nm-settings-dbus(5)

Description of settings and properties of NetworkManager connection profiles on the D-Bus API

Section 5 network-manager bookworm source

Description

'\" t

nm-settings-dbus - Description of settings and properties of NetworkManager connection profiles on the D-Bus API

NetworkManager is based on a concept of connection profiles, sometimes referred to as connections only. These connection profiles contain a network configuration. When NetworkManager activates a connection profile on a network device the configuration will be applied and an active network connection will be established. Users are free to create as many connection profiles as they see fit. Thus they are flexible in having various network configurations for different networking needs. The connection profiles are handled by NetworkManager via settings service and are exported on D-Bus (/org/freedesktop/NetworkManager/Settings/ objects). The conceptual objects can be described as follows:

Connection (profile)

A specific, encapsulated, independent group of settings describing all the configuration required to connect to a specific network. It is referred to by a unique identifier called the UUID. A connection is tied to a one specific device type, but not necessarily a specific hardware device. It is composed of one or more Settings objects.

Setting

A group of related key/value pairs describing a specific piece of a Connection (profile). Settings keys and allowed values are described in the tables below. Keys are also referred to as properties. Developers can find the setting objects and their properties in the libnm-core sources. Look for the *_class_init functions near the bottom of each setting source file.

The settings and properties shown in tables below list all available connection configuration options. However, note that not all settings are applicable to all connection types. NetworkManager provides a command-line tool nmcli that allows direct configuration of the settings and properties according to a connection profile type. nmcli connection editor has also a built-in describe command that can display description of particular settings and properties of this page.

General Connection Profile Settings.

allbox tab(:); lB lB lB lB. T{ Key Name T}:T{ Value Type T}:T{ Default Value T}:T{ Value Description T}

l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l. T{ auth-retries T}:T{ int32 T}:T{ -1 T}:T{ The number of retries for the authentication. Zero means to try indefinitely; -1 means to use a global default. If the global default is not set, the authentication retries for 3 times before failing the connection.

Currently, this only applies to 802-1x authentication. T} T{ autoconnect T}:T{ boolean T}:T{ TRUE T}:T{ Whether or not the connection should be automatically connected by NetworkManager when the resources for the connection are available. TRUE to automatically activate the connection, FALSE to require manual intervention to activate the connection.

Autoconnect happens when the circumstances are suitable. That means for example that the device is currently managed and not active. Autoconnect thus never replaces or competes with an already active profile.

Note that autoconnect is not implemented for VPN profiles. See "secondaries" as an alternative to automatically connect VPN profiles.

If multiple profiles are ready to autoconnect on the same device, the one with the better "connection.autoconnect-priority" is chosen. If the priorities are equal, then the most recently connected profile is activated. If the profiles were not connected earlier or their "connection.timestamp" is identical, the choice is undefined.

Depending on "connection.multi-connect", a profile can (auto)connect only once at a time or multiple times. T} T{ autoconnect-priority T}:T{ int32 T}:T{ 0 T}:T{ The autoconnect priority in range -999 to 999. If the connection is set to autoconnect, connections with higher priority will be preferred. The higher number means higher priority. Defaults to 0. Note that this property only matters if there are more than one candidate profile to select for autoconnect. In case of equal priority, the profile used most recently is chosen. T} T{ autoconnect-retries T}:T{ int32 T}:T{ -1 T}:T{ The number of times a connection should be tried when autoactivating before giving up. Zero means forever, -1 means the global default (4 times if not overridden). Setting this to 1 means to try activation only once before blocking autoconnect. Note that after a timeout, NetworkManager will try to autoconnect again. T} T{ autoconnect-slaves T}:T{ NMSettingConnectionAutoconnectSlaves (int32) T}:T{ \ T}:T{ Whether or not slaves of this connection should be automatically brought up when NetworkManager activates this connection. This only has a real effect for master connections. The properties "autoconnect", "autoconnect-priority" and "autoconnect-retries" are unrelated to this setting. The permitted values are: 0: leave slave connections untouched, 1: activate all the slave connections with this connection, -1: default. If -1 (default) is set, global connection.autoconnect-slaves is read to determine the real value. If it is default as well, this fallbacks to 0. T} T{ dns-over-tls T}:T{ int32 T}:T{ -1 T}:T{ Whether DNSOverTls (dns-over-tls) is enabled for the connection. DNSOverTls is a technology which uses TLS to encrypt dns traffic.

