even if IP6 succeeds earlier than IPv4, NetworkManager waits some time for IPv4 before the connection
       becomes active.

       Note that if "may-fail" is FALSE for the same address family, this property has no effect as NetworkManager needs to wait for the full DHCP timeout.

       A zero value means that no required timeout is present, -1 means the default value (either configuration ipvx.required-timeout override or zero).

       Format: integer

       Valid values: -1 - 2147483647

       Special values: default (-1), infinity (2147483647)

   ipv4.route-metric
       The default metric for routes that don't explicitly specify a metric. The default value -1 means that the metric is chosen automatically based on the device type. The metric
       applies to dynamic routes, manual (static) routes that don't have an explicit metric setting, address prefix routes, and the default route. Note that for IPv6, the kernel accepts
       zero (0) but coerces it to 1024 (user default). Hence, setting this property to zero effectively mean setting it to 1024. For IPv4, zero is a regular value for the metric.

       Format: integer

       Valid values: -1 - 4294967295

   ipv4.route-table
       Enable policy routing (source routing) and set the routing table used when adding routes.

       This affects all routes, including device-routes, IPv4LL, DHCP, SLAAC, default-routes and static routes. But note that static routes can individually overwrite the setting by
       explicitly specifying a non-zero routing table.

       If the table setting is left at zero, it is eligible to be overwritten via global configuration. If the property is zero even after applying the global configuration value, policy
       routing is disabled for the address family of this connection.

       Policy routing disabled means that NetworkManager will add all routes to the main table (except static routes that explicitly configure a different table). Additionally,
       NetworkManager will not delete any extraneous routes from tables except the main table. This is to preserve backward compatibility for users who manage routing tables outside of
       NetworkManager.

       Format: integer

       Valid values: 0 - 4294967295

       Special values: unspec (0), main (254)

   ipv4.routed-dns
       Whether to add routes for DNS servers. When enabled, NetworkManager adds a route for each DNS server that is associated with this connection either statically (defined in the
       connection profile) or dynamically (for example, retrieved via DHCP). The route guarantees that the DNS server is reached via this interface. When set to "default" (-1), the value
       from global configuration is used; if no global default is defined, this feature is disabled.

       Format: choice (NMSettingIPConfigRoutedDns)

       Valid values: default (-1), no (0), yes (1)

   ipv4.routes
       A list of IPv4 destination addresses, prefix length, optional IPv4 next hop addresses, optional route metric, optional attribute. The valid syntax is: "ip[/prefix] [next-hop]
       [metric] [attribute=val]...[,ip[/prefix]...]". For example "192.0.2.0/24 10.1.1.1 77, 198.51.100.0/24".

       Various attributes are supported:

       •   "advmss" - an unsigned 32 bit integer.

       •   "cwnd" - an unsigned 32 bit integer.

       •   "initcwnd" - an unsigned 32 bit integer.

       •   "initrwnd" - an unsigned 32 bit integer.

       •   "lock-advmss" - a boolean value.

       •   "lock-cwnd" - a boolean value.

       •   "lock-initcwnd" - a boolean value.

       •   "lock-initrwnd" - a boolean value.

       •   "lock-mtu" - a boolean value.

       •   "lock-window" - a boolean value.

       •   "mtu" - an unsigned 32 bit integer.

       •   "onlink" - a boolean value. The onlink flag is ignored for IPv4 routes without a gateway. That also means, with a positive "weight" the route cannot merge with ECMP routes
           which are onlink and have a gateway.

       •   "quickack" - a boolean value.

       •   "rto_min" - an unsigned 32 bit integer. The value is in milliseconds.

       •   "scope" - an unsigned 8 bit integer. IPv4 only.

       •   "src" - an IPv4 address.

       •   "table" - an unsigned 32 bit integer. The default depends on ipv4.route-table.

       •   "tos" - an unsigned 8 bit integer. IPv4 only.

       •   "type" - one of unicast, local, blackhole, unreachable, prohibit, throw. The default is unicast.

       •   "weight" - an unsigned 32 bit integer ranging from 0 to 256. A non-zero weight indicates that the IPv4 route is an ECMP IPv4 route. NetworkManager will automatically merge
           compatible ECMP routes into multi-hop routes. Setting to zero or omitting the attribute configures single hop routes that won't get merged. If the route finds no merge
           partner, it is configured as single hop route.

           Note that in NetworkManager, currently all nexthops of a ECMP route must share the same "onlink" flag in order to be mergable.

          "window" - an unsigned 32 bit integer.

       For details see also `man ip-route`.

       Format: a comma separated list of routes

   ipv4.routing-rules
       A comma separated list of routing rules for policy routing. The format is based on ip rule add syntax and mostly compatible. One difference is that routing rules in NetworkManager
       always need a fixed priority. Also, the "lookup" and "table" options don't support a table name, only a number.

       Example: priority 5 from 192.167.4.0/24 table 45

       Format: a comma separated list of routing rules

   ipv4.shared-dhcp-lease-time
       This option allows you to specify a custom DHCP lease time for the shared connection method in seconds. The value should be either a number between 120 and 31536000 (one year) If
       this option is not specified, 3600 (one hour) is used.

       Special values are 0 for default value of 1 hour and 2147483647 (MAXINT32) for infinite lease time.

       Format: integer

       Valid values: 0 - 2147483647

       Special values: default (0), infinity (2147483647)

   ipv4.shared-dhcp-range
       This option allows you to specify a custom DHCP range for the shared connection method. The value is expected to be in `<START_ADDRESS>,<END_ADDRESS>` format. The range should be
       part of network set by ipv4.address option and it should not contain network address or broadcast address. If this option is not specified, the DHCP range will be automatically
       determined based on the interface address. The range will be selected to be adjacent to the interface address, either before or after it, with the larger possible range being
       preferred. The range will be adjusted to fill the available address space, except for networks with a prefix length greater than 24, which will be treated as if they have a prefix
       length of 24.

       Format: string

ipv6 setting

   IPv6 Settings.

   Properties:

   ipv6.addr-gen-mode
       Configure method for creating the IPv6 interface identifier of addresses with RFC4862 IPv6 Stateless Address Autoconfiguration and Link Local addresses.

       The permitted values are: "eui64" (0), "stable-privacy" (1), "default" (3) or "default-or-eui64" (2).

       If the property is set to "eui64", the addresses will be generated using the interface token derived from hardware address. This makes the host part of the address to stay
       constant, making it possible to track the host's presence when it changes networks. The address changes when the interface hardware is replaced. If a duplicate address is
       detected, there is also no fallback to generate another address. When configured, the "ipv6.token" is used instead of the MAC address to generate addresses for stateless
       autoconfiguration.

       If the property is set to "stable-privacy", the interface identifier is generated as specified by RFC7217. This works by hashing a host specific key (see NetworkManager(8)
       manual), the interface name, the connection's "connection.stable-id" property and the address prefix. This improves privacy by making it harder to use the address to track the
       host's presence and the address is stable when the network interface hardware is replaced.

       The special values "default" and "default-or-eui64" will fallback to the global connection default as documented in the NetworkManager.conf(5) manual. If the global default is not
       specified, the fallback value is "stable-privacy" or "eui64", respectively.

       If not specified, when creating a new profile the default is "default".

       Note that this setting is distinct from the Privacy Extensions as configured by "ip6-privacy" property and it does not affect the temporary addresses configured with this option.

       Format: one of "eui64" (0), "stable-privacy" (1), "default" (3) or "default-or-eui64" (2)

       Valid values: eui64 (0), stable-privacy (1), default-or-eui64 (2), default (3)

   ipv6.addresses
       Alias: ip6

       A list of IPv6 addresses and their prefix length. Multiple addresses can be separated by comma. For example "2001:db8:85a3::8a2e:370:7334/64, 2001:db8:85a3::5/64". The addresses
       are listed in decreasing priority, meaning the first address will be the primary address. This can make a difference with IPv6 source address selection (RFC 6724, section 5).

       Format: a comma separated list of addresses

   ipv6.auto-route-ext-gw
       VPN connections will default to add the route automatically unless this setting is set to FALSE.

       For other connection types, adding such an automatic route is currently not supported and setting this to TRUE has no effect.

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   ipv6.dhcp-duid
       A string containing the DHCPv6 Unique Identifier (DUID) used by the dhcp client to identify itself to DHCPv6 servers (RFC 3315). The DUID is carried in the Client Identifier
       option. If the property is a hex string ('aa:bb:cc') it is interpreted as a binary DUID and filled as an opaque value in the Client Identifier option.

       The special value "lease" will retrieve the DUID previously used from the lease file belonging to the connection. If no DUID is found and "dhclient" is the configured dhcp client,
       the DUID is searched in the system-wide dhclient lease file. If still no DUID is found, or another dhcp client is used, a global and permanent DUID-UUID (RFC 6355) will be
       generated based on the machine-id.

       The special values "llt" and "ll" will generate a DUID of type LLT or LL (see RFC 3315) based on the current MAC address of the device. In order to try providing a stable
       DUID-LLT, the time field will contain a constant timestamp that is used globally (for all profiles) and persisted to disk.

       The special values "stable-llt", "stable-ll" and "stable-uuid" will generate a DUID of the corresponding type, derived from the connection's stable-id and a per-host unique key.
       You may want to include the "${DEVICE}" or "${MAC}" specifier in the stable-id, in case this profile gets activated on multiple devices. So, the link-layer address of "stable-ll"
       and "stable-llt" will be a generated address derived from the stable id. The DUID-LLT time value in the "stable-llt" option will be picked among a static timespan of three years
       (the upper bound of the interval is the same constant timestamp used in "llt").

       When the property is unset, the global value provided for "ipv6.dhcp-duid" is used. If no global value is provided, the default "lease" value is assumed.

       Format: string

   ipv6.dhcp-hostname
       If the "dhcp-send-hostname" property is TRUE, then the specified name will be sent to the DHCP server when acquiring a lease. This property and "dhcp-fqdn" are mutually exclusive
       and cannot be set at the same time.

       Format: string

   ipv6.dhcp-hostname-flags
       Flags for the DHCP hostname and FQDN.

       Currently, this property only includes flags to control the FQDN flags set in the DHCP FQDN option. Supported FQDN flags are "fqdn-serv-update" (0x1), "fqdn-encoded" (0x2) and
       "fqdn-no-update" (0x4). When no FQDN flag is set and "fqdn-clear-flags" (0x8) is set, the DHCP FQDN option will contain no flag. Otherwise, if no FQDN flag is set and
       "fqdn-clear-flags" (0x8) is not set, the standard FQDN flags are set in the request: "fqdn-serv-update" (0x1), "fqdn-encoded" (0x2) for IPv4 and "fqdn-serv-update" (0x1) for IPv6.

       When this property is set to the default value "none" (0x0), a global default is looked up in NetworkManager configuration. If that value is unset or also "none" (0x0), then the
       standard FQDN flags described above are sent in the DHCP requests.

       Format: flags (NMDhcpHostnameFlags)

       Valid values: none (0x0), fqdn-serv-update (0x1), fqdn-encoded (0x2), fqdn-no-update (0x4), fqdn-clear-flags (0x8)

   ipv6.dhcp-iaid
       A string containing the "Identity Association Identifier" (IAID) used by the DHCP client. The string can be a 32-bit number (either decimal, hexadecimal or as colon separated
       hexadecimal numbers). Alternatively it can be set to the special values "mac", "perm-mac", "ifname" or "stable". When set to "mac" (or "perm-mac"), the last 4 bytes of the current
       (or permanent) MAC address are used as IAID. When set to "ifname", the IAID is computed by hashing the interface name. The special value "stable" can be used to generate an IAID
       based on the stable-id (see connection.stable-id), a per-host key and the interface name. When the property is unset, the value from global configuration is used; if no global
       default is set then the IAID is assumed to be "ifname".

       For DHCPv4, the IAID is only used with "ipv4.dhcp-client-id" values "duid" and "ipv6-duid" to generate the client-id.

       For DHCPv6, note that at the moment this property is only supported by the "internal" DHCPv6 plugin. The "dhclient" DHCPv6 plugin always derives the IAID from the MAC address.

       The actually used DHCPv6 IAID for a currently activated interface is exposed in the lease information of the device.

       Format: string

   ipv6.dhcp-pd-hint
       A IPv6 address followed by a slash and a prefix length. If set, the value is sent to the DHCPv6 server as hint indicating the prefix delegation (IA_PD) we want to receive. To only
       hint a prefix length without prefix, set the address part to the zero address (for example "::/60").

