nm-settings-dbus

NM-SETTINGS-DBUS(5) Configuration NM-SETTINGS-DBUS(5)

NAME

   nm-settings-dbus - Description of settings and properties of NetworkManager connection profiles on the D-Bus API

DESCRIPTION

   NetworkManager is based on a concept of connection profiles, sometimes referred to as connections only. These connection profiles contain a network configuration. When NetworkManager
   activates a connection profile on a network device the configuration will be applied and an active network connection will be established. Users are free to create as many connection
   profiles as they see fit. Thus they are flexible in having various network configurations for different networking needs. The connection profiles are handled by NetworkManager via
   settings service and are exported on D-Bus (/org/freedesktop/NetworkManager/Settings/<num> objects). The conceptual objects can be described as follows:

   Connection (profile)
       A specific, encapsulated, independent group of settings describing all the configuration required to connect to a specific network. It is referred to by a unique identifier called
       the UUID. A connection is tied to a one specific device type, but not necessarily a specific hardware device. It is composed of one or more Settings objects.

   Setting
       A group of related key/value pairs describing a specific piece of a Connection (profile). Settings keys and allowed values are described in the tables below. Keys are also
       referred to as properties. Developers can find the setting objects and their properties in the libnm-core sources. Look for the *_class_init functions near the bottom of each
       setting source file.

   The settings and properties shown in tables below list all available connection configuration options. However, note that not all settings are applicable to all connection types.
   NetworkManager provides a command-line tool nmcli that allows direct configuration of the settings and properties according to a connection profile type.  nmcli connection editor has
   also a built-in describe command that can display description of particular settings and properties of this page.

connection setting

   General Connection Profile Settings.
   
    Key Name                       Value Type                            Default Value  Value Description                      
   
    auth-retries                   int32                                 -1             The number of retries for the          
                                                                                        authentication. Zero means to try      
                                                                                        indefinitely; -1 means to use a global 
                                                                                        default. If the global default is not  
                                                                                        set, the authentication retries for 3  
                                                                                        times before failing the connection.   
                                                                                                                               
                                                                                        Currently, this only applies to 802-1x 
                                                                                        authentication.                        
   
    autoconnect                    boolean                               TRUE           Whether or not the connection should   
                                                                                        be automatically connected by          
                                                                                        NetworkManager when the resources for  
                                                                                        the connection are available. TRUE to  
                                                                                        automatically activate the connection, 
                                                                                        FALSE to require manual intervention   
                                                                                        to activate the connection.            
                                                                                                                               
                                                                                        Autoconnect happens when the           
                                                                                        circumstances are suitable. That means 
                                                                                        for example that the device is         
                                                                                        currently managed and not active.      
                                                                                        Autoconnect thus never replaces or     
                                                                                        competes with an already active        
                                                                                        profile.                               
                                                                                                                               
                                                                                        Note that autoconnect is not           
                                                                                        implemented for VPN profiles. See      
                                                                                        "secondaries" as an alternative to     
                                                                                        automatically connect VPN profiles.    
                                                                                                                               
                                                                                        If multiple profiles are ready to      
                                                                                        autoconnect on the same device, the    
                                                                                        one with the better                    
                                                                                        "connection.autoconnect-priority" is   
                                                                                        chosen. If the priorities are equal,   
                                                                                        then the most recently connected       
                                                                                        profile is activated. If the profiles  
                                                                                        were not connected earlier or their    
                                                                                        "connection.timestamp" is identical,   
                                                                                        the choice is undefined.               
                                                                                                                               
                                                                                        Depending on                           
                                                                                        "connection.multi-connect", a profile  
                                                                                        can (auto)connect only once at a time  
                                                                                        or multiple times.                     
   
    autoconnect-ports              int32                                 -1             Whether or not ports of this           
                                                                                        connection should be automatically     
                                                                                        brought up when NetworkManager         
                                                                                        activates this connection. This only   
                                                                                        has a real effect for controller       
                                                                                        connections. The properties            
                                                                                        "autoconnect", "autoconnect-priority"  
                                                                                        and "autoconnect-retries" are          
                                                                                        unrelated to this setting. The         
                                                                                        permitted values are: 0: leave port    
                                                                                        connections untouched, 1: activate all 
                                                                                        the port connections with this         
                                                                                        connection, -1: default. If -1         
                                                                                        (default) is set, global               
                                                                                        connection.autoconnect-ports is read   
                                                                                        to determine the real value. If it is  
                                                                                        default as well, this fallbacks to 0.  
   
    autoconnect-priority           int32                                 0              The autoconnect priority in range -999 
                                                                                        to 999. If the connection is set to    
                                                                                        autoconnect, connections with higher   
                                                                                        priority will be preferred. The higher 
                                                                                        number means higher priority. Defaults 
                                                                                        to 0. Note that this property only     
                                                                                        matters if there are more than one     
                                                                                        candidate profile to select for        
                                                                                        autoconnect. In case of equal          
                                                                                        priority, the profile used most        
                                                                                        recently is chosen.                    
   
    autoconnect-retries            int32                                 -1             The number of times a connection       
                                                                                        should be tried when autoactivating    
                                                                                        before giving up. Zero means forever,  
                                                                                        -1 means the global default (4 times   
                                                                                        if not overridden). Setting this to 1  
                                                                                        means to try activation only once      
                                                                                        before blocking autoconnect. Note that 
                                                                                        after a timeout, NetworkManager will   
                                                                                        try to autoconnect again.              
   
    autoconnect-slaves             NMSettingConnectionAutoconnectSlaves                 Whether or not ports of this           
                                   (int32)                                              connection should be automatically     
                                                                                        brought up when NetworkManager         
                                                                                        activates this connection. This only   
                                                                                        has a real effect for controller       
                                                                                        connections. The properties            
                                                                                        "autoconnect", "autoconnect-priority"  
                                                                                        and "autoconnect-retries" are          
                                                                                        unrelated to this setting. The         
                                                                                        permitted values are: 0: leave port    
                                                                                        connections untouched, 1: activate all 
                                                                                        the port connections with this         
                                                                                        connection, -1: default. If -1         
                                                                                        (default) is set, global               
                                                                                        connection.autoconnect-slaves is read  
                                                                                        to determine the real value. If it is  
                                                                                        default as well, this fallbacks to 0.  
                                                                                                                               
                                                                                        Deprecated 1.46. Use                   
                                                                                        "autoconnect-ports" instead, this is   
                                                                                        just an alias.                         
   
    controller                     string                                               Interface name of the controller       
                                                                                        device or UUID of the controller       
                                                                                        connection.                            
   
    dns-over-tls                   int32                                 -1             Whether DNSOverTls (dns-over-tls) is   
                                                                                        enabled for the connection. DNSOverTls 
                                                                                        is a technology which uses TLS to      
                                                                                        encrypt dns traffic.                   
                                                                                                                               
                                                                                        The permitted values are: "yes" (2)    
                                                                                        use DNSOverTls and disabled fallback,  
                                                                                        "opportunistic" (1) use DNSOverTls but 
                                                                                        allow fallback to unencrypted          
                                                                                        resolution, "no" (0) don't ever use    │
   │                               │                                      │               │ DNSOverTls. If unspecified "default"   │
   │                               │                                      │               │ depends on the plugin used.            │
   │                               │                                      │               │ Systemd-resolved uses global setting.  │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ This feature requires a plugin which   │
   │                               │                                      │               │ supports DNSOverTls. Otherwise, the    │
   │                               │                                      │               │ setting has no effect. One such plugin │
   │                               │                                      │               │ is dns-systemd-resolved.               │
   ├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ down-on-poweroff              │ int32                                │ -1            │ Whether the connection will be brought │
   │                               │                                      │               │ down before the system is powered off. │
   │                               │                                      │               │ The default value is -1 (default).     │
   │                               │                                      │               │ When the default value is specified,   │
   │                               │                                      │               │ then the global value from             │
   │                               │                                      │               │ NetworkManager configuration is looked │
   │                               │                                      │               │ up, if not set, it is considered as 0  │
   │                               │                                      │               │ (no).                                  │
   ├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ gateway-ping-timeout          │ uint32                               │ 0             │ If greater than zero, delay success of │
   │                               │                                      │               │ IP addressing until either the timeout │
   │                               │                                      │               │ is reached, or an IP gateway replies   │
   │                               │                                      │               │ to a ping.                             │
   ├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ id                            │ string                               │               │ A human readable unique identifier for │
   │                               │                                      │               │ the connection, like "Work Wi-Fi" or   │
   │                               │                                      │               │ "T-Mobile 3G".                         │
   ├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ interface-name                │ string                               │               │ The name of the network interface this │
   │                               │                                      │               │ connection is bound to. If not set,    │
   │                               │                                      │               │ then the connection can be attached to │
   │                               │                                      │               │ any interface of the appropriate type  │
   │                               │                                      │               │ (subject to restrictions imposed by    │
   │                               │                                      │               │ other settings).                       │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ For software devices this specifies    │
   │                               │                                      │               │ the name of the created device.        │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ For connection types where interface   │
   │                               │                                      │               │ names cannot easily be made persistent │
   │                               │                                      │               │ (e.g. mobile broadband or USB          │
   │                               │                                      │               │ Ethernet), this property should not be │
   │                               │                                      │               │ used. Setting this property restricts  │
   │                               │                                      │               │ the interfaces a connection can be     │
   │                               │                                      │               │ used with, and if interface names      │
   │                               │                                      │               │ change or are reordered the connection │
   │                               │                                      │               │ may be applied to the wrong interface. │
   ├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ ip-ping-addresses             │ array of string                      │               │ The property specifies a list of       │
   │                               │                                      │               │ target IP addresses for pinging. When  │
   │                               │                                      │               │ multiple targets are set,              │
   │                               │                                      │               │ NetworkManager will start multiple     │
   │                               │                                      │               │ ping processes in parallel. This       │
   │                               │                                      │               │ property can only be set if            │
   │                               │                                      │               │ connection.ip-ping-timeout is set. The │
   │                               │                                      │               │ ip-ping-timeout is used to delay the   │
   │                               │                                      │               │ success of IP addressing until either  │
   │                               │                                      │               │ the specified timeout (in seconds) is  │
   │                               │                                      │               │ reached, or an target IP address       │
   │                               │                                      │               │ replies to a ping. Configuring         │
   │                               │                                      │               │ "ip-ping-addresses" may delay reaching │
   │                               │                                      │               │ the systemd's network-online.target    
                                                                                        due to waiting for the ping operations 
                                                                                        to complete or timeout.                
   
    ip-ping-addresses-require-all  int32                                 -1             The property determines whether it is  
                                                                                        sufficient for any ping check to       
                                                                                        succeed among "ip-ping-addresses", or  
                                                                                        if all ping checks must succeed for    
                                                                                        "ip-ping-addresses".                   
   
    ip-ping-timeout                uint32                                0              If greater than zero, delay success of 
                                                                                        IP addressing until either the         
                                                                                        specified timeout (in seconds) is      
                                                                                        reached, or a target IP address        
                                                                                        replies to a ping. The property        
                                                                                        specifies the timeout for the          
                                                                                        "ip-ping-addresses". This property is  
                                                                                        incompatible with                      
                                                                                        "gateway-ping-timeout", you cannot set 
                                                                                        these two properties at the same time. 
   
    lldp                           int32                                 -1             Whether LLDP is enabled for the        
                                                                                        connection.                            
   
    llmnr                          int32                                 -1             Whether Link-Local Multicast Name      
                                                                                        Resolution (LLMNR) is enabled for the  
                                                                                        connection. LLMNR is a protocol based  
                                                                                        on the Domain Name System (DNS) packet 
                                                                                        format that allows both IPv4 and IPv6  
                                                                                        hosts to perform name resolution for   
                                                                                        hosts on the same local link.          
                                                                                                                               
                                                                                        The permitted values are: "yes" (2)    
                                                                                        register hostname and resolving for    
                                                                                        the connection, "no" (0) disable LLMNR 
                                                                                        for the interface, "resolve" (1) do    
                                                                                        not register hostname but allow        
                                                                                        resolving of LLMNR host names If       
                                                                                        unspecified, "default" ultimately      
                                                                                        depends on the DNS plugin (which for   
                                                                                        systemd-resolved currently means       
                                                                                        "yes").                                
                                                                                                                               
                                                                                        This feature requires a plugin which   
                                                                                        supports LLMNR. Otherwise, the setting 
                                                                                        has no effect. One such plugin is      
                                                                                        dns-systemd-resolved.                  
   
    master                         string                                               Interface name of the controller       
                                                                                        device or UUID of the controller       
                                                                                        connection.                            
                                                                                                                               
                                                                                        Deprecated 1.46. Use "controller"      
                                                                                        instead, this is just an alias.        
   
    mdns                           int32                                 -1             Whether mDNS is enabled for the        
                                                                                        connection.                            
                                                                                                                               
                                                                                        The permitted values are: "yes" (2)    
                                                                                        register hostname and resolving for    
                                                                                        the connection, "no" (0) disable mDNS  
                                                                                        for the interface, "resolve" (1) do    
                                                                                        not register hostname but allow        
                                                                                        resolving of mDNS host names and       
                                                                                        "default" (-1) to allow lookup of a    
                                                                                        global default in NetworkManager.conf. 
                                                                                        If unspecified, "default" ultimately   
                                                                                        depends on the DNS plugin.             
                                                                                                                               
                                                                                        This feature requires a plugin which   
                                                                                        supports mDNS. Otherwise, the setting  
                                                                                        has no effect. Currently the only      
                                                                                        supported DNS plugin is                
                                                                                        systemd-resolved. For                  
                                                                                        systemd-resolved, the default is       
                                                                                        configurable via MulticastDNS= setting 
                                                                                        in resolved.conf.                      
   
    metered                        NMMetered (int32)                                    Whether the connection is metered.     
                                                                                                                               
                                                                                        When updating this property on a       
                                                                                        currently activated connection, the    
                                                                                        change takes effect immediately.       
   
    mptcp-flags                    uint32                                0              Whether to configure MPTCP endpoints   
                                                                                        and the address flags. If MPTCP is     
                                                                                        enabled in NetworkManager, it will     
                                                                                        configure the addresses of the         
                                                                                        interface as MPTCP endpoints. Note     
                                                                                        that IPv4 loopback addresses           
                                                                                        (127.0.0.0/8), IPv4 link local         
                                                                                        addresses (169.254.0.0/16), the IPv6   
                                                                                        loopback address (::1), IPv6 link      
                                                                                        local addresses (fe80::/10), IPv6      
                                                                                        unique local addresses (ULA, fc00::/7) 
                                                                                        and IPv6 privacy extension addresses   
                                                                                        (rfc3041, ipv6.ip6-privacy) will be    
                                                                                        excluded from being configured as      
                                                                                        endpoints.                             
                                                                                                                               
                                                                                        If "disabled" (0x1), MPTCP handling    
                                                                                        for the interface is disabled and no   
                                                                                        endpoints are registered.              
                                                                                                                               
                                                                                        The "enabled" (0x2) flag means that    
                                                                                        MPTCP handling is enabled. This flag   
                                                                                        can also be implied from the presence  
                                                                                        of other flags.                        
                                                                                                                               
                                                                                        Even when enabled, MPTCP handling will 
                                                                                        by default still be disabled unless    
                                                                                        "/proc/sys/net/mptcp/enabled" sysctl   
                                                                                        is on. NetworkManager does not change  
                                                                                        the sysctl and this is up to the       
                                                                                        administrator or distribution. To      
                                                                                        configure endpoints even if the sysctl 
                                                                                        is disabled, "also-without-sysctl"     
                                                                                        (0x4) flag can be used. In that case,  
                                                                                        NetworkManager doesn't look at the     │
   │                               │                                      │               │ sysctl and configures endpoints        │
   │                               │                                      │               │ regardless.                            │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ Even when enabled, NetworkManager will │
   │                               │                                      │               │ only configure MPTCP endpoints for a   │
   │                               │                                      │               │ certain address family, if there is a  │
   │                               │                                      │               │ unicast default route (0.0.0.0/0 or    │
   │                               │                                      │               │ ::/0) in the main routing table. The   │
   │                               │                                      │               │ flag "also-without-default-route"      │
   │                               │                                      │               │ (0x8) can override that.               │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ When MPTCP handling is enabled then    │
   │                               │                                      │               │ endpoints are configured with the      │
   │                               │                                      │               │ specified address flags "signal"       │
   │                               │                                      │               │ (0x10), "subflow" (0x20), "backup"     │
   │                               │                                      │               │ (0x40), "fullmesh" (0x80). See         │
   │                               │                                      │               │ ip-mptcp(8) manual for additional      │
   │                               │                                      │               │ information about the flags.           │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ If the flags are zero (0x0), the       │
   │                               │                                      │               │ global connection default from         │
   │                               │                                      │               │ NetworkManager.conf is honored. If     │
   │                               │                                      │               │ still unspecified, the fallback is     │
   │                               │                                      │               │ "enabled,subflow". Note that this      │
   │                               │                                      │               │ means that MPTCP is by default done    │
   │                               │                                      │               │ depending on the                       │
   │                               │                                      │               │ "/proc/sys/net/mptcp/enabled" sysctl.  │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ NetworkManager does not change the     │
   │                               │                                      │               │ MPTCP limits nor enable MPTCP via      │
   │                               │                                      │               │ "/proc/sys/net/mptcp/enabled". That is │
   │                               │                                      │               │ a host configuration which the admin   │
   │                               │                                      │               │ can change via sysctl and ip-mptcp.    │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ Strict reverse path filtering          │
   │                               │                                      │               │ (rp_filter) breaks many MPTCP use      │
   │                               │                                      │               │ cases, so when MPTCP handling for IPv4 │
   │                               │                                      │               │ addresses on the interface is enabled, │
   │                               │                                      │               │ NetworkManager would loosen the strict │
   │                               │                                      │               │ reverse path filtering (1) to the      │
   │                               │                                      │               │ loose setting (2).                     │
   ├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ mud-url                       │ string                               │               │ If configured, set to a Manufacturer   │
   │                               │                                      │               │ Usage Description (MUD) URL that       │
   │                               │                                      │               │ points to manufacturer-recommended     │
   │                               │                                      │               │ network policies for IoT devices. It   │
   │                               │                                      │               │ is transmitted as a DHCPv4 or DHCPv6   │
   │                               │                                      │               │ option. The value must be a valid URL  │
   │                               │                                      │               │ starting with "https://".              │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ The special value "none" is allowed to │
   │                               │                                      │               │ indicate that no MUD URL is used.      │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ If the per-profile value is            │
   │                               │                                      │               │ unspecified (the default), a global    │
   │                               │                                      │               │ connection default gets consulted. If  │
   │                               │                                      │               │ still unspecified, the ultimate        │
   │                               │                                      │               │ default is "none".                     │
   ├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ multi-connect                 │ int32                                │ 0             │ Specifies whether the profile can be   │
   │                               │                                      │               │ active multiple times at a particular  │
   │                               │                                      │               │ moment. The value is of type           │
   │                               │                                      │               │ NMConnectionMultiConnect.              │
   ├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ permissions                   │ array of string                      │               │ An array of strings defining what      │
   │                               │                                      │               │ access a given user has to this        │
   │                               │                                      │               │ connection.  If this is NULL or empty, │
   │                               │                                      │               │ all users are allowed to access this   │
   │                               │                                      │               │ connection; otherwise users are        │
   │                               │                                      │               │ allowed if and only if they are in     │
   │                               │                                      │               │ this list.  When this is not empty,    │
   │                               │                                      │               │ the connection can be active only when │
   │                               │                                      │               │ one of the specified users is logged   │
   │                               │                                      │               │ into an active session.  Each entry is │
   │                               │                                      │               │ of the form "[type]:[id]:[reserved]";  │
   │                               │                                      │               │ for example, "user:dcbw:blah".         │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ At this time only the "user" [type] is │
   │                               │                                      │               │ allowed.  Any other values are ignored │
   │                               │                                      │               │ and reserved for future use.  [id] is  │
   │                               │                                      │               │ the username that this permission      │
   │                               │                                      │               │ refers to, which may not contain the   │
   │                               │                                      │               │ ":" character. Any [reserved]          │
   │                               │                                      │               │ information present must be ignored    │
   │                               │                                      │               │ and is reserved for future use.  All   │
   │                               │                                      │               │ of [type], [id], and [reserved] must   │
   │                               │                                      │               │ be valid UTF-8.                        │
   ├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ port-type                     │ string                               │               │ Setting name of the device type of     │
   │                               │                                      │               │ this port's controller connection (eg, 
                                                                                        "bond"), or NULL if this connection is 
                                                                                        not a port.                            
   
    read-only                      boolean                               FALSE          This property is deprecated and has no 
                                                                                        meaning.                               
                                                                                                                               
                                                                                        This property is deprecated since      
                                                                                        version 1.44.This property is          
                                                                                        deprecated and has no meaning.         
   
    secondaries                    array of string                                      List of connection UUIDs that should   
                                                                                        be activated when the base connection  
                                                                                        itself is activated. Currently, only   
                                                                                        VPN connections are supported.         
   
    slave-type                     string                                               Setting name of the device type of     
                                                                                        this port's controller connection (eg, │
   │                               │                                      │               │ "bond"), or NULL if this connection is │
   │                               │                                      │               │ not a port.                            │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ Deprecated 1.46. Use "port-type"       │
   │                               │                                      │               │ instead, this is just an alias.        │
   ├───────────────────────────────┼──────────────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ stable-id                     │ string                               │               │ This represents the identity of the    │
   │                               │                                      │               │ connection used for various purposes.  │
   │                               │                                      │               │ It allows to configure multiple        │
   │                               │                                      │               │ profiles to share the identity. Also,  │
   │                               │                                      │               │ the stable-id can contain placeholders │
   │                               │                                      │               │ that are substituted dynamically and   │
   │                               │                                      │               │ deterministically depending on the     │
   │                               │                                      │               │ context.                               │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ The stable-id is used for generating   │
   │                               │                                      │               │ IPv6 stable private addresses with     │
   │                               │                                      │               │ ipv6.addr-gen-mode=stable-privacy. It  │
   │                               │                                      │               │ is also used to seed the generated     │
   │                               │                                      │               │ cloned MAC address for                 │
   │                               │                                      │               │ ethernet.cloned-mac-address=stable and │
   │                               │                                      │               │ wifi.cloned-mac-address=stable. It is  │
   │                               │                                      │               │ also used to derive the DHCP client    │
   │                               │                                      │               │ identifier with                        │
   │                               │                                      │               │ ipv4.dhcp-client-id=stable, the DHCPv6 │
   │                               │                                      │               │ DUID with                              │
   │                               │                                      │               │ ipv6.dhcp-duid=stable-[llt,ll,uuid]    │
   │                               │                                      │               │ and the DHCP IAID with                 │
   │                               │                                      │               │ ipv4.iaid=stable and ipv6.iaid=stable. │
   │                               │                                      │               │                                        │
   │                               │                                      │               │ Note that depending on the context     │
   │                               │                                      │               │ where it is used, other parameters are │
   │                               │                                      │               │ also seeded into the generation        │
   │                               │                                      │               │ algorithm. For example, a per-host key │
   │                               │                                      │               │ is commonly also included, so that     │
   │                               │                                      │               │ different systems end up generating    │
   │                               │                                      │               │ different IDs. Or with                 │
   │                               │                                      │               │ ipv6.addr-gen-mode=stable-privacy,     │
   │                               │                                      │               │ also the device's name is included, so 
                                                                                        that different interfaces yield        
                                                                                        different addresses. The per-host key  
                                                                                        is the identity of your machine and    
                                                                                        stored in                              
                                                                                        /var/lib/NetworkManager/secret_key.    
                                                                                        See NetworkManager(8) manual about the 
                                                                                        secret-key and the host identity.      
                                                                                                                               
                                                                                        The '$' character is treated special   
                                                                                        to perform dynamic substitutions at    
                                                                                        activation time. Currently, supported  
                                                                                        are "${CONNECTION}", "${DEVICE}",      
                                                                                        "${MAC}", "${NETWORK_SSID}",           
                                                                                        "${BOOT}", "${RANDOM}".  These         
                                                                                        effectively create unique IDs          
                                                                                        per-connection, per-device, per-SSID,  
                                                                                        per-boot, or every time.  The          
                                                                                        "${CONNECTION}" uses the profile's     │
   │                               │                                      │               │ connection.uuid, the "${DEVICE}" uses  │
   │                               │                                      │               │ the interface name of the device and   │
   │                               │                                      │               │ "${MAC}" the permanent MAC address of  │
   │                               │                                      │               │ the device. "${NETWORK_SSID}" uses the │
   │                               │                                      │               │ SSID for Wi-Fi networks and falls back │
   │                               │                                      │               │ to "${CONNECTION}" on other networks.  │
   │                               │                                      │               │ Any unrecognized patterns following    │
   │                               │                                      │               │ '$' are treated verbatim, however are  │
   │                               │                                      │               │ reserved for future use. You are thus  │
   │                               │                                      │               │ advised to avoid '$' or escape it as   
                                                                                        "$$".  For example, set it to          
                                                                                        "${CONNECTION}-${BOOT}-${DEVICE}" to   
                                                                                        create a unique id for this connection 
                                                                                        that changes with every reboot and     
                                                                                        differs depending on the interface     
                                                                                        where the profile activates.           
                                                                                                                               
                                                                                        If the value is unset, a global        
                                                                                        connection default is consulted. If    
                                                                                        the value is still unset, the default  
                                                                                        is "default${CONNECTION}" go generate  
                                                                                        an ID unique per connection profile.   
   
    timestamp                      uint64                                0              The time, in seconds since the Unix    
                                                                                        Epoch, that the connection was last    
                                                                                        _successfully_ fully activated.        
                                                                                                                               
                                                                                        NetworkManager updates the connection  
                                                                                        timestamp periodically when the        
                                                                                        connection is active to ensure that an 
                                                                                        active connection has the latest       
                                                                                        timestamp. The property is only meant  
                                                                                        for reading (changes to this property  
                                                                                        will not be preserved).                
   
    type                           string                                               Base type of the connection. For       
                                                                                        hardware-dependent connections, should 
                                                                                        contain the setting name of the        
                                                                                        hardware-type specific setting (ie,    
                                                                                        "802-3-ethernet" or "802-11-wireless"  
                                                                                        or "bluetooth", etc), and for          
                                                                                        non-hardware dependent connections     
                                                                                        like VPN or otherwise, should contain  
                                                                                        the setting name of that setting type  
                                                                                        (ie, "vpn" or "bridge", etc).          
   
    uuid                           string                                               A universally unique identifier for    
                                                                                        the connection, for example generated  
                                                                                        with libuuid.  It should be assigned   
                                                                                        when the connection is created, and    
                                                                                        never changed as long as the           
                                                                                        connection still applies to the same   
                                                                                        network.  For example, it should not   
                                                                                        be changed when the "id" property or   
                                                                                        NMSettingIP4Config changes, but might  
                                                                                        need to be re-created when the Wi-Fi   
                                                                                        SSID, mobile broadband network         
                                                                                        provider, or "type" property changes.  
                                                                                                                               
                                                                                        The UUID must be in the format         
                                                                                        "2815492f-7e56-435e-b2e9-246bd7cdc664" 
                                                                                        (ie, contains only hexadecimal         
                                                                                        characters and "-").                   
   
    wait-activation-delay          int32                                 -1             Time in milliseconds to wait for       
                                                                                        connection to be considered activated. 
                                                                                        The wait will start after the pre-up   
                                                                                        dispatcher event.                      
                                                                                                                               
                                                                                        The value 0 means no wait time. The    
                                                                                        default value is -1, which currently   
                                                                                        has the same meaning as no wait time.  
   
    wait-device-timeout            int32                                 -1             Timeout in milliseconds to wait for    
                                                                                        device at startup. During boot,        
                                                                                        devices may take a while to be         
                                                                                        detected by the driver. This property  
                                                                                        will cause to delay                    
                                                                                        NetworkManager-wait-online.service and 
                                                                                        nm-online to give the device a chance  
                                                                                        to appear. This works by waiting for   
                                                                                        the given timeout until a compatible   
                                                                                        device for the profile is available    
                                                                                        and managed.                           
                                                                                                                               
                                                                                        The value 0 means no wait time. The    
                                                                                        default value is -1, which currently   
                                                                                        has the same meaning as no wait time.  
   
    zone                           string                                               The trust level of a the connection.   
                                                                                        Free form case-insensitive string (for 
                                                                                        example "Home", "Work", "Public").     
                                                                                        NULL or unspecified zone means the     
                                                                                        connection will be placed in the       
                                                                                        default zone as defined by the         
                                                                                        firewall.                              
                                                                                                                               
                                                                                        When updating this property on a       
                                                                                        currently activated connection, the    
                                                                                        change takes effect immediately.       
   

6lowpan setting

   6LoWPAN Settings.
   
    Key Name  Value Type  Default Value  Value Description                      
   
    parent    string                     If given, specifies the parent         
                                         interface name or parent connection    
                                         UUID from which this 6LowPAN interface 
                                         should be created.                     
   

802-1x setting

   IEEE 802.1x Authentication Settings.
   