The permitted values are: "yes" (2) use DNSOverTls and disabled fallback, "opportunistic" (1) use DNSOverTls but allow fallback to unencrypted resolution, "no" (0) dont ever use DNSOverTls. If unspecified "default" depends on the plugin used. Systemd-resolved uses global setting.

This feature requires a plugin which supports DNSOverTls. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved. T} T{ gateway-ping-timeout T}:T{ uint32 T}:T{ 0 T}:T{ If greater than zero, delay success of IP addressing until either the timeout is reached, or an IP gateway replies to a ping. T} T{ id T}:T{ string T}:T{ \ T}:T{ A human readable unique identifier for the connection, like "Work Wi-Fi" or "T-Mobile 3G". T} T{ interface-name T}:T{ string T}:T{ \ T}:T{ The name of the network interface this connection is bound to. If not set, then the connection can be attached to any interface of the appropriate type (subject to restrictions imposed by other settings).

For software devices this specifies the name of the created device.

For connection types where interface names cannot easily be made persistent (e.g. mobile broadband or USB Ethernet), this property should not be used. Setting this property restricts the interfaces a connection can be used with, and if interface names change or are reordered the connection may be applied to the wrong interface. T} T{ lldp T}:T{ int32 T}:T{ -1 T}:T{ Whether LLDP is enabled for the connection. T} T{ llmnr T}:T{ int32 T}:T{ -1 T}:T{ Whether Link-Local Multicast Name Resolution (LLMNR) is enabled for the connection. LLMNR is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.

The permitted values are: "yes" (2) register hostname and resolving for the connection, "no" (0) disable LLMNR for the interface, "resolve" (1) do not register hostname but allow resolving of LLMNR host names If unspecified, "default" ultimately depends on the DNS plugin (which for systemd-resolved currently means "yes").

This feature requires a plugin which supports LLMNR. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved. T} T{ master T}:T{ string T}:T{ \ T}:T{ Interface name of the master device or UUID of the master connection. T} T{ mdns T}:T{ int32 T}:T{ -1 T}:T{ Whether mDNS is enabled for the connection.

The permitted values are: "yes" (2) register hostname and resolving for the connection, "no" (0) disable mDNS for the interface, "resolve" (1) do not register hostname but allow resolving of mDNS host names and "default" (-1) to allow lookup of a global default in NetworkManager.conf. If unspecified, "default" ultimately depends on the DNS plugin (which for systemd-resolved currently means "no").

This feature requires a plugin which supports mDNS. Otherwise, the setting has no effect. One such plugin is dns-systemd-resolved. T} T{ metered T}:T{ NMMetered (int32) T}:T{ \ T}:T{ Whether the connection is metered.

When updating this property on a currently activated connection, the change takes effect immediately. T} T{ mptcp-flags T}:T{ uint32 T}:T{ 0 T}:T{ Whether to configure MPTCP endpoints and the address flags. If MPTCP is enabled in NetworkManager, it will configure the addresses of the interface as MPTCP endpoints. Note that IPv4 loopback addresses (127.0.0.0/8), IPv4 link local addresses (169.254.0.0/16), the IPv6 loopback address (::1), IPv6 link local addresses (fe80::/10), IPv6 unique local addresses (ULA, fc00::/7) and IPv6 privacy extension addresses (rfc3041, ipv6.ip6-privacy) will be excluded from being configured as endpoints.

If "disabled" (0x1), MPTCP handling for the interface is disabled and no endpoints are registered.

The "enabled" (0x2) flag means that MPTCP handling is enabled. This flag can also be implied from the presence of other flags.

Even when enabled, MPTCP handling will by default still be disabled unless "/proc/sys/net/mptcp/enabled" sysctl is on. NetworkManager does not change the sysctl and this is up to the administrator or distribution. To configure endpoints even if the sysctl is disabled, "also-without-sysctl" (0x4) flag can be used. In that case, NetworkManager doesnt look at the sysctl and configures endpoints regardless.