       Format: string

   ipv6.dhcp-send-hostname-deprecated
       Since 1.52 this property is deprecated and is only used as fallback value for dhcp-send-hostname if it's set to 'default'. This is only done to avoid breaking existing
       configurations, the new property should be used from now on.

       This property is deprecated since version 1.52. use the new version of dhcp-send-hostname instead.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ipv6.dhcp-send-hostname
       If TRUE, a hostname is sent to the DHCP server when acquiring a lease. Some DHCP servers use this hostname to update DNS databases, essentially providing a static hostname for the
       computer. If the dhcp-hostname property is NULL and this property is TRUE, the current persistent hostname of the computer is sent.

       The default value is default (-1). In this case the global value from NetworkManager configuration is looked up. If it's not set, the value from dhcp-send-hostname-deprecated,
       which defaults to TRUE, is used for backwards compatibility. In the future this will change and, in absence of a global default, it will always fallback to TRUE.

       Format: choice (NMTernary)

       Valid values: default (-1), false/no (0), true/yes (1)

   ipv6.dhcp-send-release
       Whether the DHCP client will send RELEASE message when bringing the connection down. The default value is "default" (-1). When the default value is specified, then the global
       value from NetworkManager configuration is looked up, if not set, it is considered as FALSE.

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   ipv6.dhcp-timeout
       A timeout for a DHCP transaction in seconds. If zero (the default), a globally configured default is used. If still unspecified, a device specific timeout is used (usually 45
       seconds).

       Set to 2147483647 (MAXINT32) for infinity.

       Format: integer

       Valid values: 0 - 2147483647

       Special values: default (0), infinity (2147483647)

   ipv6.dns
       Array of DNS servers.

       Each server can be specified either as a plain IP address (optionally followed by a "#" and the SNI server name for DNS over TLS) or with a URI syntax.

       When it is specified as an URI, the following forms are supported: dns+udp://ADDRESS[:PORT], dns+tls://ADDRESS[:PORT][SERVERNAME] .

       When using the URI syntax, IPv6 addresses must be enclosed in square brackets ('[', ']').

       Format: list of IPv6 addresses

   ipv6.dns-options
       DNS options for /etc/resolv.conf as described in resolv.conf(5) manual.

       The currently supported options are "attempts", "debug", "edns0", "ndots", "no-aaaa", "no-check-names", "no-reload", "no-tld-query", "rotate", "single-request",
       "single-request-reopen", "timeout", "trust-ad", "use-vc" and "inet6", "ip6-bytestring", "ip6-dotint", "no-ip6-dotint". See the resolv.conf(5) manual.

       Note that there is a distinction between an unset (default) list and an empty list. In nmcli, to unset the list set the value to "". To set an empty list, set it to " ".
       Currently, an unset list has the same meaning as an empty list. That might change in the future.

       The "trust-ad" setting is only honored if the profile contributes name servers to resolv.conf, and if all contributing profiles have "trust-ad" enabled.

       When using a caching DNS plugin (dnsmasq or systemd-resolved in NetworkManager.conf) then "edns0" and "trust-ad" are automatically added.

       The valid "ipv4.dns-options" and "ipv6.dns-options" get merged together.

       Format: a comma separated list of DNS options

   ipv6.dns-priority
       DNS servers priority.

       The relative priority for DNS servers specified by this setting. A lower numerical value is better (higher priority).

       Negative values have the special effect of excluding other configurations with a greater numerical priority value; so in presence of at least one negative priority, only DNS
       servers from connections with the lowest priority value will be used. To avoid all DNS leaks, set the priority of the profile that should be used to the most negative value of all
       active connections profiles.

       Zero selects a globally configured default value. If the latter is missing or zero too, it defaults to 50 for VPNs (including WireGuard) and 100 for other connections.

       Note that the priority is to order DNS settings for multiple active connections. It does not disambiguate multiple DNS servers within the same connection profile.

       When multiple devices have configurations with the same priority, VPNs will be considered first, then devices with the best (lowest metric) default route and then all other
       devices.

       When using dns=default, servers with higher priority will be on top of resolv.conf. To prioritize a given server over another one within the same connection, just specify them in
       the desired order. Note that commonly the resolver tries name servers in /etc/resolv.conf in the order listed, proceeding with the next server in the list on failure. See for
       example the "rotate" option of the dns-options setting. If there are any negative DNS priorities, then only name servers from the devices with that lowest priority will be
       considered.

       When using a DNS resolver that supports Conditional Forwarding or Split DNS (with dns=dnsmasq or dns=systemd-resolved settings), each connection is used to query domains in its
       search list. The search domains determine which name servers to ask, and the DNS priority is used to prioritize name servers based on the domain. Queries for domains not present
       in any search list are routed through connections having the '~.' special wildcard domain, which is added automatically to connections with the default route (or can be added
       manually). When multiple connections specify the same domain, the one with the best priority (lowest numerical value) wins. If a sub domain is configured on another interface it
       will be accepted regardless the priority, unless parent domain on the other interface has a negative priority, which causes the sub domain to be shadowed. With Split DNS one can
       avoid undesired DNS leaks by properly configuring DNS priorities and the search domains, so that only name servers of the desired interface are configured.

       Format: integer

       Valid values: -2147483648 - 2147483647

   ipv6.dns-search
       List of DNS search domains. Domains starting with a tilde ('~') are considered 'routing' domains and are used only to decide the interface over which a query must be forwarded;
       they are not used to complete unqualified host names.

       When using a DNS plugin that supports Conditional Forwarding or Split DNS, then the search domains specify which name servers to query. This makes the behavior different from
       running with plain /etc/resolv.conf. For more information see also the dns-priority setting.

       When set on a profile that also enabled DHCP, the DNS search list received automatically (option 119 for DHCPv4 and option 24 for DHCPv6) gets merged with the manual list. This
       can be prevented by setting "ignore-auto-dns". Note that if no DNS searches are configured, the fallback will be derived from the domain from DHCP (option 15).

       Format: list of strings

   ipv6.gateway
       Alias: gw6

       The gateway associated with this configuration. This is only meaningful if "addresses" is also set.

       Setting the gateway causes NetworkManager to configure a standard default route with the gateway as next hop. This is ignored if "never-default" is set. An alternative is to
       configure the default route explicitly with a manual route and /0 as prefix length.

       Note that the gateway usually conflicts with routing that NetworkManager configures for WireGuard interfaces, so usually it should not be set in that case. See
       "ip4-auto-default-route".

       Format: IPv6 address

   ipv6.ignore-auto-dns
       When "method" is set to "auto" and this property to TRUE, automatically configured name servers and search domains are ignored and only name servers and search domains specified
       in the "dns" and "dns-search" properties, if any, are used.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ipv6.ignore-auto-routes
       When "method" is set to "auto" and this property to TRUE, automatically configured routes are ignored and only routes specified in the "routes" property, if any, are used.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ipv6.ip6-privacy
       Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941. If enabled, it makes the kernel generate a temporary IPv6 address in addition to the public one generated from
       MAC address via modified EUI-64. This enhances privacy, but could cause problems in some applications, on the other hand. The permitted values are: -1: unknown, 0: disabled, 1:
       enabled (prefer public address), 2: enabled (prefer temporary addresses).

       Having a per-connection setting set to "-1" (default) means fallback to global configuration "ipv6.ip6-privacy". If it's also unspecified or set to "-1", fallback to read
       "/proc/sys/net/ipv6/conf/default/use_tempaddr".

       Note that this setting is distinct from the Stable Privacy addresses that can be enabled with the "addr-gen-mode" property's "stable-privacy" setting as another way of avoiding
       host tracking with IPv6 addresses.

       Format: choice (NMSettingIP6ConfigPrivacy)

       Valid values: unknown/default (-1), disabled (0), prefer-public-addr (1), prefer-temp-addr (2)

   ipv6.may-fail
       If TRUE, allow overall network configuration to proceed even if the configuration specified by this property times out. Note that at least one IP configuration must succeed or
       overall network configuration will still fail. For example, in IPv6-only networks, setting this property to TRUE on the NMSettingIP4Config allows the overall network configuration
       to succeed if IPv4 configuration fails but IPv6 configuration completes successfully.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ipv6.method
       Sets the IPv6 connection method. You can set one of the following values:

          "auto" - Enables IPv6 auto-configuration. By default, NetworkManager uses Router Advertisements and, if the router announces the "managed" flag, NetworkManager requests an
           IPv6 address and prefix from a DHCPv6 server.

          "dhcp" - Requests an IPv6 address and prefix from a DHCPv6 server. Note that DHCPv6 does not have options to provide routes and the default gateway. As a consequence, by using
           the "dhcp" method, connections are limited to their own subnet.

          "manual" - Enables the configuration of static IPv6 addresses on the interface. Note that you must set at least one IP address and prefix in the "ipv6.addresses" property.

          "disabled" - Disables the IPv6 protocol in this connection profile.

          "ignore" - Configures NetworkManager to make no changes to the IPv6 configuration on the interface. For example, you can then use the "accept_ra" feature of the kernel to
           accept Router Advertisements.

          "shared" - Provides network access to other computers. NetworkManager requests a prefix from an upstream DHCPv6 server, assigns an address to the interface, and announces the
           prefix to clients that connect to this interface.

          "link-local" - Assigns a random link-local address from the fe80::/64 subnet to the interface.

       If you set "auto", "dhcp", "manual", "ignore", or "shared", NetworkManager assigns, in addition to the global address, an IPv6 link-local address to the interface. This is
       compliant with RFC 4291.

       Format: string

       Valid values: ignore, auto, dhcp, link-local, manual, shared, disabled

   ipv6.mtu
       Maximum transmission unit size, in bytes. If zero (the default), the MTU is set automatically from router advertisements or is left equal to the link-layer MTU. If greater than
       the link-layer MTU, or greater than zero but less than the minimum IPv6 MTU of 1280, this value has no effect.

       Format: integer

       Special values: auto

   ipv6.never-default
       If TRUE, this connection will never be the default connection for this IP type, meaning it will never be assigned the default route by NetworkManager.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ipv6.ra-timeout
       A timeout for waiting Router Advertisements in seconds. If zero (the default), a globally configured default is used. If still unspecified, the timeout depends on the sysctl
       settings of the device.

       Set to 2147483647 (MAXINT32) for infinity.

       Format: integer

       Valid values: 0 - 2147483647

       Special values: default (0), infinity (2147483647)

   ipv6.replace-local-rule
       Connections will default to keep the autogenerated priority 0 local rule unless this setting is set to TRUE.

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   ipv6.required-timeout
       The minimum time interval in milliseconds for which dynamic IP configuration should be tried before the connection succeeds.

       This property is useful for example if both IPv4 and IPv6 are enabled and are allowed to fail. Normally the connection succeeds as soon as one of the two address families
       completes; by setting a required timeout for e.g. IPv4, one can ensure that even if IP6 succeeds earlier than IPv4, NetworkManager waits some time for IPv4 before the connection
       becomes active.

       Note that if "may-fail" is FALSE for the same address family, this property has no effect as NetworkManager needs to wait for the full DHCP timeout.

       A zero value means that no required timeout is present, -1 means the default value (either configuration ipvx.required-timeout override or zero).

       Format: integer

       Valid values: -1 - 2147483647

       Special values: default (-1), infinity (2147483647)

   ipv6.route-metric
       The default metric for routes that don't explicitly specify a metric. The default value -1 means that the metric is chosen automatically based on the device type. The metric
       applies to dynamic routes, manual (static) routes that don't have an explicit metric setting, address prefix routes, and the default route. Note that for IPv6, the kernel accepts
       zero (0) but coerces it to 1024 (user default). Hence, setting this property to zero effectively mean setting it to 1024. For IPv4, zero is a regular value for the metric.

       Format: integer

       Valid values: -1 - 4294967295

   ipv6.route-table
       Enable policy routing (source routing) and set the routing table used when adding routes.

       This affects all routes, including device-routes, IPv4LL, DHCP, SLAAC, default-routes and static routes. But note that static routes can individually overwrite the setting by
       explicitly specifying a non-zero routing table.

       If the table setting is left at zero, it is eligible to be overwritten via global configuration. If the property is zero even after applying the global configuration value, policy
       routing is disabled for the address family of this connection.

       Policy routing disabled means that NetworkManager will add all routes to the main table (except static routes that explicitly configure a different table). Additionally,
       NetworkManager will not delete any extraneous routes from tables except the main table. This is to preserve backward compatibility for users who manage routing tables outside of
       NetworkManager.