    Key Name                           Value Type                     Default Value  Value Description                      
   
    altsubject-matches                 array of string                               List of strings to be matched against  
                                                                                     the altSubjectName of the certificate  
                                                                                     presented by the authentication        
                                                                                     server. If the list is empty, no       
                                                                                     verification of the server             
                                                                                     certificate's altSubjectName is        │
   │                                   │                               │               │ performed.                             │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ anonymous-identity                │ string                        │               │ Anonymous identity string for EAP      │
   │                                   │                               │               │ authentication methods.  Used as the   │
   │                                   │                               │               │ unencrypted identity with EAP types    │
   │                                   │                               │               │ that support different tunneled        │
   │                                   │                               │               │ identity like EAP-TTLS.                │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ auth-timeout                      │ int32                         │ 0             │ A timeout for the authentication. Zero │
   │                                   │                               │               │ means the global default; if the       │
   │                                   │                               │               │ global default is not set, the         │
   │                                   │                               │               │ authentication timeout is 25 seconds.  │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ ca-cert                           │ byte array                    │               │ Contains the CA certificate if used by │
   │                                   │                               │               │ the EAP method specified in the "eap"  │
   │                                   │                               │               │ property.                              │
   │                                   │                               │               │                                        │
   │                                   │                               │               │ Certificate data is specified using a  │
   │                                   │                               │               │ "scheme"; three are currently          │
   │                                   │                               │               │ supported: blob, path and pkcs#11 URL. │
   │                                   │                               │               │ When using the blob scheme this        │
   │                                   │                               │               │ property should be set to the          │
   │                                   │                               │               │ certificate's DER encoded data. When   
                                                                                     using the path scheme, this property   
                                                                                     should be set to the full UTF-8        
                                                                                     encoded path of the certificate,       
                                                                                     prefixed with the string "file://" and 
                                                                                     ending with a terminating NUL byte.    
                                                                                     This property can be unset even if the 
                                                                                     EAP method supports CA certificates,   
                                                                                     but this allows man-in-the-middle      
                                                                                     attacks and is NOT recommended.        
                                                                                                                            
                                                                                     Note that enabling                     
                                                                                     NMSetting8021x:system-ca-certs will    
                                                                                     override this setting to use the       
                                                                                     built-in path, if the built-in path is 
                                                                                     not a directory.                       
   
    ca-cert-password                   string                                        The password used to access the CA     
                                                                                     certificate stored in "ca-cert"        
                                                                                     property. Only makes sense if the      
                                                                                     certificate is stored on a PKCS#11     │
                                                                                     token that requires a login.           
   
    ca-cert-password-flags             NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                                     "ca-cert-password" property.           
   
    ca-path                            string                                        UTF-8 encoded path to a directory      
                                                                                     containing PEM or DER formatted        
                                                                                     certificates to be added to the        
                                                                                     verification chain in addition to the  
                                                                                     certificate specified in the "ca-cert" 
                                                                                     property.                              
                                                                                                                            
                                                                                     If NMSetting8021x:system-ca-certs is   
                                                                                     enabled and the built-in CA path is an 
                                                                                     existing directory, then this setting  
                                                                                     is ignored.                            
   
    client-cert                        byte array                                    Contains the client certificate if     
                                                                                     used by the EAP method specified in    
                                                                                     the "eap" property.                    
                                                                                                                            
                                                                                     Certificate data is specified using a  
                                                                                     "scheme"; two are currently supported: 
                                                                                     blob and path. When using the blob     
                                                                                     scheme (which is backwards compatible  
                                                                                     with NM 0.7.x) this property should be 
                                                                                     set to the certificate's DER encoded   │
   │                                   │                               │               │ data. When using the path scheme, this │
   │                                   │                               │               │ property should be set to the full     │
   │                                   │                               │               │ UTF-8 encoded path of the certificate, │
   │                                   │                               │               │ prefixed with the string "file://" and │
   │                                   │                               │               │ ending with a terminating NUL byte.    │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ client-cert-password              │ string                        │               │ The password used to access the client │
   │                                   │                               │               │ certificate stored in "client-cert"    │
   │                                   │                               │               │ property. Only makes sense if the      │
   │                                   │                               │               │ certificate is stored on a PKCS#11     │
   │                                   │                               │               │ token that requires a login.           │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ client-cert-password-flags        │ NMSettingSecretFlags (uint32) │               │ Flags indicating how to handle the     │
   │                                   │                               │               │ "client-cert-password" property.       │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ domain-match                      │ string                        │               │ Constraint for server domain name. If  │
   │                                   │                               │               │ set, this list of FQDNs is used as a   │
   │                                   │                               │               │ match requirement for dNSName          │
   │                                   │                               │               │ element(s) of the certificate          │
   │                                   │                               │               │ presented by the authentication        │
   │                                   │                               │               │ server.  If a matching dNSName is      │
   │                                   │                               │               │ found, this constraint is met.  If no  │
   │                                   │                               │               │ dNSName values are present, this       │
   │                                   │                               │               │ constraint is matched against          │
   │                                   │                               │               │ SubjectName CN using the same          │
   │                                   │                               │               │ comparison. Multiple valid FQDNs can   │
   │                                   │                               │               │ be passed as a ";" delimited list.     │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ domain-suffix-match               │ string                        │               │ Constraint for server domain name. If  │
   │                                   │                               │               │ set, this FQDN is used as a suffix     │
   │                                   │                               │               │ match requirement for dNSName          │
   │                                   │                               │               │ element(s) of the certificate          │
   │                                   │                               │               │ presented by the authentication        │
   │                                   │                               │               │ server.  If a matching dNSName is      │
   │                                   │                               │               │ found, this constraint is met.  If no  │
   │                                   │                               │               │ dNSName values are present, this       │
   │                                   │                               │               │ constraint is matched against          │
   │                                   │                               │               │ SubjectName CN using same suffix match │
   │                                   │                               │               │ comparison. Since version 1.24,        │
   │                                   │                               │               │ multiple valid FQDNs can be passed as  │
   │                                   │                               │               │ a ";" delimited list.                  │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ eap                               │ array of string               │               │ The allowed EAP method to be used when │
   │                                   │                               │               │ authenticating to the network with     │
   │                                   │                               │               │ 802.1x.  Valid methods are: "leap",    │
   │                                   │                               │               │ "md5", "tls", "peap", "ttls", "pwd",   │
   │                                   │                               │               │ and "fast".  Each method requires      │
   │                                   │                               │               │ different configuration using the      │
   │                                   │                               │               │ properties of this setting; refer to   │
   │                                   │                               │               │ wpa_supplicant documentation for the   │
   │                                   │                               │               │ allowed combinations.                  │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ identity                          │ string                        │               │ Identity string for EAP authentication │
   │                                   │                               │               │ methods.  Often the user's user or     
                                                                                     login name.                            
   
    openssl-ciphers                    string                                        Define openssl_ciphers for             
                                                                                     wpa_supplicant. Openssl sometimes      
                                                                                     moves ciphers among SECLEVELs, thus    
                                                                                     compiled-in default value in           
                                                                                     wpa_supplicant (as modified by some    
                                                                                     linux distributions) sometimes         
                                                                                     prevents to connect to old servers     
                                                                                     that do not support new protocols.     
   
    optional                           boolean                        FALSE          Whether the 802.1X authentication is   
                                                                                     optional. If TRUE, the activation will 
                                                                                     continue even after a timeout or an    
                                                                                     authentication failure. Setting the    
                                                                                     property to TRUE is currently allowed  
                                                                                     only for Ethernet connections. If set  
                                                                                     to FALSE, the activation can continue  
                                                                                     only after a successful                
                                                                                     authentication.                        
   
    pac-file                           string                                        UTF-8 encoded file path containing PAC 
                                                                                     for EAP-FAST.                          
   
    password                           string                                        UTF-8 encoded password used for EAP    
                                                                                     authentication methods. If both the    
                                                                                     "password" property and the            
                                                                                     "password-raw" property are specified, 
                                                                                     "password" is preferred.               
   
    password-flags                     NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                                     "password" property.                   
   
    password-raw                       byte array                                    Password used for EAP authentication   
                                                                                     methods, given as a byte array to      
                                                                                     allow passwords in other encodings     
                                                                                     than UTF-8 to be used. If both the     
                                                                                     "password" property and the            
                                                                                     "password-raw" property are specified, 
                                                                                     "password" is preferred.               
   
    password-raw-flags                 NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                                     "password-raw" property.               
   
    phase1-auth-flags                  uint32                         0              Specifies authentication flags to use  
                                                                                     in "phase 1" outer authentication      
                                                                                     using NMSetting8021xAuthFlags options. 
                                                                                     The individual TLS versions can be     
                                                                                     explicitly disabled. TLS time checks   
                                                                                     can be also disabled. If a certain TLS 
                                                                                     disable flag is not set, it is up to   
                                                                                     the supplicant to allow or forbid it.  
                                                                                     The TLS options map to                 
                                                                                     tls_disable_tlsv1_x and                
                                                                                     tls_disable_time_checks settings. See  
                                                                                     the wpa_supplicant documentation for   
                                                                                     more details.                          
   
    phase1-fast-provisioning           string                                        Enables or disables in-line            
                                                                                     provisioning of EAP-FAST credentials   
                                                                                     when FAST is specified as the EAP      
                                                                                     method in the "eap" property.          
                                                                                     Recognized values are "0" (disabled),  
                                                                                     "1" (allow unauthenticated             
                                                                                     provisioning), "2" (allow              
                                                                                     authenticated provisioning), and "3"   
                                                                                     (allow both authenticated and          
                                                                                     unauthenticated provisioning).  See    
                                                                                     the wpa_supplicant documentation for   
                                                                                     more details.                          
   
    phase1-peaplabel                   string                                        Forces use of the new PEAP label       
                                                                                     during key derivation.  Some RADIUS    
                                                                                     servers may require forcing the new    
                                                                                     PEAP label to interoperate with        
                                                                                     PEAPv1.  Set to "1" to force use of    
                                                                                     the new PEAP label.  See the           
                                                                                     wpa_supplicant documentation for more  
                                                                                     details.                               
   
    phase1-peapver                     string                                        Forces which PEAP version is used when 
                                                                                     PEAP is set as the EAP method in the   
                                                                                     "eap" property.  When unset, the       
                                                                                     version reported by the server will be 
                                                                                     used.  Sometimes when using older      
                                                                                     RADIUS servers, it is necessary to     
                                                                                     force the client to use a particular   
                                                                                     PEAP version.  To do so, this property 
                                                                                     may be set to "0" or "1" to force that 
                                                                                     specific PEAP version.                 
   
    phase2-altsubject-matches          array of string                               List of strings to be matched against  
                                                                                     the altSubjectName of the certificate  
                                                                                     presented by the authentication server 
                                                                                     during the inner "phase 2"             
                                                                                     authentication. If the list is empty,  
                                                                                     no verification of the server          
                                                                                     certificate's altSubjectName is        │
   │                                   │                               │               │ performed.                             │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ phase2-auth                       │ string                        │               │ Specifies the allowed "phase 2" inner  │
   │                                   │                               │               │ authentication method when an EAP      │
   │                                   │                               │               │ method that uses an inner TLS tunnel   │
   │                                   │                               │               │ is specified in the "eap" property.    │
   │                                   │                               │               │ For TTLS this property selects one of  │
   │                                   │                               │               │ the supported non-EAP inner methods:   │
   │                                   │                               │               │ "pap", "chap", "mschap", "mschapv2"    │
   │                                   │                               │               │ while "phase2-autheap" selects an EAP  │
   │                                   │                               │               │ inner method.  For PEAP this selects   │
   │                                   │                               │               │ an inner EAP method, one of: "gtc",    │
   │                                   │                               │               │ "otp", "md5" and "tls". Each "phase 2" │
   │                                   │                               │               │ inner method requires specific         │
   │                                   │                               │               │ parameters for successful              │
   │                                   │                               │               │ authentication; see the wpa_supplicant │
   │                                   │                               │               │ documentation for more details. Both   │
   │                                   │                               │               │ "phase2-auth" and "phase2-autheap"     │
   │                                   │                               │               │ cannot be specified.                   │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ phase2-autheap                    │ string                        │               │ Specifies the allowed "phase 2" inner  │
   │                                   │                               │               │ EAP-based authentication method when   │
   │                                   │                               │               │ TTLS is specified in the "eap"         │
   │                                   │                               │               │ property.  Recognized EAP-based "phase │
   │                                   │                               │               │ 2" methods are "md5", "mschapv2",      │
   │                                   │                               │               │ "otp", "gtc", and "tls". Each "phase   │
   │                                   │                               │               │ 2" inner method requires specific      │
   │                                   │                               │               │ parameters for successful              │
   │                                   │                               │               │ authentication; see the wpa_supplicant │
   │                                   │                               │               │ documentation for more details.        │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ phase2-ca-cert                    │ byte array                    │               │ Contains the "phase 2" CA certificate  │
   │                                   │                               │               │ if used by the EAP method specified in │
   │                                   │                               │               │ the "phase2-auth" or "phase2-autheap"  │
   │                                   │                               │               │ properties.                            │
   │                                   │                               │               │                                        │
   │                                   │                               │               │ Certificate data is specified using a  │
   │                                   │                               │               │ "scheme"; three are currently          │
   │                                   │                               │               │ supported: blob, path and pkcs#11 URL. │
   │                                   │                               │               │ When using the blob scheme this        │
   │                                   │                               │               │ property should be set to the          │
   │                                   │                               │               │ certificate's DER encoded data. When   
                                                                                     using the path scheme, this property   
                                                                                     should be set to the full UTF-8        
                                                                                     encoded path of the certificate,       
                                                                                     prefixed with the string "file://" and 
                                                                                     ending with a terminating NUL byte.    
                                                                                     This property can be unset even if the 
                                                                                     EAP method supports CA certificates,   
                                                                                     but this allows man-in-the-middle      
                                                                                     attacks and is NOT recommended.        
                                                                                                                            
                                                                                     Note that enabling                     
                                                                                     NMSetting8021x:system-ca-certs will    
                                                                                     override this setting to use the       
                                                                                     built-in path, if the built-in path is 
                                                                                     not a directory.                       
   
    phase2-ca-cert-password            string                                        The password used to access the        
                                                                                     "phase2" CA certificate stored in      
                                                                                     "phase2-ca-cert" property. Only makes  
                                                                                     sense if the certificate is stored on  
                                                                                     a PKCS#11 token that requires a login. │
   
    phase2-ca-cert-password-flags      NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                                     "phase2-ca-cert-password" property.    
   
    phase2-ca-path                     string                                        UTF-8 encoded path to a directory      
                                                                                     containing PEM or DER formatted        
                                                                                     certificates to be added to the        
                                                                                     verification chain in addition to the  
                                                                                     certificate specified in the           
                                                                                     "phase2-ca-cert" property.             
                                                                                                                            
                                                                                     If NMSetting8021x:system-ca-certs is   
                                                                                     enabled and the built-in CA path is an 
                                                                                     existing directory, then this setting  
                                                                                     is ignored.                            
   
    phase2-client-cert                 byte array                                    Contains the "phase 2" client          
                                                                                     certificate if used by the EAP method  
                                                                                     specified in the "phase2-auth" or      
                                                                                     "phase2-autheap" properties.           
                                                                                                                            
                                                                                     Certificate data is specified using a  
                                                                                     "scheme"; two are currently supported: 
                                                                                     blob and path. When using the blob     
                                                                                     scheme (which is backwards compatible  
                                                                                     with NM 0.7.x) this property should be 
                                                                                     set to the certificate's DER encoded   │
   │                                   │                               │               │ data. When using the path scheme, this │
   │                                   │                               │               │ property should be set to the full     │
   │                                   │                               │               │ UTF-8 encoded path of the certificate, │
   │                                   │                               │               │ prefixed with the string "file://" and │
   │                                   │                               │               │ ending with a terminating NUL byte.    │
   │                                   │                               │               │ This property can be unset even if the │
   │                                   │                               │               │ EAP method supports CA certificates,   │
   │                                   │                               │               │ but this allows man-in-the-middle      │
   │                                   │                               │               │ attacks and is NOT recommended.        │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ phase2-client-cert-password       │ string                        │               │ The password used to access the        │
   │                                   │                               │               │ "phase2" client certificate stored in  │
   │                                   │                               │               │ "phase2-client-cert" property. Only    │
   │                                   │                               │               │ makes sense if the certificate is      │
   │                                   │                               │               │ stored on a PKCS#11 token that         │
   │                                   │                               │               │ requires a login.                      │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ phase2-client-cert-password-flags │ NMSettingSecretFlags (uint32) │               │ Flags indicating how to handle the     │
   │                                   │                               │               │ "phase2-client-cert-password"          │
   │                                   │                               │               │ property.                              │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ phase2-domain-match               │ string                        │               │ Constraint for server domain name. If  │
   │                                   │                               │               │ set, this list of FQDNs is used as a   │
   │                                   │                               │               │ match requirement for dNSName          │
   │                                   │                               │               │ element(s) of the certificate          │
   │                                   │                               │               │ presented by the authentication server │
   │                                   │                               │               │ during the inner "phase 2"             │
   │                                   │                               │               │ authentication. If a matching dNSName  │
   │                                   │                               │               │ is found, this constraint is met.  If  │
   │                                   │                               │               │ no dNSName values are present, this    │
   │                                   │                               │               │ constraint is matched against          │
   │                                   │                               │               │ SubjectName CN using the same          │
   │                                   │                               │               │ comparison. Multiple valid FQDNs can   │
   │                                   │                               │               │ be passed as a ";" delimited list.     │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ phase2-domain-suffix-match        │ string                        │               │ Constraint for server domain name. If  │
   │                                   │                               │               │ set, this FQDN is used as a suffix     │
   │                                   │                               │               │ match requirement for dNSName          │
   │                                   │                               │               │ element(s) of the certificate          │
   │                                   │                               │               │ presented by the authentication server │
   │                                   │                               │               │ during the inner "phase 2"             │
   │                                   │                               │               │ authentication.  If a matching dNSName │
   │                                   │                               │               │ is found, this constraint is met.  If  │
   │                                   │                               │               │ no dNSName values are present, this    │
   │                                   │                               │               │ constraint is matched against          │
   │                                   │                               │               │ SubjectName CN using same suffix match │
   │                                   │                               │               │ comparison. Since version 1.24,        │
   │                                   │                               │               │ multiple valid FQDNs can be passed as  │
   │                                   │                               │               │ a ";" delimited list.                  │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ phase2-private-key                │ byte array                    │               │ Contains the "phase 2" inner private   │
   │                                   │                               │               │ key when the "phase2-auth" or          │
   │                                   │                               │               │ "phase2-autheap" property is set to    │
   │                                   │                               │               │ "tls".                                 │
   │                                   │                               │               │                                        │
   │                                   │                               │               │ Key data is specified using a          │
   │                                   │                               │               │ "scheme"; two are currently supported: │
   │                                   │                               │               │ blob and path. When using the blob     │
   │                                   │                               │               │ scheme and private keys, this property │
   │                                   │                               │               │ should be set to the key's encrypted   
                                                                                     PEM encoded data. When using private   
                                                                                     keys with the path scheme, this        
                                                                                     property should be set to the full     
                                                                                     UTF-8 encoded path of the key,         
                                                                                     prefixed with the string "file://" and 
                                                                                     ending with a terminating NUL byte.    
                                                                                     When using PKCS#12 format private keys │
                                                                                     and the blob scheme, this property     
                                                                                     should be set to the PKCS#12 data and  │
                                                                                     the "phase2-private-key-password"      
                                                                                     property must be set to password used  
                                                                                     to decrypt the PKCS#12 certificate and │
                                                                                     key. When using PKCS#12 files and the  │
                                                                                     path scheme, this property should be   
                                                                                     set to the full UTF-8 encoded path of  
                                                                                     the key, prefixed with the string      
                                                                                     "file://" and ending with a            
                                                                                     terminating NUL byte, and as with the  
                                                                                     blob scheme the                        
                                                                                     "phase2-private-key-password" property 
                                                                                     must be set to the password used to    
                                                                                     decode the PKCS#12 private key and     │
                                                                                     certificate.                           
   
    phase2-private-key-password        string                                        The password used to decrypt the       
                                                                                     "phase 2" private key specified in the 
                                                                                     "phase2-private-key" property when the 
                                                                                     private key either uses the path       
                                                                                     scheme, or is a PKCS#12 format key.    │
   
    phase2-private-key-password-flags  NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                                     "phase2-private-key-password"          
                                                                                     property.                              
   
    phase2-subject-match               string                                        Substring to be matched against the    
                                                                                     subject of the certificate presented   
                                                                                     by the authentication server during    
                                                                                     the inner "phase 2" authentication.    
                                                                                     When unset, no verification of the     
                                                                                     authentication server certificate's    │
   │                                   │                               │               │ subject is performed. This property    │
   │                                   │                               │               │ provides little security, if any, and  │
   │                                   │                               │               │ should not be used.                    │
   │                                   │                               │               │                                        │
   │                                   │                               │               │ This property is deprecated since      │
   │                                   │                               │               │ version 1.2.Use                        │
   │                                   │                               │               │ "phase2-domain-suffix-match" instead.  │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ pin                               │ string                        │               │ PIN used for EAP authentication        │
   │                                   │                               │               │ methods.                               │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ pin-flags                         │ NMSettingSecretFlags (uint32) │               │ Flags indicating how to handle the     │
   │                                   │                               │               │ "pin" property.                        │
   ├───────────────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ private-key                       │ byte array                    │               │ Contains the private key when the      │
   │                                   │                               │               │ "eap" property is set to "tls".        │
   │                                   │                               │               │                                        │
   │                                   │                               │               │ Key data is specified using a          │
   │                                   │                               │               │ "scheme"; two are currently supported: │
   │                                   │                               │               │ blob and path. When using the blob     │
   │                                   │                               │               │ scheme and private keys, this property │
   │                                   │                               │               │ should be set to the key's encrypted   
                                                                                     PEM encoded data. When using private   
                                                                                     keys with the path scheme, this        
                                                                                     property should be set to the full     
                                                                                     UTF-8 encoded path of the key,         
                                                                                     prefixed with the string "file://" and 
                                                                                     ending with a terminating NUL byte.    
                                                                                     When using PKCS#12 format private keys │
                                                                                     and the blob scheme, this property     
                                                                                     should be set to the PKCS#12 data and  │
                                                                                     the "private-key-password" property    
                                                                                     must be set to password used to        
                                                                                     decrypt the PKCS#12 certificate and    │
                                                                                     key. When using PKCS#12 files and the  │
                                                                                     path scheme, this property should be   
                                                                                     set to the full UTF-8 encoded path of  
                                                                                     the key, prefixed with the string      
                                                                                     "file://" and ending with a            
                                                                                     terminating NUL byte, and as with the  
                                                                                     blob scheme the "private-key-password" 
                                                                                     property must be set to the password   
                                                                                     used to decode the PKCS#12 private key │
                                                                                     and certificate.                       
                                                                                                                            
                                                                                     WARNING: "private-key" is not a        
                                                                                     "secret" property, and thus            
                                                                                     unencrypted private key data using the 
                                                                                     BLOB scheme may be readable by         
                                                                                     unprivileged users.  Private keys      
                                                                                     should always be encrypted with a      
                                                                                     private key password to prevent        
                                                                                     unauthorized access to unencrypted     
                                                                                     private key data.                      
   
    private-key-password               string                                        The password used to decrypt the       
                                                                                     private key specified in the           
                                                                                     "private-key" property when the        
                                                                                     private key either uses the path       
                                                                                     scheme, or if the private key is a     
                                                                                     PKCS#12 format key.                    │
   
    private-key-password-flags         NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                                     "private-key-password" property.       
   
    subject-match                      string                                        Substring to be matched against the    
                                                                                     subject of the certificate presented   
                                                                                     by the authentication server. When     
                                                                                     unset, no verification of the          
                                                                                     authentication server certificate's    
                                                                                     subject is performed. This property    
                                                                                     provides little security, if any, and  
                                                                                     should not be used.                    
                                                                                                                            
                                                                                     This property is deprecated since      
                                                                                     version 1.2.Use                        
                                                                                     "phase2-domain-suffix-match" instead.  
   
    system-ca-certs                    boolean                        FALSE          When TRUE, overrides the "ca-path" and 
                                                                                     "phase2-ca-path" properties using the  
                                                                                     system CA directory specified at       
                                                                                     configure time with the                
                                                                                     --system-ca-path switch.  The          
                                                                                     certificates in this directory are     
                                                                                     added to the verification chain in     
                                                                                     addition to any certificates specified 
                                                                                     by the "ca-cert" and "phase2-ca-cert"  
                                                                                     properties. If the path provided with  
                                                                                     --system-ca-path is rather a file name 
                                                                                     (bundle of trusted CA certificates),   
                                                                                     it overrides "ca-cert" and             
                                                                                     "phase2-ca-cert" properties instead    
                                                                                     (sets ca_cert/ca_cert2 options for     
                                                                                     wpa_supplicant).                       
   

adsl setting

   ADSL Settings.
   
    Key Name        Value Type                     Default Value  Value Description                      
   
    encapsulation   string                                        Encapsulation of ADSL connection.  Can 
                                                                  be "vcmux" or "llc".                   
   
    password        string                                        Password used to authenticate with the 
                                                                  ADSL service.                          
   
    password-flags  NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                  "password" property.                   
   
    protocol        string                                        ADSL connection protocol.  Can be      
                                                                  "pppoa", "pppoe" or "ipoatm".          
   
    username        string                                        Username used to authenticate with the 
                                                                  ADSL service.                          
   
    vci             uint32                         0              VCI of ADSL connection                 
   
    vpi             uint32                         0              VPI of ADSL connection                 
   

bluetooth setting

   Bluetooth Settings.
   
    Key Name  Value Type  Default Value  Value Description                      
   
    bdaddr    byte array                 The Bluetooth address of the device.   
   
    type      string                     Either "dun" for Dial-Up Networking    
                                         connections or "panu" for Personal     
                                         Area Networking connections to devices 
                                         supporting the NAP profile.            
   

bond setting

   Bonding Settings.
   
    Key Name        Value Type                Default Value           Value Description                      
   
    interface-name  string                                            Deprecated in favor of                 
                                                                      connection.interface-name, but can be  
                                                                      used for backward-compatibility with   
                                                                      older daemons, to set the bond's       │
   │                │                          │                        │ interface name.                        │
   ├────────────────┼──────────────────────────┼────────────────────────┼────────────────────────────────────────┤
   │ options        │ dict of string to string │ {'mode': 'balance-rr'}  Dictionary of key/value pairs of       
                                                                      bonding options.  Both keys and values 
                                                                      must be strings. Option names must     
                                                                      contain only alphanumeric characters   
                                                                      (ie, [a-zA-Z0-9]).                     
   

bridge setting

   Bridging Settings.
   
    Key Name                           Value Type        Default Value  Value Description                      
   
    ageing-time                        uint32            300            The Ethernet MAC address aging time,   
                                                                        in seconds.                            
   
    forward-delay                      uint32            15             The Spanning Tree Protocol (STP)       
                                                                        forwarding delay, in seconds.          
   
    group-address                      byte array                       If specified, The MAC address of the   
                                                                        multicast group this bridge uses for   
                                                                        STP.                                   
                                                                                                               
                                                                        The address must be a link-local       
                                                                        address in standard Ethernet MAC       
                                                                        address format, ie an address of the   
                                                                        form 01:80:C2:00:00:0X, with X in [0,  
                                                                        4..F]. If not specified the default    
                                                                        value is 01:80:C2:00:00:00.            
   
    group-forward-mask                 uint32            0              A mask of group addresses to forward.  
                                                                        Usually, group addresses in the range  
                                                                        from 01:80:C2:00:00:00 to              
                                                                        01:80:C2:00:00:0F are not forwarded    
                                                                        according to standards. This property  
                                                                        is a mask of 16 bits, each             
                                                                        corresponding to a group address in    
                                                                        that range that must be forwarded. The 
                                                                        mask can't have bits 0, 1 or 2 set     │
   │                                   │                  │               │ because they are used for STP, MAC     │
   │                                   │                  │               │ pause frames and LACP.                 │
   ├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
   │ hello-time                        │ uint32           │ 2             │ The Spanning Tree Protocol (STP) hello │
   │                                   │                  │               │ time, in seconds.                      │
   ├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
   │ interface-name                    │ string           │               │ Deprecated in favor of                 │
   │                                   │                  │               │ connection.interface-name, but can be  │
   │                                   │                  │               │ used for backward-compatibility with   │
   │                                   │                  │               │ older daemons, to set the bridge's     
                                                                        interface name.                        
   
    mac-address                        byte array                       If specified, the MAC address of       
                                                                        bridge. When creating a new bridge,    
                                                                        this MAC address will be set.          
                                                                                                               
                                                                        If this field is left unspecified, the 
                                                                        "ethernet.cloned-mac-address" is       
                                                                        referred instead to generate the       
                                                                        initial MAC address. Note that setting 
                                                                        "ethernet.cloned-mac-address" anyway   
                                                                        overwrites the MAC address of the      
                                                                        bridge later while activating the      
                                                                        bridge.                                
                                                                                                               
                                                                        This property is deprecated since      
                                                                        version 1.12.Use the                   
                                                                        "cloned-mac-address" property instead. 
   
    max-age                            uint32            20             The Spanning Tree Protocol (STP)       
                                                                        maximum message age, in seconds.       
   
    multicast-hash-max                 uint32            4096           Set maximum size of multicast hash     
                                                                        table (value must be a power of 2).    
   
    multicast-last-member-count        uint32            2              Set the number of queries the bridge   
                                                                        will send before stopping forwarding a 
                                                                        multicast group after a "leave"        
                                                                        message has been received.             
   
    multicast-last-member-interval     uint64            100            Set interval (in deciseconds) between  
                                                                        queries to find remaining members of a 
                                                                        group, after a "leave" message is      
                                                                        received.                              
   
    multicast-membership-interval      uint64            26000          Set delay (in deciseconds) after which 
                                                                        the bridge will leave a group, if no   
                                                                        membership reports for this group are  
                                                                        received.                              
   
    multicast-querier                  boolean           FALSE          Enable or disable sending of multicast 
                                                                        queries by the bridge. If not          
                                                                        specified the option is disabled.      
   
    multicast-querier-interval         uint64            25500          If no queries are seen after this      
                                                                        delay (in deciseconds) has passed, the 
                                                                        bridge will start to send its own      
                                                                        queries.                               
   
    multicast-query-interval           uint64            12500          Interval (in deciseconds) between      
                                                                        queries sent by the bridge after the   
                                                                        end of the startup phase.              
   
    multicast-query-response-interval  uint64            1000           Set the Max Response Time/Max Response 
                                                                        Delay (in deciseconds) for IGMP/MLD    
                                                                        queries sent by the bridge.            
   
    multicast-query-use-ifaddr         boolean           FALSE          If enabled the bridge's own IP address │
   │                                   │                  │               │ is used as the source address for IGMP │
   │                                   │                  │               │ queries otherwise the default of       │
   │                                   │                  │               │ 0.0.0.0 is used.                       │
   ├───────────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
   │ multicast-router                  │ string           │               │ Sets bridge's multicast router.        
                                                                        Multicast-snooping must be enabled for 
                                                                        this option to work.                   
                                                                                                               
                                                                        Supported values are: 'auto',          
                                                                        'disabled', 'enabled' to which kernel  
                                                                        assigns the numbers 1, 0, and 2,       
                                                                        respectively. If not specified the     
                                                                        default value is 'auto' (1).           
   
    multicast-snooping                 boolean           TRUE           Controls whether IGMP snooping is      
                                                                        enabled for this bridge. Note that if  
                                                                        snooping was automatically disabled    
                                                                        due to hash collisions, the system may 
                                                                        refuse to enable the feature until the 
                                                                        collisions are resolved.               
   
    multicast-startup-query-count      uint32            2              Set the number of IGMP queries to send 
                                                                        during startup phase.                  
   
    multicast-startup-query-interval   uint64            3125           Sets the time (in deciseconds) between 
                                                                        queries sent out at startup to         
                                                                        determine membership information.      
   
    priority                           uint32            32768          Sets the Spanning Tree Protocol (STP)  
                                                                        priority for this bridge.  Lower       
                                                                        values are "better"; the lowest        
                                                                        priority bridge will be elected the    
                                                                        root bridge.                           
   
    stp                                boolean           TRUE           Controls whether Spanning Tree         
                                                                        Protocol (STP) is enabled for this     
                                                                        bridge.                                
   
    vlan-default-pvid                  uint32            1              The default PVID for the ports of the  
                                                                        bridge, that is the VLAN id assigned   
                                                                        to incoming untagged frames.           
   
    vlan-filtering                     boolean           FALSE          Control whether VLAN filtering is      
                                                                        enabled on the bridge.                 
   
    vlan-protocol                      string                           If specified, the protocol used for    
                                                                        VLAN filtering.                        
                                                                                                               
                                                                        Supported values are: '802.1Q',        
                                                                        '802.1ad'. If not specified the        
                                                                        default value is '802.1Q'.             
   
    vlan-stats-enabled                 boolean           FALSE          Controls whether per-VLAN stats        
                                                                        accounting is enabled.                 
   
    vlans                              array of vardict                 Array of bridge VLAN objects. In       
                                                                        addition to the VLANs specified here,  
                                                                        the bridge will also have the          
                                                                        default-pvid VLAN configured  by the   
                                                                        bridge.vlan-default-pvid property.     
                                                                                                               
                                                                        In nmcli the VLAN list can be          
                                                                        specified with the following syntax:   
                                                                                                               
                                                                        $vid [pvid] [untagged] [, $vid [pvid]  
                                                                        [untagged]]...                         
                                                                                                               
                                                                        where $vid is either a single id       
                                                                        between 1 and 4094 or a range,         
                                                                        represented as a couple of ids         
                                                                        separated by a dash.                   
   

bridge-port setting

   Bridge Port Settings.
   