Even when enabled, NetworkManager will only configure MPTCP endpoints for a certain address family, if there is a unicast default route (0.0.0.0/0 or ::/0) in the main routing table. The flag "also-without-default-route" (0x8) can override that.

When MPTCP handling is enabled then endpoints are configured with the specified address flags "signal" (0x10), "subflow" (0x20), "backup" (0x40), "fullmesh" (0x80). See ip-mptcp(8) manual for additional information about the flags.

If the flags are zero (0x0), the global connection default from NetworkManager.conf is honored. If still unspecified, the fallback is "enabled,subflow". Note that this means that MPTCP is by default done depending on the "/proc/sys/net/mptcp/enabled" sysctl.

NetworkManager does not change the MPTCP limits nor enable MPTCP via "/proc/sys/net/mptcp/enabled". That is a host configuration which the admin can change via sysctl and ip-mptcp.

Strict reverse path filtering (rp_filter) breaks many MPTCP use cases, so when MPTCP handling for IPv4 addresses on the interface is enabled, NetworkManager would loosen the strict reverse path filtering (1) to the loose setting (2). T} T{ mud-url T}:T{ string T}:T{ \ T}:T{ If configured, set to a Manufacturer Usage Description (MUD) URL that points to manufacturer-recommended network policies for IoT devices. It is transmitted as a DHCPv4 or DHCPv6 option. The value must be a valid URL starting with "https://".

The special value "none" is allowed to indicate that no MUD URL is used.

If the per-profile value is unspecified (the default), a global connection default gets consulted. If still unspecified, the ultimate default is "none". T} T{ multi-connect T}:T{ int32 T}:T{ 0 T}:T{ Specifies whether the profile can be active multiple times at a particular moment. The value is of type NMConnectionMultiConnect. T} T{ permissions T}:T{ array of string T}:T{ \ T}:T{ An array of strings defining what access a given user has to this connection. If this is NULL or empty, all users are allowed to access this connection; otherwise users are allowed if and only if they are in this list. When this is not empty, the connection can be active only when one of the specified users is logged into an active session. Each entry is of the form "[type]:[id]:[reserved]"; for example, "user:dcbw:blah".

At this time only the "user" [type] is allowed. Any other values are ignored and reserved for future use. [id] is the username that this permission refers to, which may not contain the ":" character. Any [reserved] information present must be ignored and is reserved for future use. All of [type], [id], and [reserved] must be valid UTF-8. T} T{ read-only T}:T{ boolean T}:T{ FALSE T}:T{ FALSE if the connection can be modified using the provided settings services D-Bus interface with the right privileges, or TRUE if the connection is read-only and cannot be modified. T} T{ secondaries T}:T{ array of string T}:T{ \ T}:T{ List of connection UUIDs that should be activated when the base connection itself is activated. Currently, only VPN connections are supported. T} T{ slave-type T}:T{ string T}:T{ \ T}:T{ Setting name of the device type of this slaves master connection (eg, "bond"), or NULL if this connection is not a slave. T} T{ stable-id T}:T{ string T}:T{ \ T}:T{ This represents the identity of the connection used for various purposes. It allows to configure multiple profiles to share the identity. Also, the stable-id can contain placeholders that are substituted dynamically and deterministically depending on the context.

The stable-id is used for generating IPv6 stable private addresses with ipv6.addr-gen-mode=stable-privacy. It is also used to seed the generated cloned MAC address for ethernet.cloned-mac-address=stable and wifi.cloned-mac-address=stable. It is also used as DHCP client identifier with ipv4.dhcp-client-id=stable and to derive the DHCP DUID with ipv6.dhcp-duid=stable-[llt,ll,uuid].

Note that depending on the context where it is used, other parameters are also seeded into the generation algorithm. For example, a per-host key is commonly also included, so that different systems end up generating different IDs. Or with ipv6.addr-gen-mode=stable-privacy, also the devices name is included, so that different interfaces yield different addresses. The per-host key is the identity of your machine and stored in /var/lib/NetworkManager/secret_key. See NetworkManager(8) manual about the secret-key and the host identity.