       Format: integer

       Valid values: 0 - 4294967295

       Special values: unspec (0), main (254)

   ipv6.routed-dns
       Whether to add routes for DNS servers. When enabled, NetworkManager adds a route for each DNS server that is associated with this connection either statically (defined in the
       connection profile) or dynamically (for example, retrieved via DHCP). The route guarantees that the DNS server is reached via this interface. When set to "default" (-1), the value
       from global configuration is used; if no global default is defined, this feature is disabled.

       Format: choice (NMSettingIPConfigRoutedDns)

       Valid values: default (-1), no (0), yes (1)

   ipv6.routes
       A list of IPv6 destination addresses, prefix length, optional IPv6 next hop addresses, optional route metric, optional attribute. The valid syntax is: "ip[/prefix] [next-hop]
       [metric] [attribute=val]...[,ip[/prefix]...]".

       Various attributes are supported:

          "advmss" - an unsigned 32 bit integer.

          "cwnd" - an unsigned 32 bit integer.

          "from" - an IPv6 address with optional prefix. IPv6 only.

          "initcwnd" - an unsigned 32 bit integer.

          "initrwnd" - an unsigned 32 bit integer.

          "lock-advmss" - a boolean value.

          "lock-cwnd" - a boolean value.

          "lock-initcwnd" - a boolean value.

          "lock-initrwnd" - a boolean value.

          "lock-mtu" - a boolean value.

          "lock-window" - a boolean value.

          "mtu" - an unsigned 32 bit integer.

          "onlink" - a boolean value.

          "quickack" - a boolean value.

          "rto_min" - an unsigned 32 bit integer. The value is in milliseconds.

          "src" - an IPv6 address.

          "table" - an unsigned 32 bit integer. The default depends on ipv6.route-table.

          "type" - one of unicast, local, blackhole, unreachable, prohibit, throw. The default is unicast.

          "window" - an unsigned 32 bit integer.

       For details see also `man ip-route`.

       Format: a comma separated list of routes

   ipv6.routing-rules
       A comma separated list of routing rules for policy routing. The format is based on ip rule add syntax and mostly compatible. One difference is that routing rules in NetworkManager
       always need a fixed priority.

       Example: priority 5 from 1:2:3::5/128 table 45

       Format: a comma separated list of routing rules

   ipv6.temp-preferred-lifetime
       The preferred lifetime of autogenerated temporary addresses, in seconds.

       Having a per-connection setting set to "0" (default) means fallback to global configuration "ipv6.temp-preferred-lifetime" setting". If it's also unspecified or set to "0",
       fallback to read "/proc/sys/net/ipv6/conf/default/temp_prefered_lft".

       Format: integer

       Valid values: 0 - 2147483647

       Special values: default (0)

   ipv6.temp-valid-lifetime
       The valid lifetime of autogenerated temporary addresses, in seconds.

       Having a per-connection setting set to "0" (default) means fallback to global configuration "ipv6.temp-valid-lifetime" setting". If it's also unspecified or set to "0", fallback
       to read "/proc/sys/net/ipv6/conf/default/temp_valid_lft".

       Format: integer

       Valid values: 0 - 2147483647

       Special values: default (0)

   ipv6.token
       Configure the token for draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized interface identifiers. Useful with eui64 addr-gen-mode.

       When set, the token is used as IPv6 interface identifier instead of the hardware address. This only applies to addresses from stateless autoconfiguration, not to IPv6 link local
       addresses.

       Format: string

ip-tunnel setting

   IP Tunneling Settings.

   Properties:

   ip-tunnel.encapsulation-limit
       How many additional levels of encapsulation are permitted to be prepended to packets. This property applies only to IPv6 tunnels. To disable this option, add 0x1
       (ip6-ign-encap-limit) to ip-tunnel flags.

       Format: integer

       Valid values: 0 - 255

   ip-tunnel.flags
       Tunnel flags. Currently, the following values are supported: 0x1 (ip6-ign-encap-limit), 0x2 (ip6-use-orig-tclass), 0x4 (ip6-use-orig-flowlabel), 0x8 (ip6-mip6-dev), 0x10
       (ip6-rcv-dscp-copy) and 0x20 (ip6-use-orig-fwmark). They are valid only for IPv6 tunnels.

       Format: flags (NMIPTunnelFlags)

       Valid values: none (0x0), ip6-ign-encap-limit (0x1), ip6-use-orig-tclass (0x2), ip6-use-orig-flowlabel (0x4), ip6-mip6-dev (0x8), ip6-rcv-dscp-copy (0x10), ip6-use-orig-fwmark
       (0x20)

   ip-tunnel.flow-label
       The flow label to assign to tunnel packets. This property applies only to IPv6 tunnels.

       Format: integer

       Valid values: 0 - 1048575

   ip-tunnel.fwmark
       The fwmark value to assign to tunnel packets. This property can be set to a non zero value only on VTI and VTI6 tunnels.

       Format: integer

       Valid values: 0 - 4294967295

   ip-tunnel.input-key
       The key used for tunnel input packets; the property is valid only for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.

       Format: string

   ip-tunnel.local
       Alias: local

       The local endpoint of the tunnel; the value can be empty, otherwise it must contain an IPv4 or IPv6 address.

       Format: string

   ip-tunnel.mode
       Alias: mode

       The tunneling mode. Valid values: ipip (1), gre (2), sit (3), isatap (4), vti (5), ip6ip6 (6), ipip6 (7), ip6gre (8), vti6 (9), gretap (10) and ip6gretap (11)

       Format: choice (NMIPTunnelMode)

       Valid values: ipip (1), gre (2), sit (3), isatap (4), vti (5), ip6ip6 (6), ipip6 (7), ip6gre (8), vti6 (9), gretap (10), ip6gretap (11)

   ip-tunnel.mtu
       If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple fragments.

       Format: integer

       Special values: auto

   ip-tunnel.output-key
       The key used for tunnel output packets; the property is valid only for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.

       Format: string

   ip-tunnel.parent
       Alias: dev

       If given, specifies the parent interface name or parent connection UUID the new device will be bound to so that tunneled packets will only be routed via that interface.

       Format: string

   ip-tunnel.path-mtu-discovery
       Whether to enable Path MTU Discovery on this tunnel.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ip-tunnel.remote
       Alias: remote

       The remote endpoint of the tunnel; the value must contain an IPv4 or IPv6 address.

       Format: string

   ip-tunnel.tos
       The type of service (IPv4) or traffic class (IPv6) field to be set on tunneled packets.

       Format: integer

       Valid values: 0 - 255

   ip-tunnel.ttl
       The TTL to assign to tunneled packets. 0 is a special value meaning that packets inherit the TTL value.

       Format: integer

       Valid values: 0 - 255

ipvlan setting

   IPVLAN Settings.

   Properties:

   ipvlan.mode
       Alias: mode

       The IPVLAN mode. Valid values: l2 (1), l3 (2), l3s (3)

       Format: choice (NMSettingIpvlanMode)

       Valid values: l2 (1), l3 (2), l3s (3)

   ipvlan.parent
       Alias: dev

       If given, specifies the parent interface name or parent connection UUID from which this IPVLAN interface should be created. If this property is not specified, the connection must
       contain an "802-3-ethernet" setting with a "mac-address" property.

       Format: string

   ipvlan.private
       Whether the interface should be put in private mode.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ipvlan.vepa
       Whether the interface should be put in VEPA mode.

       Format: boolean

       Valid values: true/yes/on, false/no/off

macsec setting

   MACSec Settings.

   Properties:

   macsec.encrypt
       Alias: encrypt

       Whether the transmitted traffic must be encrypted.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   macsec.mka-cak
       Alias: cak

       The pre-shared CAK (Connectivity Association Key) for MACsec Key Agreement. Must be a string of 32 hexadecimal characters.

       Format: string

   macsec.mka-cak-flags
       Flags indicating how to handle the "mka-cak" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   macsec.mka-ckn
       Alias: ckn

       The pre-shared CKN (Connectivity-association Key Name) for MACsec Key Agreement. Must be a string of hexadecimal characters with a even length between 2 and 64.

       Format: string

   macsec.mode
       Alias: mode

       Specifies how the CAK (Connectivity Association Key) for MKA (MACsec Key Agreement) is obtained.

       Format: choice (NMSettingMacsecMode)

       Valid values: psk (0), eap (1)

   macsec.offload
       Specifies the MACsec offload mode.

       "off" (0) disables MACsec offload.

       "phy" (1) and "mac" (2) request offload respectively to the PHY or to the MAC; if the selected mode is not available, the connection will fail.

       "default" (-1) uses the global default value specified in NetworkManager configuration; if no global default is defined, the built-in default is "off" (0).

       Format: choice (NMSettingMacsecOffload)

       Valid values: default (-1), off (0), phy (1), mac (2)

   macsec.parent
       Alias: dev

       If given, specifies the parent interface name or parent connection UUID from which this MACSEC interface should be created. If this property is not specified, the connection must
       contain an "802-3-ethernet" setting with a "mac-address" property.

       Format: string

   macsec.port
       Alias: port

       The port component of the SCI (Secure Channel Identifier), between 1 and 65534.

       Format: integer

       Valid values: 1 - 65534

   macsec.send-sci
       Specifies whether the SCI (Secure Channel Identifier) is included in every packet.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   macsec.validation
       Specifies the validation mode for incoming frames.

       Format: choice (NMSettingMacsecValidation)

       Valid values: disable (0), check (1), strict (2)

macvlan setting

   MAC VLAN Settings.

   Properties:

   macvlan.mode
       Alias: mode

       The macvlan mode, which specifies the communication mechanism between multiple macvlans on the same lower device.

       Format: choice (NMSettingMacvlanMode)

       Valid values: vepa (1), bridge (2), private (3), passthru (4), source (5)

   macvlan.parent
       Alias: dev

       If given, specifies the parent interface name or parent connection UUID from which this MAC-VLAN interface should be created. If this property is not specified, the connection
       must contain an "802-3-ethernet" setting with a "mac-address" property.

       Format: string

   macvlan.promiscuous
       Whether the parent interface should be put in promiscuous mode (true by default).

       Format: boolean

       Valid values: true/yes/on, false/no/off

   macvlan.tap
       Alias: tap

       Whether the interface should be a MACVTAP.

       Format: boolean

       Valid values: true/yes/on, false/no/off

match setting

   Match settings.

   Properties:

   match.driver
       A list of driver names to match. Each element is a shell wildcard pattern.

       See NMSettingMatch:interface-name for how special characters '|', '&', '!' and '\\' are used for optional and mandatory matches and inverting the pattern.

       Format: list of strings

   match.interface-name
       A list of interface names to match. Each element is a shell wildcard pattern.

       An element can be prefixed with a pipe symbol (|) or an ampersand (&). The former means that the element is optional and the latter means that it is mandatory. If there are any
       optional elements, than the match evaluates to true if at least one of the optional element matches (logical OR). If there are any mandatory elements, then they all must match
       (logical AND). By default, an element is optional. This means that an element "foo" behaves the same as "|foo". An element can also be inverted with exclamation mark (!) between
       the pipe symbol (or the ampersand) and before the pattern. Note that "!foo" is a shortcut for the mandatory match "&!foo". Finally, a backslash can be used at the beginning of the
       element (after the optional special characters) to escape the start of the pattern. For example, "&\\!a" is an mandatory match for literally "!a".

       Format: list of strings

   match.kernel-command-line
       A list of kernel command line arguments to match. This may be used to check whether a specific kernel command line option is set (or unset, if prefixed with the exclamation mark).
       The argument must either be a single word, or an assignment (i.e. two words, joined by "="). In the former case the kernel command line is searched for the word appearing as is,
       or as left hand side of an assignment. In the latter case, the exact assignment is looked for with right and left hand side matching. Wildcard patterns are not supported.

       See NMSettingMatch:interface-name for how special characters '|', '&', '!' and '\\' are used for optional and mandatory matches and inverting the match.

       Format: list of strings

   match.path
       A list of paths to match against the ID_PATH udev property of devices. ID_PATH represents the topological persistent path of a device. It typically contains a subsystem string
       (pci, usb, platform, etc.) and a subsystem-specific identifier.

       For PCI devices the path has the form "pci-$domain:$bus:$device.$function", where each variable is an hexadecimal value; for example "pci-0000:0a:00.0".

       The path of a device can be obtained with "udevadm info /sys/class/net/$dev | grep ID_PATH=" or by looking at the "path" property exported by NetworkManager ("nmcli -f
       general.path device show $dev").