    Key Name      Value Type        Default Value  Value Description                      
   
    hairpin-mode  boolean           FALSE          Enables or disables "hairpin mode" for 
                                                   the port, which allows frames to be    
                                                   sent back out through the port the     
                                                   frame was received on.                 
   
    path-cost     uint32            100            The Spanning Tree Protocol (STP) port  
                                                   cost for destinations via this port.   
   
    priority      uint32            32             The Spanning Tree Protocol (STP)       
                                                   priority of this bridge port.          
   
    vlans         array of vardict                 Array of bridge VLAN objects. In       
                                                   addition to the VLANs specified here,  
                                                   the port will also have the            
                                                   default-pvid VLAN configured on the    
                                                   bridge by the bridge.vlan-default-pvid 
                                                   property.                              
                                                                                          
                                                   In nmcli the VLAN list can be          
                                                   specified with the following syntax:   
                                                                                          
                                                   $vid [pvid] [untagged] [, $vid [pvid]  
                                                   [untagged]]...                         
                                                                                          
                                                   where $vid is either a single id       
                                                   between 1 and 4094 or a range,         
                                                   represented as a couple of ids         
                                                   separated by a dash.                   
   

cdma setting

   CDMA-based Mobile Broadband Settings.
   
    Key Name        Value Type                     Default Value  Value Description                      
   
    mtu             uint32                         0              If non-zero, only transmit packets of  
                                                                  the specified size or smaller,         
                                                                  breaking larger packets up into        
                                                                  multiple frames.                       
   
    number          string                                        The number to dial to establish the    
                                                                  connection to the CDMA-based mobile    
                                                                  broadband network, if any.  If not     
                                                                  specified, the default number (#777)   │
                                                                  is used when required.                 
   
    password        string                                        The password used to authenticate with 
                                                                  the network, if required.  Many        
                                                                  providers do not require a password,   
                                                                  or accept any password.  But if a      
                                                                  password is required, it is specified  
                                                                  here.                                  
   
    password-flags  NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                  "password" property.                   
   
    username        string                                        The username used to authenticate with 
                                                                  the network, if required.  Many        
                                                                  providers do not require a username,   
                                                                  or accept any username.  But if a      
                                                                  username is required, it is specified  
                                                                  here.                                  
   

dcb setting

   Data Center Bridging Settings.
   
    Key Name                     Value Type                  Default Value  Value Description                      
   
    app-fcoe-flags               NMSettingDcbFlags (uint32)                 Specifies the NMSettingDcbFlags for    
                                                                            the DCB FCoE application.  Flags may   
                                                                            be any combination of 0x1 (enable),    
                                                                            0x2 (advertise), and 0x4 (willing).    
   
    app-fcoe-mode                string                                     The FCoE controller mode; either       
                                                                            "fabric" or "vn2vn".                   
                                                                                                                   
                                                                            Since 1.34, NULL is the default and    
                                                                            means "fabric". Before 1.34, NULL was  
                                                                            rejected as invalid and the default    
                                                                            was "fabric".                          
   
    app-fcoe-priority            int32                       -1             The highest User Priority (0 - 7)      
                                                                            which FCoE frames should use, or -1    
                                                                            for default priority.  Only used when  
                                                                            the "app-fcoe-flags" property includes 
                                                                            the 0x1 (enable) flag.                 
   
    app-fip-flags                NMSettingDcbFlags (uint32)                 Specifies the NMSettingDcbFlags for    
                                                                            the DCB FIP application.  Flags may be 
                                                                            any combination of 0x1 (enable), 0x2   
                                                                            (advertise), and 0x4 (willing).        
   
    app-fip-priority             int32                       -1             The highest User Priority (0 - 7)      
                                                                            which FIP frames should use, or -1 for 
                                                                            default priority.  Only used when the  
                                                                            "app-fip-flags" property includes the  
                                                                            0x1 (enable) flag.                     
   
    app-iscsi-flags              NMSettingDcbFlags (uint32)                 Specifies the NMSettingDcbFlags for    
                                                                            the DCB iSCSI application.  Flags may  
                                                                            be any combination of 0x1 (enable),    
                                                                            0x2 (advertise), and 0x4 (willing).    
   
    app-iscsi-priority           int32                       -1             The highest User Priority (0 - 7)      
                                                                            which iSCSI frames should use, or -1   
                                                                            for default priority. Only used when   
                                                                            the "app-iscsi-flags" property         
                                                                            includes the 0x1 (enable) flag.        
   
    priority-bandwidth           array of uint32                            An array of 8 uint values, where the   
                                                                            array index corresponds to the User    
                                                                            Priority (0 - 7) and the value         
                                                                            indicates the percentage of bandwidth  
                                                                            of the priority's assigned group that  
                                                                            the priority may use.  The sum of all  
                                                                            percentages for priorities which       
                                                                            belong to the same group must total    
                                                                            100 percents.                          
   
    priority-flow-control        array of uint32                            An array of 8 boolean values, where    
                                                                            the array index corresponds to the     
                                                                            User Priority (0 - 7) and the value    
                                                                            indicates whether or not the           
                                                                            corresponding priority should transmit 
                                                                            priority pause.                        
   
    priority-flow-control-flags  NMSettingDcbFlags (uint32)                 Specifies the NMSettingDcbFlags for    
                                                                            DCB Priority Flow Control (PFC). Flags 
                                                                            may be any combination of 0x1          
                                                                            (enable), 0x2 (advertise), and 0x4     
                                                                            (willing).                             
   
    priority-group-bandwidth     array of uint32                            An array of 8 uint values, where the   
                                                                            array index corresponds to the         
                                                                            Priority Group ID (0 - 7) and the      
                                                                            value indicates the percentage of link 
                                                                            bandwidth allocated to that group.     
                                                                            Allowed values are 0 - 100, and the    
                                                                            sum of all values must total 100       
                                                                            percents.                              
   
    priority-group-flags         NMSettingDcbFlags (uint32)                 Specifies the NMSettingDcbFlags for    
                                                                            DCB Priority Groups.  Flags may be any 
                                                                            combination of 0x1 (enable), 0x2       
                                                                            (advertise), and 0x4 (willing).        
   
    priority-group-id            array of uint32                            An array of 8 uint values, where the   
                                                                            array index corresponds to the User    
                                                                            Priority (0 - 7) and the value         
                                                                            indicates the Priority Group ID.       
                                                                            Allowed Priority Group ID values are 0 
                                                                            - 7 or 15 for the unrestricted group.  
   
    priority-strict-bandwidth    array of uint32                            An array of 8 boolean values, where    
                                                                            the array index corresponds to the     
                                                                            User Priority (0 - 7) and the value    
                                                                            indicates whether or not the priority  
                                                                            may use all of the bandwidth allocated 
                                                                            to its assigned group.                 
   
    priority-traffic-class       array of uint32                            An array of 8 uint values, where the   
                                                                            array index corresponds to the User    
                                                                            Priority (0 - 7) and the value         
                                                                            indicates the traffic class (0 - 7) to 
                                                                            which the priority is mapped.          
   

dummy setting

   Dummy Link Settings.

ethtool setting

   Ethtool Ethernet Settings.

generic setting

   Generic Link Settings.
   
    Key Name        Value Type  Default Value  Value Description                      
   
    device-handler  string                     Name of the device handler that will   
                                               be invoked to add and delete the       
                                               device for this connection. The name   
                                               can only contain ASCII alphanumeric    
                                               characters and '-', '_', '.'. It       
                                               cannot start with '.'.                 
                                                                                      
                                               See the NetworkManager-dispatcher(8)   
                                               man page for more details about how to 
                                               write the device handler.              
                                                                                      
                                               By setting this property the generic   
                                               connection becomes "virtual", meaning  
                                               that it can be activated without an    
                                               existing device; the device will be    
                                               created at the time the connection is  
                                               started by invoking the                
                                               device-handler.                        
   

gsm setting

   GSM-based Mobile Broadband Settings.
   
    Key Name                            Value Type                     Default Value  Value Description                      
   
    apn                                 string                                        The GPRS Access Point Name specifying  
                                                                                      the APN used when establishing a data  
                                                                                      session with the GSM-based network.    
                                                                                      The APN often determines how the user  
                                                                                      will be billed for their network usage 
                                                                                      and whether the user has access to the 
                                                                                      Internet or just a provider-specific   
                                                                                      walled-garden, so it is important to   
                                                                                      use the correct APN for the user's     
                                                                                      mobile broadband plan. The APN may     
                                                                                      only be composed of the characters     
                                                                                      a-z, 0-9, ., and - per GSM 03.60       
                                                                                      Section 14.9.                          
                                                                                                                             
                                                                                      If the APN is unset (the default) then 
                                                                                      it may be detected based on            
                                                                                      "auto-config" setting. The property    
                                                                                      can be explicitly set to the empty     
                                                                                      string to prevent that and use no APN. 
   
    auto-config                         boolean                        FALSE          When TRUE, the settings such as APN,   
                                                                                      username, or password will default to  
                                                                                      values that match the network the      
                                                                                      modem will register to in the Mobile   
                                                                                      Broadband Provider database.           
   
    device-id                           string                                        The device unique identifier (as given 
                                                                                      by the WWAN management service) which  
                                                                                      this connection applies to.  If given, 
                                                                                      the connection will only apply to the  
                                                                                      specified device.                      
   
    home-only                           boolean                        FALSE          When TRUE, only connections to the     
                                                                                      home network will be allowed.          
                                                                                      Connections to roaming networks will   
                                                                                      not be made.                           
   
    initial-eps-bearer-apn              string                                        For LTE modems, this sets the APN for  
                                                                                      the initial EPS bearer that is set up  
                                                                                      when attaching to the network.         
                                                                                      Setting this parameter implies         
                                                                                      initial-eps-bearer-configure to be     
                                                                                      TRUE.                                  
   
    initial-eps-bearer-configure        boolean                        FALSE          For LTE modems, this setting           
                                                                                      determines whether the initial EPS     
                                                                                      bearer shall be configured when        
                                                                                      bringing up the connection.  It is     
                                                                                      inferred TRUE if                       
                                                                                      initial-eps-bearer-apn is set.         
   
    initial-eps-bearer-noauth           boolean                        TRUE           For LTE modems, this sets NOAUTH       
                                                                                      authentication method for the initial  
                                                                                      EPS bearer that is set up when         
                                                                                      attaching to the network. If TRUE, do  
                                                                                      not require the other side to          
                                                                                      authenticate itself to the client. If  
                                                                                      FALSE, require authentication from the 
                                                                                      remote side.  In almost all cases,     
                                                                                      this should be TRUE.                   
   
    initial-eps-bearer-password         string                                        For LTE modems, this sets the password 
                                                                                      for the initial EPS bearer that is set 
                                                                                      up when attaching to the network.      
                                                                                      Setting this parameter implies         
                                                                                      initial-eps-bearer-configure to be     
                                                                                      TRUE.                                  
   
    initial-eps-bearer-password-flags   NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                                      "initial-eps-bearer-password"          
                                                                                      property.                              
   
    initial-eps-bearer-refuse-chap      boolean                        FALSE          For LTE modems, this disables CHAP     
                                                                                      authentication method for the initial  
                                                                                      EPS bearer that is set up when         
                                                                                      attaching to the network.              
   
    initial-eps-bearer-refuse-eap       boolean                        FALSE          For LTE modems, this disables EAP      
                                                                                      authentication method for the initial  
                                                                                      EPS bearer that is set up when         
                                                                                      attaching to the network.              
   
    initial-eps-bearer-refuse-mschap    boolean                        FALSE          For LTE modems, this disables MSCHAP   
                                                                                      authentication method for the initial  
                                                                                      EPS bearer that is set up when         
                                                                                      attaching to the network.              
   
    initial-eps-bearer-refuse-mschapv2  boolean                        FALSE          For LTE modems, this disables MSCHAPV2 
                                                                                      authentication method for the initial  
                                                                                      EPS bearer that is set up when         
                                                                                      attaching to the network.              
   
    initial-eps-bearer-refuse-pap       boolean                        FALSE          For LTE modems, this disables PAP      
                                                                                      authentication method for the initial  
                                                                                      EPS bearer that is set up when         
                                                                                      attaching to the network.              
   
    initial-eps-bearer-username         string                                        For LTE modems, this sets the username 
                                                                                      for the initial EPS bearer that is set 
                                                                                      up when attaching to the network.      
                                                                                      Setting this parameter implies         
                                                                                      initial-eps-bearer-configure to be     
                                                                                      TRUE.                                  
   
    mtu                                 uint32                         0              If non-zero, only transmit packets of  
                                                                                      the specified size or smaller,         
                                                                                      breaking larger packets up into        
                                                                                      multiple frames.                       
   
    network-id                          string                                        The Network ID (GSM LAI format, ie     
                                                                                      MCC-MNC) to force specific network     
                                                                                      registration.  If the Network ID is    
                                                                                      specified, NetworkManager will attempt 
                                                                                      to force the device to register only   
                                                                                      on the specified network. This can be  
                                                                                      used to ensure that the device does    
                                                                                      not roam when direct roaming control   
                                                                                      of the device is not otherwise         
                                                                                      possible.                              
   
    number                              string                                        Legacy setting that used to help       
                                                                                      establishing PPP data sessions for     
                                                                                      GSM-based modems.                      
                                                                                                                             
                                                                                      This property is deprecated since      
                                                                                      version 1.16.User-provided values for  
                                                                                      this setting are no longer used.       
   
    password                            string                                        The password used to authenticate with 
                                                                                      the network, if required.  Many        
                                                                                      providers do not require a password,   
                                                                                      or accept any password.  But if a      
                                                                                      password is required, it is specified  
                                                                                      here.                                  
   
    password-flags                      NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                                      "password" property.                   
   
    pin                                 string                                        If the SIM is locked with a PIN it     
                                                                                      must be unlocked before any other      
                                                                                      operations are requested.  Specify the 
                                                                                      PIN here to allow operation of the     
                                                                                      device.                                
   
    pin-flags                           NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                                      "pin" property.                        
   
    sim-id                              string                                        The SIM card unique identifier (as     
                                                                                      given by the WWAN management service)  
                                                                                      which this connection applies to.  If  
                                                                                      given, the connection will apply to    
                                                                                      any device also allowed by "device-id" 
                                                                                      which contains a SIM card matching the 
                                                                                      given identifier.                      
   
    sim-operator-id                     string                                        A MCC/MNC string like "310260" or      
                                                                                      "21601" identifying the specific       
                                                                                      mobile network operator which this     
                                                                                      connection applies to.  If given, the  
                                                                                      connection will apply to any device    
                                                                                      also allowed by "device-id" and        
                                                                                      "sim-id" which contains a SIM card     
                                                                                      provisioned by the given operator.     
   
    username                            string                                        The username used to authenticate with 
                                                                                      the network, if required.  Many        
                                                                                      providers do not require a username,   
                                                                                      or accept any username.  But if a      
                                                                                      username is required, it is specified  
                                                                                      here.                                  
   

hsr setting

   HSR/PRP Settings.
   
    Key Name        Value Type  Default Value  Value Description                     
   
    multicast-spec  uint32      0              The last byte of supervision address. 
   
    port1           string                     The port1 interface name of the HSR.  
                                               This property is mandatory.           
   
    port2           string                     The port2 interface name of the HSR.  
                                               This property is mandatory.           
   
    prp             boolean     FALSE          The protocol used by the interface,   
                                               whether it is PRP or HSR.             
   

infiniband setting

   Infiniband Settings.
   
    Key Name        Value Type  Default Value  Value Description                      
   
    mac-address     byte array                 If specified, this connection will     
                                               only apply to the IPoIB device whose   
                                               permanent MAC address matches. This    
                                               property does not change the MAC       
                                               address of the device (i.e. MAC        
                                               spoofing).                             
   
    mtu             uint32      0              If non-zero, only transmit packets of  
                                               the specified size or smaller,         
                                               breaking larger packets up into        
                                               multiple frames.                       
   
    p-key           int32       -1             The InfiniBand p-key to use for this   
                                               device. A value of -1 means to use the 
                                               default p-key (aka "the p-key at index │
   │                │            │               │ 0"). Otherwise, it is a 16-bit         
                                               unsigned integer, whose high bit       
                                               0x8000 is set if it is a "full         │
   │                │            │               │ membership" p-key. The values 0 and    
                                               0x8000 are not allowed.                
                                                                                      
                                               With the p-key set, the interface name 
                                               is always "$parent.$p_key". Setting    
                                               "connection.interface-name" to another 
                                               name is not supported.                 
                                                                                      
                                               Note that kernel will internally       
                                               always set the full membership bit,    
                                               although the interface name does not   
                                               reflect that. Usually the user would   
                                               want to configure a full membership    
                                               p-key with 0x8000 flag set.            
   
    parent          string                     The interface name of the parent       
                                               device of this device. Normally NULL,  
                                               but if the "p_key" property is set,    
                                               then you must specify the base device  
                                               by setting either this property or     
                                               "mac-address".                         
   
    transport-mode  string                     The IP-over-InfiniBand transport mode. 
                                               Either "datagram" or "connected".      
   

ipv4 setting

   IPv4 Settings.
   
    Key Name                      Value Type                Default Value  Value Description                      
   
    address-data                  array of vardict                         Array of IPv4 addresses. Each address  
                                                                           dictionary contains at least 'address' 
                                                                           and 'prefix' entries, containing the   
                                                                           IP address as a string, and the prefix 
                                                                           length as a uint32. Additional         
                                                                           attributes may also exist on some      
                                                                           addresses.                             
   
    addresses                     array of array of uint32                 Deprecated in favor of the             
                                                                           'address-data' and 'gateway'           
                                                                           properties, but this can be used for   
                                                                           backward-compatibility with older      
                                                                           daemons. Note that if you send this    
                                                                           property the daemon will ignore        
                                                                           'address-data' and 'gateway'.  Array   
                                                                           of IPv4 address structures.  Each IPv4 
                                                                           address structure is composed of 3     
                                                                           32-bit values; the first being the     
                                                                           IPv4 address (network byte order), the 
                                                                           second the prefix (1 - 32), and last   
                                                                           the IPv4 gateway (network byte order). 
                                                                           The gateway may be left as 0 if no     
                                                                           gateway exists for that subnet.        
   
    auto-route-ext-gw             NMTernary (int32)                        VPN connections will default to add    
                                                                           the route automatically unless this    
                                                                           setting is set to FALSE.               
                                                                                                                  
                                                                           For other connection types, adding     
                                                                           such an automatic route is currently   
                                                                           not supported and setting this to TRUE 
                                                                           has no effect.                         
   
    dad-timeout                   int32                     -1             Maximum timeout in milliseconds used   
                                                                           to check for the presence of duplicate 
                                                                           IP addresses on the network.  If an    
                                                                           address conflict is detected, the      
                                                                           activation will fail. The property is  
                                                                           currently implemented only for IPv4.   
                                                                                                                  
                                                                           A zero value means that no duplicate   
                                                                           address detection is performed, -1     
                                                                           means the default value (either the    
                                                                           value configured globally in           
                                                                           NetworkManger.conf or 200ms).  A value 
                                                                           greater than zero is a timeout in      
                                                                           milliseconds.  Note that the time      
                                                                           intervals are subject to randomization 
                                                                           as per RFC 5227 and so the actual      
                                                                           duration can be between half and the   
                                                                           full time specified in this property.  
   
    dhcp-client-id                string                                   A string sent to the DHCP server to    
                                                                           identify the local machine which the   
                                                                           DHCP server may use to customize the   
                                                                           DHCP lease and options. When the       
                                                                           property is a hex string ('aa:bb:cc')  
                                                                           it is interpreted as a binary client   
                                                                           ID, in which case the first byte is    
                                                                           assumed to be the 'type' field as per  
                                                                           RFC 2132 section 9.14 and the          
                                                                           remaining bytes may be an hardware     
                                                                           address (e.g. '01:xx:xx:xx:xx:xx:xx'   
                                                                           where 1 is the Ethernet ARP type and   
                                                                           the rest is a MAC address). If the     
                                                                           property is not a hex string it is     
                                                                           considered as a non-hardware-address   
                                                                           client ID and the 'type' field is set  
                                                                           to 0.                                  
                                                                                                                  
                                                                           The special values "mac" and           
                                                                           "perm-mac" are supported, which use    
                                                                           the current or permanent MAC address   
                                                                           of the device to generate a client     
                                                                           identifier with type ethernet (01).    
                                                                           Currently, these options only work for 
                                                                           ethernet type of links.                
                                                                                                                  
                                                                           The special value "ipv6-duid" uses the 
                                                                           DUID from "ipv6.dhcp-duid" property as 
                                                                           an RFC4361-compliant client            
                                                                           identifier. As IAID it uses            
                                                                           "ipv4.dhcp-iaid" and falls back to     
                                                                           "ipv6.dhcp-iaid" if unset.             
                                                                                                                  
                                                                           The special value "duid" generates a   
                                                                           RFC4361-compliant client identifier    
                                                                           based on "ipv4.dhcp-iaid" and uses a   
                                                                           DUID generated by hashing              
                                                                           /etc/machine-id.                       
                                                                                                                  
                                                                           The special value "stable" is          
                                                                           supported to generate a type 0 client  
                                                                           identifier based on the stable-id (see 
                                                                           connection.stable-id) and a per-host   
                                                                           key. If you set the stable-id, you may 
                                                                           want to include the "${DEVICE}" or     
                                                                           "${MAC}" specifier to get a per-device 
                                                                           key.                                   
                                                                                                                  
                                                                           The special value "none" prevents any  
                                                                           client identifier from being sent.     
                                                                           Note that this is normally not         
                                                                           recommended.                           
                                                                                                                  
                                                                           If unset, a globally configured        
                                                                           default from NetworkManager.conf is    
                                                                           used. If still unset, the default      
                                                                           depends on the DHCP plugin. The        
                                                                           internal dhcp client will default to   
                                                                           "mac" and the dhclient plugin will try 
                                                                           to use one from its config file if     
                                                                           present, or won't sent any client-id   │
   │                              │                          │               │ otherwise.                             │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dhcp-dscp                    │ string                   │               │ Specifies the value for the DSCP field │
   │                              │                          │               │ (traffic class) of the IP header. When │
   │                              │                          │               │ empty, the global default value is     │
   │                              │                          │               │ used; if no global default is          │
   │                              │                          │               │ specified, it is assumed to be "CS0".  │
   │                              │                          │               │ Allowed values are: "CS0", "CS4" and   │
   │                              │                          │               │ "CS6".                                 │
   │                              │                          │               │                                        │
   │                              │                          │               │ The property is currently valid only   │
   │                              │                          │               │ for IPv4, and it is supported only by  │
   │                              │                          │               │ the "internal" DHCP plugin.            │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dhcp-fqdn                    │ string                   │               │ If the "dhcp-send-hostname" property   │
   │                              │                          │               │ is TRUE, then the specified FQDN will  │
   │                              │                          │               │ be sent to the DHCP server when        │
   │                              │                          │               │ acquiring a lease. This property and   │
   │                              │                          │               │ "dhcp-hostname" are mutually exclusive │
   │                              │                          │               │ and cannot be set at the same time.    │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dhcp-hostname                │ string                   │               │ If the "dhcp-send-hostname" property   │
   │                              │                          │               │ is TRUE, then the specified name will  │
   │                              │                          │               │ be sent to the DHCP server when        │
   │                              │                          │               │ acquiring a lease. This property and   │
   │                              │                          │               │ "dhcp-fqdn" are mutually exclusive and │
   │                              │                          │               │ cannot be set at the same time.        │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dhcp-hostname-flags          │ uint32                   │ 0             │ Flags for the DHCP hostname and FQDN.  │
   │                              │                          │               │                                        │
   │                              │                          │               │ Currently, this property only includes │
   │                              │                          │               │ flags to control the FQDN flags set in │
   │                              │                          │               │ the DHCP FQDN option. Supported FQDN   │
   │                              │                          │               │ flags are 0x1 (fqdn-serv-update), 0x2  │
   │                              │                          │               │ (fqdn-encoded) and 0x4                 │
   │                              │                          │               │ (fqdn-no-update).  When no FQDN flag   │
   │                              │                          │               │ is set and 0x8 (fqdn-clear-flags) is   │
   │                              │                          │               │ set, the DHCP FQDN option will contain │
   │                              │                          │               │ no flag. Otherwise, if no FQDN flag is │
   │                              │                          │               │ set and 0x8 (fqdn-clear-flags) is not  │
   │                              │                          │               │ set, the standard FQDN flags are set   │
   │                              │                          │               │ in the request: 0x1                    │
   │                              │                          │               │ (fqdn-serv-update), 0x2 (fqdn-encoded) │
   │                              │                          │               │ for IPv4 and 0x1 (fqdn-serv-update)    │
   │                              │                          │               │ for IPv6.                              │
   │                              │                          │               │                                        │
   │                              │                          │               │ When this property is set to the       │
   │                              │                          │               │ default value 0x0 (none), a global     │
   │                              │                          │               │ default is looked up in NetworkManager │
   │                              │                          │               │ configuration. If that value is unset  │
   │                              │                          │               │ or also 0x0 (none), then the standard  │
   │                              │                          │               │ FQDN flags described above are sent in │
   │                              │                          │               │ the DHCP requests.                     │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dhcp-iaid                    │ string                   │               │ A string containing the "Identity      │
   │                              │                          │               │ Association Identifier" (IAID) used by │
   │                              │                          │               │ the DHCP client. The string can be a   │
   │                              │                          │               │ 32-bit number (either decimal,         │
   │                              │                          │               │ hexadecimal or as colon separated      │
   │                              │                          │               │ hexadecimal numbers). Alternatively it │
   │                              │                          │               │ can be set to the special values       │
   │                              │                          │               │ "mac", "perm-mac", "ifname" or         │
   │                              │                          │               │ "stable". When set to "mac" (or        │
   │                              │                          │               │ "perm-mac"), the last 4 bytes of the   │
   │                              │                          │               │ current (or permanent) MAC address are │
   │                              │                          │               │ used as IAID. When set to "ifname",    │
   │                              │                          │               │ the IAID is computed by hashing the    │
   │                              │                          │               │ interface name. The special value      │
   │                              │                          │               │ "stable" can be used to generate an    │
   │                              │                          │               │ IAID based on the stable-id (see       │
   │                              │                          │               │ connection.stable-id), a per-host key  │
   │                              │                          │               │ and the interface name. When the       │
   │                              │                          │               │ property is unset, the value from      │
   │                              │                          │               │ global configuration is used; if no    │
   │                              │                          │               │ global default is set then the IAID is │
   │                              │                          │               │ assumed to be "ifname".                │
   │                              │                          │               │                                        │
   │                              │                          │               │ For DHCPv4, the IAID is only used with │
   │                              │                          │               │ "ipv4.dhcp-client-id" values "duid"    │
   │                              │                          │               │ and "ipv6-duid" to generate the        │
   │                              │                          │               │ client-id.                             │
   │                              │                          │               │                                        │
   │                              │                          │               │ For DHCPv6, note that at the moment    │
   │                              │                          │               │ this property is only supported by the │
   │                              │                          │               │ "internal" DHCPv6 plugin. The          │
   │                              │                          │               │ "dhclient" DHCPv6 plugin always        │
   │                              │                          │               │ derives the IAID from the MAC address. │
   │                              │                          │               │                                        │
   │                              │                          │               │ The actually used DHCPv6 IAID for a    │
   │                              │                          │               │ currently activated interface is       │
   │                              │                          │               │ exposed in the lease information of    │
   │                              │                          │               │ the device.                            │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dhcp-ipv6-only-preferred     │ int32                    │ -1            │ Controls the "IPv6-Only Preferred"     │
   │                              │                          │               │ DHCPv4 option (RFC 8925).              │
   │                              │                          │               │                                        │
   │                              │                          │               │ When set to 1 (yes), the host adds the │
   │                              │                          │               │ option to the parameter request list;  │
   │                              │                          │               │ if the DHCP server sends the option    │
   │                              │                          │               │ back, the host stops the DHCP client   │
   │                              │                          │               │ for the time interval specified in the │
   │                              │                          │               │ option.                                │
   │                              │                          │               │                                        │
   │                              │                          │               │ Enable this feature if the host        │
   │                              │                          │               │ supports an IPv6-only mode, i.e.       │
   │                              │                          │               │ either all applications are IPv6-only  │
   │                              │                          │               │ capable or there is a form of 464XLAT  │
   │                              │                          │               │ deployed.                              │
   │                              │                          │               │                                        │
   │                              │                          │               │ When set to -1 (default), the actual   │
   │                              │                          │               │ value is looked up in the global       │
   │                              │                          │               │ configuration; if not specified, it    │
   │                              │                          │               │ defaults to 0 (no).                    │
   │                              │                          │               │                                        │
   │                              │                          │               │ If the connection has IPv6 method set  │
   │                              │                          │               │ to "disabled", this property does not  │
   │                              │                          │               │ have effect and the "IPv6-Only         │
   │                              │                          │               │ Preferred" option is always disabled.  │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dhcp-reject-servers          │ array of string          │               │ Array of servers from which DHCP       │
   │                              │                          │               │ offers must be rejected. This property │
   │                              │                          │               │ is useful to avoid getting a lease     │
   │                              │                          │               │ from misconfigured or rogue servers.   │
   │                              │                          │               │                                        │
   │                              │                          │               │ For DHCPv4, each element must be an    │
   │                              │                          │               │ IPv4 address, optionally followed by a │
   │                              │                          │               │ slash and a prefix length (e.g.        │
   │                              │                          │               │ "192.168.122.0/24").                   │
   │                              │                          │               │                                        │
   │                              │                          │               │ This property is currently not         │
   │                              │                          │               │ implemented for DHCPv6.                │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dhcp-send-hostname           │ boolean                  │ TRUE          │ Since 1.52 this property is deprecated │
   │                              │                          │               │ and is only used as fallback value for │
   │                              │                          │               │ "dhcp-send-hostname-v2" if it's set to 
                                                                           'default'. This is only done to avoid  
                                                                           breaking existing configurations, the  
                                                                           new property should be used from now   
                                                                           on.                                    
                                                                                                                  
                                                                           This property is deprecated since      
                                                                           version 1.52.use the new version of    
                                                                           dhcp-send-hostname instead.            
   
    dhcp-send-hostname-v2         int32                     -1             If TRUE, a hostname is sent to the     
                                                                           DHCP server when acquiring a lease.    
                                                                           Some DHCP servers use this hostname to 
                                                                           update DNS databases, essentially      
                                                                           providing a static hostname for the    
                                                                           computer.  If the "dhcp-hostname"      
                                                                           property is NULL and this property is  
                                                                           TRUE, the current persistent hostname  
                                                                           of the computer is sent.               
                                                                                                                  