The $ character is treated special to perform dynamic substitutions at runtime. Currently, supported are "${CONNECTION}", "${DEVICE}", "${MAC}", "${BOOT}", "${RANDOM}". These effectively create unique IDs per-connection, per-device, per-boot, or every time. Note that "${DEVICE}" corresponds to the interface name of the device and "${MAC}" is the permanent MAC address of the device. Any unrecognized patterns following $ are treated verbatim, however are reserved for future use. You are thus advised to avoid $ or escape it as "$$". For example, set it to "${CONNECTION}-${BOOT}-${DEVICE}" to create a unique id for this connection that changes with every reboot and differs depending on the interface where the profile activates.

If the value is unset, a global connection default is consulted. If the value is still unset, the default is similar to "${CONNECTION}" and uses a unique, fixed ID for the connection. T} T{ timestamp T}:T{ uint64 T}:T{ 0 T}:T{ The time, in seconds since the Unix Epoch, that the connection was last _successfully_ fully activated.

NetworkManager updates the connection timestamp periodically when the connection is active to ensure that an active connection has the latest timestamp. The property is only meant for reading (changes to this property will not be preserved). T} T{ type T}:T{ string T}:T{ \ T}:T{ Base type of the connection. For hardware-dependent connections, should contain the setting name of the hardware-type specific setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth", etc), and for non-hardware dependent connections like VPN or otherwise, should contain the setting name of that setting type (ie, "vpn" or "bridge", etc). T} T{ uuid T}:T{ string T}:T{ \ T}:T{ A universally unique identifier for the connection, for example generated with libuuid. It should be assigned when the connection is created, and never changed as long as the connection still applies to the same network. For example, it should not be changed when the "id" property or NMSettingIP4Config changes, but might need to be re-created when the Wi-Fi SSID, mobile broadband network provider, or "type" property changes.

The UUID must be in the format "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only hexadecimal characters and "-"). T} T{ wait-activation-delay T}:T{ int32 T}:T{ -1 T}:T{ Time in milliseconds to wait for connection to be considered activated. The wait will start after the pre-up dispatcher event.

The value 0 means no wait time. The default value is -1, which currently has the same meaning as no wait time. T} T{ wait-device-timeout T}:T{ int32 T}:T{ -1 T}:T{ Timeout in milliseconds to wait for device at startup. During boot, devices may take a while to be detected by the driver. This property will cause to delay NetworkManager-wait-online.service and nm-online to give the device a chance to appear. This works by waiting for the given timeout until a compatible device for the profile is available and managed.

The value 0 means no wait time. The default value is -1, which currently has the same meaning as no wait time. T} T{ zone T}:T{ string T}:T{ \ T}:T{ The trust level of a the connection. Free form case-insensitive string (for example "Home", "Work", "Public"). NULL or unspecified zone means the connection will be placed in the default zone as defined by the firewall.

When updating this property on a currently activated connection, the change takes effect immediately. T}

6LoWPAN Settings.

allbox tab(:); lB lB lB lB. T{ Key Name T}:T{ Value Type T}:T{ Default Value T}:T{ Value Description T}

l l l l. T{ parent T}:T{ string T}:T{ \ T}:T{ If given, specifies the parent interface name or parent connection UUID from which this 6LowPAN interface should be created. T}

IEEE 802.1x Authentication Settings.

allbox tab(:); lB lB lB lB. T{ Key Name T}:T{ Value Type T}:T{ Default Value T}:T{ Value Description T}

l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l. T{ altsubject-matches T}:T{ array of string T}:T{ \ T}:T{ List of strings to be matched against the altSubjectName of the certificate presented by the authentication server. If the list is empty, no verification of the server certificates altSubjectName is performed. T} T{ anonymous-identity T}:T{ string T}:T{ \ T}:T{ Anonymous identity string for EAP authentication methods. Used as the unencrypted identity with EAP types that support different tunneled identity like EAP-TTLS. T} T{ auth-timeout T}:T{ int32 T}:T{ 0 T}:T{ A timeout for the authentication. Zero means the global default; if the global default is not set, the authentication timeout is 25 seconds. T} T{ ca-cert T}:T{ byte array T}:T{ \ T}:T{ Contains the CA certificate if used by the EAP method specified in the "eap" property.