       Each element of the list is a shell wildcard pattern.

       See NMSettingMatch:interface-name for how special characters '|', '&', '!' and '\\' are used for optional and mandatory matches and inverting the pattern.

       Format: list of strings

802-11-olpc-mesh setting

   Alias: olpc-mesh

   OLPC Wireless Mesh Settings.

   Properties:

   802-11-olpc-mesh.channel
       Alias: channel

       Channel on which the mesh network to join is located.

       Format: integer

       Valid values: 0 - 4294967295

   802-11-olpc-mesh.dhcp-anycast-address
       Alias: dhcp-anycast

       Anycast DHCP MAC address used when requesting an IP address via DHCP. The specific anycast address used determines which DHCP server class answers the request.

       This is currently only implemented by dhclient DHCP plugin.

       Format: MAC address

   802-11-olpc-mesh.ssid
       Alias: ssid

       SSID of the mesh network to join.

       Format: string

ovs-bridge setting

   OvsBridge Link Settings.

   Properties:

   ovs-bridge.datapath-type
       The data path type. One of "system", "netdev" or empty.

       Format: string

       Valid values: system, netdev

   ovs-bridge.fail-mode
       The bridge failure mode. One of "secure", "standalone" or empty.

       Format: string

       Valid values: secure, standalone

   ovs-bridge.mcast-snooping-enable
       Enable or disable multicast snooping.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ovs-bridge.rstp-enable
       Enable or disable RSTP.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ovs-bridge.stp-enable
       Enable or disable STP.

       Format: boolean

       Valid values: true/yes/on, false/no/off

ovs-dpdk setting

   OvsDpdk Link Settings.

   Properties:

   ovs-dpdk.devargs
       Open vSwitch DPDK device arguments.

       Format: string

   ovs-dpdk.n-rxq
       Open vSwitch DPDK number of rx queues. Defaults to zero which means to leave the parameter in OVS unspecified and effectively configures one queue.

       Format: integer

       Valid values: 0 - 4294967295

   ovs-dpdk.n-rxq-desc
       The rx queue size (number of rx descriptors) for DPDK ports. Must be zero or a power of 2 between 1 and 4096, and supported by the hardware. Defaults to zero which means to leave
       the parameter in OVS unspecified and effectively configures 2048 descriptors.

       Format: integer

       Valid values: 0 - 4096

   ovs-dpdk.n-txq-desc
       The tx queue size (number of tx descriptors) for DPDK ports. Must be zero or a power of 2 between 1 and 4096, and supported by the hardware. Defaults to zero which means to leave
       the parameter in OVS unspecified and effectively configures 2048 descriptors.

       Format: integer

       Valid values: 0 - 4096

ovs-interface setting

   Open vSwitch Interface Settings.

   Properties:

   ovs-interface.ofport-request
       Open vSwitch openflow port number. Defaults to zero which means that port number will not be specified and it will be chosen randomly by ovs. OpenFlow ports are the network
       interfaces for passing packets between OpenFlow processing and the rest of the network. OpenFlow switches connect logically to each other via their OpenFlow ports.

       Format: integer

       Valid values: 0 - 65279

   ovs-interface.type
       The interface type. Either "internal", "system", "patch", "dpdk", or empty.

       Format: string

       Valid values: internal, system, patch, dpdk

ovs-patch setting

   OvsPatch Link Settings.

   Properties:

   ovs-patch.peer
       Specifies the name of the interface for the other side of the patch. The patch on the other side must also set this interface as peer.

       Format: string

ovs-port setting

   OvsPort Link Settings.

   Properties:

   ovs-port.bond-downdelay
       The time port must be inactive in order to be considered down.

       Format: integer

       Valid values: 0 - 4294967295

   ovs-port.bond-mode
       Bonding mode. One of "active-backup", "balance-slb", or "balance-tcp".

       Format: string

       Valid values: active-backup, balance-slb, balance-tcp

   ovs-port.bond-updelay
       The time port must be active before it starts forwarding traffic.

       Format: integer

       Valid values: 0 - 4294967295

   ovs-port.lacp
       LACP mode. One of "active", "off", or "passive".

       Format: string

       Valid values: active, off, passive

   ovs-port.tag
       The VLAN tag in the range 0-4095.

       Format: integer

       Valid values: 0 - 4095

   ovs-port.trunks
       A list of VLAN ranges that this port trunks.

       The property is valid only for ports with mode "trunk", "native-tagged", or "native-untagged port". If it is empty, the port trunks all VLANs.

       Format: list of ovs-port.trunks objects

   ovs-port.vlan-mode
       The VLAN mode. One of "access", "native-tagged", "native-untagged", "trunk", "dot1q-tunnel" or unset.

       Format: string

       Valid values: access, native-tagged, native-untagged, trunk, dot1q-tunnel

ppp setting

   Point-to-Point Protocol Settings.

   Properties:

   ppp.baud
       If non-zero, instruct pppd to set the serial port to the specified baudrate. This value should normally be left as 0 to automatically choose the speed.

       Format: integer

       Valid values: 0 - 4294967295

   ppp.crtscts
       If TRUE, specify that pppd should set the serial port to use hardware flow control with RTS and CTS signals. This value should normally be set to FALSE.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.lcp-echo-failure
       If non-zero, instruct pppd to presume the connection to the peer has failed if the specified number of LCP echo-requests go unanswered by the peer. The "lcp-echo-interval"
       property must also be set to a non-zero value if this property is used.

       Format: integer

       Valid values: 0 - 4294967295

   ppp.lcp-echo-interval
       If non-zero, instruct pppd to send an LCP echo-request frame to the peer every n seconds (where n is the specified value). Note that some PPP peers will respond to echo requests
       and some will not, and it is not possible to autodetect this.

       Format: integer

       Valid values: 0 - 4294967295

   ppp.mppe-stateful
       If TRUE, stateful MPPE is used. See pppd documentation for more information on stateful MPPE.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.mru
       If non-zero, instruct pppd to request that the peer send packets no larger than the specified size. If non-zero, the MRU should be between 128 and 16384.

       Format: integer

       Valid values: 0 - 16384

   ppp.mtu
       If non-zero, instruct pppd to send packets no larger than the specified size.

       Format: integer

       Special values: auto

   ppp.no-vj-comp
       If TRUE, Van Jacobsen TCP header compression will not be requested.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.noauth
       If TRUE, do not require the other side (usually the PPP server) to authenticate itself to the client. If FALSE, require authentication from the remote side. In almost all cases,
       this should be TRUE.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.nobsdcomp
       If TRUE, BSD compression will not be requested.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.nodeflate
       If TRUE, "deflate" compression will not be requested.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.refuse-chap
       If TRUE, the CHAP authentication method will not be used.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.refuse-eap
       If TRUE, the EAP authentication method will not be used.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.refuse-mschap
       If TRUE, the MSCHAP authentication method will not be used.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.refuse-mschapv2
       If TRUE, the MSCHAPv2 authentication method will not be used.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.refuse-pap
       If TRUE, the PAP authentication method will not be used.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.require-mppe
       If TRUE, MPPE (Microsoft Point-to-Point Encryption) will be required for the PPP session. If either 64-bit or 128-bit MPPE is not available the session will fail. Note that MPPE
       is not used on mobile broadband connections.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   ppp.require-mppe-128
       If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encryption) will be required for the PPP session, and the "require-mppe" property must also be set to TRUE. If 128-bit MPPE is not
       available the session will fail.

       Format: boolean

       Valid values: true/yes/on, false/no/off

pppoe setting

   PPP-over-Ethernet Settings.

   Properties:

   pppoe.parent
       Alias: parent

       If given, specifies the parent interface name on which this PPPoE connection should be created. If this property is not specified, the connection is activated on the interface
       specified in "interface-name" of NMSettingConnection.

       Format: string

   pppoe.password
       Alias: password

       Password used to authenticate with the PPPoE service.

       Format: string

   pppoe.password-flags
       Flags indicating how to handle the "password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   pppoe.service
       Alias: service

       If specified, instruct PPPoE to only initiate sessions with access concentrators that provide the specified service. For most providers, this should be left blank. It is only
       required if there are multiple access concentrators or a specific service is known to be required.

       Format: string

   pppoe.username
       Alias: username

       Username used to authenticate with the PPPoE service.

       Format: string

proxy setting

   WWW Proxy Settings.

   Properties:

   proxy.browser-only
       Alias: browser-only

       Whether the proxy configuration is for browser only.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   proxy.method
       Alias: method

       Method for proxy configuration, Default is "none" (0)

       Format: choice (NMSettingProxyMethod)

       Valid values: none (0), auto (1)

   proxy.pac-script
       Alias: pac-script

       The PAC script. In the profile this must be an UTF-8 encoded javascript code that defines a FindProxyForURL() function. When setting the property in nmcli, a filename is accepted
       too. In that case, nmcli will read the content of the file and set the script. The prefixes "file://" and "js://" are supported to explicitly differentiate between the two.

       Format: string

   proxy.pac-url
       Alias: pac-url

       PAC URL for obtaining PAC file.

       Format: string

serial setting

   Serial Link Settings.

   Properties:

   serial.baud
       Speed to use for communication over the serial port. Note that this value usually has no effect for mobile broadband modems as they generally ignore speed settings and use the
       highest available speed.

       Format: integer

       Valid values: 0 - 4294967295

   serial.bits
       Byte-width of the serial communication. The 8 in "8n1" for example.

       Format: integer

       Valid values: 5 - 8

   serial.parity
       Parity setting of the serial port.

       Format: choice (NMSettingSerialParity)

       Valid values: none/N/n (0), even/E/e (1), odd/O/o (2)

   serial.send-delay
       Time to delay between each byte sent to the modem, in microseconds.

       Format: integer

       Valid values: 0 - 18446744073709551615

   serial.stopbits
       Number of stop bits for communication on the serial port. Either 1 or 2. The 1 in "8n1" for example.

       Format: integer

       Valid values: 1 - 2

sriov setting

   SR-IOV settings.

   Properties:

   sriov.autoprobe-drivers
       Whether to autoprobe virtual functions by a compatible driver.

       If set to "true" (1), the kernel will try to bind VFs to a compatible driver and if this succeeds a new network interface will be instantiated for each VF.

       If set to "false" (0), VFs will not be claimed and no network interfaces will be created for them.

       When set to "default" (-1), the global default is used; in case the global default is unspecified it is assumed to be "true" (1).

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   sriov.eswitch-encap-mode
       Select the eswitch encapsulation support.

       Currently it's only supported for PCI PF devices, and only if the eswitch device is managed from the same PCI address than the PF.

       If set to "preserve" (-1) (default) the eswitch encap-mode won't be modified by NetworkManager.

       Format: choice (NMSriovEswitchEncapMode)

       Valid values: preserve (-1), none (0), basic (1)

   sriov.eswitch-inline-mode
       Select the eswitch inline-mode of the device. Some HWs need the VF driver to put part of the packet headers on the TX descriptor so the e-switch can do proper matching and
       steering.

       Currently it's only supported for PCI PF devices, and only if the eswitch device is managed from the same PCI address than the PF.

       If set to "preserve" (-1) (default) the eswitch inline-mode won't be modified by NetworkManager.

       Format: choice (NMSriovEswitchInlineMode)

       Valid values: preserve (-1), none (0), link (1), network (2), transport (3)

   sriov.eswitch-mode
       Select the eswitch mode of the device. Currently it's only supported for PCI PF devices, and only if the eswitch device is managed from the same PCI address than the PF.

       If set to "preserve" (-1) (default) the eswitch mode won't be modified by NetworkManager.

       Format: choice (NMSriovEswitchMode)

       Valid values: preserve (-1), legacy (0), switchdev (1)

   sriov.total-vfs
       The total number of virtual functions to create.

       Note that when the sriov setting is present NetworkManager enforces the number of virtual functions on the interface (also when it is zero) during activation and resets it upon
       deactivation. To prevent any changes to SR-IOV parameters don't add a sriov setting to the connection.

       Format: integer

       Valid values: 0 - 4294967295

   sriov.vfs
       Array of virtual function descriptors.

       Each VF descriptor is a dictionary mapping attribute names to GVariant values. The 'index' entry is mandatory for each VF.

       When represented as string a VF is in the form:

       "INDEX [ATTR=VALUE[ ATTR=VALUE]...]".

       for example:

       "2 mac=00:11:22:33:44:55 spoof-check=true".