                                                                           The default value is -1 (default). In  
                                                                           this case the global value from        
                                                                           NetworkManager configuration is looked 
                                                                           up. If it's not set, the value from    │
   │                              │                          │               │ "dhcp-send-hostname", which defaults   │
   │                              │                          │               │ to TRUE, is used for backwards         │
   │                              │                          │               │ compatibility. In the future this will │
   │                              │                          │               │ change and, in absence of a global     │
   │                              │                          │               │ default, it will always fallback to    │
   │                              │                          │               │ TRUE.                                  │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dhcp-send-release            │ NMTernary (int32)        │               │ Whether the DHCP client will send      │
   │                              │                          │               │ RELEASE message when bringing the      │
   │                              │                          │               │ connection down. The default value is  │
   │                              │                          │               │ -1 (default). When the default value   │
   │                              │                          │               │ is specified, then the global value    │
   │                              │                          │               │ from NetworkManager configuration is   │
   │                              │                          │               │ looked up, if not set, it is           │
   │                              │                          │               │ considered as FALSE.                   │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dhcp-timeout                 │ int32                    │ 0             │ A timeout for a DHCP transaction in    │
   │                              │                          │               │ seconds. If zero (the default), a      │
   │                              │                          │               │ globally configured default is used.   │
   │                              │                          │               │ If still unspecified, a device         │
   │                              │                          │               │ specific timeout is used (usually 45   │
   │                              │                          │               │ seconds).                              │
   │                              │                          │               │                                        │
   │                              │                          │               │ Set to 2147483647 (MAXINT32) for       │
   │                              │                          │               │ infinity.                              │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dhcp-vendor-class-identifier │ string                   │               │ The Vendor Class Identifier DHCP       │
   │                              │                          │               │ option (60). Special characters in the │
   │                              │                          │               │ data string may be escaped using       │
   │                              │                          │               │ C-style escapes, nevertheless this     │
   │                              │                          │               │ property cannot contain nul bytes. If  │
   │                              │                          │               │ the per-profile value is unspecified   │
   │                              │                          │               │ (the default), a global connection     │
   │                              │                          │               │ default gets consulted. If still       │
   │                              │                          │               │ unspecified, the DHCP option is not    │
   │                              │                          │               │ sent to the server.                    │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dns                          │ array of uint32          │               │ Array of IP addresses of DNS servers   │
   │                              │                          │               │ (as network-byte-order integers)       │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dns-data                     │ array of strings         │               │ Array of DNS name servers. This        │
   │                              │                          │               │ replaces the deprecated "dns"          │
   │                              │                          │               │ property. Each name server can also    │
   │                              │                          │               │ contain a DoT server name.             │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dns-options                  │ array of string          │               │ Array of DNS options to be added to    │
   │                              │                          │               │ resolv.conf.                           │
   │                              │                          │               │                                        │
   │                              │                          │               │ NULL means that the options are unset  │
   │                              │                          │               │ and left at the default. In this case  │
   │                              │                          │               │ NetworkManager will use default        │
   │                              │                          │               │ options. This is distinct from an      │
   │                              │                          │               │ empty list of properties.              │
   │                              │                          │               │                                        │
   │                              │                          │               │ The following options are directly     │
   │                              │                          │               │ added to resolv.conf: "attempts",      │
   │                              │                          │               │ "debug", "edns0", "inet6",             │
   │                              │                          │               │ "ip6-bytestring", "ip6-dotint",        │
   │                              │                          │               │ "ndots", "no-aaaa", "no-check-names",  │
   │                              │                          │               │ "no-ip6-dotint", "no-reload",          │
   │                              │                          │               │ "no-tld-query", "rotate",              │
   │                              │                          │               │ "single-request",                      │
   │                              │                          │               │ "single-request-reopen", "timeout",    │
   │                              │                          │               │ "trust-ad", "use-vc". See the          │
   │                              │                          │               │ resolv.conf(5) man page for a detailed │
   │                              │                          │               │ description of these options.          │
   │                              │                          │               │                                        │
   │                              │                          │               │ In addition, NetworkManager supports   │
   │                              │                          │               │ the special options "_no-add-edns0"    │
   │                              │                          │               │ and "_no-add-trust-ad". They are not   │
   │                              │                          │               │ added to resolv.conf, and can be used  │
   │                              │                          │               │ to prevent the automatic addition of   │
   │                              │                          │               │ options "edns0" and "trust-ad" when    │
   │                              │                          │               │ using caching DNS plugins (see below). │
   │                              │                          │               │                                        │
   │                              │                          │               │ The "trust-ad" setting is only honored │
   │                              │                          │               │ if the profile contributes name        │
   │                              │                          │               │ servers to resolv.conf, and if all     │
   │                              │                          │               │ contributing profiles have "trust-ad"  │
   │                              │                          │               │ enabled.                               │
   │                              │                          │               │                                        │
   │                              │                          │               │ When using a caching DNS plugin        │
   │                              │                          │               │ (dnsmasq or systemd-resolved in        │
   │                              │                          │               │ NetworkManager.conf) then "edns0" and  │
   │                              │                          │               │ "trust-ad" are automatically added,    │
   │                              │                          │               │ unless "_no-add-edns0" and             │
   │                              │                          │               │ "_no-add-trust-ad" are present.        │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dns-priority                 │ int32                    │ 0             │ DNS servers priority.                  │
   │                              │                          │               │                                        │
   │                              │                          │               │ The relative priority for DNS servers  │
   │                              │                          │               │ specified by this setting.  A lower    │
   │                              │                          │               │ numerical value is better (higher      │
   │                              │                          │               │ priority).                             │
   │                              │                          │               │                                        │
   │                              │                          │               │ Negative values have the special       │
   │                              │                          │               │ effect of excluding other              │
   │                              │                          │               │ configurations with a greater          │
   │                              │                          │               │ numerical priority value; so in        │
   │                              │                          │               │ presence of at least one negative      │
   │                              │                          │               │ priority, only DNS servers from        │
   │                              │                          │               │ connections with the lowest priority   │
   │                              │                          │               │ value will be used. To avoid all DNS   │
   │                              │                          │               │ leaks, set the priority of the profile │
   │                              │                          │               │ that should be used to the most        │
   │                              │                          │               │ negative value of all active           │
   │                              │                          │               │ connections profiles.                  │
   │                              │                          │               │                                        │
   │                              │                          │               │ Zero selects a globally configured     │
   │                              │                          │               │ default value. If the latter is        │
   │                              │                          │               │ missing or zero too, it defaults to 50 │
   │                              │                          │               │ for VPNs (including WireGuard) and 100 │
   │                              │                          │               │ for other connections.                 │
   │                              │                          │               │                                        │
   │                              │                          │               │ Note that the priority is to order DNS │
   │                              │                          │               │ settings for multiple active           │
   │                              │                          │               │ connections.  It does not disambiguate │
   │                              │                          │               │ multiple DNS servers within the same   │
   │                              │                          │               │ connection profile.                    │
   │                              │                          │               │                                        │
   │                              │                          │               │ When multiple devices have             │
   │                              │                          │               │ configurations with the same priority, │
   │                              │                          │               │ VPNs will be considered first, then    │
   │                              │                          │               │ devices with the best (lowest metric)  │
   │                              │                          │               │ default route and then all other       │
   │                              │                          │               │ devices.                               │
   │                              │                          │               │                                        │
   │                              │                          │               │ When using dns=default, servers with   │
   │                              │                          │               │ higher priority will be on top of      │
   │                              │                          │               │ resolv.conf. To prioritize a given     │
   │                              │                          │               │ server over another one within the     │
   │                              │                          │               │ same connection, just specify them in  │
   │                              │                          │               │ the desired order. Note that commonly  │
   │                              │                          │               │ the resolver tries name servers in     │
   │                              │                          │               │ /etc/resolv.conf in the order listed,  │
   │                              │                          │               │ proceeding with the next server in the │
   │                              │                          │               │ list on failure. See for example the   │
   │                              │                          │               │ "rotate" option of the dns-options     │
   │                              │                          │               │ setting. If there are any negative DNS │
   │                              │                          │               │ priorities, then only name servers     │
   │                              │                          │               │ from the devices with that lowest      │
   │                              │                          │               │ priority will be considered.           │
   │                              │                          │               │                                        │
   │                              │                          │               │ When using a DNS resolver that         │
   │                              │                          │               │ supports Conditional Forwarding or     │
   │                              │                          │               │ Split DNS (with dns=dnsmasq or         │
   │                              │                          │               │ dns=systemd-resolved settings), each   │
   │                              │                          │               │ connection is used to query domains in │
   │                              │                          │               │ its search list. The search domains    │
   │                              │                          │               │ determine which name servers to ask,   │
   │                              │                          │               │ and the DNS priority is used to        │
   │                              │                          │               │ prioritize name servers based on the   │
   │                              │                          │               │ domain.  Queries for domains not       │
   │                              │                          │               │ present in any search list are routed  │
   │                              │                          │               │ through connections having the '~.'    │
   │                              │                          │               │ special wildcard domain, which is      │
   │                              │                          │               │ added automatically to connections     │
   │                              │                          │               │ with the default route (or can be      │
   │                              │                          │               │ added manually).  When multiple        │
   │                              │                          │               │ connections specify the same domain,   │
   │                              │                          │               │ the one with the best priority (lowest │
   │                              │                          │               │ numerical value) wins.  If a sub       │
   │                              │                          │               │ domain is configured on another        │
   │                              │                          │               │ interface it will be accepted          │
   │                              │                          │               │ regardless the priority, unless parent │
   │                              │                          │               │ domain on the other interface has a    │
   │                              │                          │               │ negative priority, which causes the    │
   │                              │                          │               │ sub domain to be shadowed. With Split  │
   │                              │                          │               │ DNS one can avoid undesired DNS leaks  │
   │                              │                          │               │ by properly configuring DNS priorities │
   │                              │                          │               │ and the search domains, so that only   │
   │                              │                          │               │ name servers of the desired interface  │
   │                              │                          │               │ are configured.                        │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ dns-search                   │ array of string          │               │ List of DNS search domains. Domains    │
   │                              │                          │               │ starting with a tilde ('~') are        │
   │                              │                          │               │ considered 'routing' domains and are   │
   │                              │                          │               │ used only to decide the interface over │
   │                              │                          │               │ which a query must be forwarded; they  │
   │                              │                          │               │ are not used to complete unqualified   │
   │                              │                          │               │ host names.                            │
   │                              │                          │               │                                        │
   │                              │                          │               │ When using a DNS plugin that supports  │
   │                              │                          │               │ Conditional Forwarding or Split DNS,   │
   │                              │                          │               │ then the search domains specify which  │
   │                              │                          │               │ name servers to query. This makes the  │
   │                              │                          │               │ behavior different from running with   │
   │                              │                          │               │ plain /etc/resolv.conf. For more       │
   │                              │                          │               │ information see also the dns-priority  │
   │                              │                          │               │ setting.                               │
   │                              │                          │               │                                        │
   │                              │                          │               │ When set on a profile that also        │
   │                              │                          │               │ enabled DHCP, the DNS search list      │
   │                              │                          │               │ received automatically (option 119 for │
   │                              │                          │               │ DHCPv4 and option 24 for DHCPv6) gets  │
   │                              │                          │               │ merged with the manual list. This can  │
   │                              │                          │               │ be prevented by setting                │
   │                              │                          │               │ "ignore-auto-dns". Note that if no DNS │
   │                              │                          │               │ searches are configured, the fallback  │
   │                              │                          │               │ will be derived from the domain from   │
   │                              │                          │               │ DHCP (option 15).                      │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ gateway                      │ string                   │               │ The gateway associated with this       │
   │                              │                          │               │ configuration. This is only meaningful │
   │                              │                          │               │ if "addresses" is also set.            │
   │                              │                          │               │                                        │
   │                              │                          │               │ Setting the gateway causes             │
   │                              │                          │               │ NetworkManager to configure a standard │
   │                              │                          │               │ default route with the gateway as next │
   │                              │                          │               │ hop. This is ignored if                │
   │                              │                          │               │ "never-default" is set. An alternative │
   │                              │                          │               │ is to configure the default route      │
   │                              │                          │               │ explicitly with a manual route and /0  │
   │                              │                          │               │ as prefix length.                      │
   │                              │                          │               │                                        │
   │                              │                          │               │ Note that the gateway usually          │
   │                              │                          │               │ conflicts with routing that            │
   │                              │                          │               │ NetworkManager configures for          │
   │                              │                          │               │ WireGuard interfaces, so usually it    │
   │                              │                          │               │ should not be set in that case. See    │
   │                              │                          │               │ "ip4-auto-default-route".              │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ ignore-auto-dns              │ boolean                  │ FALSE         │ When "method" is set to "auto" and     │
   │                              │                          │               │ this property to TRUE, automatically   │
   │                              │                          │               │ configured name servers and search     │
   │                              │                          │               │ domains are ignored and only name      │
   │                              │                          │               │ servers and search domains specified   │
   │                              │                          │               │ in the "dns" and "dns-search"          │
   │                              │                          │               │ properties, if any, are used.          │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ ignore-auto-routes           │ boolean                  │ FALSE         │ When "method" is set to "auto" and     │
   │                              │                          │               │ this property to TRUE, automatically   │
   │                              │                          │               │ configured routes are ignored and only │
   │                              │                          │               │ routes specified in the "routes"       │
   │                              │                          │               │ property, if any, are used.            │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ link-local                   │ int32                    │ 0             │ Enable and disable the IPv4 link-local │
   │                              │                          │               │ configuration independently of the     │
   │                              │                          │               │ ipv4.method configuration. This allows │
   │                              │                          │               │ a link-local address (169.254.x.y/16)  │
   │                              │                          │               │ to be obtained in addition to other    │
   │                              │                          │               │ addresses, such as those manually      │
   │                              │                          │               │ configured or obtained from a DHCP     │
   │                              │                          │               │ server.                                │
   │                              │                          │               │                                        │
   │                              │                          │               │ When set to "auto", the value is       │
   │                              │                          │               │ dependent on "ipv4.method". When set   │
   │                              │                          │               │ to "default", it honors the global     │
   │                              │                          │               │ connection default, before falling     │
   │                              │                          │               │ back to "auto". Note that if           │
   │                              │                          │               │ "ipv4.method" is "disabled", then link │
   │                              │                          │               │ local addressing is always disabled    │
   │                              │                          │               │ too. The default is "default". Since   │
   │                              │                          │               │ 1.52, when set to "fallback", a        │
   │                              │                          │               │ link-local address is obtained if no   │
   │                              │                          │               │ other IPv4 address is set.             │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ may-fail                     │ boolean                  │ TRUE          │ If TRUE, allow overall network         │
   │                              │                          │               │ configuration to proceed even if the   │
   │                              │                          │               │ configuration specified by this        │
   │                              │                          │               │ property times out.  Note that at      │
   │                              │                          │               │ least one IP configuration must        │
   │                              │                          │               │ succeed or overall network             │
   │                              │                          │               │ configuration will still fail.  For    │
   │                              │                          │               │ example, in IPv6-only networks,        │
   │                              │                          │               │ setting this property to TRUE on the   │
   │                              │                          │               │ NMSettingIP4Config allows the overall  │
   │                              │                          │               │ network configuration to succeed if    │
   │                              │                          │               │ IPv4 configuration fails but IPv6      │
   │                              │                          │               │ configuration completes successfully.  │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ method                       │ string                   │               │ IP configuration method.               │
   │                              │                          │               │                                        │
   │                              │                          │               │ NMSettingIP4Config and                 │
   │                              │                          │               │ NMSettingIP6Config both support        │
   │                              │                          │               │ "disabled", "auto", "manual", and      │
   │                              │                          │               │ "link-local". See the                  │
   │                              │                          │               │ subclass-specific documentation for    │
   │                              │                          │               │ other values.                          │
   │                              │                          │               │                                        │
   │                              │                          │               │ In general, for the "auto" method,     │
   │                              │                          │               │ properties such as "dns" and "routes"  │
   │                              │                          │               │ specify information that is added on   │
   │                              │                          │               │ to the information returned from       │
   │                              │                          │               │ automatic configuration.  The          │
   │                              │                          │               │ "ignore-auto-routes" and               │
   │                              │                          │               │ "ignore-auto-dns" properties modify    │
   │                              │                          │               │ this behavior.                         │
   │                              │                          │               │                                        │
   │                              │                          │               │ For methods that imply no upstream     │
   │                              │                          │               │ network, such as "shared" or           │
   │                              │                          │               │ "link-local", these properties must be │
   │                              │                          │               │ empty.                                 │
   │                              │                          │               │                                        │
   │                              │                          │               │ For IPv4 method "shared", the IP       │
   │                              │                          │               │ subnet can be configured by adding one │
   │                              │                          │               │ manual IPv4 address or otherwise       │
   │                              │                          │               │ 10.42.x.0/24 is chosen. Note that the  │
   │                              │                          │               │ shared method must be configured on    │
   │                              │                          │               │ the interface which shares the         │
   │                              │                          │               │ internet to a subnet, not on the       │
   │                              │                          │               │ uplink which is shared.                │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ never-default                │ boolean                  │ FALSE         │ If TRUE, this connection will never be │
   │                              │                          │               │ the default connection for this IP     │
   │                              │                          │               │ type, meaning it will never be         │
   │                              │                          │               │ assigned the default route by          │
   │                              │                          │               │ NetworkManager.                        │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ replace-local-rule           │ NMTernary (int32)        │               │ Connections will default to keep the   │
   │                              │                          │               │ autogenerated priority 0 local rule    │
   │                              │                          │               │ unless this setting is set to TRUE.    │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ required-timeout             │ int32                    │ -1            │ The minimum time interval in           │
   │                              │                          │               │ milliseconds for which dynamic IP      │
   │                              │                          │               │ configuration should be tried before   │
   │                              │                          │               │ the connection succeeds.               │
   │                              │                          │               │                                        │
   │                              │                          │               │ This property is useful for example if │
   │                              │                          │               │ both IPv4 and IPv6 are enabled and are │
   │                              │                          │               │ allowed to fail. Normally the          │
   │                              │                          │               │ connection succeeds as soon as one of  │
   │                              │                          │               │ the two address families completes; by │
   │                              │                          │               │ setting a required timeout for e.g.    │
   │                              │                          │               │ IPv4, one can ensure that even if IP6  │
   │                              │                          │               │ succeeds earlier than IPv4,            │
   │                              │                          │               │ NetworkManager waits some time for     │
   │                              │                          │               │ IPv4 before the connection becomes     │
   │                              │                          │               │ active.                                │
   │                              │                          │               │                                        │
   │                              │                          │               │ Note that if "may-fail" is FALSE for   │
   │                              │                          │               │ the same address family, this property │
   │                              │                          │               │ has no effect as NetworkManager needs  │
   │                              │                          │               │ to wait for the full DHCP timeout.     │
   │                              │                          │               │                                        │
   │                              │                          │               │ A zero value means that no required    │
   │                              │                          │               │ timeout is present, -1 means the       │
   │                              │                          │               │ default value (either configuration    │
   │                              │                          │               │ ipvx.required-timeout override or      │
   │                              │                          │               │ zero).                                 │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ route-data                   │ array of vardict         │               │ Array of IPv4 routes. Each route       │
   │                              │                          │               │ dictionary contains at least 'dest'    │
   │                              │                          │               │ and 'prefix' entries, containing the   │
   │                              │                          │               │ destination IP address as a string,    │
   │                              │                          │               │ and the prefix length as a uint32.     │
   │                              │                          │               │ Most routes will also have a           │
   │                              │                          │               │ 'next-hop' entry, containing the next  │
   │                              │                          │               │ hop IP address as a string. If the     │
   │                              │                          │               │ route has a 'metric' entry (containing │
   │                              │                          │               │ a uint32), that will be used as the    │
   │                              │                          │               │ metric for the route (otherwise NM     │
   │                              │                          │               │ will pick a default value appropriate  │
   │                              │                          │               │ to the device). Additional attributes  │
   │                              │                          │               │ may also exist on some routes.         │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ route-metric                 │ int64                    │ -1            │ The default metric for routes that     │
   │                              │                          │               │ don't explicitly specify a metric. The 
                                                                           default value -1 means that the metric 
                                                                           is chosen automatically based on the   
                                                                           device type. The metric applies to     
                                                                           dynamic routes, manual (static) routes 
                                                                           that don't have an explicit metric     │
   │                              │                          │               │ setting, address prefix routes, and    │
   │                              │                          │               │ the default route. Note that for IPv6, │
   │                              │                          │               │ the kernel accepts zero (0) but        │
   │                              │                          │               │ coerces it to 1024 (user default).     │
   │                              │                          │               │ Hence, setting this property to zero   │
   │                              │                          │               │ effectively mean setting it to 1024.   │
   │                              │                          │               │ For IPv4, zero is a regular value for  │
   │                              │                          │               │ the metric.                            │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ route-table                  │ uint32                   │ 0             │ Enable policy routing (source routing) │
   │                              │                          │               │ and set the routing table used when    │
   │                              │                          │               │ adding routes.                         │
   │                              │                          │               │                                        │
   │                              │                          │               │ This affects all routes, including     │
   │                              │                          │               │ device-routes, IPv4LL, DHCP, SLAAC,    │
   │                              │                          │               │ default-routes and static routes. But  │
   │                              │                          │               │ note that static routes can            │
   │                              │                          │               │ individually overwrite the setting by  │
   │                              │                          │               │ explicitly specifying a non-zero       │
   │                              │                          │               │ routing table.                         │
   │                              │                          │               │                                        │
   │                              │                          │               │ If the table setting is left at zero,  │
   │                              │                          │               │ it is eligible to be overwritten via   │
   │                              │                          │               │ global configuration. If the property  │
   │                              │                          │               │ is zero even after applying the global │
   │                              │                          │               │ configuration value, policy routing is │
   │                              │                          │               │ disabled for the address family of     │
   │                              │                          │               │ this connection.                       │
   │                              │                          │               │                                        │
   │                              │                          │               │ Policy routing disabled means that     │
   │                              │                          │               │ NetworkManager will add all routes to  │
   │                              │                          │               │ the main table (except static routes   │
   │                              │                          │               │ that explicitly configure a different  │
   │                              │                          │               │ table). Additionally, NetworkManager   │
   │                              │                          │               │ will not delete any extraneous routes  │
   │                              │                          │               │ from tables except the main table.     │
   │                              │                          │               │ This is to preserve backward           │
   │                              │                          │               │ compatibility for users who manage     │
   │                              │                          │               │ routing tables outside of              │
   │                              │                          │               │ NetworkManager.                        │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ routed-dns                   │ int32                    │ -1            │ Whether to add routes for DNS servers. │
   │                              │                          │               │ When enabled, NetworkManager adds a    │
   │                              │                          │               │ route for each DNS server that is      │
   │                              │                          │               │ associated with this connection either │
   │                              │                          │               │ statically (defined in the connection  │
   │                              │                          │               │ profile) or dynamically (for example,  │
   │                              │                          │               │ retrieved via DHCP). The route         │
   │                              │                          │               │ guarantees that the DNS server is      │
   │                              │                          │               │ reached via this interface. When set   │
   │                              │                          │               │ to -1 (default), the value from global │
   │                              │                          │               │ configuration is used; if no global    │
   │                              │                          │               │ default is defined, this feature is    │
   │                              │                          │               │ disabled.                              │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ routes                       │ array of array of uint32 │               │ Deprecated in favor of the             │
   │                              │                          │               │ 'route-data' property, but this can be │
   │                              │                          │               │ used for backward-compatibility with   │
   │                              │                          │               │ older daemons. Note that if you send   │
   │                              │                          │               │ this property the daemon will ignore   │
   │                              │                          │               │ 'route-data'.  Array of IPv4 route     │
   │                              │                          │               │ structures.  Each IPv4 route structure │
   │                              │                          │               │ is composed of 4 32-bit values; the    │
   │                              │                          │               │ first being the destination IPv4       │
   │                              │                          │               │ network or address (network byte       │
   │                              │                          │               │ order), the second the destination     │
   │                              │                          │               │ network or address prefix (1 - 32),    │
   │                              │                          │               │ the third being the next-hop (network  │
   │                              │                          │               │ byte order) if any, and the fourth     │
   │                              │                          │               │ being the route metric. If the metric  │
   │                              │                          │               │ is 0, NM will choose an appropriate    │
   │                              │                          │               │ default metric for the device. (There  │
   │                              │                          │               │ is no way to explicitly specify an     │
   │                              │                          │               │ actual metric of 0 with this           │
   │                              │                          │               │ property.)                             │
   ├──────────────────────────────┼──────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ routing-rules                │ array of 'a{sv}'                         Array of dictionaries for routing      
                                                                           rules. Each routing rule supports the  
                                                                           following options: action (y),         
                                                                           dport-end (q), dport-start (q), family 
                                                                           (i), from (s), from-len (y), fwmark    
                                                                           (u), fwmask (u), iifname (s), invert   
                                                                           (b), ipproto (s), oifname (s),         
                                                                           priority (u), sport-end (q),           
                                                                           sport-start (q), supress-prefixlength  
                                                                           (i), table (u), to (s), tos (y),       
                                                                           to-len (y), range-end (u), range-start 
                                                                           (u).                                   
   
    shared-dhcp-lease-time        int32                     0              This option allows you to specify a    
                                                                           custom DHCP lease time for the shared  
                                                                           connection method in seconds. The      
                                                                           value should be either a number        
                                                                           between 120 and 31536000 (one year) If 
                                                                           this option is not specified, 3600     
                                                                           (one hour) is used.                    
                                                                                                                  
                                                                           Special values are 0 for default value 
                                                                           of 1 hour and 2147483647 (MAXINT32)    
                                                                           for infinite lease time.               
   
    shared-dhcp-range             string                                   This option allows you to specify a    
                                                                           custom DHCP range for the shared       
                                                                           connection method. The value is        
                                                                           expected to be in                      
                                                                           `<START_ADDRESS>,<END_ADDRESS>`        
                                                                           format. The range should be part of    
                                                                           network set by ipv4.address option and 
                                                                           it should not contain network address  
                                                                           or broadcast address. If this option   
                                                                           is not specified, the DHCP range will  
                                                                           be automatically determined based on   
                                                                           the interface address. The range will  
                                                                           be selected to be adjacent to the      
                                                                           interface address, either before or    
                                                                           after it, with the larger possible     
                                                                           range being preferred. The range will  
                                                                           be adjusted to fill the available      
                                                                           address space, except for networks     
                                                                           with a prefix length greater than 24,  
                                                                           which will be treated as if they have  
                                                                           a prefix length of 24.                 
   

ipv6 setting

   IPv6 Settings.
   
    Key Name                 Value Type                           Default Value  Value Description                                    
   
    addr-gen-mode            int32                                3              Configure the method for creating the                
                                                                                 IPv6 interface identifier of addresses               
                                                                                 for RFC4862 IPv6 Stateless Address                   
                                                                                 Autoconfiguration and IPv6 Link Local.               
                                                                                                                                      
                                                                                 The permitted values are: 0 (eui64), 1               
                                                                                 (stable-privacy). 2 (default-or-eui64)               
                                                                                 or 3 (default).                                      
                                                                                                                                      
                                                                                 If the property is set to "eui64", the               
                                                                                 addresses will be generated using the                
                                                                                 interface token derived from the                     
                                                                                 hardware address. This makes the host                
                                                                                 part of the address constant, making                 
                                                                                 it possible to track the host's                      │
   │                         │                                     │               │ presence when it changes networks. The               │
   │                         │                                     │               │ address changes when the interface                   │
   │                         │                                     │               │ hardware is replaced. If a duplicate                 │
   │                         │                                     │               │ address is detected, there is no                     │
   │                         │                                     │               │ fallback to generate another address.                │
   │                         │                                     │               │ When configured, the "ipv6.token" is                 │
   │                         │                                     │               │ used instead of the MAC address to                   │
   │                         │                                     │               │ generate addresses for stateless                     │
   │                         │                                     │               │ autoconfiguration.                                   │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ If the property is set to                            │
   │                         │                                     │               │ "stable-privacy", the interface                      │
   │                         │                                     │               │ identifier is generated as specified                 │
   │                         │                                     │               │ by RFC7217. This works by hashing a                  │
   │                         │                                     │               │ host specific key (see                               │
   │                         │                                     │               │ NetworkManager(8) manual), the                       │
   │                         │                                     │               │ interface name, the connection's                     
                                                                                 "connection.stable-id" property and                  
                                                                                 the address prefix.  This improves                   
                                                                                 privacy by making it harder to use the               
                                                                                 address to track the host's presence                 │
   │                         │                                     │               │ as every prefix and network has a                    │
   │                         │                                     │               │ different identifier. Also, the                      │
   │                         │                                     │               │ address is stable when the network                   │
   │                         │                                     │               │ interface hardware is replaced.                      │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ The special values "default" and                     │
   │                         │                                     │               │ "default-or-eui64" will fallback to                  │
   │                         │                                     │               │ the global connection default as                     │
   │                         │                                     │               │ documented in the                                    │
   │                         │                                     │               │ NetworkManager.conf(5) manual. If the                │
   │                         │                                     │               │ global default is not specified, the                 │
   │                         │                                     │               │ fallback value is "stable-privacy" or                │
   │                         │                                     │               │ "eui64", respectively.                               │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ For libnm, the property defaults to                  │
   │                         │                                     │               │ "default" since 1.40.  Previously it                 │
   │                         │                                     │               │ used to default to "stable-privacy".                 │
   │                         │                                     │               │ On D-Bus, the absence of an                          │
   │                         │                                     │               │ addr-gen-mode setting equals                         │
   │                         │                                     │               │ "default". For keyfile plugin, the                   │
   │                         │                                     │               │ absence of the setting on disk means                 │
   │                         │                                     │               │ "default-or-eui64" so that the                       │
   │                         │                                     │               │ property doesn't change on upgrade                   
                                                                                 from older versions.                                 
                                                                                                                                      
                                                                                 Note that this setting is distinct                   
                                                                                 from the Privacy Extensions as                       
                                                                                 configured by "ip6-privacy" property                 
                                                                                 and it does not affect the temporary                 
                                                                                 addresses configured with this option.               
   
    address-data             array of vardict                                    Array of IPv6 addresses. Each address                
                                                                                 dictionary contains at least 'address'               
                                                                                 and 'prefix' entries, containing the                 
                                                                                 IP address as a string, and the prefix               
                                                                                 length as a uint32. Additional                       
                                                                                 attributes may also exist on some                    
                                                                                 addresses.                                           
   
    addresses                array of legacy IPv6 address struct                 Deprecated in favor of the                           
                             (a(ayuay))                                          'address-data' and 'gateway'                         
                                                                                 properties, but this can be used for                 
                                                                                 backward-compatibility with older                    
                                                                                 daemons. Note that if you send this                  
                                                                                 property the daemon will ignore                      
                                                                                 'address-data' and 'gateway'.  Array                 
                                                                                 of IPv6 address structures.  Each IPv6               
                                                                                 address structure is composed of an                  
                                                                                 IPv6 address, a prefix length (0 -                   
                                                                                 128), and an IPv6 gateway address. The               
                                                                                 gateway may be zeroed out if no                      
                                                                                 gateway exists for that subnet.                      
   
    auto-route-ext-gw        NMTernary (int32)                                   VPN connections will default to add                  
                                                                                 the route automatically unless this                  
                                                                                 setting is set to FALSE.                             
                                                                                                                                      