Certificate data is specified using a "scheme"; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificates DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.

Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory. T} T{ ca-cert-password T}:T{ string T}:T{ \ T}:T{ The password used to access the CA certificate stored in "ca-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login. T} T{ ca-cert-password-flags T}:T{ NMSettingSecretFlags (uint32) T}:T{ \ T}:T{ Flags indicating how to handle the "ca-cert-password" property. T} T{ ca-path T}:T{ string T}:T{ \ T}:T{ UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the "ca-cert" property.

If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored. T} T{ client-cert T}:T{ byte array T}:T{ \ T}:T{ Contains the client certificate if used by the EAP method specified in the "eap" property.

Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificates DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. T} T{ client-cert-password T}:T{ string T}:T{ \ T}:T{ The password used to access the client certificate stored in "client-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login. T} T{ client-cert-password-flags T}:T{ NMSettingSecretFlags (uint32) T}:T{ \ T}:T{ Flags indicating how to handle the "client-cert-password" property. T} T{ domain-match T}:T{ string T}:T{ \ T}:T{ Constraint for server domain name. If set, this list of FQDNs is used as a match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using the same comparison. Multiple valid FQDNs can be passed as a ";" delimited list. T} T{ domain-suffix-match T}:T{ string T}:T{ \ T}:T{ Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison. Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited list. T} T{ eap T}:T{ array of string T}:T{ \ T}:T{ The allowed EAP method to be used when authenticating to the network with 802.1x. Valid methods are: "leap", "md5", "tls", "peap", "ttls", "pwd", and "fast". Each method requires different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations. T} T{ identity T}:T{ string T}:T{ \ T}:T{ Identity string for EAP authentication methods. Often the users user or login name. T} T{ optional T}:T{ boolean T}:T{ FALSE T}:T{ Whether the 802.1X authentication is optional. If TRUE, the activation will continue even after a timeout or an authentication failure. Setting the property to TRUE is currently allowed only for Ethernet connections. If set to FALSE, the activation can continue only after a successful authentication. T} T{ pac-file T}:T{ string T}:T{ \ T}:T{ UTF-8 encoded file path containing PAC for EAP-FAST. T} T{ password T}:T{ string T}:T{ \ T}:T{ UTF-8 encoded password used for EAP authentication methods. If both the "password" property and the "password-raw" property are specified, "password" is preferred. T} T{ password-flags T}:T{ NMSettingSecretFlags (uint32) T}:T{ \ T}:T{ Flags indicating how to handle the "password" property. T} T{ password-raw T}:T{ byte array T}:T{ \ T}:T{ Password used for EAP authentication methods, given as a byte array to allow passwords in other encodings than UTF-8 to be used. If both the "password" property and the "password-raw" property are specified, "password" is preferred. T} T{ password-raw-flags T}:T{ NMSettingSecretFlags (uint32) T}:T{ \ T}:T{ Flags indicating how to handle the "password-raw" property. T} T{ phase1-auth-flags T}:T{ uint32 T}:T{ 0 T}:T{ Specifies authentication flags to use in "phase 1" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. TLS time checks can be also disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x and tls_disable_time_checks settings. See the wpa_supplicant documentation for more details. T} T{ phase1-fast-provisioning T}:T{ string T}:T{ \ T}:T{ Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the "eap" property. Recognized values are "0" (disabled), "1" (allow unauthenticated provisioning), "2" (allow authenticated provisioning), and "3" (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details. T} T{ phase1-peaplabel T}:T{ string T}:T{ \ T}:T{ Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to "1" to force use of the new PEAP label. See the wpa_supplicant documentation for more details. T} T{ phase1-peapver T}:T{ string T}:T{ \ T}:T{ Forces which PEAP version is used when PEAP is set as the EAP method in the "eap" property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to "0" or "1" to force that specific PEAP version. T} T{ phase2-altsubject-matches T}:T{ array of string T}:T{ \ T}:T{ List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner "phase 2" authentication. If the list is empty, no verification of the server certificates altSubjectName is performed. T} T{ phase2-auth T}:T{ string T}:T{ \ T}:T{ Specifies the allowed "phase 2" inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the "eap" property. For TTLS this property selects one of the supported non-EAP inner methods: "pap", "chap", "mschap", "mschapv2" while "phase2-autheap" selects an EAP inner method. For PEAP this selects an inner EAP method, one of: "gtc", "otp", "md5" and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both "phase2-auth" and "phase2-autheap" cannot be specified. T} T{ phase2-autheap T}:T{ string T}:T{ \ T}:T{ Specifies the allowed "phase 2" inner EAP-based authentication method when TTLS is specified in the "eap" property. Recognized EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. T} T{ phase2-ca-cert T}:T{ byte array T}:T{ \ T}:T{ Contains the "phase 2" CA certificate if used by the EAP method specified in the "phase2-auth" or "phase2-autheap" properties.

Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory. T} T{ phase2-ca-cert-password T}:T{ string T}:T{ \ T}:T{ The password used to access the "phase2" CA certificate stored in "phase2-ca-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login. T} T{ phase2-ca-cert-password-flags T}:T{ NMSettingSecretFlags (uint32) T}:T{ \ T}:T{ Flags indicating how to handle the "phase2-ca-cert-password" property. T} T{ phase2-ca-path T}:T{ string T}:T{ \ T}:T{ UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the "phase2-ca-cert" property.

If NMSetting8021x:system-ca-certs is enabled and the built-in CA path is an existing directory, then this setting is ignored. T} T{ phase2-client-cert T}:T{ byte array T}:T{ \ T}:T{ Contains the "phase 2" client certificate if used by the EAP method specified in the "phase2-auth" or "phase2-autheap" properties.

Key data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the keys encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the "phase2-private-key-password" property must be set to password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte, and as with the blob scheme the "phase2-private-key-password" property must be set to the password used to decode the PKCS#12 private key and certificate. T} T{ phase2-private-key-password T}:T{ string T}:T{ \ T}:T{ The password used to decrypt the "phase 2" private key specified in the "phase2-private-key" property when the private key either uses the path scheme, or is a PKCS#12 format key. T} T{ phase2-private-key-password-flags T}:T{ NMSettingSecretFlags (uint32) T}:T{ \ T}:T{ Flags indicating how to handle the "phase2-private-key-password" property. T} T{ phase2-subject-match T}:T{ string T}:T{ \ T}:T{ Substring to be matched against the subject of the certificate presented by the authentication server during the inner "phase 2" authentication. When unset, no verification of the authentication server certificates subject is performed. This property provides little security, if any, and should not be used.

This property is deprecated since version 1.2.Use "phase2-domain-suffix-match" instead. T} T{ pin T}:T{ string T}:T{ \ T}:T{ PIN used for EAP authentication methods. T} T{ pin-flags T}:T{ NMSettingSecretFlags (uint32) T}:T{ \ T}:T{ Flags indicating how to handle the "pin" property. T} T{ private-key T}:T{ byte array T}:T{ \ T}:T{ Contains the private key when the "eap" property is set to "tls".

WARNING: "private-key" is not a "secret" property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data. T} T{ private-key-password T}:T{ string T}:T{ \ T}:T{ The password used to decrypt the private key specified in the "private-key" property when the private key either uses the path scheme, or if the private key is a PKCS#12 format key. T} T{ private-key-password-flags T}:T{ NMSettingSecretFlags (uint32) T}:T{ \ T}:T{ Flags indicating how to handle the "private-key-password" property. T} T{ subject-match T}:T{ string T}:T{ \ T}:T{ Substring to be matched against the subject of the certificate presented by the authentication server. When unset, no verification of the authentication server certificates subject is performed. This property provides little security, if any, and should not be used.