       Multiple VFs can be specified using a comma as separator. Currently, the following attributes are supported: mac, spoof-check, trust, min-tx-rate, max-tx-rate, vlans.

       The "vlans" attribute is represented as a semicolon-separated list of VLAN descriptors, where each descriptor has the form

       "ID[.PRIORITY[.PROTO]]".

       PROTO can be either 'q' for 802.1Q (the default) or 'ad' for 802.1ad.

       Format: list of sriov.vfs objects

tc setting

   Linux Traffic Control Settings.

   Properties:

   tc.qdiscs
       Array of TC queueing disciplines. qdisc is a basic block in the Linux traffic control subsystem

       Each qdisc can be specified by the following attributes:

       handle HANDLE
           specifies the qdisc handle. A qdisc, which potentially can have children, gets assigned a major number, called a 'handle', leaving the minor number namespace available for
           classes. The handle is expressed as '10:'. It is customary to explicitly assign a handle to qdiscs expected to have children.

       parent HANDLE
           specifies the handle of the parent qdisc the current qdisc must be attached to.

       root
           specifies that the qdisc is attached to the root of device.

       KIND
           this is the qdisc kind. NetworkManager currently supports the following kinds: fq_codel, sfq, tbf. Each qdisc kind has a different set of parameters, described below. There
           are also some kinds like pfifo, pfifo_fast, prio supported by NetworkManager but their parameters are not supported by NetworkManager.

       Parameters for 'fq_codel':

       limit U32
           the hard limit on the real queue size. When this limit is reached, incoming packets are dropped. Default is 10240 packets.

       memory_limit U32
           sets a limit on the total number of bytes that can be queued in this FQ-CoDel instance. The lower of the packet limit of the limit parameter and the memory limit will be
           enforced. Default is 32 MB.

       flows U32
           the number of flows into which the incoming packets are classified. Due to the stochastic nature of hashing, multiple flows may end up being hashed into the same slot. Newer
           flows have priority over older ones. This parameter can be set only at load time since memory has to be allocated for the hash table. Default value is 1024.

       target U32
           the acceptable minimum standing/persistent queue delay. This minimum delay is identified by tracking the local minimum queue delay that packets experience. The unit of
           measurement is microsecond(us). Default value is 5ms.

       interval U32
           used to ensure that the measured minimum delay does not become too stale. The minimum delay must be experienced in the last epoch of length .B interval. It should be set on
           the order of the worst-case RTT through the bottleneck to give endpoints sufficient time to react. Default value is 100ms.

       quantum U32
           the number of bytes used as 'deficit' in the fair queuing algorithm. Default is set to 1514 bytes which corresponds to the Ethernet MTU plus the hardware header length of 14
           bytes.

       ecn BOOL
           can be used to mark packets instead of dropping them. ecn is turned on by default.

       ce_threshold U32
           sets a threshold above which all packets are marked with ECN Congestion Experienced. This is useful for DCTCP-style congestion control algorithms that require marking at very
           shallow queueing thresholds.

       Parameters for 'sfq':

       divisor U32
           can be used to set a different hash table size, available from kernel 2.6.39 onwards. The specified divisor must be a power of two and cannot be larger than 65536. Default
           value: 1024.

       limit U32
           Upper limit of the SFQ. Can be used to reduce the default length of 127 packets.

       depth U32
           Limit of packets per flow. Default to 127 and can be lowered.

       perturb_period U32
           Interval in seconds for queue algorithm perturbation. Defaults to 0, which means that no perturbation occurs. Do not set too low for each perturbation may cause some packet
           reordering or losses. Advised value: 60 This value has no effect when external flow classification is used. Its better to increase divisor value to lower risk of hash
           collisions.

       quantum U32
           Amount of bytes a flow is allowed to dequeue during a round of the round robin process. Defaults to the MTU of the interface which is also the advised value and the minimum
           value.

       flows U32
           Default value is 127.

       Parameters for 'tbf':

       rate U64
           Bandwidth or rate. These parameters accept a floating point number, possibly followed by either a unit (both SI and IEC units supported), or a float followed by a percent
           character to specify the rate as a percentage of the device's speed.

       burst U32
           Also known as buffer or maxburst. Size of the bucket, in bytes. This is the maximum amount of bytes that tokens can be available for instantaneously. In general, larger
           shaping rates require a larger buffer. For 10mbit/s on Intel, you need at least 10kbyte buffer if you want to reach your configured rate!

           If your buffer is too small, packets may be dropped because more tokens arrive per timer tick than fit in your bucket. The minimum buffer size can be calculated by dividing
           the rate by HZ.

           Token usage calculations are performed using a table which by default has a resolution of 8 packets. This resolution can be changed by specifying the cell size with the burst.
           For example, to specify a 6000 byte buffer with a 16 byte cell size, set a burst of 6000/16. You will probably never have to set this. Must be an integral power of 2.

       limit U32
           Limit is the number of bytes that can be queued waiting for tokens to become available.

       latency U32
           specifies the maximum amount of time a packet can sit in the TBF. The latency calculation takes into account the size of the bucket, the rate and possibly the peakrate (if
           set). The latency and limit are mutually exclusive.

       Format: GPtrArray(NMTCQdisc)

   tc.tfilters
       Array of TC traffic filters. Traffic control can manage the packet content during classification by using filters.

       Each tfilters can be specified by the following attributes:

       handle HANDLE
           specifies the tfilters handle. A filter is used by a classful qdisc to determine in which class a packet will be enqueued. It is important to notice that filters reside within
           qdiscs. Therefore, see qdiscs handle for detailed information.

       parent HANDLE
           specifies the handle of the parent qdisc the current qdisc must be attached to.

       root
           specifies that the qdisc is attached to the root of device.

       KIND
           this is the tfilters kind. NetworkManager currently supports following kinds: mirred, simple. Each filter kind has a different set of actions, described below. There are also
           some other kinds like matchall, basic, u32 supported by NetworkManager.

       Actions for 'mirred':

       egress bool
           Define whether the packet should exit from the interface.

       ingress bool
           Define whether the packet should come into the interface.

       mirror bool
           Define whether the packet should be copied to the destination space.

       redirect bool
           Define whether the packet should be moved to the destination space.

       Action for 'simple':

       sdata char[32]
           The actual string to print.

       Format: GPtrArray(NMTCTfilter)

team setting

   Teaming Settings.

   Properties:

   team.config
       Alias: config

       The JSON configuration for the team network interface. The property should contain raw JSON configuration data suitable for teamd, because the value is passed directly to teamd.
       If not specified, the default configuration is used. See man teamd.conf for the format details.

       Format: string

   team.link-watchers
       Link watchers configuration for the connection: each link watcher is defined by a dictionary, whose keys depend upon the selected link watcher. Available link watchers are
       'ethtool', 'nsna_ping' and 'arp_ping' and it is specified in the dictionary with the key 'name'. Available keys are: ethtool: 'delay-up', 'delay-down', 'init-wait'; nsna_ping:
       'init-wait', 'interval', 'missed-max', 'target-host'; arp_ping: all the ones in nsna_ping and 'source-host', 'validate-active', 'validate-inactive', 'send-always'. See teamd.conf
       man for more details.

       Format: list of team.link-watchers objects

   team.mcast-rejoin-count
       Corresponds to the teamd mcast_rejoin.count.

       Format: integer

       Valid values: -2147483648 - 2147483647

       Special values: unset (-1), disabled (0)

   team.mcast-rejoin-interval
       Corresponds to the teamd mcast_rejoin.interval.

       Format: integer

       Valid values: -2147483648 - 2147483647

       Special values: unset (-1), default (0)

   team.notify-peers-count
       Corresponds to the teamd notify_peers.count.

       Format: integer

       Valid values: -2147483648 - 2147483647

       Special values: unset (-1), disabled (0)

   team.notify-peers-interval
       Corresponds to the teamd notify_peers.interval.

       Format: integer

       Valid values: -2147483648 - 2147483647

       Special values: unset (-1), default (0)

   team.runner
       Corresponds to the teamd runner.name. Permitted values are: "roundrobin", "broadcast", "activebackup", "loadbalance", "lacp", "random".

       Format: string

       Valid values: broadcast, roundrobin, random, activebackup, loadbalance, lacp

   team.runner-active
       Corresponds to the teamd runner.active.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   team.runner-agg-select-policy
       Corresponds to the teamd runner.agg_select_policy.

       Format: string

       Valid values: lacp_prio, lacp_prio_stable, bandwidth, count, port_config

   team.runner-fast-rate
       Corresponds to the teamd runner.fast_rate.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   team.runner-hwaddr-policy
       Corresponds to the teamd runner.hwaddr_policy.

       Format: string

       Valid values: same_all, by_active, only_active

   team.runner-min-ports
       Corresponds to the teamd runner.min_ports.

       Format: integer

       Valid values: -2147483648 - 2147483647

       Special values: unset (-1), default (1)

   team.runner-sys-prio
       Corresponds to the teamd runner.sys_prio.

       Format: integer

       Valid values: -2147483648 - 2147483647

       Special values: unset (-1), default (65535)

   team.runner-tx-balancer
       Corresponds to the teamd runner.tx_balancer.name.

       Format: string

       Valid values: basic

   team.runner-tx-balancer-interval
       Corresponds to the teamd runner.tx_balancer.interval.

       Format: integer

       Valid values: -2147483648 - 2147483647

       Special values: unset (-1), default (50)

   team.runner-tx-hash
       Corresponds to the teamd runner.tx_hash.

       Format: list of strings

       Valid values: eth, vlan, ipv4, ipv6, ip, l3, tcp, udp, sctp, l4

team-port setting

   Team Port Settings.

   Properties:

   team-port.config
       Alias: config

       The JSON configuration for the team port. The property should contain raw JSON configuration data suitable for teamd, because the value is passed directly to teamd. If not
       specified, the default configuration is used. See man teamd.conf for the format details.

       Format: string

   team-port.lacp-key
       Corresponds to the teamd ports.PORTIFNAME.lacp_key.

       Format: integer

       Valid values: -2147483648 - 2147483647

       Special values: unset (-1), default (0)

   team-port.lacp-prio
       Corresponds to the teamd ports.PORTIFNAME.lacp_prio.

       Format: integer

       Valid values: -2147483648 - 2147483647

       Special values: unset (-1), default (255)

   team-port.link-watchers
       Link watchers configuration for the connection: each link watcher is defined by a dictionary, whose keys depend upon the selected link watcher. Available link watchers are
       'ethtool', 'nsna_ping' and 'arp_ping' and it is specified in the dictionary with the key 'name'. Available keys are: ethtool: 'delay-up', 'delay-down', 'init-wait'; nsna_ping:
       'init-wait', 'interval', 'missed-max', 'target-host'; arp_ping: all the ones in nsna_ping and 'source-host', 'validate-active', 'validate-inactive', 'send-always'. See teamd.conf
       man for more details.

       Format: list of team-port.link-watchers objects

   team-port.prio
       Corresponds to the teamd ports.PORTIFNAME.prio.

       Format: integer

       Valid values: -2147483648 - 2147483647

       Special values: unset (0), default (0)

   team-port.queue-id
       Corresponds to the teamd ports.PORTIFNAME.queue_id. When set to -1 means the parameter is skipped from the json config.

       Format: integer

       Valid values: -2147483648 - 2147483647

       Special values: unset (-1), default (0)

   team-port.sticky
       Corresponds to the teamd ports.PORTIFNAME.sticky.

       Format: boolean

       Valid values: true/yes/on, false/no/off

tun setting

   Tunnel Settings.

   Properties:

   tun.group
       Alias: group

       The group ID which will own the device. If set to NULL everyone will be able to use the device.

       Format: string

   tun.mode
       Alias: mode

       The operating mode of the virtual device. Allowed values are "tun" (1) to create a layer 3 device and "tap" (2) to create an Ethernet-like layer 2 one.

       Format: choice (NMSettingTunMode)

       Valid values: tun (1), tap (2)

   tun.multi-queue
       Alias: multi-queue

       If the property is set to TRUE, the interface will support multiple file descriptors (queues) to parallelize packet sending or receiving. Otherwise, the interface will only
       support a single queue.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   tun.owner
       Alias: owner

       The user ID which will own the device. If set to NULL everyone will be able to use the device.

       Format: string

   tun.pi
       Alias: pi

       If TRUE the interface will prepend a 4 byte header describing the physical interface to the packets.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   tun.vnet-hdr
       Alias: vnet-hdr

       If TRUE the IFF_VNET_HDR the tunnel packets will include a virtio network header.