                                                                                 For other connection types, adding                   
                                                                                 such an automatic route is currently                 
                                                                                 not supported and setting this to TRUE               
                                                                                 has no effect.                                       
   
    dad-timeout              int32                                -1             Maximum timeout in milliseconds used                 
                                                                                 to check for the presence of duplicate               
                                                                                 IP addresses on the network.  If an                  
                                                                                 address conflict is detected, the                    
                                                                                 activation will fail. The property is                
                                                                                 currently implemented only for IPv4.                 
                                                                                                                                      
                                                                                 A zero value means that no duplicate                 
                                                                                 address detection is performed, -1                   
                                                                                 means the default value (either the                  
                                                                                 value configured globally in                         
                                                                                 NetworkManger.conf or 200ms).  A value               
                                                                                 greater than zero is a timeout in                    
                                                                                 milliseconds.  Note that the time                    
                                                                                 intervals are subject to randomization               
                                                                                 as per RFC 5227 and so the actual                    
                                                                                 duration can be between half and the                 
                                                                                 full time specified in this property.                
   
    dhcp-dscp                string                                              Specifies the value for the DSCP field               
                                                                                 (traffic class) of the IP header. When               
                                                                                 empty, the global default value is                   
                                                                                 used; if no global default is                        
                                                                                 specified, it is assumed to be "CS0".                
                                                                                 Allowed values are: "CS0", "CS4" and                 
                                                                                 "CS6".                                               
                                                                                                                                      
                                                                                 The property is currently valid only                 
                                                                                 for IPv4, and it is supported only by                
                                                                                 the "internal" DHCP plugin.                          
   
    dhcp-duid                string                                              A string containing the DHCPv6 Unique                
                                                                                 Identifier (DUID) used by the dhcp                   
                                                                                 client to identify itself to DHCPv6                  
                                                                                 servers (RFC 3315). The DUID is                      
                                                                                 carried in the Client Identifier                     
                                                                                 option. If the property is a hex                     
                                                                                 string ('aa:bb:cc') it is interpreted                
                                                                                 as a binary DUID and filled as an                    
                                                                                 opaque value in the Client Identifier                
                                                                                 option.                                              
                                                                                                                                      
                                                                                 The special value "lease" will                       
                                                                                 retrieve the DUID previously used from               
                                                                                 the lease file belonging to the                      
                                                                                 connection. If no DUID is found and                  
                                                                                 "dhclient" is the configured dhcp                    
                                                                                 client, the DUID is searched in the                  
                                                                                 system-wide dhclient lease file. If                  
                                                                                 still no DUID is found, or another                   
                                                                                 dhcp client is used, a global and                    
                                                                                 permanent DUID-UUID (RFC 6355) will be               
                                                                                 generated based on the machine-id.                   
                                                                                                                                      
                                                                                 The special values "llt" and "ll" will               
                                                                                 generate a DUID of type LLT or LL (see               
                                                                                 RFC 3315) based on the current MAC                   
                                                                                 address of the device. In order to try               
                                                                                 providing a stable DUID-LLT, the time                
                                                                                 field will contain a constant                        
                                                                                 timestamp that is used globally (for                 
                                                                                 all profiles) and persisted to disk.                 
                                                                                                                                      
                                                                                 The special values "stable-llt",                     
                                                                                 "stable-ll" and "stable-uuid" will                   
                                                                                 generate a DUID of the corresponding                 
                                                                                 type, derived from the connection's                  │
   │                         │                                     │               │ stable-id and a per-host unique key.                 │
   │                         │                                     │               │ You may want to include the                          │
   │                         │                                     │               │ "${DEVICE}" or "${MAC}" specifier in                 │
   │                         │                                     │               │ the stable-id, in case this profile                  │
   │                         │                                     │               │ gets activated on multiple devices.                  │
   │                         │                                     │               │ So, the link-layer address of                        │
   │                         │                                     │               │ "stable-ll" and "stable-llt" will be a               │
   │                         │                                     │               │ generated address derived from the                   │
   │                         │                                     │               │ stable id. The DUID-LLT time value in                │
   │                         │                                     │               │ the "stable-llt" option will be picked               │
   │                         │                                     │               │ among a static timespan of three years               │
   │                         │                                     │               │ (the upper bound of the interval is                  │
   │                         │                                     │               │ the same constant timestamp used in                  │
   │                         │                                     │               │ "llt").                                              │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ When the property is unset, the global               │
   │                         │                                     │               │ value provided for "ipv6.dhcp-duid" is               │
   │                         │                                     │               │ used. If no global value is provided,                │
   │                         │                                     │               │ the default "lease" value is assumed.                │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dhcp-hostname           │ string                              │               │ If the "dhcp-send-hostname" property                 │
   │                         │                                     │               │ is TRUE, then the specified name will                │
   │                         │                                     │               │ be sent to the DHCP server when                      │
   │                         │                                     │               │ acquiring a lease. This property and                 │
   │                         │                                     │               │ "dhcp-fqdn" are mutually exclusive and               │
   │                         │                                     │               │ cannot be set at the same time.                      │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dhcp-hostname-flags     │ uint32                              │ 0             │ Flags for the DHCP hostname and FQDN.                │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Currently, this property only includes               │
   │                         │                                     │               │ flags to control the FQDN flags set in               │
   │                         │                                     │               │ the DHCP FQDN option. Supported FQDN                 │
   │                         │                                     │               │ flags are 0x1 (fqdn-serv-update), 0x2                │
   │                         │                                     │               │ (fqdn-encoded) and 0x4                               │
   │                         │                                     │               │ (fqdn-no-update).  When no FQDN flag                 │
   │                         │                                     │               │ is set and 0x8 (fqdn-clear-flags) is                 │
   │                         │                                     │               │ set, the DHCP FQDN option will contain               │
   │                         │                                     │               │ no flag. Otherwise, if no FQDN flag is               │
   │                         │                                     │               │ set and 0x8 (fqdn-clear-flags) is not                │
   │                         │                                     │               │ set, the standard FQDN flags are set                 │
   │                         │                                     │               │ in the request: 0x1                                  │
   │                         │                                     │               │ (fqdn-serv-update), 0x2 (fqdn-encoded)               │
   │                         │                                     │               │ for IPv4 and 0x1 (fqdn-serv-update)                  │
   │                         │                                     │               │ for IPv6.                                            │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ When this property is set to the                     │
   │                         │                                     │               │ default value 0x0 (none), a global                   │
   │                         │                                     │               │ default is looked up in NetworkManager               │
   │                         │                                     │               │ configuration. If that value is unset                │
   │                         │                                     │               │ or also 0x0 (none), then the standard                │
   │                         │                                     │               │ FQDN flags described above are sent in               │
   │                         │                                     │               │ the DHCP requests.                                   │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dhcp-iaid               │ string                              │               │ A string containing the "Identity                    │
   │                         │                                     │               │ Association Identifier" (IAID) used by               │
   │                         │                                     │               │ the DHCP client. The string can be a                 │
   │                         │                                     │               │ 32-bit number (either decimal,                       │
   │                         │                                     │               │ hexadecimal or as colon separated                    │
   │                         │                                     │               │ hexadecimal numbers). Alternatively it               │
   │                         │                                     │               │ can be set to the special values                     │
   │                         │                                     │               │ "mac", "perm-mac", "ifname" or                       │
   │                         │                                     │               │ "stable". When set to "mac" (or                      │
   │                         │                                     │               │ "perm-mac"), the last 4 bytes of the                 │
   │                         │                                     │               │ current (or permanent) MAC address are               │
   │                         │                                     │               │ used as IAID. When set to "ifname",                  │
   │                         │                                     │               │ the IAID is computed by hashing the                  │
   │                         │                                     │               │ interface name. The special value                    │
   │                         │                                     │               │ "stable" can be used to generate an                  │
   │                         │                                     │               │ IAID based on the stable-id (see                     │
   │                         │                                     │               │ connection.stable-id), a per-host key                │
   │                         │                                     │               │ and the interface name. When the                     │
   │                         │                                     │               │ property is unset, the value from                    │
   │                         │                                     │               │ global configuration is used; if no                  │
   │                         │                                     │               │ global default is set then the IAID is               │
   │                         │                                     │               │ assumed to be "ifname".                              │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ For DHCPv4, the IAID is only used with               │
   │                         │                                     │               │ "ipv4.dhcp-client-id" values "duid"                  │
   │                         │                                     │               │ and "ipv6-duid" to generate the                      │
   │                         │                                     │               │ client-id.                                           │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ For DHCPv6, note that at the moment                  │
   │                         │                                     │               │ this property is only supported by the               │
   │                         │                                     │               │ "internal" DHCPv6 plugin. The                        │
   │                         │                                     │               │ "dhclient" DHCPv6 plugin always                      │
   │                         │                                     │               │ derives the IAID from the MAC address.               │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ The actually used DHCPv6 IAID for a                  │
   │                         │                                     │               │ currently activated interface is                     │
   │                         │                                     │               │ exposed in the lease information of                  │
   │                         │                                     │               │ the device.                                          │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dhcp-pd-hint            │ string                              │               │ A IPv6 address followed by a slash and               │
   │                         │                                     │               │ a prefix length. If set, the value is                │
   │                         │                                     │               │ sent to the DHCPv6 server as hint                    │
   │                         │                                     │               │ indicating the prefix delegation                     │
   │                         │                                     │               │ (IA_PD) we want to receive. To only                  │
   │                         │                                     │               │ hint a prefix length without prefix,                 │
   │                         │                                     │               │ set the address part to the zero                     │
   │                         │                                     │               │ address (for example "::/60").                       │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dhcp-reject-servers     │ array of string                     │               │ Array of servers from which DHCP                     │
   │                         │                                     │               │ offers must be rejected. This property               │
   │                         │                                     │               │ is useful to avoid getting a lease                   │
   │                         │                                     │               │ from misconfigured or rogue servers.                 │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ For DHCPv4, each element must be an                  │
   │                         │                                     │               │ IPv4 address, optionally followed by a               │
   │                         │                                     │               │ slash and a prefix length (e.g.                      │
   │                         │                                     │               │ "192.168.122.0/24").                                 │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ This property is currently not                       │
   │                         │                                     │               │ implemented for DHCPv6.                              │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dhcp-send-hostname      │ boolean                             │ TRUE          │ Since 1.52 this property is deprecated               │
   │                         │                                     │               │ and is only used as fallback value for               │
   │                         │                                     │               │ "dhcp-send-hostname-v2" if it's set to               
                                                                                 'default'. This is only done to avoid                
                                                                                 breaking existing configurations, the                
                                                                                 new property should be used from now                 
                                                                                 on.                                                  
                                                                                                                                      
                                                                                 This property is deprecated since                    
                                                                                 version 1.52.use the new version of                  
                                                                                 dhcp-send-hostname instead.                          
   
    dhcp-send-hostname-v2    int32                                -1             If TRUE, a hostname is sent to the                   
                                                                                 DHCP server when acquiring a lease.                  
                                                                                 Some DHCP servers use this hostname to               
                                                                                 update DNS databases, essentially                    
                                                                                 providing a static hostname for the                  
                                                                                 computer.  If the "dhcp-hostname"                    
                                                                                 property is NULL and this property is                
                                                                                 TRUE, the current persistent hostname                
                                                                                 of the computer is sent.                             
                                                                                                                                      
                                                                                 The default value is -1 (default). In                
                                                                                 this case the global value from                      
                                                                                 NetworkManager configuration is looked               
                                                                                 up. If it's not set, the value from                  │
   │                         │                                     │               │ "dhcp-send-hostname", which defaults                 │
   │                         │                                     │               │ to TRUE, is used for backwards                       │
   │                         │                                     │               │ compatibility. In the future this will               │
   │                         │                                     │               │ change and, in absence of a global                   │
   │                         │                                     │               │ default, it will always fallback to                  │
   │                         │                                     │               │ TRUE.                                                │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dhcp-send-release       │ NMTernary (int32)                   │               │ Whether the DHCP client will send                    │
   │                         │                                     │               │ RELEASE message when bringing the                    │
   │                         │                                     │               │ connection down. The default value is                │
   │                         │                                     │               │ -1 (default). When the default value                 │
   │                         │                                     │               │ is specified, then the global value                  │
   │                         │                                     │               │ from NetworkManager configuration is                 │
   │                         │                                     │               │ looked up, if not set, it is                         │
   │                         │                                     │               │ considered as FALSE.                                 │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dhcp-timeout            │ int32                               │ 0             │ A timeout for a DHCP transaction in                  │
   │                         │                                     │               │ seconds. If zero (the default), a                    │
   │                         │                                     │               │ globally configured default is used.                 │
   │                         │                                     │               │ If still unspecified, a device                       │
   │                         │                                     │               │ specific timeout is used (usually 45                 │
   │                         │                                     │               │ seconds).                                            │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Set to 2147483647 (MAXINT32) for                     │
   │                         │                                     │               │ infinity.                                            │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dns                     │ array of byte array                 │               │ Array of IP addresses of DNS servers                 │
   │                         │                                     │               │ (in network byte order)                              │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dns-data                │ array of strings                    │               │ Array of DNS name servers. This                      │
   │                         │                                     │               │ replaces the deprecated "dns"                        │
   │                         │                                     │               │ property. Each name server can also                  │
   │                         │                                     │               │ contain a DoT server name.                           │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dns-options             │ array of string                     │               │ Array of DNS options to be added to                  │
   │                         │                                     │               │ resolv.conf.                                         │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ NULL means that the options are unset                │
   │                         │                                     │               │ and left at the default. In this case                │
   │                         │                                     │               │ NetworkManager will use default                      │
   │                         │                                     │               │ options. This is distinct from an                    │
   │                         │                                     │               │ empty list of properties.                            │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ The following options are directly                   │
   │                         │                                     │               │ added to resolv.conf: "attempts",                    │
   │                         │                                     │               │ "debug", "edns0", "inet6",                           │
   │                         │                                     │               │ "ip6-bytestring", "ip6-dotint",                      │
   │                         │                                     │               │ "ndots", "no-aaaa", "no-check-names",                │
   │                         │                                     │               │ "no-ip6-dotint", "no-reload",                        │
   │                         │                                     │               │ "no-tld-query", "rotate",                            │
   │                         │                                     │               │ "single-request",                                    │
   │                         │                                     │               │ "single-request-reopen", "timeout",                  │
   │                         │                                     │               │ "trust-ad", "use-vc". See the                        │
   │                         │                                     │               │ resolv.conf(5) man page for a detailed               │
   │                         │                                     │               │ description of these options.                        │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ In addition, NetworkManager supports                 │
   │                         │                                     │               │ the special options "_no-add-edns0"                  │
   │                         │                                     │               │ and "_no-add-trust-ad". They are not                 │
   │                         │                                     │               │ added to resolv.conf, and can be used                │
   │                         │                                     │               │ to prevent the automatic addition of                 │
   │                         │                                     │               │ options "edns0" and "trust-ad" when                  │
   │                         │                                     │               │ using caching DNS plugins (see below).               │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ The "trust-ad" setting is only honored               │
   │                         │                                     │               │ if the profile contributes name                      │
   │                         │                                     │               │ servers to resolv.conf, and if all                   │
   │                         │                                     │               │ contributing profiles have "trust-ad"                │
   │                         │                                     │               │ enabled.                                             │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ When using a caching DNS plugin                      │
   │                         │                                     │               │ (dnsmasq or systemd-resolved in                      │
   │                         │                                     │               │ NetworkManager.conf) then "edns0" and                │
   │                         │                                     │               │ "trust-ad" are automatically added,                  │
   │                         │                                     │               │ unless "_no-add-edns0" and                           │
   │                         │                                     │               │ "_no-add-trust-ad" are present.                      │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dns-priority            │ int32                               │ 0             │ DNS servers priority.                                │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ The relative priority for DNS servers                │
   │                         │                                     │               │ specified by this setting.  A lower                  │
   │                         │                                     │               │ numerical value is better (higher                    │
   │                         │                                     │               │ priority).                                           │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Negative values have the special                     │
   │                         │                                     │               │ effect of excluding other                            │
   │                         │                                     │               │ configurations with a greater                        │
   │                         │                                     │               │ numerical priority value; so in                      │
   │                         │                                     │               │ presence of at least one negative                    │
   │                         │                                     │               │ priority, only DNS servers from                      │
   │                         │                                     │               │ connections with the lowest priority                 │
   │                         │                                     │               │ value will be used. To avoid all DNS                 │
   │                         │                                     │               │ leaks, set the priority of the profile               │
   │                         │                                     │               │ that should be used to the most                      │
   │                         │                                     │               │ negative value of all active                         │
   │                         │                                     │               │ connections profiles.                                │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Zero selects a globally configured                   │
   │                         │                                     │               │ default value. If the latter is                      │
   │                         │                                     │               │ missing or zero too, it defaults to 50               │
   │                         │                                     │               │ for VPNs (including WireGuard) and 100               │
   │                         │                                     │               │ for other connections.                               │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Note that the priority is to order DNS               │
   │                         │                                     │               │ settings for multiple active                         │
   │                         │                                     │               │ connections.  It does not disambiguate               │
   │                         │                                     │               │ multiple DNS servers within the same                 │
   │                         │                                     │               │ connection profile.                                  │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ When multiple devices have                           │
   │                         │                                     │               │ configurations with the same priority,               │
   │                         │                                     │               │ VPNs will be considered first, then                  │
   │                         │                                     │               │ devices with the best (lowest metric)                │
   │                         │                                     │               │ default route and then all other                     │
   │                         │                                     │               │ devices.                                             │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ When using dns=default, servers with                 │
   │                         │                                     │               │ higher priority will be on top of                    │
   │                         │                                     │               │ resolv.conf. To prioritize a given                   │
   │                         │                                     │               │ server over another one within the                   │
   │                         │                                     │               │ same connection, just specify them in                │
   │                         │                                     │               │ the desired order. Note that commonly                │
   │                         │                                     │               │ the resolver tries name servers in                   │
   │                         │                                     │               │ /etc/resolv.conf in the order listed,                │
   │                         │                                     │               │ proceeding with the next server in the               │
   │                         │                                     │               │ list on failure. See for example the                 │
   │                         │                                     │               │ "rotate" option of the dns-options                   │
   │                         │                                     │               │ setting. If there are any negative DNS               │
   │                         │                                     │               │ priorities, then only name servers                   │
   │                         │                                     │               │ from the devices with that lowest                    │
   │                         │                                     │               │ priority will be considered.                         │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ When using a DNS resolver that                       │
   │                         │                                     │               │ supports Conditional Forwarding or                   │
   │                         │                                     │               │ Split DNS (with dns=dnsmasq or                       │
   │                         │                                     │               │ dns=systemd-resolved settings), each                 │
   │                         │                                     │               │ connection is used to query domains in               │
   │                         │                                     │               │ its search list. The search domains                  │
   │                         │                                     │               │ determine which name servers to ask,                 │
   │                         │                                     │               │ and the DNS priority is used to                      │
   │                         │                                     │               │ prioritize name servers based on the                 │
   │                         │                                     │               │ domain.  Queries for domains not                     │
   │                         │                                     │               │ present in any search list are routed                │
   │                         │                                     │               │ through connections having the '~.'                  │
   │                         │                                     │               │ special wildcard domain, which is                    │
   │                         │                                     │               │ added automatically to connections                   │
   │                         │                                     │               │ with the default route (or can be                    │
   │                         │                                     │               │ added manually).  When multiple                      │
   │                         │                                     │               │ connections specify the same domain,                 │
   │                         │                                     │               │ the one with the best priority (lowest               │
   │                         │                                     │               │ numerical value) wins.  If a sub                     │
   │                         │                                     │               │ domain is configured on another                      │
   │                         │                                     │               │ interface it will be accepted                        │
   │                         │                                     │               │ regardless the priority, unless parent               │
   │                         │                                     │               │ domain on the other interface has a                  │
   │                         │                                     │               │ negative priority, which causes the                  │
   │                         │                                     │               │ sub domain to be shadowed. With Split                │
   │                         │                                     │               │ DNS one can avoid undesired DNS leaks                │
   │                         │                                     │               │ by properly configuring DNS priorities               │
   │                         │                                     │               │ and the search domains, so that only                 │
   │                         │                                     │               │ name servers of the desired interface                │
   │                         │                                     │               │ are configured.                                      │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ dns-search              │ array of string                     │               │ List of DNS search domains. Domains                  │
   │                         │                                     │               │ starting with a tilde ('~') are                      │
   │                         │                                     │               │ considered 'routing' domains and are                 │
   │                         │                                     │               │ used only to decide the interface over               │
   │                         │                                     │               │ which a query must be forwarded; they                │
   │                         │                                     │               │ are not used to complete unqualified                 │
   │                         │                                     │               │ host names.                                          │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ When using a DNS plugin that supports                │
   │                         │                                     │               │ Conditional Forwarding or Split DNS,                 │
   │                         │                                     │               │ then the search domains specify which                │
   │                         │                                     │               │ name servers to query. This makes the                │
   │                         │                                     │               │ behavior different from running with                 │
   │                         │                                     │               │ plain /etc/resolv.conf. For more                     │
   │                         │                                     │               │ information see also the dns-priority                │
   │                         │                                     │               │ setting.                                             │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ When set on a profile that also                      │
   │                         │                                     │               │ enabled DHCP, the DNS search list                    │
   │                         │                                     │               │ received automatically (option 119 for               │
   │                         │                                     │               │ DHCPv4 and option 24 for DHCPv6) gets                │
   │                         │                                     │               │ merged with the manual list. This can                │
   │                         │                                     │               │ be prevented by setting                              │
   │                         │                                     │               │ "ignore-auto-dns". Note that if no DNS               │
   │                         │                                     │               │ searches are configured, the fallback                │
   │                         │                                     │               │ will be derived from the domain from                 │
   │                         │                                     │               │ DHCP (option 15).                                    │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ gateway                 │ string                              │               │ The gateway associated with this                     │
   │                         │                                     │               │ configuration. This is only meaningful               │
   │                         │                                     │               │ if "addresses" is also set.                          │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Setting the gateway causes                           │
   │                         │                                     │               │ NetworkManager to configure a standard               │
   │                         │                                     │               │ default route with the gateway as next               │
   │                         │                                     │               │ hop. This is ignored if                              │
   │                         │                                     │               │ "never-default" is set. An alternative               │
   │                         │                                     │               │ is to configure the default route                    │
   │                         │                                     │               │ explicitly with a manual route and /0                │
   │                         │                                     │               │ as prefix length.                                    │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Note that the gateway usually                        │
   │                         │                                     │               │ conflicts with routing that                          │
   │                         │                                     │               │ NetworkManager configures for                        │
   │                         │                                     │               │ WireGuard interfaces, so usually it                  │
   │                         │                                     │               │ should not be set in that case. See                  │
   │                         │                                     │               │ "ip4-auto-default-route".                            │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ ignore-auto-dns         │ boolean                             │ FALSE         │ When "method" is set to "auto" and                   │
   │                         │                                     │               │ this property to TRUE, automatically                 │
   │                         │                                     │               │ configured name servers and search                   │
   │                         │                                     │               │ domains are ignored and only name                    │
   │                         │                                     │               │ servers and search domains specified                 │
   │                         │                                     │               │ in the "dns" and "dns-search"                        │
   │                         │                                     │               │ properties, if any, are used.                        │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ ignore-auto-routes      │ boolean                             │ FALSE         │ When "method" is set to "auto" and                   │
   │                         │                                     │               │ this property to TRUE, automatically                 │
   │                         │                                     │               │ configured routes are ignored and only               │
   │                         │                                     │               │ routes specified in the "routes"                     │
   │                         │                                     │               │ property, if any, are used.                          │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ ip6-privacy             │ NMSettingIP6ConfigPrivacy (int32)   │               │ Configure IPv6 Privacy Extensions for                │
   │                         │                                     │               │ SLAAC, described in RFC4941.  If                     │
   │                         │                                     │               │ enabled, it makes the kernel generate                │
   │                         │                                     │               │ a temporary IPv6 address in addition                 │
   │                         │                                     │               │ to the public one generated from MAC                 │
   │                         │                                     │               │ address via modified EUI-64.  This                   │
   │                         │                                     │               │ enhances privacy, but could cause                    │
   │                         │                                     │               │ problems in some applications, on the                │
   │                         │                                     │               │ other hand.  The permitted values are:               │
   │                         │                                     │               │ -1: unknown, 0: disabled, 1: enabled                 │
   │                         │                                     │               │ (prefer public address), 2: enabled                  │
   │                         │                                     │               │ (prefer temporary addresses).                        │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Having a per-connection setting set to               │
   │                         │                                     │               │ "-1" (default) means fallback to                     │
   │                         │                                     │               │ global configuration                                 │
   │                         │                                     │               │ "ipv6.ip6-privacy". If it's also                     
                                                                                 unspecified or set to "-1", fallback                 
                                                                                 to read                                              
                                                                                 "/proc/sys/net/ipv6/conf/default/use_tempaddr".      
                                                                                                                                      
                                                                                 Note that this setting is distinct                   
                                                                                 from the Stable Privacy addresses that               
                                                                                 can be enabled with the                              
                                                                                 "addr-gen-mode" property's                           │
   │                         │                                     │               │ "stable-privacy" setting as another                  │
   │                         │                                     │               │ way of avoiding host tracking with                   │
   │                         │                                     │               │ IPv6 addresses.                                      │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ may-fail                │ boolean                             │ TRUE          │ If TRUE, allow overall network configuration to      │
   │                         │                                     │               │ proceed even if the configuration specified by       │
   │                         │                                     │               │ this property times out.  Note that at least         │
   │                         │                                     │               │ one IP configuration must succeed or overall         │
   │                         │                                     │               │ network configuration will still fail.  For          │
   │                         │                                     │               │ example, in IPv6-only networks, setting this         │
   │                         │                                     │               │ property to TRUE on the NMSettingIP4Config           │
   │                         │                                     │               │ allows the overall network configuration to          │
   │                         │                                     │               │ succeed if IPv4 configuration fails but IPv6         │
   │                         │                                     │               │ configuration completes successfully.                │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ method                  │ string                              │               │ IP configuration method.                             │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ NMSettingIP4Config and NMSettingIP6Config both       │
   │                         │                                     │               │ support "disabled", "auto", "manual", and            │
   │                         │                                     │               │ "link-local". See the subclass-specific              │
   │                         │                                     │               │ documentation for other values.                      │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ In general, for the "auto" method, properties        │
   │                         │                                     │               │ such as "dns" and "routes" specify information       │
   │                         │                                     │               │ that is added on to the information returned         │
   │                         │                                     │               │ from automatic configuration.  The                   │
   │                         │                                     │               │ "ignore-auto-routes" and "ignore-auto-dns"           │
   │                         │                                     │               │ properties modify this behavior.                     │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ For methods that imply no upstream network,          │
   │                         │                                     │               │ such as "shared" or "link-local", these              │
   │                         │                                     │               │ properties must be empty.                            │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ For IPv4 method "shared", the IP subnet can be       │
   │                         │                                     │               │ configured by adding one manual IPv4 address or      │
   │                         │                                     │               │ otherwise 10.42.x.0/24 is chosen. Note that the      │
   │                         │                                     │               │ shared method must be configured on the              │
   │                         │                                     │               │ interface which shares the internet to a             │
   │                         │                                     │               │ subnet, not on the uplink which is shared.           │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ mtu                     │ uint32                              │ 0             │ Maximum transmission unit size, in bytes. If         │
   │                         │                                     │               │ zero (the default), the MTU is set                   │
   │                         │                                     │               │ automatically from router advertisements or is       │
   │                         │                                     │               │ left equal to the link-layer MTU. If greater         │
   │                         │                                     │               │ than the link-layer MTU, or greater than zero        │
   │                         │                                     │               │ but less than the minimum IPv6 MTU of 1280,          │
   │                         │                                     │               │ this value has no effect.                            │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ never-default           │ boolean                             │ FALSE         │ If TRUE, this connection will never be the           │
   │                         │                                     │               │ default connection for this IP type, meaning it      │
   │                         │                                     │               │ will never be assigned the default route by          │
   │                         │                                     │               │ NetworkManager.                                      │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ ra-timeout              │ int32                               │ 0             │ A timeout for waiting Router Advertisements in       │
   │                         │                                     │               │ seconds. If zero (the default), a globally           │
   │                         │                                     │               │ configured default is used. If still                 │
   │                         │                                     │               │ unspecified, the timeout depends on the sysctl       │
   │                         │                                     │               │ settings of the device.                              │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Set to 2147483647 (MAXINT32) for infinity.           │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ replace-local-rule      │ NMTernary (int32)                   │               │ Connections will default to keep the                 │
   │                         │                                     │               │ autogenerated priority 0 local rule unless this      │
   │                         │                                     │               │ setting is set to TRUE.                              │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ required-timeout        │ int32                               │ -1            │ The minimum time interval in milliseconds for        │
   │                         │                                     │               │ which dynamic IP configuration should be tried       │
   │                         │                                     │               │ before the connection succeeds.                      │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ This property is useful for example if both          │
   │                         │                                     │               │ IPv4 and IPv6 are enabled and are allowed to         │
   │                         │                                     │               │ fail. Normally the connection succeeds as soon       │
   │                         │                                     │               │ as one of the two address families completes;        │
   │                         │                                     │               │ by setting a required timeout for e.g. IPv4,         │
   │                         │                                     │               │ one can ensure that even if IP6 succeeds             │
   │                         │                                     │               │ earlier than IPv4, NetworkManager waits some         │
   │                         │                                     │               │ time for IPv4 before the connection becomes          │
   │                         │                                     │               │ active.                                              │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Note that if "may-fail" is FALSE for the same        │
   │                         │                                     │               │ address family, this property has no effect as       │
   │                         │                                     │               │ NetworkManager needs to wait for the full DHCP       │
   │                         │                                     │               │ timeout.                                             │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ A zero value means that no required timeout is       │
   │                         │                                     │               │ present, -1 means the default value (either          │
   │                         │                                     │               │ configuration ipvx.required-timeout override or      │
   │                         │                                     │               │ zero).                                               │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ route-data              │ array of vardict                    │               │ Array of IPv6 routes. Each route dictionary          │
   │                         │                                     │               │ contains at least 'dest' and 'prefix' entries,       │
   │                         │                                     │               │ containing the destination IP address as a           │
   │                         │                                     │               │ string, and the prefix length as a uint32. Most      │
   │                         │                                     │               │ routes will also have a 'next-hop' entry,            │
   │                         │                                     │               │ containing the next hop IP address as a string.      │
   │                         │                                     │               │ If the route has a 'metric' entry (containing a      │
   │                         │                                     │               │ uint32), that will be used as the metric for         │
   │                         │                                     │               │ the route (otherwise NM will pick a default          │
   │                         │                                     │               │ value appropriate to the device). Additional         │
   │                         │                                     │               │ attributes may also exist on some routes.            │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ route-metric            │ int64                               │ -1            │ The default metric for routes that don't             
                                                                                 explicitly specify a metric. The default value       
                                                                                 -1 means that the metric is chosen                   
                                                                                 automatically based on the device type. The          
                                                                                 metric applies to dynamic routes, manual             
                                                                                 (static) routes that don't have an explicit          │
   │                         │                                     │               │ metric setting, address prefix routes, and the       │
   │                         │                                     │               │ default route. Note that for IPv6, the kernel        │
   │                         │                                     │               │ accepts zero (0) but coerces it to 1024 (user        │
   │                         │                                     │               │ default). Hence, setting this property to zero       │
   │                         │                                     │               │ effectively mean setting it to 1024. For IPv4,       │
   │                         │                                     │               │ zero is a regular value for the metric.              │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ route-table             │ uint32                              │ 0             │ Enable policy routing (source routing) and set       │
   │                         │                                     │               │ the routing table used when adding routes.           │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ This affects all routes, including                   │
   │                         │                                     │               │ device-routes, IPv4LL, DHCP, SLAAC,                  │
   │                         │                                     │               │ default-routes and static routes. But note that      │
   │                         │                                     │               │ static routes can individually overwrite the         │
   │                         │                                     │               │ setting by explicitly specifying a non-zero          │
   │                         │                                     │               │ routing table.                                       │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ If the table setting is left at zero, it is          │
   │                         │                                     │               │ eligible to be overwritten via global                │
   │                         │                                     │               │ configuration. If the property is zero even          │
   │                         │                                     │               │ after applying the global configuration value,       │
   │                         │                                     │               │ policy routing is disabled for the address           │
   │                         │                                     │               │ family of this connection.                           │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Policy routing disabled means that                   │
   │                         │                                     │               │ NetworkManager will add all routes to the main       │
   │                         │                                     │               │ table (except static routes that explicitly          │
   │                         │                                     │               │ configure a different table). Additionally,          │
   │                         │                                     │               │ NetworkManager will not delete any extraneous        │
   │                         │                                     │               │ routes from tables except the main table. This       │
   │                         │                                     │               │ is to preserve backward compatibility for users      │
   │                         │                                     │               │ who manage routing tables outside of                 │
   │                         │                                     │               │ NetworkManager.                                      │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ routed-dns              │ int32                               │ -1            │ Whether to add routes for DNS servers. When          │
   │                         │                                     │               │ enabled, NetworkManager adds a route for each        │
   │                         │                                     │               │ DNS server that is associated with this              │
   │                         │                                     │               │ connection either statically (defined in the         │
   │                         │                                     │               │ connection profile) or dynamically (for              │
   │                         │                                     │               │ example, retrieved via DHCP). The route              │
   │                         │                                     │               │ guarantees that the DNS server is reached via        │
   │                         │                                     │               │ this interface. When set to -1 (default), the        │
   │                         │                                     │               │ value from global configuration is used; if no       │
   │                         │                                     │               │ global default is defined, this feature is           │
   │                         │                                     │               │ disabled.                                            │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ routes                  │ array of legacy IPv6 route struct   │               │ Deprecated in favor of the 'route-data'              │
   │                         │ (a(ayuayu))                         │               │ property, but this can be used for                   │
   │                         │                                     │               │ backward-compatibility with older daemons. Note      │
   │                         │                                     │               │ that if you send this property the daemon will       │
   │                         │                                     │               │ ignore 'route-data'.  Array of IPv6 route            │
   │                         │                                     │               │ structures.  Each IPv6 route structure is            │
   │                         │                                     │               │ composed of an IPv6 address, a prefix length (0      │
   │                         │                                     │               │ - 128), an IPv6 next hop address (which may be       │
   │                         │                                     │               │ zeroed out if there is no next hop), and a           │
   │                         │                                     │               │ metric. If the metric is 0, NM will choose an        │
   │                         │                                     │               │ appropriate default metric for the device.           │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ routing-rules           │ array of 'a{sv}'                    │               │ Array of dictionaries for routing rules. Each        │
   │                         │                                     │               │ routing rule supports the following options:         │
   │                         │                                     │               │ action (y), dport-end (q), dport-start (q),          │
   │                         │                                     │               │ family (i), from (s), from-len (y), fwmark (u),      │
   │                         │                                     │               │ fwmask (u), iifname (s), invert (b), ipproto         │
   │                         │                                     │               │ (s), oifname (s), priority (u), sport-end (q),       │
   │                         │                                     │               │ sport-start (q), supress-prefixlength (i),           │
   │                         │                                     │               │ table (u), to (s), tos (y), to-len (y),              │
   │                         │                                     │               │ range-end (u), range-start (u).                      │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ shared-dhcp-lease-time  │ int32                               │ 0             │ This option allows you to specify a custom DHCP      │
   │                         │                                     │               │ lease time for the shared connection method in       │
   │                         │                                     │               │ seconds. The value should be either a number         │
   │                         │                                     │               │ between 120 and 31536000 (one year) If this          │
   │                         │                                     │               │ option is not specified, 3600 (one hour) is          │
   │                         │                                     │               │ used.                                                │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Special values are 0 for default value of 1          │
   │                         │                                     │               │ hour and 2147483647 (MAXINT32) for infinite          │
   │                         │                                     │               │ lease time.                                          │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ shared-dhcp-range       │ string                              │               │ This option allows you to specify a custom DHCP      │
   │                         │                                     │               │ range for the shared connection method. The          │
   │                         │                                     │               │ value is expected to be in                           │
   │                         │                                     │               │ `<START_ADDRESS>,<END_ADDRESS>` format. The          │
   │                         │                                     │               │ range should be part of network set by               │
   │                         │                                     │               │ ipv4.address option and it should not contain        │
   │                         │                                     │               │ network address or broadcast address. If this        │
   │                         │                                     │               │ option is not specified, the DHCP range will be      │
   │                         │                                     │               │ automatically determined based on the interface      │
   │                         │                                     │               │ address. The range will be selected to be            │
   │                         │                                     │               │ adjacent to the interface address, either            │
   │                         │                                     │               │ before or after it, with the larger possible         │
   │                         │                                     │               │ range being preferred. The range will be             │
   │                         │                                     │               │ adjusted to fill the available address space,        │
   │                         │                                     │               │ except for networks with a prefix length             │
   │                         │                                     │               │ greater than 24, which will be treated as if         │
   │                         │                                     │               │ they have a prefix length of 24.                     │
   ├─────────────────────────┼─────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────┤
   │ temp-preferred-lifetime │ int32                               │ 0             │ The preferred lifetime of autogenerated              │
   │                         │                                     │               │ temporary addresses, in seconds.                     │
   │                         │                                     │               │                                                      │
   │                         │                                     │               │ Having a per-connection setting set to "0"           │
   │                         │                                     │               │ (default) means fallback to global                   │
   │                         │                                     │               │ configuration "ipv6.temp-preferred-lifetime"         │
   │                         │                                     │               │ setting". If it's also unspecified or set to         
                                                                                 "0", fallback to read                                
                                                                                 "/proc/sys/net/ipv6/conf/default/temp_prefered_lft". 
   