This property is deprecated since version 1.2.Use "phase2-domain-suffix-match" instead. T} T{ system-ca-certs T}:T{ boolean T}:T{ FALSE T}:T{ When TRUE, overrides the "ca-path" and "phase2-ca-path" properties using the system CA directory specified at configure time with the --system-ca-path switch. The certificates in this directory are added to the verification chain in addition to any certificates specified by the "ca-cert" and "phase2-ca-cert" properties. If the path provided with --system-ca-path is rather a file name (bundle of trusted CA certificates), it overrides "ca-cert" and "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options for wpa_supplicant). T}

ADSL Settings.

allbox tab(:); lB lB lB lB. T{ Key Name T}:T{ Value Type T}:T{ Default Value T}:T{ Value Description T}

l l l l l l l l l l l l l l l l l l l l l l l l l l l l. T{ encapsulation T}:T{ string T}:T{ \ T}:T{ Encapsulation of ADSL connection. Can be "vcmux" or "llc". T} T{ password T}:T{ string T}:T{ \ T}:T{ Password used to authenticate with the ADSL service. T} T{ password-flags T}:T{ NMSettingSecretFlags (uint32) T}:T{ \ T}:T{ Flags indicating how to handle the "password" property. T} T{ protocol T}:T{ string T}:T{ \ T}:T{ ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm". T} T{ username T}:T{ string T}:T{ \ T}:T{ Username used to authenticate with the ADSL service. T} T{ vci T}:T{ uint32 T}:T{ 0 T}:T{ VCI of ADSL connection T} T{ vpi T}:T{ uint32 T}:T{ 0 T}:T{ VPI of ADSL connection T}

Bluetooth Settings.

allbox tab(:); lB lB lB lB. T{ Key Name T}:T{ Value Type T}:T{ Default Value T}:T{ Value Description T}

l l l l l l l l. T{ bdaddr T}:T{ byte array T}:T{ \ T}:T{ The Bluetooth address of the device. T} T{ type T}:T{ string T}:T{ \ T}:T{ Either "dun" for Dial-Up Networking connections or "panu" for Personal Area Networking connections to devices supporting the NAP profile. T}

Bonding Settings.

allbox tab(:); lB lB lB lB. T{ Key Name T}:T{ Value Type T}:T{ Default Value T}:T{ Value Description T}

l l l l l l l l. T{ interface-name T}:T{ string T}:T{ \ T}:T{ Deprecated in favor of connection.interface-name, but can be used for backward-compatibility with older daemons, to set the bonds interface name. T} T{ options T}:T{ dict of string to string T}:T{ {mode: balance-rr} T}:T{ Dictionary of key/value pairs of bonding options. Both keys and values must be strings. Option names must contain only alphanumeric characters (ie, [a-zA-Z0-9]). T}

Bridging Settings.

allbox tab(:); lB lB lB lB. T{ Key Name T}:T{ Value Type T}:T{ Default Value T}:T{ Value Description T}

l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l. T{ ageing-time T}:T{ uint32 T}:T{ 300 T}:T{ The Ethernet MAC address aging time, in seconds. T} T{ forward-delay T}:T{ uint32 T}:T{ 15 T}:T{ The Spanning Tree Protocol (STP) forwarding delay, in seconds. T} T{ group-address T}:T{ byte array T}:T{ \ T}:T{ If specified, The MAC address of the multicast group this bridge uses for STP.

The address must be a link-local address in standard Ethernet MAC address format, ie an address of the form 01:80:C2:00:00:0X, with X in [0, 4..F]. If not specified the default value is 01:80:C2:00:00:00. T} T{ group-forward-mask T}:T{ uint32 T}:T{ 0 T}:T{ A mask of group addresses to forward. Usually, group addresses in the range from 01:80:C2:00:00:00 to 01:80:C2:00:00:0F are not forwarded according to standards. This property is a mask of 16 bits, each corresponding to a group address in that range that must be forwarded. The mask cant have bits 0, 1 or 2 set because they are used for STP, MAC pause frames and LACP. T} T{ hello-time T}:T{ uint32 T}:T{ 2 T}:T{ The Spanning Tree Protocol (STP) hello time, in seconds. T} T{ interface-name T}:T{ string T}:T{ \ T}:T{ Deprecated in favor of connection.interface-name, but can be used for backward-compatibility with older daemons, to set the bridges interface name. T} T{ mac-address T}:T{ byte array T}:T{ \ T}:T{ If specified, the MAC address of bridge. When creating a new bridge, this MAC address will be set.