       Format: boolean

       Valid values: true/yes/on, false/no/off

vlan setting

   VLAN Settings.

   Properties:

   vlan.egress-priority-map
       Alias: egress

       For outgoing packets, a list of mappings from Linux SKB priorities to 802.1p priorities. The mapping is given in the format "from:to" where both "from" and "to" are unsigned
       integers, ie "7:3".

       Format: list of vlan.egress-priority-map objects

   vlan.flags
       Alias: flags

       One or more flags which control the behavior and features of the VLAN interface. Flags include "reorder-headers" (0x1) (reordering of output packet headers), "gvrp" (0x2) (use of
       the GVRP protocol), and "loose-binding" (0x4) (loose binding of the interface to its controller device's operating state). "mvrp" (0x8) (use of the MVRP protocol).

       The default value of this property is NM_VLAN_FLAG_REORDER_HEADERS, but it used to be 0. To preserve backward compatibility, the default-value in the D-Bus API continues to be 0
       and a missing property on D-Bus is still considered as 0.

       Format: flags (NMVlanFlags)

       Valid values: reorder-headers (0x1), gvrp (0x2), loose-binding (0x4), mvrp (0x8)

   vlan.id
       Alias: id

       The VLAN identifier that the interface created by this connection should be assigned. The valid range is from 0 to 4094, without the reserved id 4095.

       Format: integer

       Valid values: 0 - 4095

   vlan.ingress-priority-map
       Alias: ingress

       For incoming packets, a list of mappings from 802.1p priorities to Linux SKB priorities. The mapping is given in the format "from:to" where both "from" and "to" are unsigned
       integers, ie "7:3".

       Format: list of vlan.ingress-priority-map objects

   vlan.parent
       Alias: dev

       If given, specifies the parent interface name or parent connection UUID from which this VLAN interface should be created. If this property is not specified, the connection must
       contain an "802-3-ethernet" setting with a "mac-address" property.

       Format: string

   vlan.protocol
       Specifies the VLAN protocol to use for encapsulation.

       Supported values are: '802.1Q', '802.1ad'. If not specified the default value is '802.1Q'.

       Format: string

       Valid values: 802.1Q, 802.1ad

vpn setting

   VPN Settings.

   Properties:

   vpn.data
       Dictionary of key/value pairs of VPN plugin specific data. Both keys and values must be strings.

       Format: list of key/value options

   vpn.persistent
       If the VPN service supports persistence, and this property is TRUE, the VPN will attempt to stay connected across link changes and outages, until explicitly disconnected.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   vpn.secrets
       Dictionary of key/value pairs of VPN plugin specific secrets like passwords or private keys. Both keys and values must be strings.

       Format: list of key/value options

   vpn.service-type
       Alias: vpn-type

       D-Bus service name of the VPN plugin that this setting uses to connect to its network. i.e. org.freedesktop.NetworkManager.vpnc for the vpnc plugin.

       Format: string

   vpn.timeout
       Timeout for the VPN service to establish the connection. Some services may take quite a long time to connect. Value of 0 means a default timeout, which is 60 seconds (unless
       overridden by vpn.timeout in configuration file). Values greater than zero mean timeout in seconds.

       Format: integer

       Valid values: 0 - 4294967295

   vpn.user-name
       Alias: user

       If the VPN connection requires a user name for authentication, that name should be provided here. If the connection is available to more than one user, and the VPN requires each
       user to supply a different name, then leave this property empty. If this property is empty, NetworkManager will automatically supply the username of the user which requested the
       VPN connection.

       Format: string

vrf setting

   VRF settings.

   Properties:

   vrf.table
       Alias: table

       The routing table for this VRF.

       Format: integer

       Valid values: 0 - 4294967295

vxlan setting

   VXLAN Settings.

   Properties:

   vxlan.ageing
       Specifies the lifetime in seconds of FDB entries learnt by the kernel.

       Format: integer

       Valid values: 0 - 4294967295

   vxlan.destination-port
       Alias: destination-port

       Specifies the UDP destination port to communicate to the remote VXLAN tunnel endpoint.

       Format: integer

       Valid values: 0 - 65535

   vxlan.id
       Alias: id

       Specifies the VXLAN Network Identifier (or VXLAN Segment Identifier) to use.

       Format: integer

       Valid values: 0 - 16777215

   vxlan.l2-miss
       Specifies whether netlink LL ADDR miss notifications are generated.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   vxlan.l3-miss
       Specifies whether netlink IP ADDR miss notifications are generated.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   vxlan.learning
       Specifies whether unknown source link layer addresses and IP addresses are entered into the VXLAN device forwarding database.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   vxlan.limit
       Specifies the maximum number of FDB entries. A value of zero means that the kernel will store unlimited entries.

       Format: integer

       Valid values: 0 - 4294967295

   vxlan.local
       Alias: local

       If given, specifies the source IP address to use in outgoing packets.

       Format: string

   vxlan.parent
       Alias: dev

       If given, specifies the parent interface name or parent connection UUID.

       Format: string

   vxlan.proxy
       Specifies whether ARP proxy is turned on.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   vxlan.remote
       Alias: remote

       Specifies the unicast destination IP address to use in outgoing packets when the destination link layer address is not known in the VXLAN device forwarding database, or the
       multicast IP address to join.

       Format: string

   vxlan.rsc
       Specifies whether route short circuit is turned on.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   vxlan.source-port-max
       Alias: source-port-max

       Specifies the maximum UDP source port to communicate to the remote VXLAN tunnel endpoint.

       Format: integer

       Valid values: 0 - 65535

   vxlan.source-port-min
       Alias: source-port-min

       Specifies the minimum UDP source port to communicate to the remote VXLAN tunnel endpoint.

       Format: integer

       Valid values: 0 - 65535

   vxlan.tos
       Specifies the TOS value to use in outgoing packets.

       Format: integer

       Valid values: 0 - 255

   vxlan.ttl
       Specifies the time-to-live value to use in outgoing packets.

       Format: integer

       Valid values: 0 - 255

wifi-p2p setting

   Wi-Fi P2P Settings.

   Properties:

   wifi-p2p.peer
       Alias: peer

       The P2P device that should be connected to. Currently, this is the only way to create or join a group.

       Format: MAC address

   wifi-p2p.wfd-ies
       The Wi-Fi Display (WFD) Information Elements (IEs) to set.

       Wi-Fi Display requires a protocol specific information element to be set in certain Wi-Fi frames. These can be specified here for the purpose of establishing a connection. This
       setting is only useful when implementing a Wi-Fi Display client.

       Format: bytes

   wifi-p2p.wps-method
       Flags indicating which mode of WPS is to be used.

       There's little point in changing the default setting as NetworkManager will automatically determine the best method to use.

       Format: flags (NMSettingWirelessSecurityWpsMethod)

       Valid values: default (0x0), disabled (0x1), auto (0x2), pbc (0x4), pin (0x8)

wimax setting

   WiMax Settings.

   Properties:

   wimax.mac-address
       Alias: mac

       If specified, this connection will only apply to the WiMAX device whose MAC address matches. This property does not change the MAC address of the device (known as MAC spoofing).

       This property is deprecated since version 1.2. WiMAX is no longer supported.

       Format: string

   wimax.network-name
       Alias: nsp

       Network Service Provider (NSP) name of the WiMAX network this connection should use.

       This property is deprecated since version 1.2. WiMAX is no longer supported.

       Format: MAC address

802-3-ethernet setting

   Alias: ethernet

   Wired Ethernet Settings.

   Properties:

   802-3-ethernet.accept-all-mac-addresses
       When TRUE, setup the interface to accept packets for all MAC addresses. This is enabling the kernel interface flag IFF_PROMISC. When FALSE, the interface will only accept the
       packets with the interface destination mac address or broadcast.

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   802-3-ethernet.auto-negotiate
       When TRUE, enforce auto-negotiation of speed and duplex mode. If "speed" and "duplex" properties are both specified, only that single mode will be advertised and accepted during
       the link auto-negotiation process: this works only for BASE-T 802.3 specifications and is useful for enforcing gigabits modes, as in these cases link negotiation is mandatory.
       When FALSE, "speed" and "duplex" properties should be both set or link configuration will be skipped.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   802-3-ethernet.cloned-mac-address
       Alias: cloned-mac

       If specified, request that the device use this MAC address instead. This is known as MAC cloning or spoofing.

       Beside explicitly specifying a MAC address, the special values "preserve", "permanent", "random" and "stable" are supported. "preserve" means not to touch the MAC address on
       activation. "permanent" means to use the permanent hardware address if the device has one (otherwise this is treated as "preserve"). "random" creates a random MAC address on each
       connect. "stable" creates a hashed MAC address based on connection.stable-id and a machine dependent key.

       If unspecified, the value can be overwritten via global defaults, see manual of NetworkManager.conf. If still unspecified, it defaults to "preserve" (older versions of
       NetworkManager may use a different default value).

       On D-Bus, this field is expressed as "assigned-mac-address" or the deprecated "cloned-mac-address".

       Format: MAC address

       Special values: preserve, permanent, random, stable

   802-3-ethernet.duplex
       When a value is set, either "half" or "full", configures the device to use the specified duplex mode. If "auto-negotiate" is "yes" the specified duplex mode will be the only one
       advertised during link negotiation: this works only for BASE-T 802.3 specifications and is useful for enforcing gigabits modes, as in these cases link negotiation is mandatory. If
       the value is unset (the default), the link configuration will be either skipped (if "auto-negotiate" is "no", the default) or will be auto-negotiated (if "auto-negotiate" is
       "yes") and the local device will advertise all the supported duplex modes. Must be set together with the "speed" property if specified. Before specifying a duplex mode be sure
       your device supports it.

       Format: string

       Valid values: half, full

   802-3-ethernet.generate-mac-address-mask
       With "cloned-mac-address" setting "random" or "stable", by default all bits of the MAC address are scrambled and a locally-administered, unicast MAC address is created. This
       property allows to specify that certain bits are fixed. Note that the least significant bit of the first MAC address will always be unset to create a unicast MAC address.

       If the property is NULL, it is eligible to be overwritten by a default connection setting. If the value is still NULL or an empty string, the default is to create a
       locally-administered, unicast MAC address.

       If the value contains one MAC address, this address is used as mask. The set bits of the mask are to be filled with the current MAC address of the device, while the unset bits are
       subject to randomization. Setting "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC address and only randomize the lower 3 bytes using the "random" or "stable"
       algorithm.

       If the value contains one additional MAC address after the mask, this address is used instead of the current MAC address to fill the bits that shall not be randomized. For
       example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC address to 68:F7:28, while the lower bits are randomized. A value of "02:00:00:00:00:00
       00:00:00:00:00:00" will create a fully scrambled globally-administered, burned-in MAC address.

       If the value contains more than one additional MAC addresses, one of them is chosen randomly. For example, "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create a
       fully scrambled MAC address, randomly locally or globally administered.

       Format: string

   802-3-ethernet.mac-address
       Alias: mac

       If specified, this connection will only apply to the Ethernet device whose permanent MAC address matches. This property does not change the MAC address of the device (i.e. MAC
       spoofing).

       Format: MAC address

   802-3-ethernet.mac-address-blacklist
       If specified, this connection will never apply to the Ethernet device whose permanent MAC address matches an address in the list. Each MAC address is in the standard
       hex-digits-and-colons notation (00:11:22:33:44:55).

       Format: list of MAC addresses

   802-3-ethernet.mac-address-denylist
       If specified, this connection will never apply to the Ethernet device whose permanent MAC address matches an address in the list. Each MAC address is in the standard
       hex-digits-and-colons notation (00:11:22:33:44:55).

       Format: list of MAC addresses

   802-3-ethernet.mtu
       Alias: mtu

       If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple Ethernet frames.

       Format: integer

       Special values: auto

   802-3-ethernet.port
       Specific port type to use if the device supports multiple attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media
       Independent Interface). If the device supports only one port type, this setting is ignored.

       Format: read only

   802-3-ethernet.s390-nettype
       s390 network device type; one of "qeth", "lcs", or "ctc", representing the different types of virtual network devices available on s390 systems.

       Format: string

       Valid values: qeth, lcs, ctc

   802-3-ethernet.s390-options
       Dictionary of key/value pairs of s390-specific device options. Both keys and values must be strings. Allowed keys include "portno", "layer2", "portname", "protocol", among others.
       Key names must contain only alphanumeric characters (ie, [a-zA-Z0-9]).