    temp-valid-lifetime      int32                                0              The valid lifetime of autogenerated temporary        
                                                                                 addresses, in seconds.                               
                                                                                                                                      
                                                                                 Having a per-connection setting set to "0" (default) 
                                                                                 means fallback to global configuration               
                                                                                 "ipv6.temp-valid-lifetime" setting". If it's also    │
   │                         │                                     │               │ unspecified or set to "0", fallback to read          │
   │                         │                                     │               │ "/proc/sys/net/ipv6/conf/default/temp_valid_lft".    
   
    token                    string                                              Configure the token for                              
                                                                                 draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6  
                                                                                 tokenized interface identifiers. Useful with eui64   
                                                                                 addr-gen-mode.                                       
                                                                                                                                      
                                                                                 When set, the token is used as IPv6 interface        
                                                                                 identifier instead of the hardware address. This     
                                                                                 only applies to addresses from stateless             
                                                                                 autoconfiguration, not to IPv6 link local addresses. 
   

ip-tunnel setting

   IP Tunneling Settings.
   
    Key Name             Value Type  Default Value  Value Description                      
   
    encapsulation-limit  uint32      0              How many additional levels of          
                                                    encapsulation are permitted to be      
                                                    prepended to packets. This property    
                                                    applies only to IPv6 tunnels. To       
                                                    disable this option, add 0x1           
                                                    (ip6-ign-encap-limit) to ip-tunnel     
                                                    flags.                                 
   
    flags                uint32      0              Tunnel flags. Currently, the following 
                                                    values are supported: 0x1              
                                                    (ip6-ign-encap-limit), 0x2             
                                                    (ip6-use-orig-tclass), 0x4             
                                                    (ip6-use-orig-flowlabel), 0x8          
                                                    (ip6-mip6-dev), 0x10                   
                                                    (ip6-rcv-dscp-copy), 0x20              
                                                    (ip6-use-orig-fwmark). They are valid  
                                                    only for IPv6 tunnels.                 
   
    flow-label           uint32      0              The flow label to assign to tunnel     
                                                    packets. This property applies only to 
                                                    IPv6 tunnels.                          
   
    fwmark               uint32      0              The fwmark value to assign to tunnel   
                                                    packets. This property can be set to a 
                                                    non zero value only on VTI and VTI6    
                                                    tunnels.                               
   
    input-key            string                     The key used for tunnel input packets; 
                                                    the property is valid only for certain 
                                                    tunnel modes (GRE, IP6GRE). If empty,  
                                                    no key is used.                        
   
    local                string                     The local endpoint of the tunnel; the  
                                                    value can be empty, otherwise it must  
                                                    contain an IPv4 or IPv6 address.       
   
    mode                 uint32      0              The tunneling mode. Valid values: 1    
                                                    (ipip), 2 (gre), 3 (sit), 4 (isatap),  
                                                    5 (vti), 6 (ip6ip6), 7 (ipip6), 8      
                                                    (ip6gre), 9 (vti6), 10 (gretap) and 11 
                                                    (ip6gretap)                            
   
    mtu                  uint32      0              If non-zero, only transmit packets of  
                                                    the specified size or smaller,         
                                                    breaking larger packets up into        
                                                    multiple fragments.                    
   
    output-key           string                     The key used for tunnel output         
                                                    packets; the property is valid only    
                                                    for certain tunnel modes (GRE,         
                                                    IP6GRE). If empty, no key is used.     
   
    parent               string                     If given, specifies the parent         
                                                    interface name or parent connection    
                                                    UUID the new device will be bound to   
                                                    so that tunneled packets will only be  
                                                    routed via that interface.             
   
    path-mtu-discovery   boolean     TRUE           Whether to enable Path MTU Discovery   
                                                    on this tunnel.                        
   
    remote               string                     The remote endpoint of the tunnel; the 
                                                    value must contain an IPv4 or IPv6     
                                                    address.                               
   
    tos                  uint32      0              The type of service (IPv4) or traffic  
                                                    class (IPv6) field to be set on        
                                                    tunneled packets.                      
   
    ttl                  uint32      0              The TTL to assign to tunneled packets. 
                                                    0 is a special value meaning that      
                                                    packets inherit the TTL value.         
   

ipvlan setting

   IPVLAN Settings.
   
    Key Name  Value Type  Default Value  Value Description                      
   
    mode      uint32      0              The IPVLAN mode. Valid values: 1 (l2), 
                                         2 (l3) and 3 (l3s).                    
   
    parent    string                     If given, specifies the parent         
                                         interface name or parent connection    
                                         UUID from which this IPVLAN interface  
                                         should be created. If this property is 
                                         not specified, the connection must     
                                         contain an "802-3-ethernet" setting    
                                         with a "mac-address" property.         
   
    private   boolean     FALSE          Whether the interface should be put in 
                                         private mode.                          
   
    vepa      boolean     FALSE          Whether the interface should be put in 
                                         VEPA mode.                             
   

macsec setting

   MACSec Settings.
   
    Key Name       Value Type                     Default Value  Value Description                      
   
    encrypt        boolean                        TRUE           Whether the transmitted traffic must   
                                                                 be encrypted.                          
   
    mka-cak        string                                        The pre-shared CAK (Connectivity       
                                                                 Association Key) for MACsec Key        
                                                                 Agreement. Must be a string of 32      
                                                                 hexadecimal characters.                
   
    mka-cak-flags  NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                 "mka-cak" property.                    
   
    mka-ckn        string                                        The pre-shared CKN                     
                                                                 (Connectivity-association Key Name)    
                                                                 for MACsec Key Agreement. Must be a    
                                                                 string of hexadecimal characters with  
                                                                 a even length between 2 and 64.        
   
    mode           int32                          0              Specifies how the CAK (Connectivity    
                                                                 Association Key) for MKA (MACsec Key   
                                                                 Agreement) is obtained.                
   
    offload        int32                          -1             Specifies the MACsec offload mode.     
                                                                                                        
                                                                 0 (off) disables MACsec offload.       
                                                                                                        
                                                                 1 (phy) and 2 (mac) request offload    
                                                                 respectively to the PHY or to the MAC; 
                                                                 if the selected mode is not available, 
                                                                 the connection will fail.              
                                                                                                        
                                                                 -1 (default) uses the global default   
                                                                 value specified in NetworkManager      
                                                                 configuration; if no global default is 
                                                                 defined, the built-in default is 0     
                                                                 (off).                                 
   
    parent         string                                        If given, specifies the parent         
                                                                 interface name or parent connection    
                                                                 UUID from which this MACSEC interface  
                                                                 should be created.  If this property   
                                                                 is not specified, the connection must  
                                                                 contain an "802-3-ethernet" setting    
                                                                 with a "mac-address" property.         
   
    port           int32                          1              The port component of the SCI (Secure  
                                                                 Channel Identifier), between 1 and     
                                                                 65534.                                 
   
    send-sci       boolean                        TRUE           Specifies whether the SCI (Secure      
                                                                 Channel Identifier) is included in     
                                                                 every packet.                          
   
    validation     int32                          2              Specifies the validation mode for      
                                                                 incoming frames.                       
   

macvlan setting

   MAC VLAN Settings.
   
    Key Name     Value Type  Default Value  Value Description                      
   
    mode         uint32      0              The macvlan mode, which specifies the  
                                            communication mechanism between        
                                            multiple macvlans on the same lower    
                                            device.                                
   
    parent       string                     If given, specifies the parent         
                                            interface name or parent connection    
                                            UUID from which this MAC-VLAN          
                                            interface should be created.  If this  
                                            property is not specified, the         
                                            connection must contain an             
                                            "802-3-ethernet" setting with a        
                                            "mac-address" property.                
   
    promiscuous  boolean     TRUE           Whether the parent interface should be 
                                            put in promiscuous mode (true by       
                                            default).                              
   
    tap          boolean     FALSE          Whether the interface should be a      
                                            MACVTAP.                               
   

match setting

   Match settings.
   
    Key Name             Value Type       Default Value  Value Description                      
   
    driver               array of string                 A list of driver names to match. Each  
                                                         element is a shell wildcard pattern.   
                                                                                                
                                                         See NMSettingMatch:interface-name for  
                                                         how special characters '|', '&', '!'   
                                                         and '\\' are used for optional and     
                                                         mandatory matches and inverting the    
                                                         pattern.                               
   
    interface-name       array of string                 A list of interface names to match.    
                                                         Each element is a shell wildcard       
                                                         pattern.                               
                                                                                                
                                                         An element can be prefixed with a pipe 
                                                         symbol (|) or an ampersand (&). The    
                                                         former means that the element is       
                                                         optional and the latter means that it  
                                                         is mandatory. If there are any         
                                                         optional elements, than the match      
                                                         evaluates to true if at least one of   
                                                         the optional element matches (logical  
                                                         OR). If there are any mandatory        
                                                         elements, then they all must match     
                                                         (logical AND). By default, an element  
                                                         is optional. This means that an        
                                                         element "foo" behaves the same as      
                                                         "|foo". An element can also be         
                                                         inverted with exclamation mark (!)     
                                                         between the pipe symbol (or the        
                                                         ampersand) and before the pattern.     
                                                         Note that "!foo" is a shortcut for the 
                                                         mandatory match "&!foo". Finally, a    
                                                         backslash can be used at the beginning 
                                                         of the element (after the optional     
                                                         special characters) to escape the      
                                                         start of the pattern. For example,     
                                                         "&\\!a" is an mandatory match for      
                                                         literally "!a".                        
   
    kernel-command-line  array of string                 A list of kernel command line          
                                                         arguments to match. This may be used   
                                                         to check whether a specific kernel     
                                                         command line option is set (or unset,  
                                                         if prefixed with the exclamation       
                                                         mark). The argument must either be a   
                                                         single word, or an assignment (i.e.    
                                                         two words, joined by "="). In the      
                                                         former case the kernel command line is 
                                                         searched for the word appearing as is, 
                                                         or as left hand side of an assignment. 
                                                         In the latter case, the exact          
                                                         assignment is looked for with right    
                                                         and left hand side matching. Wildcard  
                                                         patterns are not supported.            
                                                                                                
                                                         See NMSettingMatch:interface-name for  
                                                         how special characters '|', '&', '!'   
                                                         and '\\' are used for optional and     
                                                         mandatory matches and inverting the    
                                                         match.                                 
   
    path                 array of string                 A list of paths to match against the   
                                                         ID_PATH udev property of devices.      
                                                         ID_PATH represents the topological     
                                                         persistent path of a device. It        
                                                         typically contains a subsystem string  
                                                         (pci, usb, platform, etc.) and a       
                                                         subsystem-specific identifier.         
                                                                                                
                                                         For PCI devices the path has the form  
                                                         "pci-$domain:$bus:$device.$function",  
                                                         where each variable is an hexadecimal  
                                                         value; for example "pci-0000:0a:00.0". 
                                                                                                
                                                         The path of a device can be obtained   
                                                         with "udevadm info /sys/class/net/$dev │
   │                     │                 │               │ | grep ID_PATH=" or by looking at the  
                                                         "path" property exported by            
                                                         NetworkManager ("nmcli -f general.path │
   │                     │                 │               │ device show $dev").                    
                                                                                                
                                                         Each element of the list is a shell    
                                                         wildcard pattern.                      
                                                                                                
                                                         See NMSettingMatch:interface-name for  
                                                         how special characters '|', '&', '!'   
                                                         and '\\' are used for optional and     
                                                         mandatory matches and inverting the    
                                                         pattern.                               
   

802-11-olpc-mesh setting

   OLPC Wireless Mesh Settings.
   
    Key Name              Value Type  Default Value  Value Description                      
   
    channel               uint32      0              Channel on which the mesh network to   
                                                     join is located.                       
   
    dhcp-anycast-address  byte array                 Anycast DHCP MAC address used when     
                                                     requesting an IP address via DHCP. The 
                                                     specific anycast address used          
                                                     determines which DHCP server class     
                                                     answers the request.                   
                                                                                            
                                                     This is currently only implemented by  
                                                     dhclient DHCP plugin.                  
   
    ssid                  byte array                 SSID of the mesh network to join.      
   

ovs-bridge setting

   OvsBridge Link Settings.
   
    Key Name               Value Type  Default Value  Value Description                     
   
    datapath-type          string                     The data path type. One of "system",  
                                                      "netdev" or empty.                    
   
    fail-mode              string                     The bridge failure mode. One of       
                                                      "secure", "standalone" or empty.      
   
    mcast-snooping-enable  boolean     FALSE          Enable or disable multicast snooping. 
   
    rstp-enable            boolean     FALSE          Enable or disable RSTP.               
   
    stp-enable             boolean     FALSE          Enable or disable STP.                
   

ovs-dpdk setting

   OvsDpdk Link Settings.
   
    Key Name    Value Type  Default Value  Value Description                      
   
    devargs     string                     Open vSwitch DPDK device arguments.    
   
    n-rxq       uint32      0              Open vSwitch DPDK number of rx queues. 
                                           Defaults to zero which means to leave  
                                           the parameter in OVS unspecified and   
                                           effectively configures one queue.      
   
    n-rxq-desc  uint32      0              The rx queue size (number of rx        
                                           descriptors) for DPDK ports. Must be   
                                           zero or a power of 2 between 1 and     
                                           4096, and supported by the hardware.   
                                           Defaults to zero which means to leave  
                                           the parameter in OVS unspecified and   
                                           effectively configures 2048            
                                           descriptors.                           
   
    n-txq-desc  uint32      0              The tx queue size (number of tx        
                                           descriptors) for DPDK ports. Must be   
                                           zero or a power of 2 between 1 and     
                                           4096, and supported by the hardware.   
                                           Defaults to zero which means to leave  
                                           the parameter in OVS unspecified and   
                                           effectively configures 2048            
                                           descriptors.                           
   

ovs-interface setting

   Open vSwitch Interface Settings.
   
    Key Name        Value Type  Default Value  Value Description                      
   
    ofport-request  uint32      0              Open vSwitch openflow port number.     
                                               Defaults to zero which means that port 
                                               number will not be specified and it    
                                               will be chosen randomly by ovs.        
                                               OpenFlow ports are the network         
                                               interfaces for passing packets between 
                                               OpenFlow processing and the rest of    
                                               the network. OpenFlow switches connect 
                                               logically to each other via their      
                                               OpenFlow ports.                        
   
    type            string                     The interface type. Either "internal", 
                                               "system", "patch", "dpdk", or empty.   
   

ovs-patch setting

   OvsPatch Link Settings.
   
    Key Name  Value Type  Default Value  Value Description                     
   
    peer      string                     Specifies the name of the interface   
                                         for the other side of the patch. The  
                                         patch on the other side must also set 
                                         this interface as peer.               
   

ovs-port setting

   OvsPort Link Settings.
   
    Key Name        Value Type        Default Value  Value Description                      
   
    bond-downdelay  uint32            0              The time port must be inactive in      
                                                     order to be considered down.           
   
    bond-mode       string                           Bonding mode. One of "active-backup",  
                                                     "balance-slb", or "balance-tcp".       
   
    bond-updelay    uint32            0              The time port must be active before it 
                                                     starts forwarding traffic.             
   
    lacp            string                           LACP mode. One of "active", "off", or  
                                                     "passive".                             
   
    tag             uint32            0              The VLAN tag in the range 0-4095.      
   
    trunks          array of vardict                 A list of VLAN ranges that this port   
                                                     trunks.                                
                                                                                            
                                                     The property is valid only for ports   
                                                     with mode "trunk", "native-tagged", or 
                                                     "native-untagged port". If it is       
                                                     empty, the port trunks all VLANs.      
   
    vlan-mode       string                           The VLAN mode. One of "access",        
                                                     "native-tagged", "native-untagged",    
                                                     "trunk", "dot1q-tunnel" or unset.      
   

ppp setting

   Point-to-Point Protocol Settings.
   
    Key Name           Value Type  Default Value  Value Description                      
   
    baud               uint32      0              If non-zero, instruct pppd to set the  
                                                  serial port to the specified baudrate. 
                                                  This value should normally be left as  
                                                  0 to automatically choose the speed.   
   
    crtscts            boolean     FALSE          If TRUE, specify that pppd should set  
                                                  the serial port to use hardware flow   
                                                  control with RTS and CTS signals.      
                                                  This value should normally be set to   
                                                  FALSE.                                 
   
    lcp-echo-failure   uint32      0              If non-zero, instruct pppd to presume  
                                                  the connection to the peer has failed  
                                                  if the specified number of LCP         
                                                  echo-requests go unanswered by the     
                                                  peer.  The "lcp-echo-interval"         
                                                  property must also be set to a         
                                                  non-zero value if this property is     
                                                  used.                                  
   
    lcp-echo-interval  uint32      0              If non-zero, instruct pppd to send an  
                                                  LCP echo-request frame to the peer     
                                                  every n seconds (where n is the        
                                                  specified value).  Note that some PPP  
                                                  peers will respond to echo requests    
                                                  and some will not, and it is not       
                                                  possible to autodetect this.           
   
    mppe-stateful      boolean     FALSE          If TRUE, stateful MPPE is used.  See   
                                                  pppd documentation for more            
                                                  information on stateful MPPE.          
   
    mru                uint32      0              If non-zero, instruct pppd to request  
                                                  that the peer send packets no larger   
                                                  than the specified size.  If non-zero, 
                                                  the MRU should be between 128 and      
                                                  16384.                                 
   
    mtu                uint32      0              If non-zero, instruct pppd to send     
                                                  packets no larger than the specified   
                                                  size.                                  
   
    no-vj-comp         boolean     FALSE          If TRUE, Van Jacobsen TCP header       
                                                  compression will not be requested.     
   
    noauth             boolean     TRUE           If TRUE, do not require the other side 
                                                  (usually the PPP server) to            
                                                  authenticate itself to the client.  If 
                                                  FALSE, require authentication from the 
                                                  remote side.  In almost all cases,     
                                                  this should be TRUE.                   
   
    nobsdcomp          boolean     FALSE          If TRUE, BSD compression will not be   
                                                  requested.                             
   
    nodeflate          boolean     FALSE          If TRUE, "deflate" compression will    
                                                  not be requested.                      
   
    refuse-chap        boolean     FALSE          If TRUE, the CHAP authentication       
                                                  method will not be used.               
   
    refuse-eap         boolean     FALSE          If TRUE, the EAP authentication method 
                                                  will not be used.                      
   
    refuse-mschap      boolean     FALSE          If TRUE, the MSCHAP authentication     
                                                  method will not be used.               
   
    refuse-mschapv2    boolean     FALSE          If TRUE, the MSCHAPv2 authentication   
                                                  method will not be used.               
   
    refuse-pap         boolean     FALSE          If TRUE, the PAP authentication method 
                                                  will not be used.                      
   
    require-mppe       boolean     FALSE          If TRUE, MPPE (Microsoft               
                                                  Point-to-Point Encryption) will be     
                                                  required for the PPP session.  If      
                                                  either 64-bit or 128-bit MPPE is not   
                                                  available the session will fail.  Note 
                                                  that MPPE is not used on mobile        
                                                  broadband connections.                 
   
    require-mppe-128   boolean     FALSE          If TRUE, 128-bit MPPE (Microsoft       
                                                  Point-to-Point Encryption) will be     
                                                  required for the PPP session, and the  
                                                  "require-mppe" property must also be   
                                                  set to TRUE.  If 128-bit MPPE is not   
                                                  available the session will fail.       
   

pppoe setting

   PPP-over-Ethernet Settings.
   
    Key Name        Value Type                     Default Value  Value Description                      
   
    parent          string                                        If given, specifies the parent         
                                                                  interface name on which this PPPoE     
                                                                  connection should be created.  If this 
                                                                  property is not specified, the         
                                                                  connection is activated on the         
                                                                  interface specified in                 
                                                                  "interface-name" of                    
                                                                  NMSettingConnection.                   
   
    password        string                                        Password used to authenticate with the 
                                                                  PPPoE service.                         
   
    password-flags  NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                  "password" property.                   
   
    service         string                                        If specified, instruct PPPoE to only   
                                                                  initiate sessions with access          
                                                                  concentrators that provide the         
                                                                  specified service.  For most           
                                                                  providers, this should be left blank.  
                                                                  It is only required if there are       
                                                                  multiple access concentrators or a     
                                                                  specific service is known to be        
                                                                  required.                              
   
    username        string                                        Username used to authenticate with the 
                                                                  PPPoE service.                         
   

proxy setting

   WWW Proxy Settings.
   
    Key Name      Value Type  Default Value  Value Description                      
   
    browser-only  boolean     FALSE          Whether the proxy configuration is for 
                                             browser only.                          
   
    method        int32       0              Method for proxy configuration,        
                                             Default is 0 (none)                    
   
    pac-script    string                     PAC script for the connection. This is 
                                             an UTF-8 encoded javascript code that  
                                             defines a FindProxyForURL() function.  
   
    pac-url       string                     PAC URL for obtaining PAC file.        
   

serial setting

   Serial Link Settings.
   
    Key Name    Value Type  Default Value  Value Description                      
   
    baud        uint32      57600          Speed to use for communication over    
                                           the serial port.  Note that this value 
                                           usually has no effect for mobile       
                                           broadband modems as they generally     
                                           ignore speed settings and use the      
                                           highest available speed.               
   
    bits        uint32      8              Byte-width of the serial               
                                           communication. The 8 in "8n1" for      
                                           example.                               
   
    parity      byte                       The connection parity: 69 (ASCII 'E')  
                                           for even parity, 111 (ASCII 'o') for   
                                           odd, 110 (ASCII 'n') for none.         
   
    send-delay  uint64      0              Time to delay between each byte sent   
                                           to the modem, in microseconds.         
   
    stopbits    uint32      1              Number of stop bits for communication  
                                           on the serial port.  Either 1 or 2.    
                                           The 1 in "8n1" for example.            
   

sriov setting

   SR-IOV settings.
   
    Key Name             Value Type         Default Value  Value Description                      
   
    autoprobe-drivers    NMTernary (int32)                 Whether to autoprobe virtual functions 
                                                           by a compatible driver.                
                                                                                                  
                                                           If set to 1 (true), the kernel will    
                                                           try to bind VFs to a compatible driver 
                                                           and if this succeeds a new network     
                                                           interface will be instantiated for     
                                                           each VF.                               
                                                                                                  
                                                           If set to 0 (false), VFs will not be   
                                                           claimed and no network interfaces will 
                                                           be created for them.                   
                                                                                                  
                                                           When set to -1 (default), the global   
                                                           default is used; in case the global    
                                                           default is unspecified it is assumed   
                                                           to be 1 (true).                        
   
    eswitch-encap-mode   int32              -1             Select the eswitch encapsulation       
                                                           support.                               
                                                                                                  
                                                           Currently it's only supported for PCI  │
   │                     │                   │               │ PF devices, and only if the eswitch    │
   │                     │                   │               │ device is managed from the same PCI    │
   │                     │                   │               │ address than the PF.                   │
   │                     │                   │               │                                        │
   │                     │                   │               │ If set to -1 (preserve) (default) the  │
   │                     │                   │               │ eswitch encap-mode won't be modified   
                                                           by NetworkManager.                     
   
    eswitch-inline-mode  int32              -1             Select the eswitch inline-mode of the  
                                                           device. Some HWs need the VF driver to 
                                                           put part of the packet headers on the  
                                                           TX descriptor so the e-switch can do   
                                                           proper matching and steering.          
                                                                                                  
                                                           Currently it's only supported for PCI  │
   │                     │                   │               │ PF devices, and only if the eswitch    │
   │                     │                   │               │ device is managed from the same PCI    │
   │                     │                   │               │ address than the PF.                   │
   │                     │                   │               │                                        │
   │                     │                   │               │ If set to -1 (preserve) (default) the  │
   │                     │                   │               │ eswitch inline-mode won't be modified  
                                                           by NetworkManager.                     
   
    eswitch-mode         int32              -1             Select the eswitch mode of the device. 
                                                           Currently it's only supported for PCI  │
   │                     │                   │               │ PF devices, and only if the eswitch    │
   │                     │                   │               │ device is managed from the same PCI    │
   │                     │                   │               │ address than the PF.                   │
   │                     │                   │               │                                        │
   │                     │                   │               │ If set to -1 (preserve) (default) the  │
   │                     │                   │               │ eswitch mode won't be modified by      
                                                           NetworkManager.                        
   
    total-vfs            uint32             0              The total number of virtual functions  
                                                           to create.                             
                                                                                                  
                                                           Note that when the sriov setting is    
                                                           present NetworkManager enforces the    
                                                           number of virtual functions on the     
                                                           interface (also when it is zero)       
                                                           during activation and resets it upon   
                                                           deactivation. To prevent any changes   
                                                           to SR-IOV parameters don't add a sriov │
   │                     │                   │               │ setting to the connection.             │
   ├─────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ vfs                 │ array of vardict  │               │ Array of virtual function descriptors. │
   │                     │                   │               │                                        │
   │                     │                   │               │ Each VF descriptor is a dictionary     │
   │                     │                   │               │ mapping attribute names to GVariant    │
   │                     │                   │               │ values. The 'index' entry is mandatory │
   │                     │                   │               │ for each VF.                           │
   │                     │                   │               │                                        │
   │                     │                   │               │ When represented as string a VF is in  │
   │                     │                   │               │ the form:                              │
   │                     │                   │               │                                        │
   │                     │                   │               │ "INDEX [ATTR=VALUE[ ATTR=VALUE]...]".  │
   │                     │                   │               │                                        │
   │                     │                   │               │ for example:                           │
   │                     │                   │               │                                        │
   │                     │                   │               │ "2 mac=00:11:22:33:44:55               │
   │                     │                   │               │ spoof-check=true".                     │
   │                     │                   │               │                                        │
   │                     │                   │               │ Multiple VFs can be specified using a  │
   │                     │                   │               │ comma as separator. Currently, the     │
   │                     │                   │               │ following attributes are supported:    │
   │                     │                   │               │ mac, spoof-check, trust, min-tx-rate,  │
   │                     │                   │               │ max-tx-rate, vlans.                    │
   │                     │                   │               │                                        │
   │                     │                   │               │ The "vlans" attribute is represented   │
   │                     │                   │               │ as a semicolon-separated list of VLAN  │
   │                     │                   │               │ descriptors, where each descriptor has │
   │                     │                   │               │ the form                               │
   │                     │                   │               │                                        │
   │                     │                   │               │ "ID[.PRIORITY[.PROTO]]".               │
   │                     │                   │               │                                        │
   │                     │                   │               │ PROTO can be either 'q' for 802.1Q     │
   │                     │                   │               │ (the default) or 'ad' for 802.1ad.     
   

tc setting

   Linux Traffic Control Settings.
   