       Currently, NetworkManager itself does nothing with this information. However, s390utils ships a udev rule which parses this information and applies it to the interface.

       Format: list of key/value options

   802-3-ethernet.s390-subchannels
       Identifies specific subchannels that this network device uses for communication with z/VM or s390 host. Like the "mac-address" property for non-z/VM devices, this property can be
       used to ensure this connection only applies to the network device that uses these subchannels. The list should contain exactly 3 strings, and each string may only be composed of
       hexadecimal characters and the period (.) character.

       Format: list of 802-3-ethernet.s390-subchannels objects

   802-3-ethernet.speed
       When a value greater than 0 is set, configures the device to use the specified speed. If "auto-negotiate" is "yes" the specified speed will be the only one advertised during link
       negotiation: this works only for BASE-T 802.3 specifications and is useful for enforcing gigabit speeds, as in this case link negotiation is mandatory. If the value is unset (0,
       the default), the link configuration will be either skipped (if "auto-negotiate" is "no", the default) or will be auto-negotiated (if "auto-negotiate" is "yes") and the local
       device will advertise all the supported speeds. In Mbit/s, ie 100 == 100Mbit/s. Must be set together with the "duplex" property when non-zero. Before specifying a speed value be
       sure your device supports it.

       Format: integer

       Valid values: 0 - 4294967295

   802-3-ethernet.wake-on-lan
       The NMSettingWiredWakeOnLan options to enable. Not all devices support all options. May be any combination of "phy" (0x2), "unicast" (0x4), "multicast" (0x8), "broadcast" (0x10),
       "arp" (0x20), "magic" (0x40) or the special values "default" (0x1) (to use global settings) and "ignore" (0x8000) (to disable management of Wake-on-LAN in NetworkManager).

       Format: flags (NMSettingWiredWakeOnLan)

       Valid values: phy (0x2), unicast (0x4), multicast (0x8), broadcast (0x10), arp (0x20), magic (0x40), default (0x1), ignore (0x8000)

   802-3-ethernet.wake-on-lan-password
       If specified, the password used with magic-packet-based Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no password will be required.

       Format: MAC address

wireguard setting

   WireGuard Settings.

   Properties:

   wireguard.fwmark
       The use of fwmark is optional and is by default off. Setting it to 0 disables it. Otherwise, it is a 32-bit fwmark for outgoing packets.

       Note that "ip4-auto-default-route" or "ip6-auto-default-route" enabled, implies to automatically choose a fwmark.

       Format: integer

       Valid values: 0 - 4294967295

   wireguard.ip4-auto-default-route
       Whether to enable special handling of the IPv4 default route. If enabled, the IPv4 default route from wireguard.peer-routes will be placed to a dedicated routing-table and two
       policy routing rules will be added. The fwmark number is also used as routing-table for the default-route, and if fwmark is zero, an unused fwmark/table is chosen automatically.
       This corresponds to what wg-quick does with Table=auto and what WireGuard calls "Improved Rule-based Routing".

       Note that for this automatism to work, you usually don't want to set ipv4.gateway, because that will result in a conflicting default route.

       Leaving this at the default will enable this option automatically if ipv4.never-default is not set and there are any peers that use a default-route as allowed-ips. Since this
       automatism only makes sense if you also have a peer with an /0 allowed-ips, it is usually not necessary to enable this explicitly. However, you can disable it if you want to
       configure your own routing and rules.

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   wireguard.ip6-auto-default-route
       Like ip4-auto-default-route, but for the IPv6 default route.

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   wireguard.listen-port
       The listen-port. If listen-port is not specified, the port will be chosen randomly when the interface comes up.

       Format: integer

       Valid values: 0 - 65535

   wireguard.mtu
       If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple fragments.

       If zero a default MTU is used. Note that contrary to wg-quick's MTU setting, this does not take into account the current routes at the time of activation.

       Format: integer

       Special values: auto

   wireguard.peer-routes
       Whether to automatically add routes for the AllowedIPs ranges of the peers. If TRUE (the default), NetworkManager will automatically add routes in the routing tables according to
       ipv4.route-table and ipv6.route-table. Usually you want this automatism enabled. If FALSE, no such routes are added automatically. In this case, the user may want to configure
       static routes in ipv4.routes and ipv6.routes, respectively.

       Note that if the peer's AllowedIPs is "0.0.0.0/0" or "::/0" and the profile's ipv4.never-default or ipv6.never-default setting is enabled, the peer route for this peer won't be
       added automatically.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   wireguard.private-key
       The 256 bit private-key in base64 encoding.

       Format: string

   wireguard.private-key-flags
       Flags indicating how to handle the "private-key" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

802-11-wireless setting

   Alias: wifi

   Wi-Fi Settings.

   Properties:

   802-11-wireless.ap-isolation
       Configures AP isolation, which prevents communication between wireless devices connected to this AP. This property can be set to a value different from "default" (-1) only when
       the interface is configured in AP mode.

       If set to "true" (1), devices are not able to communicate with each other. This increases security because it protects devices against attacks from other clients in the network.
       At the same time, it prevents devices to access resources on the same wireless networks as file shares, printers, etc.

       If set to "false" (0), devices can talk to each other.

       When set to "default" (-1), the global default is used; in case the global default is unspecified it is assumed to be "false" (0).

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   802-11-wireless.band
       802.11 frequency band of the network. One of "a" for 5GHz 802.11a or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi network to the specific band, i.e. if "a" is
       specified, the device will not associate with the same network in the 2.4GHz band even if the network's settings are compatible. This setting depends on specific driver capability
       and may not work with all drivers.

       Format: string

       Valid values: a, bg

   802-11-wireless.bssid
       If specified, directs the device to only associate with the given access point. This capability is highly driver dependent and not supported by all devices. Note: this property
       does not control the BSSID used when creating an Ad-Hoc network and is unlikely to in the future.

       Locking a client profile to a certain BSSID will prevent roaming and also disable background scanning. That can be useful, if there is only one access point for the SSID.

       Format: MAC address

   802-11-wireless.channel
       Wireless channel to use for the Wi-Fi connection. The device will only join (or create for Ad-Hoc networks) a Wi-Fi network on the specified channel. Because channel numbers
       overlap between bands, this property also requires the "band" property to be set.

       Format: integer

       Valid values: 0 - 4294967295

   802-11-wireless.channel-width
       Specifies width of the wireless channel in Access Point (AP) mode.

       When set to "auto" (0) (the default), the channel width is automatically determined. At the moment, this means that the safest (smallest) width is chosen.

       If the value is not "auto" (0), then the 'channel' property must also be set. When using the 2.4GHz band, the width can be at most 40MHz.

       This property can be set to a value different from "auto" (0) only when the interface is configured in AP mode.

       Format: choice (NMSettingWirelessChannelWidth)

       Valid values: auto (0), 20mhz (20), 40mhz (40), 80mhz (80)

   802-11-wireless.cloned-mac-address
       Alias: cloned-mac

       If specified, request that the device use this MAC address instead. This is known as MAC cloning or spoofing.

       Beside explicitly specifying a MAC address, the special values "preserve", "permanent", "random", "stable" and "stable-ssid" are supported. "preserve" means not to touch the MAC
       address on activation. "permanent" means to use the permanent hardware address of the device. "random" creates a random MAC address on each connect. "stable" creates a hashed MAC
       address based on connection.stable-id and a machine dependent key. "stable-ssid" creates a hashed MAC address based on the SSID, the same as setting the stable-id to
       "${NETWORK_SSID}".

       If unspecified, the value can be overwritten via global defaults, see manual of NetworkManager.conf. If still unspecified, it defaults to "preserve" (older versions of
       NetworkManager may use a different default value).

       On D-Bus, this field is expressed as "assigned-mac-address" or the deprecated "cloned-mac-address".

       Format: MAC address

       Special values: preserve, permanent, random, stable, stable-ssid

   802-11-wireless.generate-mac-address-mask
       With "cloned-mac-address" setting "random" or "stable", by default all bits of the MAC address are scrambled and a locally-administered, unicast MAC address is created. This
       property allows to specify that certain bits are fixed. Note that the least significant bit of the first MAC address will always be unset to create a unicast MAC address.

       If the property is NULL, it is eligible to be overwritten by a default connection setting. If the value is still NULL or an empty string, the default is to create a
       locally-administered, unicast MAC address.

       If the value contains one MAC address, this address is used as mask. The set bits of the mask are to be filled with the current MAC address of the device, while the unset bits are
       subject to randomization. Setting "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC address and only randomize the lower 3 bytes using the "random" or "stable"
       algorithm.

       If the value contains one additional MAC address after the mask, this address is used instead of the current MAC address to fill the bits that shall not be randomized. For
       example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC address to 68:F7:28, while the lower bits are randomized. A value of "02:00:00:00:00:00
       00:00:00:00:00:00" will create a fully scrambled globally-administered, burned-in MAC address.

       If the value contains more than one additional MAC addresses, one of them is chosen randomly. For example, "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create a
       fully scrambled MAC address, randomly locally or globally administered.

       Format: string

   802-11-wireless.hidden
       If TRUE, indicates that the network is a non-broadcasting network that hides its SSID. This works both in infrastructure and AP mode.

       In infrastructure mode, various workarounds are used for a more reliable discovery of hidden networks, such as probe-scanning the SSID. However, these workarounds expose inherent
       insecurities with hidden SSID networks, and thus hidden SSID networks should be used with caution.

       In AP mode, the created network does not broadcast its SSID.

       Note that marking the network as hidden may be a privacy issue for you (in infrastructure mode) or client stations (in AP mode), as the explicit probe-scans are distinctly
       recognizable on the air.

       Format: boolean

       Valid values: true/yes/on, false/no/off

   802-11-wireless.mac-address
       Alias: mac

       If specified, this connection will only apply to the Wi-Fi device whose permanent MAC address matches. This property does not change the MAC address of the device (i.e. MAC
       spoofing).

       Format: MAC address

   802-11-wireless.mac-address-blacklist
       A list of permanent MAC addresses of Wi-Fi devices to which this connection should never apply. Each MAC address should be given in the standard hex-digits-and-colons notation (eg
       "00:11:22:33:44:55").

       Format: list of MAC addresses

   802-11-wireless.mac-address-denylist
       A list of permanent MAC addresses of Wi-Fi devices to which this connection should never apply. Each MAC address should be given in the standard hex-digits-and-colons notation (eg
       "00:11:22:33:44:55").

       Format: list of MAC addresses

   802-11-wireless.mac-address-randomization
       One of "default" (0) (never randomize unless the user has set a global default to randomize and the supplicant supports randomization), "never" (1) (never randomize the MAC
       address), or "always" (2) (always randomize the MAC address).

       This property is deprecated since version 1.4. Use the "cloned-mac-address" property instead.

       Format: choice (NMSettingMacRandomization)

       Valid values: default (0), never (1), always (2)

   802-11-wireless.mode
       Alias: mode

       Wi-Fi network mode; one of "infrastructure", "mesh", "adhoc" or "ap". If blank, infrastructure is assumed.

       Format: string

       Valid values: infrastructure, adhoc, ap, mesh

   802-11-wireless.mtu
       Alias: mtu

       If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple Ethernet frames.

       Format: integer

       Special values: auto

   802-11-wireless.powersave
       One of "disable" (2) (disable Wi-Fi power saving), "enable" (3) (enable Wi-Fi power saving), "ignore" (1) (don't touch currently configure setting) or "default" (0) (use the
       globally configured value). All other values are reserved.

       Format: choice (NMSettingWirelessPowersave)

       Valid values: default (0), ignore (1), disable (2), enable (3)

   802-11-wireless.seen-bssids
       A list of BSSIDs (each BSSID formatted as a MAC address like "00:11:22:33:44:55") that have been detected as part of the Wi-Fi network. NetworkManager internally tracks previously
       seen BSSIDs. The property is only meant for reading and reflects the BSSID list of NetworkManager. The changes you make to this property will not be preserved.

       This is not a regular property that the user would configure. Instead, NetworkManager automatically sets the seen BSSIDs and tracks them internally in
       "/var/lib/NetworkManager/seen-bssids" file.

       Format: read only

   802-11-wireless.ssid
       Alias: ssid

       SSID of the Wi-Fi network. Must be specified.

       Format: string

   802-11-wireless.wake-on-wlan
       The NMSettingWirelessWakeOnWLan options to enable. Not all devices support all options. May be any combination of "any" (0x2), "disconnect" (0x4), "magic" (0x8),
       "gtk-rekey-failure" (0x10), "eap-identity-request" (0x20), "4way-handshake" (0x40), "rfkill-release" (0x80), "tcp" (0x100) or the special values "default" (0x1) (to use global
       settings) and "ignore" (0x8000) (to disable management of Wake-on-LAN in NetworkManager).

       Format: flags (NMSettingWirelessWakeOnWLan)

       Valid values: any (0x2), disconnect (0x4), magic (0x8), gtk-rekey-failure (0x10), eap-identity-request (0x20), 4way-handshake (0x40), rfkill-release (0x80), tcp (0x100), all
       (0x1fe), default (0x1), ignore (0x8000)

802-11-wireless-security setting

   Alias: wifi-sec

   Wi-Fi Security Settings.

   Properties:

   802-11-wireless-security.auth-alg
       When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate the 802.11 authentication algorithm required by the AP here. One of "open" for Open System, "shared" for Shared
       Key, or "leap" for Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and auth-alg = "leap") the "leap-username" and "leap-password" properties must be specified.

       Format: string

       Valid values: open, shared, leap

   802-11-wireless-security.fils
       Indicates whether Fast Initial Link Setup (802.11ai) must be enabled for the connection. One of "default" (0) (use global default value), "disable" (1) (disable FILS), "optional"
       (2) (enable FILS if the supplicant and the access point support it) or "required" (3) (enable FILS and fail if not supported). When set to "default" (0) and no global default is
       set, FILS will be optionally enabled.

       Format: choice (NMSettingWirelessSecurityFils)

       Valid values: default (0), disable (1), optional (2), required (3)

   802-11-wireless-security.group
       A list of group/broadcast encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave
       this property empty. Each list element may be one of "wep40", "wep104", "tkip", or "ccmp".

       Format: list of strings

       Valid values: wep40, wep104, tkip, ccmp

   802-11-wireless-security.key-mgmt
       Key management used for the connection. One of "none" (WEP or no password protection), "ieee8021x" (Dynamic WEP), "owe" (Opportunistic Wireless Encryption), "wpa-psk" (WPA2 + WPA3
       personal), "sae" (WPA3 personal only), "wpa-eap" (WPA2 + WPA3 enterprise) or "wpa-eap-suite-b-192" (WPA3 enterprise only).

       This property must be set for any Wi-Fi connection that uses security.

       Format: string

       Valid values: none, ieee8021x, wpa-psk, wpa-eap, wpa-eap-suite-b-192, sae, owe

   802-11-wireless-security.leap-password
       The login password for legacy LEAP connections (ie, key-mgmt = "ieee8021x" and auth-alg = "leap").

       Format: string

   802-11-wireless-security.leap-password-flags
       Flags indicating how to handle the "leap-password" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-11-wireless-security.leap-username
       The login username for legacy LEAP connections (ie, key-mgmt = "ieee8021x" and auth-alg = "leap").

       Format: string

   802-11-wireless-security.pairwise
       A list of pairwise encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this
       property empty. Each list element may be one of "tkip" or "ccmp".

       Format: list of strings

       Valid values: tkip, ccmp

   802-11-wireless-security.pmf
       Indicates whether Protected Management Frames (802.11w) must be enabled for the connection. One of "default" (0) (use global default value), "disable" (1) (disable PMF),
       "optional" (2) (enable PMF if the supplicant and the access point support it) or "required" (3) (enable PMF and fail if not supported). When set to "default" (0) and no global
       default is set, PMF will be optionally enabled.

       Format: choice (NMSettingWirelessSecurityPmf)

       Valid values: default (0), disable (1), optional (2), required (3)

   802-11-wireless-security.proto
       List of strings specifying the allowed WPA protocol versions to use. Each element may be one "wpa" (allow WPA) or "rsn" (allow WPA2/RSN). If not specified, both WPA and RSN
       connections are allowed.

       Format: list of strings

       Valid values: wpa, rsn

   802-11-wireless-security.psk
       Pre-Shared-Key for WPA networks. For WPA-PSK, it's either an ASCII passphrase of 8 to 63 characters that is (as specified in the 802.11i standard) hashed to derive the actual key,
       or the key in form of 64 hexadecimal character. The WPA3-Personal networks use a passphrase of any length for SAE authentication.

       Format: string

   802-11-wireless-security.psk-flags
       Flags indicating how to handle the "psk" property.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-11-wireless-security.wep-key-flags
       Flags indicating how to handle the "wep-key0", "wep-key1", "wep-key2", and "wep-key3" properties.

       Format: flags (NMSettingSecretFlags)

       Valid values: none (0x0), agent-owned (0x1), not-saved (0x2), not-required (0x4)

   802-11-wireless-security.wep-key-type
       Controls the interpretation of WEP keys. Allowed values are "key" (1), in which case the key is either a 10- or 26-character hexadecimal string, or a 5- or 13-character ASCII
       password; or "passphrase" (2), in which case the passphrase is provided as a string and will be hashed using the de-facto MD5 method to derive the actual WEP key.

       Format: choice (NMWepKeyType)

       Valid values: unknown (0), key (1), passphrase (2)

   802-11-wireless-security.wep-key0
       Index 0 WEP key. This is the WEP key used in most networks. See the "wep-key-type" property for a description of how this key is interpreted.

       Format: string

   802-11-wireless-security.wep-key1
       Index 1 WEP key. This WEP index is not used by most networks. See the "wep-key-type" property for a description of how this key is interpreted.

       Format: string

   802-11-wireless-security.wep-key2
       Index 2 WEP key. This WEP index is not used by most networks. See the "wep-key-type" property for a description of how this key is interpreted.

       Format: string

   802-11-wireless-security.wep-key3
       Index 3 WEP key. This WEP index is not used by most networks. See the "wep-key-type" property for a description of how this key is interpreted.

       Format: string

   802-11-wireless-security.wep-tx-keyidx
       When static WEP is used (ie, key-mgmt = "none") and a non-default WEP key index is used by the AP, put that WEP key index here. Valid values are 0 (default key) through 3. Note
       that some consumer access points (like the Linksys WRT54G) number the keys 1 - 4.

       Format: integer

       Valid values: 0 - 3

   802-11-wireless-security.wps-method
       Flags indicating which mode of WPS is to be used if any.

       There's little point in changing the default setting as NetworkManager will automatically determine whether it's feasible to start WPS enrollment from the Access Point
       capabilities.

       WPS can be disabled by setting this property to a value of 1.

       Format: flags (NMSettingWirelessSecurityWpsMethod)

       Valid values: default (0x0), disabled (0x1), auto (0x2), pbc (0x4), pin (0x8)

wpan setting

   IEEE 802.15.4 (WPAN) MAC Settings.

   Properties:

   wpan.channel
       Alias: channel

       IEEE 802.15.4 channel. A positive integer or -1, meaning "do not set, use whatever the device is already set to".

       Format: integer

       Valid values: -32768 - 32767

       Special values: default (-1)

   wpan.mac-address
       Alias: mac

       If specified, this connection will only apply to the IEEE 802.15.4 (WPAN) MAC layer device whose permanent MAC address matches.

       Format: WPAN MAC address

   wpan.page
       Alias: page

       IEEE 802.15.4 channel page. A positive integer or -1, meaning "do not set, use whatever the device is already set to".

       Format: integer

       Valid values: -32768 - 32767

       Special values: default (-1)

   wpan.pan-id
       Alias: pan-id

       IEEE 802.15.4 Personal Area Network (PAN) identifier.

       Format: integer

       Valid values: 0 - 65535

       Special values: unset (0xffff)

   wpan.short-address
       Alias: short-addr

       Short IEEE 802.15.4 address to be used within a restricted environment.

       Format: integer

       Valid values: 0 - 65535

       Special values: unset (0xffff)

bond-port setting

   Bond Port Settings.

   Properties:

   bond-port.prio
       Alias: prio

       The port priority for bond active port re-selection during failover. A higher number means a higher priority in selection. The primary port has the highest priority. This option
       is only compatible with active-backup, balance-tlb and balance-alb modes.

       Format: integer

       Valid values: -2147483648 - 2147483647

   bond-port.queue-id
       Alias: queue-id

       The queue ID of this bond port. The maximum value of queue ID is the number of TX queues currently active in device.

       Format: integer

       Valid values: 0 - 65535

hostname setting

   Hostname settings.

   Properties:

   hostname.from-dhcp
       Whether the system hostname can be determined from DHCP on this connection.

       When set to "default" (-1), the value from global configuration is used. If the property doesn't have a value in the global configuration, NetworkManager assumes the value to be
       "true" (1).

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   hostname.from-dns-lookup
       Whether the system hostname can be determined from reverse DNS lookup of addresses on this device.

       When set to "default" (-1), the value from global configuration is used. If the property doesn't have a value in the global configuration, NetworkManager assumes the value to be
       "true" (1).

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   hostname.only-from-default
       If set to "true" (1), NetworkManager attempts to get the hostname via DHCPv4/DHCPv6 or reverse DNS lookup on this device only when the device has the default route for the given
       address family (IPv4/IPv6).

       If set to "false" (0), the hostname can be set from this device even if it doesn't have the default route.

       When set to "default" (-1), the value from global configuration is used. If the property doesn't have a value in the global configuration, NetworkManager assumes the value to be
       "false" (0).

       Format: ternary

       Valid values: true/yes/on, false/no/off, default/unknown

   hostname.priority
       The relative priority of this connection to determine the system hostname. A lower numerical value is better (higher priority). A connection with higher priority is considered
       before connections with lower priority.

       If the value is zero, it can be overridden by a global value from NetworkManager configuration. If the property doesn't have a value in the global configuration, the value is
       assumed to be 100.

       Negative values have the special effect of excluding other connections with a greater numerical priority value; so in presence of at least one negative priority, only connections
       with the lowest priority value will be used to determine the hostname.

       Format: integer

       Valid values: -2147483648 - 2147483647

link setting

   Link settings.

   Properties:

   link.gro-max-size
       The maximum size of a packet built by the Generic Receive Offload stack for this device. The value must be between 0 and 4294967295. When set to -1, the existing value is
       preserved.

       Format: integer

       Valid values: -1 - 4294967295

       Special values: default (-1)

   link.gso-max-segments
       The maximum segments of a Generic Segment Offload packet the device should accept. The value must be between 0 and 4294967295. When set to -1, the existing value is preserved.

       Format: integer

       Valid values: -1 - 4294967295

       Special values: default (-1)

   link.gso-max-size
       The maximum size of a Generic Segment Offload packet the device should accept. The value must be between 0 and 4294967295. When set to -1, the existing value is preserved.

       Format: integer

       Valid values: -1 - 4294967295

       Special values: default (-1)

   link.tx-queue-length
       The size of the transmit queue for the device, in number of packets. The value must be between 0 and 4294967295. When set to -1, the existing value is preserved.

       Format: integer

       Valid values: -1 - 4294967295

       Special values: default (-1)

loopback setting

   Loopback Link Settings.

   Properties:

   loopback.mtu
       Alias: mtu

       If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple Ethernet frames.

       Format: integer

       Special values: auto

veth setting

   Veth Settings.

   Properties:

   veth.peer
       Alias: peer

       This property specifies the peer interface name of the veth. This property is mandatory.

       Format: string

Secret flag types:

   Each password or secret property in a setting has an associated flags property that describes how to handle that secret. The flags property is a bitfield that contains zero or more of
   the following values logically OR-ed together.

      0x0 (none) - the system is responsible for providing and storing this secret. This may be required so that secrets are already available before the user logs in. It also commonly
       means that the secret will be stored in plain text on disk, accessible to root only. For example via the keyfile settings plugin as described in the "PLUGINS" section in
       NetworkManager.conf(5).

      0x1 (agent-owned) - a user-session secret agent is responsible for providing and storing this secret; when it is required, agents will be asked to provide it.

      0x2 (not-saved) - this secret should not be saved but should be requested from the user each time it is required. This flag should be used for One-Time-Pad secrets, PIN codes from
       hardware tokens, or if the user simply does not want to save the secret.

      0x4 (not-required) - in some situations it cannot be automatically determined that a secret is required or not. This flag hints that the secret is not required and should not be
       requested from the user.

FILES

   /etc/NetworkManager/system-connections or distro plugin-specific location

SEE ALSO

   nmcli(1), nmcli-examples(7), NetworkManager(8), nm-settings-dbus(5), nm-settings-keyfile(5), NetworkManager.conf(5)

NetworkManager 1.52.1 NM-SETTINGS-NMCLI(5)