    Key Name  Value Type        Default Value  Value Description                      
   
    qdiscs    array of vardict                 Array of TC queueing disciplines.      
                                                                                      
                                               When the "tc" setting is present,      
                                               qdiscs from this property are applied  
                                               upon activation. If the property is    
                                               empty, all qdiscs are removed and the  
                                               device will only have the default      
                                               qdisc assigned by kernel according to  
                                               the "net.core.default_qdisc" sysctl.   
                                                                                      
                                               If the "tc" setting is not present,    
                                               NetworkManager doesn't touch the       │
   │          │                  │               │ qdiscs present on the interface.       │
   ├──────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
   │ tfilters │ array of vardict │               │ Array of TC traffic filters.           │
   │          │                  │               │                                        │
   │          │                  │               │ When the "tc" setting is present,      │
   │          │                  │               │ filters from this property are applied │
   │          │                  │               │ upon activation. If the property is    │
   │          │                  │               │ empty, NetworkManager removes all the  │
   │          │                  │               │ filters.                               │
   │          │                  │               │                                        │
   │          │                  │               │ If the "tc" setting is not present,    │
   │          │                  │               │ NetworkManager doesn't touch the       
                                               filters present on the interface.      
   

team setting

   Teaming Settings.
   
    Key Name                     Value Type        Default Value  Value Description                      
   
    config                       string                           The JSON configuration for the team    
                                                                  network interface.  The property       
                                                                  should contain raw JSON configuration  
                                                                  data suitable for teamd, because the   
                                                                  value is passed directly to teamd. If  
                                                                  not specified, the default             
                                                                  configuration is used.  See man        
                                                                  teamd.conf for the format details.     
   
    interface-name               string                           Deprecated in favor of                 
                                                                  connection.interface-name, but can be  
                                                                  used for backward-compatibility with   
                                                                  older daemons, to set the team's       │
   │                             │                  │               │ interface name.                        │
   ├─────────────────────────────┼──────────────────┼───────────────┼────────────────────────────────────────┤
   │ link-watchers               │ array of vardict │               │ Link watchers configuration for the    │
   │                             │                  │               │ connection: each link watcher is       │
   │                             │                  │               │ defined by a dictionary, whose keys    │
   │                             │                  │               │ depend upon the selected link watcher. │
   │                             │                  │               │ Available link watchers are 'ethtool', │
   │                             │                  │               │ 'nsna_ping' and 'arp_ping' and it is   │
   │                             │                  │               │ specified in the dictionary with the   │
   │                             │                  │               │ key 'name'. Available keys are:        │
   │                             │                  │               │ ethtool: 'delay-up', 'delay-down',     │
   │                             │                  │               │ 'init-wait'; nsna_ping: 'init-wait',   │
   │                             │                  │               │ 'interval', 'missed-max',              │
   │                             │                  │               │ 'target-host'; arp_ping: all the ones  │
   │                             │                  │               │ in nsna_ping and 'source-host',        │
   │                             │                  │               │ 'validate-active',                     │
   │                             │                  │               │ 'validate-inactive', 'send-always'.    
                                                                  See teamd.conf man for more details.   
   
    mcast-rejoin-count           int32             -1             Corresponds to the teamd               
                                                                  mcast_rejoin.count.                    
   
    mcast-rejoin-interval        int32             -1             Corresponds to the teamd               
                                                                  mcast_rejoin.interval.                 
   
    notify-peers-count           int32             -1             Corresponds to the teamd               
                                                                  notify_peers.count.                    
   
    notify-peers-interval        int32             -1             Corresponds to the teamd               
                                                                  notify_peers.interval.                 
   
    runner                       string                           Corresponds to the teamd runner.name.  
                                                                  Permitted values are: "roundrobin",    
                                                                  "broadcast", "activebackup",           
                                                                  "loadbalance", "lacp", "random".       
   
    runner-active                boolean           TRUE           Corresponds to the teamd               
                                                                  runner.active.                         
   
    runner-agg-select-policy     string                           Corresponds to the teamd               
                                                                  runner.agg_select_policy.              
   
    runner-fast-rate             boolean           FALSE          Corresponds to the teamd               
                                                                  runner.fast_rate.                      
   
    runner-hwaddr-policy         string                           Corresponds to the teamd               
                                                                  runner.hwaddr_policy.                  
   
    runner-min-ports             int32             -1             Corresponds to the teamd               
                                                                  runner.min_ports.                      
   
    runner-sys-prio              int32             -1             Corresponds to the teamd               
                                                                  runner.sys_prio.                       
   
    runner-tx-balancer           string                           Corresponds to the teamd               
                                                                  runner.tx_balancer.name.               
   
    runner-tx-balancer-interval  int32             -1             Corresponds to the teamd               
                                                                  runner.tx_balancer.interval.           
   
    runner-tx-hash               array of string                  Corresponds to the teamd               
                                                                  runner.tx_hash.                        
   

team-port setting

   Team Port Settings.
   
    Key Name       Value Type        Default Value  Value Description                      
   
    config         string                           The JSON configuration for the team    
                                                    port. The property should contain raw  
                                                    JSON configuration data suitable for   
                                                    teamd, because the value is passed     
                                                    directly to teamd. If not specified,   
                                                    the default configuration is used. See 
                                                    man teamd.conf for the format details. 
   
    lacp-key       int32             -1             Corresponds to the teamd               
                                                    ports.PORTIFNAME.lacp_key.             
   
    lacp-prio      int32             -1             Corresponds to the teamd               
                                                    ports.PORTIFNAME.lacp_prio.            
   
    link-watchers  array of vardict                 Link watchers configuration for the    
                                                    connection: each link watcher is       
                                                    defined by a dictionary, whose keys    
                                                    depend upon the selected link watcher. 
                                                    Available link watchers are 'ethtool', 
                                                    'nsna_ping' and 'arp_ping' and it is   
                                                    specified in the dictionary with the   
                                                    key 'name'. Available keys are:        
                                                    ethtool: 'delay-up', 'delay-down',     
                                                    'init-wait'; nsna_ping: 'init-wait',   
                                                    'interval', 'missed-max',              
                                                    'target-host'; arp_ping: all the ones  
                                                    in nsna_ping and 'source-host',        
                                                    'validate-active',                     
                                                    'validate-inactive', 'send-always'.    
                                                    See teamd.conf man for more details.   
   
    prio           int32             0              Corresponds to the teamd               
                                                    ports.PORTIFNAME.prio.                 
   
    queue-id       int32             -1             Corresponds to the teamd               
                                                    ports.PORTIFNAME.queue_id. When set to 
                                                    -1 means the parameter is skipped from 
                                                    the json config.                       
   
    sticky         boolean           FALSE          Corresponds to the teamd               
                                                    ports.PORTIFNAME.sticky.               
   

tun setting

   Tunnel Settings.
   
    Key Name     Value Type  Default Value  Value Description                      
   
    group        string                     The group ID which will own the        
                                            device. If set to NULL everyone will   
                                            be able to use the device.             
   
    mode         uint32      1              The operating mode of the virtual      
                                            device. Allowed values are 1 (tun) to  
                                            create a layer 3 device and 2 (tap) to 
                                            create an Ethernet-like layer 2 one.   
   
    multi-queue  boolean     FALSE          If the property is set to TRUE, the    
                                            interface will support multiple file   
                                            descriptors (queues) to parallelize    
                                            packet sending or receiving.           
                                            Otherwise, the interface will only     
                                            support a single queue.                
   
    owner        string                     The user ID which will own the device. 
                                            If set to NULL everyone will be able   
                                            to use the device.                     
   
    pi           boolean     FALSE          If TRUE the interface will prepend a 4 
                                            byte header describing the physical    
                                            interface to the packets.              
   
    vnet-hdr     boolean     FALSE          If TRUE the IFF_VNET_HDR the tunnel    
                                            packets will include a virtio network  
                                            header.                                
   

user setting

   General User Profile Settings.
   
    Key Name  Value Type                Default Value  Value Description                      
   
    data      dict of string to string  {}             A dictionary of key/value pairs with   
                                                       user data. This data is ignored by     
                                                       NetworkManager and can be used at the  
                                                       users discretion. The keys only        
                                                       support a strict ascii format, but the 
                                                       values can be arbitrary UTF8 strings   
                                                       up to a certain length.                
   

vlan setting

   VLAN Settings.
   
    Key Name              Value Type            Default Value  Value Description                      
   
    egress-priority-map   array of string                      For outgoing packets, a list of        
                                                               mappings from Linux SKB priorities to  
                                                               802.1p priorities.  The mapping is     
                                                               given in the format "from:to" where    
                                                               both "from" and "to" are unsigned      
                                                               integers, ie "7:3".                    
   
    flags                 NMVlanFlags (uint32)                 One or more flags which control the    
                                                               behavior and features of the VLAN      
                                                               interface.  Flags include 0x1          
                                                               (reorder-headers) (reordering of       
                                                               output packet headers), 0x2 (gvrp)     
                                                               (use of the GVRP protocol), and 0x4    
                                                               (loose-binding) (loose binding of the  
                                                               interface to its controller device's   │
   │                      │                      │               │ operating state). 0x8 (mvrp) (use of   │
   │                      │                      │               │ the MVRP protocol).                    │
   │                      │                      │               │                                        │
   │                      │                      │               │ The default value of this property is  │
   │                      │                      │               │ NM_VLAN_FLAG_REORDER_HEADERS, but it   │
   │                      │                      │               │ used to be 0. To preserve backward     │
   │                      │                      │               │ compatibility, the default-value in    │
   │                      │                      │               │ the D-Bus API continues to be 0 and a  │
   │                      │                      │               │ missing property on D-Bus is still     │
   │                      │                      │               │ considered as 0.                       │
   ├──────────────────────┼──────────────────────┼───────────────┼────────────────────────────────────────┤
   │ id                   │ uint32               │ 0             │ The VLAN identifier that the interface │
   │                      │                      │               │ created by this connection should be   │
   │                      │                      │               │ assigned. The valid range is from 0 to │
   │                      │                      │               │ 4094, without the reserved id 4095.    │
   ├──────────────────────┼──────────────────────┼───────────────┼────────────────────────────────────────┤
   │ ingress-priority-map │ array of string      │               │ For incoming packets, a list of        │
   │                      │                      │               │ mappings from 802.1p priorities to     │
   │                      │                      │               │ Linux SKB priorities.  The mapping is  │
   │                      │                      │               │ given in the format "from:to" where    │
   │                      │                      │               │ both "from" and "to" are unsigned      │
   │                      │                      │               │ integers, ie "7:3".                    │
   ├──────────────────────┼──────────────────────┼───────────────┼────────────────────────────────────────┤
   │ interface-name       │ string               │               │ Deprecated in favor of                 │
   │                      │                      │               │ connection.interface-name, but can be  │
   │                      │                      │               │ used for backward-compatibility with   │
   │                      │                      │               │ older daemons, to set the vlan's       
                                                               interface name.                        
   
    parent                string                               If given, specifies the parent         
                                                               interface name or parent connection    
                                                               UUID from which this VLAN interface    
                                                               should be created.  If this property   
                                                               is not specified, the connection must  
                                                               contain an "802-3-ethernet" setting    
                                                               with a "mac-address" property.         
   
    protocol              string                               Specifies the VLAN protocol to use for 
                                                               encapsulation.                         
                                                                                                      
                                                               Supported values are: '802.1Q',        
                                                               '802.1ad'. If not specified the        
                                                               default value is '802.1Q'.             
   

vpn setting

   VPN Settings.
   
    Key Name      Value Type                Default Value  Value Description                      
   
    data          dict of string to string  {}             Dictionary of key/value pairs of VPN   
                                                           plugin specific data.  Both keys and   
                                                           values must be strings.                
   
    persistent    boolean                   FALSE          If the VPN service supports            
                                                           persistence, and this property is      
                                                           TRUE, the VPN will attempt to stay     
                                                           connected across link changes and      
                                                           outages, until explicitly              
                                                           disconnected.                          
   
    secrets       dict of string to string  {}             Dictionary of key/value pairs of VPN   
                                                           plugin specific secrets like passwords 
                                                           or private keys.  Both keys and values 
                                                           must be strings.                       
   
    service-type  string                                   D-Bus service name of the VPN plugin   
                                                           that this setting uses to connect to   
                                                           its network.  i.e.                     
                                                           org.freedesktop.NetworkManager.vpnc    
                                                           for the vpnc plugin.                   
   
    timeout       uint32                    0              Timeout for the VPN service to         
                                                           establish the connection. Some         
                                                           services may take quite a long time to 
                                                           connect. Value of 0 means a default    
                                                           timeout, which is 60 seconds (unless   
                                                           overridden by vpn.timeout in           
                                                           configuration file). Values greater    
                                                           than zero mean timeout in seconds.     
   
    user-name     string                                   If the VPN connection requires a user  
                                                           name for authentication, that name     
                                                           should be provided here.  If the       
                                                           connection is available to more than   
                                                           one user, and the VPN requires each    
                                                           user to supply a different name, then  
                                                           leave this property empty.  If this    
                                                           property is empty, NetworkManager will 
                                                           automatically supply the username of   
                                                           the user which requested the VPN       
                                                           connection.                            
   

vrf setting

   VRF settings.
   
    Key Name  Value Type  Default Value  Value Description               
   
    table     uint32      0              The routing table for this VRF. 
   

vxlan setting

   VXLAN Settings.
   
    Key Name          Value Type  Default Value  Value Description                      
   
    ageing            uint32      300            Specifies the lifetime in seconds of   
                                                 FDB entries learnt by the kernel.      
   
    destination-port  uint32      8472           Specifies the UDP destination port to  
                                                 communicate to the remote VXLAN tunnel 
                                                 endpoint.                              
   
    id                uint32      0              Specifies the VXLAN Network Identifier 
                                                 (or VXLAN Segment Identifier) to use.  
   
    l2-miss           boolean     FALSE          Specifies whether netlink LL ADDR miss 
                                                 notifications are generated.           
   
    l3-miss           boolean     FALSE          Specifies whether netlink IP ADDR miss 
                                                 notifications are generated.           
   
    learning          boolean     TRUE           Specifies whether unknown source link  
                                                 layer addresses and IP addresses are   
                                                 entered into the VXLAN device          
                                                 forwarding database.                   
   
    limit             uint32      0              Specifies the maximum number of FDB    
                                                 entries. A value of zero means that    
                                                 the kernel will store unlimited        
                                                 entries.                               
   
    local             string                     If given, specifies the source IP      
                                                 address to use in outgoing packets.    
   
    parent            string                     If given, specifies the parent         
                                                 interface name or parent connection    
                                                 UUID.                                  
   
    proxy             boolean     FALSE          Specifies whether ARP proxy is turned  
                                                 on.                                    
   
    remote            string                     Specifies the unicast destination IP   
                                                 address to use in outgoing packets     
                                                 when the destination link layer        
                                                 address is not known in the VXLAN      
                                                 device forwarding database, or the     
                                                 multicast IP address to join.          
   
    rsc               boolean     FALSE          Specifies whether route short circuit  
                                                 is turned on.                          
   
    source-port-max   uint32      0              Specifies the maximum UDP source port  
                                                 to communicate to the remote VXLAN     
                                                 tunnel endpoint.                       
   
    source-port-min   uint32      0              Specifies the minimum UDP source port  
                                                 to communicate to the remote VXLAN     
                                                 tunnel endpoint.                       
   
    tos               uint32      0              Specifies the TOS value to use in      
                                                 outgoing packets.                      
   
    ttl               uint32      0              Specifies the time-to-live value to    
                                                 use in outgoing packets.               
   

wifi-p2p setting

   Wi-Fi P2P Settings.
   
    Key Name    Value Type  Default Value  Value Description                      
   
    peer        string                     The P2P device that should be          
                                           connected to. Currently, this is the   
                                           only way to create or join a group.    
   
    wfd-ies     byte array                 The Wi-Fi Display (WFD) Information    
                                           Elements (IEs) to set.                 
                                                                                  
                                           Wi-Fi Display requires a protocol      
                                           specific information element to be set 
                                           in certain Wi-Fi frames. These can be  
                                           specified here for the purpose of      
                                           establishing a connection. This        
                                           setting is only useful when            
                                           implementing a Wi-Fi Display client.   
   
    wps-method  uint32      0              Flags indicating which mode of WPS is  
                                           to be used.                            
                                                                                  
                                           There's little point in changing the   
                                           default setting as NetworkManager will 
                                           automatically determine the best       
                                           method to use.                         
   

wimax setting

   WiMax Settings.
   
    Key Name      Value Type  Default Value  Value Description                      
   
    mac-address   byte array                 If specified, this connection will     
                                             only apply to the WiMAX device whose   
                                             MAC address matches. This property     
                                             does not change the MAC address of the 
                                             device (known as MAC spoofing).        
                                                                                    
                                             This property is deprecated since      
                                             version 1.2.WiMAX is no longer         
                                             supported.                             
   
    network-name  string                     Network Service Provider (NSP) name of 
                                             the WiMAX network this connection      
                                             should use.                            
                                                                                    
                                             This property is deprecated since      
                                             version 1.2.WiMAX is no longer         
                                             supported.                             
   

802-3-ethernet setting

   Wired Ethernet Settings.
   
    Key Name                   Value Type                Default Value  Value Description                      
   
    accept-all-mac-addresses   NMTernary (int32)                        When TRUE, setup the interface to      
                                                                        accept packets for all MAC addresses.  
                                                                        This is enabling the kernel interface  
                                                                        flag IFF_PROMISC. When FALSE, the      
                                                                        interface will only accept the packets 
                                                                        with the interface destination mac     
                                                                        address or broadcast.                  
   
    assigned-mac-address       string                                   The new field for the cloned MAC       
                                                                        address. It can be either a hardware   
                                                                        address in ASCII representation, or    
                                                                        one of the special values "preserve",  
                                                                        "permanent", "random" or "stable".     
                                                                        This field replaces the deprecated     
                                                                        "cloned-mac-address" on D-Bus, which   
                                                                        can only contain explicit hardware     
                                                                        addresses. Note that this property     
                                                                        only exists in D-Bus API. libnm and    
                                                                        nmcli continue to call this property   
                                                                        "cloned-mac-address".                  
   
    auto-negotiate             boolean                   FALSE          When TRUE, enforce auto-negotiation of 
                                                                        speed and duplex mode. If "speed" and  
                                                                        "duplex" properties are both           
                                                                        specified, only that single mode will  
                                                                        be advertised and accepted during the  
                                                                        link auto-negotiation process: this    
                                                                        works only for BASE-T 802.3            
                                                                        specifications and is useful for       
                                                                        enforcing gigabits modes, as in these  
                                                                        cases link negotiation is mandatory.   
                                                                        When FALSE, "speed" and "duplex"       
                                                                        properties should be both set or link  
                                                                        configuration will be skipped.         
   
    cloned-mac-address         byte array                               This D-Bus field is deprecated in      
                                                                        favor of "assigned-mac-address" which  
                                                                        is more flexible and allows specifying 
                                                                        special variants like "random". For    
                                                                        libnm and nmcli, this field is called  
                                                                        "cloned-mac-address".                  
   
    duplex                     string                                   When a value is set, either "half" or  
                                                                        "full", configures the device to use   
                                                                        the specified duplex mode. If          
                                                                        "auto-negotiate" is "yes" the          
                                                                        specified duplex mode will be the only 
                                                                        one advertised during link             
                                                                        negotiation: this works only for       
                                                                        BASE-T 802.3 specifications and is     
                                                                        useful for enforcing gigabits modes,   
                                                                        as in these cases link negotiation is  
                                                                        mandatory. If the value is unset (the  
                                                                        default), the link configuration will  
                                                                        be either skipped (if "auto-negotiate" 
                                                                        is "no", the default) or will be       
                                                                        auto-negotiated (if "auto-negotiate"   
                                                                        is "yes") and the local device will    
                                                                        advertise all the supported duplex     
                                                                        modes. Must be set together with the   
                                                                        "speed" property if specified. Before  
                                                                        specifying a duplex mode be sure your  
                                                                        device supports it.                    
   
    generate-mac-address-mask  string                                   With "cloned-mac-address" setting      
                                                                        "random" or "stable", by default all   
                                                                        bits of the MAC address are scrambled  
                                                                        and a locally-administered, unicast    
                                                                        MAC address is created. This property  
                                                                        allows to specify that certain bits    
                                                                        are fixed. Note that the least         
                                                                        significant bit of the first MAC       
                                                                        address will always be unset to create 
                                                                        a unicast MAC address.                 
                                                                                                               
                                                                        If the property is NULL, it is         
                                                                        eligible to be overwritten by a        
                                                                        default connection setting. If the     
                                                                        value is still NULL or an empty        
                                                                        string, the default is to create a     
                                                                        locally-administered, unicast MAC      
                                                                        address.                               
                                                                                                               
                                                                        If the value contains one MAC address, 
                                                                        this address is used as mask. The set  
                                                                        bits of the mask are to be filled with 
                                                                        the current MAC address of the device, 
                                                                        while the unset bits are subject to    
                                                                        randomization. Setting                 
                                                                        "FE:FF:FF:00:00:00" means to preserve  
                                                                        the OUI of the current MAC address and 
                                                                        only randomize the lower 3 bytes using 
                                                                        the "random" or "stable" algorithm.    
                                                                                                               
                                                                        If the value contains one additional   
                                                                        MAC address after the mask, this       
                                                                        address is used instead of the current 
                                                                        MAC address to fill the bits that      
                                                                        shall not be randomized. For example,  
                                                                        a value of "FE:FF:FF:00:00:00          │
   │                           │                          │               │ 68:F7:28:00:00:00" will set the OUI of 
                                                                        the MAC address to 68:F7:28, while the 
                                                                        lower bits are randomized. A value of  
                                                                        "02:00:00:00:00:00 00:00:00:00:00:00"  
                                                                        will create a fully scrambled          
                                                                        globally-administered, burned-in MAC   
                                                                        address.                               
                                                                                                               
                                                                        If the value contains more than one    
                                                                        additional MAC addresses, one of them  
                                                                        is chosen randomly. For example,       
                                                                        "02:00:00:00:00:00 00:00:00:00:00:00   │
   │                           │                          │               │ 02:00:00:00:00:00" will create a fully 
                                                                        scrambled MAC address, randomly        
                                                                        locally or globally administered.      
   
    mac-address                byte array                               If specified, this connection will     
                                                                        only apply to the Ethernet device      
                                                                        whose permanent MAC address matches.   
                                                                        This property does not change the MAC  
                                                                        address of the device (i.e. MAC        
                                                                        spoofing).                             
   
    mac-address-blacklist      array of string                          If specified, this connection will     
                                                                        never apply to the Ethernet device     
                                                                        whose permanent MAC address matches an 
                                                                        address in the list.  Each MAC address 
                                                                        is in the standard                     
                                                                        hex-digits-and-colons notation         
                                                                        (00:11:22:33:44:55).                   
   
    mac-address-denylist       array of string                          If specified, this connection will     
                                                                        never apply to the Ethernet device     
                                                                        whose permanent MAC address matches an 
                                                                        address in the list.  Each MAC address 
                                                                        is in the standard                     
                                                                        hex-digits-and-colons notation         
                                                                        (00:11:22:33:44:55).                   
   
    mtu                        uint32                    0              If non-zero, only transmit packets of  
                                                                        the specified size or smaller,         
                                                                        breaking larger packets up into        
                                                                        multiple Ethernet frames.              
   
    port                       string                                   Specific port type to use if the       
                                                                        device supports multiple attachment    
                                                                        methods.  One of "tp" (Twisted Pair),  
                                                                        "aui" (Attachment Unit Interface),     
                                                                        "bnc" (Thin Ethernet) or "mii" (Media  
                                                                        Independent Interface). If the device  
                                                                        supports only one port type, this      
                                                                        setting is ignored.                    
   
    s390-nettype               string                                   s390 network device type; one of       
                                                                        "qeth", "lcs", or "ctc", representing  
                                                                        the different types of virtual network 
                                                                        devices available on s390 systems.     
   
    s390-options               dict of string to string  {}             Dictionary of key/value pairs of       
                                                                        s390-specific device options.  Both    
                                                                        keys and values must be strings.       
                                                                        Allowed keys include "portno",         
                                                                        "layer2", "portname", "protocol",      
                                                                        among others.  Key names must contain  
                                                                        only alphanumeric characters (ie,      
                                                                        [a-zA-Z0-9]).                          
                                                                                                               
                                                                        Currently, NetworkManager itself does  
                                                                        nothing with this information.         
                                                                        However, s390utils ships a udev rule   
                                                                        which parses this information and      
                                                                        applies it to the interface.           
   
    s390-subchannels           array of string                          Identifies specific subchannels that   
                                                                        this network device uses for           
                                                                        communication with z/VM or s390 host.  
                                                                        Like the "mac-address" property for    
                                                                        non-z/VM devices, this property can be 
                                                                        used to ensure this connection only    
                                                                        applies to the network device that     
                                                                        uses these subchannels.  The list      
                                                                        should contain exactly 3 strings, and  
                                                                        each string may only be composed of    
                                                                        hexadecimal characters and the period  
                                                                        (.) character.                         
   
    speed                      uint32                    0              When a value greater than 0 is set,    
                                                                        configures the device to use the       
                                                                        specified speed. If "auto-negotiate"   
                                                                        is "yes" the specified speed will be   
                                                                        the only one advertised during link    
                                                                        negotiation: this works only for       
                                                                        BASE-T 802.3 specifications and is     
                                                                        useful for enforcing gigabit speeds,   
                                                                        as in this case link negotiation is    
                                                                        mandatory. If the value is unset (0,   
                                                                        the default), the link configuration   
                                                                        will be either skipped (if             
                                                                        "auto-negotiate" is "no", the default) 
                                                                        or will be auto-negotiated (if         
                                                                        "auto-negotiate" is "yes") and the     
                                                                        local device will advertise all the    
                                                                        supported speeds. In Mbit/s, ie 100 == 
                                                                        100Mbit/s. Must be set together with   
                                                                        the "duplex" property when non-zero.   
                                                                        Before specifying a speed value be     
                                                                        sure your device supports it.          
   
    wake-on-lan                uint32                    1              The NMSettingWiredWakeOnLan options to 
                                                                        enable. Not all devices support all    
                                                                        options. May be any combination of 0x2 
                                                                        (phy), 0x4 (unicast), 0x8 (multicast), 
                                                                        0x10 (broadcast), 0x20 (arp), 0x40     
                                                                        (magic) or the special values 0x1      
                                                                        (default) (to use global settings) and 
                                                                        0x8000 (ignore) (to disable management 
                                                                        of Wake-on-LAN in NetworkManager).     
   
    wake-on-lan-password       string                                   If specified, the password used with   
                                                                        magic-packet-based Wake-on-LAN,        
                                                                        represented as an Ethernet MAC         
                                                                        address.  If NULL, no password will be 
                                                                        required.                              
   

wireguard setting

   WireGuard Settings.
   
    Key Name                Value Type                     Default Value  Value Description                      
   
    fwmark                  uint32                         0              The use of fwmark is optional and is   
                                                                          by default off. Setting it to 0        
                                                                          disables it. Otherwise, it is a 32-bit 
                                                                          fwmark for outgoing packets.           
                                                                                                                 
                                                                          Note that "ip4-auto-default-route" or  
                                                                          "ip6-auto-default-route" enabled,      
                                                                          implies to automatically choose a      
                                                                          fwmark.                                
   
    ip4-auto-default-route  NMTernary (int32)                             Whether to enable special handling of  
                                                                          the IPv4 default route. If enabled,    
                                                                          the IPv4 default route from            
                                                                          wireguard.peer-routes will be placed   
                                                                          to a dedicated routing-table and two   
                                                                          policy routing rules will be added.    
                                                                          The fwmark number is also used as      
                                                                          routing-table for the default-route,   
                                                                          and if fwmark is zero, an unused       
                                                                          fwmark/table is chosen automatically.  
                                                                          This corresponds to what wg-quick does 
                                                                          with Table=auto and what WireGuard     
                                                                          calls "Improved Rule-based Routing".   
                                                                                                                 
                                                                          Note that for this automatism to work, 
                                                                          you usually don't want to set          │
   │                        │                               │               │ ipv4.gateway, because that will result │
   │                        │                               │               │ in a conflicting default route.        │
   │                        │                               │               │                                        │
   │                        │                               │               │ Leaving this at the default will       │
   │                        │                               │               │ enable this option automatically if    │
   │                        │                               │               │ ipv4.never-default is not set and      │
   │                        │                               │               │ there are any peers that use a         │
   │                        │                               │               │ default-route as allowed-ips. Since    │
   │                        │                               │               │ this automatism only makes sense if    │
   │                        │                               │               │ you also have a peer with an /0        │
   │                        │                               │               │ allowed-ips, it is usually not         │
   │                        │                               │               │ necessary to enable this explicitly.   │
   │                        │                               │               │ However, you can disable it if you     │
   │                        │                               │               │ want to configure your own routing and │
   │                        │                               │               │ rules.                                 │
   ├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ ip6-auto-default-route │ NMTernary (int32)             │               │ Like ip4-auto-default-route, but for   │
   │                        │                               │               │ the IPv6 default route.                │
   ├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ listen-port            │ uint32                        │ 0             │ The listen-port. If listen-port is not │
   │                        │                               │               │ specified, the port will be chosen     │
   │                        │                               │               │ randomly when the interface comes up.  │
   ├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ mtu                    │ uint32                        │ 0             │ If non-zero, only transmit packets of  │
   │                        │                               │               │ the specified size or smaller,         │
   │                        │                               │               │ breaking larger packets up into        │
   │                        │                               │               │ multiple fragments.                    │
   │                        │                               │               │                                        │
   │                        │                               │               │ If zero a default MTU is used. Note    │
   │                        │                               │               │ that contrary to wg-quick's MTU        
                                                                          setting, this does not take into       
                                                                          account the current routes at the time 
                                                                          of activation.                         
   
    peer-routes             boolean                        TRUE           Whether to automatically add routes    
                                                                          for the AllowedIPs ranges of the       
                                                                          peers. If TRUE (the default),          
                                                                          NetworkManager will automatically add  
                                                                          routes in the routing tables according 
                                                                          to ipv4.route-table and                
                                                                          ipv6.route-table. Usually you want     
                                                                          this automatism enabled. If FALSE, no  
                                                                          such routes are added automatically.   
                                                                          In this case, the user may want to     
                                                                          configure static routes in ipv4.routes 
                                                                          and ipv6.routes, respectively.         
                                                                                                                 
                                                                          Note that if the peer's AllowedIPs is  │
   │                        │                               │               │ "0.0.0.0/0" or "::/0" and the          │
   │                        │                               │               │ profile's ipv4.never-default or        
                                                                          ipv6.never-default setting is enabled, 
                                                                          the peer route for this peer won't be  │
   │                        │                               │               │ added automatically.                   │
   ├────────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ peers                  │ array of 'a{sv}'                              Array of dictionaries for the          
                                                                          WireGuard peers.                       
   
    private-key             string                                        The 256 bit private-key in base64      
                                                                          encoding.                              
   
    private-key-flags       NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                          "private-key" property.                
   

802-11-wireless setting

   Wi-Fi Settings.
   
    Key Name                   Value Type         Default Value  Value Description                      
   
    ap-isolation               NMTernary (int32)                 Configures AP isolation, which         
                                                                 prevents communication between         
                                                                 wireless devices connected to this AP. 
                                                                 This property can be set to a value    
                                                                 different from -1 (default) only when  
                                                                 the interface is configured in AP      
                                                                 mode.                                  
                                                                                                        
                                                                 If set to 1 (true), devices are not    
                                                                 able to communicate with each other.   
                                                                 This increases security because it     
                                                                 protects devices against attacks from  
                                                                 other clients in the network. At the   
                                                                 same time, it prevents devices to      
                                                                 access resources on the same wireless  
                                                                 networks as file shares, printers,     
                                                                 etc.                                   
                                                                                                        
                                                                 If set to 0 (false), devices can talk  
                                                                 to each other.                         
                                                                                                        
                                                                 When set to -1 (default), the global   
                                                                 default is used; in case the global    
                                                                 default is unspecified it is assumed   
                                                                 to be 0 (false).                       
   
    assigned-mac-address       string                            The new field for the cloned MAC       
                                                                 address. It can be either a hardware   
                                                                 address in ASCII representation, or    
                                                                 one of the special values "preserve",  
                                                                 "permanent", "random" or "stable".     
                                                                 This field replaces the deprecated     
                                                                 "cloned-mac-address" on D-Bus, which   
                                                                 can only contain explicit hardware     
                                                                 addresses. Note that this property     
                                                                 only exists in D-Bus API. libnm and    
                                                                 nmcli continue to call this property   
                                                                 "cloned-mac-address".                  
   
    band                       string                            802.11 frequency band of the network.  
                                                                 One of "a" for 5GHz 802.11a or "bg"    
                                                                 for 2.4GHz 802.11.  This will lock     
                                                                 associations to the Wi-Fi network to   
                                                                 the specific band, i.e. if "a" is      
                                                                 specified, the device will not         
                                                                 associate with the same network in the 
                                                                 2.4GHz band even if the network's      │
   │                           │                   │               │ settings are compatible.  This setting │
   │                           │                   │               │ depends on specific driver capability  │
   │                           │                   │               │ and may not work with all drivers.     │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ bssid                     │ byte array        │               │ If specified, directs the device to    │
   │                           │                   │               │ only associate with the given access   │
   │                           │                   │               │ point.  This capability is highly      │
   │                           │                   │               │ driver dependent and not supported by  │
   │                           │                   │               │ all devices.  Note: this property does │
   │                           │                   │               │ not control the BSSID used when        │
   │                           │                   │               │ creating an Ad-Hoc network and is      │
   │                           │                   │               │ unlikely to in the future.             │
   │                           │                   │               │                                        │
   │                           │                   │               │ Locking a client profile to a certain  │
   │                           │                   │               │ BSSID will prevent roaming and also    │
   │                           │                   │               │ disable background scanning. That can  │
   │                           │                   │               │ be useful, if there is only one access │
   │                           │                   │               │ point for the SSID.                    │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ channel                   │ uint32            │ 0             │ Wireless channel to use for the Wi-Fi  │
   │                           │                   │               │ connection.  The device will only join │
   │                           │                   │               │ (or create for Ad-Hoc networks) a      │
   │                           │                   │               │ Wi-Fi network on the specified         │
   │                           │                   │               │ channel.  Because channel numbers      │
   │                           │                   │               │ overlap between bands, this property   │
   │                           │                   │               │ also requires the "band" property to   │
   │                           │                   │               │ be set.                                │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ channel-width             │ int32             │ 0             │ Specifies width of the wireless        │
   │                           │                   │               │ channel in Access Point (AP) mode.     │
   │                           │                   │               │                                        │
   │                           │                   │               │ When set to 0 (auto) (the default),    │
   │                           │                   │               │ the channel width is automatically     │
   │                           │                   │               │ determined. At the moment, this means  │
   │                           │                   │               │ that the safest (smallest) width is    │
   │                           │                   │               │ chosen.                                │
   │                           │                   │               │                                        │
   │                           │                   │               │ If the value is not 0 (auto), then the │
   │                           │                   │               │ 'channel' property must also be set.   │
   │                           │                   │               │ When using the 2.4GHz band, the width  │
   │                           │                   │               │ can be at most 40MHz.                  │
   │                           │                   │               │                                        │
   │                           │                   │               │ This property can be set to a value    │
   │                           │                   │               │ different from 0 (auto) only when the  │
   │                           │                   │               │ interface is configured in AP mode.    │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ cloned-mac-address        │ byte array        │               │ This D-Bus field is deprecated in      │
   │                           │                   │               │ favor of "assigned-mac-address" which  │
   │                           │                   │               │ is more flexible and allows specifying │
   │                           │                   │               │ special variants like "random". For    │
   │                           │                   │               │ libnm and nmcli, this field is called  │
   │                           │                   │               │ "cloned-mac-address".                  │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ generate-mac-address-mask │ string            │               │ With "cloned-mac-address" setting      │
   │                           │                   │               │ "random" or "stable", by default all   │
   │                           │                   │               │ bits of the MAC address are scrambled  │
   │                           │                   │               │ and a locally-administered, unicast    │
   │                           │                   │               │ MAC address is created. This property  │
   │                           │                   │               │ allows to specify that certain bits    │
   │                           │                   │               │ are fixed. Note that the least         │
   │                           │                   │               │ significant bit of the first MAC       │
   │                           │                   │               │ address will always be unset to create │
   │                           │                   │               │ a unicast MAC address.                 │
   │                           │                   │               │                                        │
   │                           │                   │               │ If the property is NULL, it is         │
   │                           │                   │               │ eligible to be overwritten by a        │
   │                           │                   │               │ default connection setting. If the     │
   │                           │                   │               │ value is still NULL or an empty        │
   │                           │                   │               │ string, the default is to create a     │
   │                           │                   │               │ locally-administered, unicast MAC      │
   │                           │                   │               │ address.                               │
   │                           │                   │               │                                        │
   │                           │                   │               │ If the value contains one MAC address, │
   │                           │                   │               │ this address is used as mask. The set  │
   │                           │                   │               │ bits of the mask are to be filled with │
   │                           │                   │               │ the current MAC address of the device, │
   │                           │                   │               │ while the unset bits are subject to    │
   │                           │                   │               │ randomization. Setting                 │
   │                           │                   │               │ "FE:FF:FF:00:00:00" means to preserve  │
   │                           │                   │               │ the OUI of the current MAC address and │
   │                           │                   │               │ only randomize the lower 3 bytes using │
   │                           │                   │               │ the "random" or "stable" algorithm.    │
   │                           │                   │               │                                        │
   │                           │                   │               │ If the value contains one additional   │
   │                           │                   │               │ MAC address after the mask, this       │
   │                           │                   │               │ address is used instead of the current │
   │                           │                   │               │ MAC address to fill the bits that      │
   │                           │                   │               │ shall not be randomized. For example,  │
   │                           │                   │               │ a value of "FE:FF:FF:00:00:00          │
   │                           │                   │               │ 68:F7:28:00:00:00" will set the OUI of │
   │                           │                   │               │ the MAC address to 68:F7:28, while the │
   │                           │                   │               │ lower bits are randomized. A value of  │
   │                           │                   │               │ "02:00:00:00:00:00 00:00:00:00:00:00"  │
   │                           │                   │               │ will create a fully scrambled          │
   │                           │                   │               │ globally-administered, burned-in MAC   │
   │                           │                   │               │ address.                               │
   │                           │                   │               │                                        │
   │                           │                   │               │ If the value contains more than one    │
   │                           │                   │               │ additional MAC addresses, one of them  │
   │                           │                   │               │ is chosen randomly. For example,       │
   │                           │                   │               │ "02:00:00:00:00:00 00:00:00:00:00:00   │
   │                           │                   │               │ 02:00:00:00:00:00" will create a fully │
   │                           │                   │               │ scrambled MAC address, randomly        │
   │                           │                   │               │ locally or globally administered.      │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ hidden                    │ boolean           │ FALSE         │ If TRUE, indicates that the network is │
   │                           │                   │               │ a non-broadcasting network that hides  │
   │                           │                   │               │ its SSID. This works both in           │
   │                           │                   │               │ infrastructure and AP mode.            │
   │                           │                   │               │                                        │
   │                           │                   │               │ In infrastructure mode, various        │
   │                           │                   │               │ workarounds are used for a more        │
   │                           │                   │               │ reliable discovery of hidden networks, │
   │                           │                   │               │ such as probe-scanning the SSID.       │
   │                           │                   │               │ However, these workarounds expose      │
   │                           │                   │               │ inherent insecurities with hidden SSID │
   │                           │                   │               │ networks, and thus hidden SSID         │
   │                           │                   │               │ networks should be used with caution.  │
   │                           │                   │               │                                        │
   │                           │                   │               │ In AP mode, the created network does   │
   │                           │                   │               │ not broadcast its SSID.                │
   │                           │                   │               │                                        │
   │                           │                   │               │ Note that marking the network as       │
   │                           │                   │               │ hidden may be a privacy issue for you  │
   │                           │                   │               │ (in infrastructure mode) or client     │
   │                           │                   │               │ stations (in AP mode), as the explicit │
   │                           │                   │               │ probe-scans are distinctly             │
   │                           │                   │               │ recognizable on the air.               │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ mac-address               │ byte array        │               │ If specified, this connection will     │
   │                           │                   │               │ only apply to the Wi-Fi device whose   │
   │                           │                   │               │ permanent MAC address matches. This    │
   │                           │                   │               │ property does not change the MAC       │
   │                           │                   │               │ address of the device (i.e. MAC        │
   │                           │                   │               │ spoofing).                             │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ mac-address-blacklist     │ array of string   │               │ A list of permanent MAC addresses of   │
   │                           │                   │               │ Wi-Fi devices to which this connection │
   │                           │                   │               │ should never apply.  Each MAC address  │
   │                           │                   │               │ should be given in the standard        │
   │                           │                   │               │ hex-digits-and-colons notation (eg     │
   │                           │                   │               │ "00:11:22:33:44:55").                  │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ mac-address-denylist      │ array of string   │               │ A list of permanent MAC addresses of   │
   │                           │                   │               │ Wi-Fi devices to which this connection │
   │                           │                   │               │ should never apply.  Each MAC address  │
   │                           │                   │               │ should be given in the standard        │
   │                           │                   │               │ hex-digits-and-colons notation (eg     │
   │                           │                   │               │ "00:11:22:33:44:55").                  │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ mac-address-randomization │ uint32            │ 0             │ One of 0 (default) (never randomize    │
   │                           │                   │               │ unless the user has set a global       │
   │                           │                   │               │ default to randomize and the           │
   │                           │                   │               │ supplicant supports randomization),  1 │
   │                           │                   │               │ (never) (never randomize the MAC       │
   │                           │                   │               │ address), or 2 (always) (always        │
   │                           │                   │               │ randomize the MAC address).            │
   │                           │                   │               │                                        │
   │                           │                   │               │ This property is deprecated since      │
   │                           │                   │               │ version 1.4.Use the                    │
   │                           │                   │               │ "cloned-mac-address" property instead. │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ mode                      │ string            │               │ Wi-Fi network mode; one of             │
   │                           │                   │               │ "infrastructure", "mesh", "adhoc" or   │
   │                           │                   │               │ "ap".  If blank, infrastructure is     │
   │                           │                   │               │ assumed.                               │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ mtu                       │ uint32            │ 0             │ If non-zero, only transmit packets of  │
   │                           │                   │               │ the specified size or smaller,         │
   │                           │                   │               │ breaking larger packets up into        │
   │                           │                   │               │ multiple Ethernet frames.              │
   ├───────────────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ powersave                 │ uint32            │ 0             │ One of 2 (disable) (disable Wi-Fi      │
   │                           │                   │               │ power saving), 3 (enable) (enable      │
   │                           │                   │               │ Wi-Fi power saving), 1 (ignore) (don't 
                                                                 touch currently configure setting) or  
                                                                 0 (default) (use the globally          
                                                                 configured value). All other values    
                                                                 are reserved.                          
   
    rate                       uint32             0              This property is not implemented and   
                                                                 has no effect.                         
                                                                                                        
                                                                 This property is deprecated since      
                                                                 version 1.44.This property is not      
                                                                 implemented and has no effect.         
   
    security                                                     This property is deprecated and has no 
                                                                 effect. For backwards compatibility,   
                                                                 it can be set to                       
                                                                 "802-11-wireless-security" if the      
                                                                 profile has a wireless security        
                                                                 setting.                               
   
    seen-bssids                array of string                   A list of BSSIDs (each BSSID formatted 
                                                                 as a MAC address like                  
                                                                 "00:11:22:33:44:55") that have been    
                                                                 detected as part of the Wi-Fi network. 
                                                                 NetworkManager internally tracks       
                                                                 previously seen BSSIDs. The property   
                                                                 is only meant for reading and reflects 
                                                                 the BSSID list of NetworkManager. The  
                                                                 changes you make to this property will 
                                                                 not be preserved.                      
                                                                                                        
                                                                 This is not a regular property that    
                                                                 the user would configure. Instead,     
                                                                 NetworkManager automatically sets the  
                                                                 seen BSSIDs and tracks them internally 
                                                                 in                                     
                                                                 "/var/lib/NetworkManager/seen-bssids"  
                                                                 file.                                  
   
    ssid                       byte array                        SSID of the Wi-Fi network. Must be     
                                                                 specified.                             
   
    tx-power                   uint32             0              This property is not implemented and   
                                                                 has no effect.                         
                                                                                                        
                                                                 This property is deprecated since      
                                                                 version 1.44.This property is not      
                                                                 implemented and has no effect.         
   
    wake-on-wlan               uint32             1              The NMSettingWirelessWakeOnWLan        
                                                                 options to enable. Not all devices     
                                                                 support all options. May be any        
                                                                 combination of 0x2 (any), 0x4          
                                                                 (disconnect), 0x8 (magic), 0x10        
                                                                 (gtk-rekey-failure), 0x20              
                                                                 (eap-identity-request), 0x40           
                                                                 (4way-handshake), 0x80                 
                                                                 (rfkill-release), 0x100 (tcp) or the   
                                                                 special values 0x1 (default) (to use   
                                                                 global settings) and 0x8000 (ignore)   
                                                                 (to disable management of Wake-on-LAN  
                                                                 in NetworkManager).                    
   

802-11-wireless-security setting

   Wi-Fi Security Settings.
   
    Key Name             Value Type                     Default Value  Value Description                      
   
    auth-alg             string                                        When WEP is used (ie, key-mgmt =       
                                                                       "none" or "ieee8021x") indicate the    
                                                                       802.11 authentication algorithm        
                                                                       required by the AP here.  One of       
                                                                       "open" for Open System, "shared" for   
                                                                       Shared Key, or "leap" for Cisco LEAP.  
                                                                       When using Cisco LEAP (ie, key-mgmt =  
                                                                       "ieee8021x" and auth-alg = "leap") the 
                                                                       "leap-username" and "leap-password"    
                                                                       properties must be specified.          
   
    fils                 int32                          0              Indicates whether Fast Initial Link    
                                                                       Setup (802.11ai) must be enabled for   
                                                                       the connection.  One of 0 (default)    
                                                                       (use global default value), 1          
                                                                       (disable) (disable FILS), 2 (optional) 
                                                                       (enable FILS if the supplicant and the 
                                                                       access point support it) or 3          
                                                                       (required) (enable FILS and fail if    
                                                                       not supported).  When set to 0         
                                                                       (default) and no global default is     
                                                                       set, FILS will be optionally enabled.  
   
    group                array of string                               A list of group/broadcast encryption   
                                                                       algorithms which prevents connections  
                                                                       to Wi-Fi networks that do not utilize  
                                                                       one of the algorithms in the list.     
                                                                       For maximum compatibility leave this   
                                                                       property empty.  Each list element may 
                                                                       be one of "wep40", "wep104", "tkip",   
                                                                       or "ccmp".                             
   
    key-mgmt             string                                        Key management used for the            
                                                                       connection. One of "none" (WEP or no   
                                                                       password protection), "ieee8021x"      
                                                                       (Dynamic WEP), "owe" (Opportunistic    
                                                                       Wireless Encryption), "wpa-psk" (WPA2  
                                                                       + WPA3 personal), "sae" (WPA3 personal 
                                                                       only), "wpa-eap" (WPA2 + WPA3          
                                                                       enterprise) or "wpa-eap-suite-b-192"   
                                                                       (WPA3 enterprise only).                
                                                                                                              
                                                                       This property must be set for any      
                                                                       Wi-Fi connection that uses security.   
   
    leap-password        string                                        The login password for legacy LEAP     
                                                                       connections (ie, key-mgmt =            
                                                                       "ieee8021x" and auth-alg = "leap").    
   
    leap-password-flags  NMSettingSecretFlags (uint32)                 Flags indicating how to handle the     
                                                                       "leap-password" property.              
   
    leap-username        string                                        The login username for legacy LEAP     
                                                                       connections (ie, key-mgmt =            
                                                                       "ieee8021x" and auth-alg = "leap").    
   
    pairwise             array of string                               A list of pairwise encryption          
                                                                       algorithms which prevents connections  
                                                                       to Wi-Fi networks that do not utilize  
                                                                       one of the algorithms in the list. For 
                                                                       maximum compatibility leave this       
                                                                       property empty.  Each list element may 
                                                                       be one of "tkip" or "ccmp".            
   
    pmf                  int32                          0              Indicates whether Protected Management 
                                                                       Frames (802.11w) must be enabled for   
                                                                       the connection.  One of 0 (default)    
                                                                       (use global default value), 1          
                                                                       (disable) (disable PMF), 2 (optional)  
                                                                       (enable PMF if the supplicant and the  
                                                                       access point support it) or 3          
                                                                       (required) (enable PMF and fail if not 
                                                                       supported).  When set to 0 (default)   
                                                                       and no global default is set, PMF will 
                                                                       be optionally enabled.                 
   
    proto                array of string                               List of strings specifying the allowed 
                                                                       WPA protocol versions to use. Each     
                                                                       element may be one "wpa" (allow WPA)   
                                                                       or "rsn" (allow WPA2/RSN).  If not     
                                                                       specified, both WPA and RSN            
                                                                       connections are allowed.               
   
    psk                  string                                        Pre-Shared-Key for WPA networks. For   
                                                                       WPA-PSK, it's either an ASCII          │
   │                     │                               │               │ passphrase of 8 to 63 characters that  │
   │                     │                               │               │ is (as specified in the 802.11i        │
   │                     │                               │               │ standard) hashed to derive the actual  │
   │                     │                               │               │ key, or the key in form of 64          │
   │                     │                               │               │ hexadecimal character. The             │
   │                     │                               │               │ WPA3-Personal networks use a           │
   │                     │                               │               │ passphrase of any length for SAE       │
   │                     │                               │               │ authentication.                        │
   ├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ psk-flags           │ NMSettingSecretFlags (uint32) │               │ Flags indicating how to handle the     │
   │                     │                               │               │ "psk" property.                        │
   ├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ wep-key-flags       │ NMSettingSecretFlags (uint32) │               │ Flags indicating how to handle the     │
   │                     │                               │               │ "wep-key0", "wep-key1", "wep-key2",    │
   │                     │                               │               │ and "wep-key3" properties.             │
   ├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ wep-key-type        │ NMWepKeyType (uint32)         │               │ Controls the interpretation of WEP     │
   │                     │                               │               │ keys.  Allowed values are 1 (key), in  │
   │                     │                               │               │ which case the key is either a 10- or  │
   │                     │                               │               │ 26-character hexadecimal string, or a  │
   │                     │                               │               │ 5- or 13-character ASCII password; or  │
   │                     │                               │               │ 2 (passphrase), in which case the      │
   │                     │                               │               │ passphrase is provided as a string and │
   │                     │                               │               │ will be hashed using the de-facto MD5  │
   │                     │                               │               │ method to derive the actual WEP key.   │
   ├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ wep-key0            │ string                        │               │ Index 0 WEP key.  This is the WEP key  │
   │                     │                               │               │ used in most networks.  See the        │
   │                     │                               │               │ "wep-key-type" property for a          │
   │                     │                               │               │ description of how this key is         │
   │                     │                               │               │ interpreted.                           │
   ├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ wep-key1            │ string                        │               │ Index 1 WEP key.  This WEP index is    │
   │                     │                               │               │ not used by most networks.  See the    │
   │                     │                               │               │ "wep-key-type" property for a          │
   │                     │                               │               │ description of how this key is         │
   │                     │                               │               │ interpreted.                           │
   ├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ wep-key2            │ string                        │               │ Index 2 WEP key.  This WEP index is    │
   │                     │                               │               │ not used by most networks.  See the    │
   │                     │                               │               │ "wep-key-type" property for a          │
   │                     │                               │               │ description of how this key is         │
   │                     │                               │               │ interpreted.                           │
   ├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ wep-key3            │ string                        │               │ Index 3 WEP key.  This WEP index is    │
   │                     │                               │               │ not used by most networks.  See the    │
   │                     │                               │               │ "wep-key-type" property for a          │
   │                     │                               │               │ description of how this key is         │
   │                     │                               │               │ interpreted.                           │
   ├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ wep-tx-keyidx       │ uint32                        │ 0             │ When static WEP is used (ie, key-mgmt  │
   │                     │                               │               │ = "none") and a non-default WEP key    │
   │                     │                               │               │ index is used by the AP, put that WEP  │
   │                     │                               │               │ key index here.  Valid values are 0    │
   │                     │                               │               │ (default key) through 3.  Note that    │
   │                     │                               │               │ some consumer access points (like the  │
   │                     │                               │               │ Linksys WRT54G) number the keys 1 - 4. │
   ├─────────────────────┼───────────────────────────────┼───────────────┼────────────────────────────────────────┤
   │ wps-method          │ uint32                        │ 0             │ Flags indicating which mode of WPS is  │
   │                     │                               │               │ to be used if any.                     │
   │                     │                               │               │                                        │
   │                     │                               │               │ There's little point in changing the   
                                                                       default setting as NetworkManager will 
                                                                       automatically determine whether it's   
                                                                       feasible to start WPS enrollment from  
                                                                       the Access Point capabilities.         
                                                                                                              
                                                                       WPS can be disabled by setting this    
                                                                       property to a value of 1.              
   

wpan setting

   IEEE 802.15.4 (WPAN) MAC Settings.
   
    Key Name       Value Type  Default Value  Value Description                      
   
    channel        int32       -1             IEEE 802.15.4 channel. A positive      
                                              integer or -1, meaning "do not set,    │
   │               │            │               │ use whatever the device is already set │
   │               │            │               │ to".                                   
   
    mac-address    string                     If specified, this connection will     
                                              only apply to the IEEE 802.15.4 (WPAN) 
                                              MAC layer device whose permanent MAC   
                                              address matches.                       
   
    page           int32       -1             IEEE 802.15.4 channel page. A positive 
                                              integer or -1, meaning "do not set,    │
   │               │            │               │ use whatever the device is already set │
   │               │            │               │ to".                                   
   
    pan-id         uint32      65535          IEEE 802.15.4 Personal Area Network    
                                              (PAN) identifier.                      
   
    short-address  uint32      65535          Short IEEE 802.15.4 address to be used 
                                              within a restricted environment.       
   

bond-port setting

   Bond Port Settings.
   
    Key Name  Value Type  Default Value  Value Description                      
   
    prio      int32       0              The port priority for bond active port 
                                         re-selection during failover. A higher 
                                         number means a higher priority in      
                                         selection. The primary port has the    
                                         highest priority. This option is only  
                                         compatible with active-backup,         
                                         balance-tlb and balance-alb modes.     
   
    queue-id  uint32      0              The queue ID of this bond port. The    
                                         maximum value of queue ID is the       
                                         number of TX queues currently active   
                                         in device.                             
   

hostname setting

   Hostname settings.
   
    Key Name           Value Type         Default Value  Value Description                      
   
    from-dhcp          NMTernary (int32)                 Whether the system hostname can be     
                                                         determined from DHCP on this           
                                                         connection.                            
                                                                                                
                                                         When set to -1 (default), the value    
                                                         from global configuration is used. If  
                                                         the property doesn't have a value in   │
   │                   │                   │               │ the global configuration,              │
   │                   │                   │               │ NetworkManager assumes the value to be │
   │                   │                   │               │ 1 (true).                              │
   ├───────────────────┼───────────────────┼───────────────┼────────────────────────────────────────┤
   │ from-dns-lookup   │ NMTernary (int32) │               │ Whether the system hostname can be     │
   │                   │                   │               │ determined from reverse DNS lookup of  │
   │                   │                   │               │ addresses on this device.              │
   │                   │                   │               │                                        │
   │                   │                   │               │ When set to -1 (default), the value    │
   │                   │                   │               │ from global configuration is used. If  │
   │                   │                   │               │ the property doesn't have a value in   
                                                         the global configuration,              
                                                         NetworkManager assumes the value to be 
                                                         1 (true).                              
   
    only-from-default  NMTernary (int32)                 If set to 1 (true), NetworkManager     
                                                         attempts to get the hostname via       
                                                         DHCPv4/DHCPv6 or reverse DNS lookup on 
                                                         this device only when the device has   
                                                         the default route for the given        
                                                         address family (IPv4/IPv6).            
                                                                                                
                                                         If set to 0 (false), the hostname can  
                                                         be set from this device even if it     
                                                         doesn't have the default route.        │
   │                   │                   │               │                                        │
   │                   │                   │               │ When set to -1 (default), the value    │
   │                   │                   │               │ from global configuration is used. If  │
   │                   │                   │               │ the property doesn't have a value in   
                                                         the global configuration,              
                                                         NetworkManager assumes the value to be 
                                                         0 (false).                             
   
    priority           int32              0              The relative priority of this          
                                                         connection to determine the system     
                                                         hostname. A lower numerical value is   
                                                         better (higher priority).  A           
                                                         connection with higher priority is     
                                                         considered before connections with     
                                                         lower priority.                        
                                                                                                
                                                         If the value is zero, it can be        
                                                         overridden by a global value from      
                                                         NetworkManager configuration. If the   
                                                         property doesn't have a value in the   
                                                         global configuration, the value is     
                                                         assumed to be 100.                     
                                                                                                
                                                         Negative values have the special       
                                                         effect of excluding other connections  
                                                         with a greater numerical priority      
                                                         value; so in presence of at least one  
                                                         negative priority, only connections    
                                                         with the lowest priority value will be 
                                                         used to determine the hostname.        
   

link setting

   Link settings.
   
    Key Name          Value Type  Default Value  Value Description                      
   
    gro-max-size      int64       -1             The maximum size of a packet built by  
                                                 the Generic Receive Offload stack for  
                                                 this device. The value must be between 
                                                 0 and 4294967295. When set to -1, the  
                                                 existing value is preserved.           
   
    gso-max-segments  int64       -1             The maximum segments of a Generic      
                                                 Segment Offload packet the device      
                                                 should accept. The value must be       
                                                 between 0 and 4294967295. When set to  
                                                 -1, the existing value is preserved.   
   
    gso-max-size      int64       -1             The maximum size of a Generic Segment  
                                                 Offload packet the device should       
                                                 accept. The value must be between 0    
                                                 and 4294967295. When set to -1, the    
                                                 existing value is preserved.           
   
    tx-queue-length   int64       -1             The size of the transmit queue for the 
                                                 device, in number of packets. The      
                                                 value must be between 0 and            
                                                 4294967295. When set to -1, the        
                                                 existing value is preserved.           
   

loopback setting

   Loopback Link Settings.
   
    Key Name  Value Type  Default Value  Value Description                     
   
    mtu       uint32      0              If non-zero, only transmit packets of 
                                         the specified size or smaller,        
                                         breaking larger packets up into       
                                         multiple Ethernet frames.             
   

ovs-external-ids setting

   OVS External IDs Settings.
   
    Key Name  Value Type                Default Value  Value Description                    
   
    data      dict of string to string  {}             A dictionary of key/value pairs with 
                                                       external-ids for OVS.                
   

ovs-other-config setting

   OVS Other Config Settings.
   
    Key Name  Value Type                Default Value  Value Description                     
   
    data      dict of string to string  {}             A dictionary of key/value pairs with  
                                                       other_config settings for OVS. See    
                                                       also "other_config" in the            
                                                       "ovs-vswitchd.conf.db" manual for the 
                                                       keys that OVS supports.               
   

veth setting

   Veth Settings.
   
    Key Name  Value Type  Default Value  Value Description                
   
    peer      string                     This property specifies the peer 
                                         interface name of the veth. This 
                                         property is mandatory.           
   

Secret flag types:

   Each password or secret property in a setting has an associated flags property that describes how to handle that secret. The flags property is a bitfield that contains zero or more of
   the following values logically OR-ed together.

      0x0 (none) - the system is responsible for providing and storing this secret. This may be required so that secrets are already available before the user logs in. It also commonly
       means that the secret will be stored in plain text on disk, accessible to root only. For example via the keyfile settings plugin as described in the "PLUGINS" section in
       NetworkManager.conf(5).

      0x1 (agent-owned) - a user-session secret agent is responsible for providing and storing this secret; when it is required, agents will be asked to provide it.

      0x2 (not-saved) - this secret should not be saved but should be requested from the user each time it is required. This flag should be used for One-Time-Pad secrets, PIN codes from
       hardware tokens, or if the user simply does not want to save the secret.

      0x4 (not-required) - in some situations it cannot be automatically determined that a secret is required or not. This flag hints that the secret is not required and should not be
       requested from the user.

FILES

   /etc/NetworkManager/system-connections or distro plugin-specific location

SEE ALSO

   nm-settings-nmcli(5), nm-settings-keyfile(5), NetworkManager(8), nmcli(1), nmcli-examples(7), NetworkManager.conf(5)

NetworkManager 1.52.1 NM-SETTINGS-DBUS(5)