If this field is left unspecified, the "ethernet.cloned-mac-address" is referred instead to generate the initial MAC address. Note that setting "ethernet.cloned-mac-address" anyway overwrites the MAC address of the bridge later while activating the bridge.

This property is deprecated since version 1.12.Use the "cloned-mac-address" property instead. T} T{ max-age T}:T{ uint32 T}:T{ 20 T}:T{ The Spanning Tree Protocol (STP) maximum message age, in seconds. T} T{ multicast-hash-max T}:T{ uint32 T}:T{ 4096 T}:T{ Set maximum size of multicast hash table (value must be a power of 2). T} T{ multicast-last-member-count T}:T{ uint32 T}:T{ 2 T}:T{ Set the number of queries the bridge will send before stopping forwarding a multicast group after a "leave" message has been received. T} T{ multicast-last-member-interval T}:T{ uint64 T}:T{ 100 T}:T{ Set interval (in deciseconds) between queries to find remaining members of a group, after a "leave" message is received. T} T{ multicast-membership-interval T}:T{ uint64 T}:T{ 26000 T}:T{ Set delay (in deciseconds) after which the bridge will leave a group, if no membership reports for this group are received. T} T{ multicast-querier T}:T{ boolean T}:T{ FALSE T}:T{ Enable or disable sending of multicast queries by the bridge. If not specified the option is disabled. T} T{ multicast-querier-interval T}:T{ uint64 T}:T{ 25500 T}:T{ If no queries are seen after this delay (in deciseconds) has passed, the bridge will start to send its own queries. T} T{ multicast-query-interval T}:T{ uint64 T}:T{ 12500 T}:T{ Interval (in deciseconds) between queries sent by the bridge after the end of the startup phase. T} T{ multicast-query-response-interval T}:T{ uint64 T}:T{ 1000 T}:T{ Set the Max Response Time/Max Response Delay (in deciseconds) for IGMP/MLD queries sent by the bridge. T} T{ multicast-query-use-ifaddr T}:T{ boolean T}:T{ FALSE T}:T{ If enabled the bridges own IP address is used as the source address for IGMP queries otherwise the default of 0.0.0.0 is used. T} T{ multicast-router T}:T{ string T}:T{ \ T}:T{ Sets bridges multicast router. Multicast-snooping must be enabled for this option to work.

Supported values are: auto, disabled, enabled to which kernel assigns the numbers 1, 0, and 2, respectively. If not specified the default value is auto (1). T} T{ multicast-snooping T}:T{ boolean T}:T{ TRUE T}:T{ Controls whether IGMP snooping is enabled for this bridge. Note that if snooping was automatically disabled due to hash collisions, the system may refuse to enable the feature until the collisions are resolved. T} T{ multicast-startup-query-count T}:T{ uint32 T}:T{ 2 T}:T{ Set the number of IGMP queries to send during startup phase. T} T{ multicast-startup-query-interval T}:T{ uint64 T}:T{ 3125 T}:T{ Sets the time (in deciseconds) between queries sent out at startup to determine membership information. T} T{ priority T}:T{ uint32 T}:T{ 32768 T}:T{ Sets the Spanning Tree Protocol (STP) priority for this bridge. Lower values are "better"; the lowest priority bridge will be elected the root bridge. T} T{ stp T}:T{ boolean T}:T{ TRUE T}:T{ Controls whether Spanning Tree Protocol (STP) is enabled for this bridge. T} T{ vlan-default-pvid T}:T{ uint32 T}:T{ 1 T}:T{ The default PVID for the ports of the bridge, that is the VLAN id assigned to incoming untagged frames. T} T{ vlan-filtering T}:T{ boolean T}:T{ FALSE T}:T{ Control whether VLAN filtering is enabled on the bridge. T} T{ vlan-protocol T}:T{ string T}:T{ \ T}:T{ If specified, the protocol used for VLAN filtering.

Supported values are: 802.1Q, 802.1ad. If not specified the default value is 802.1Q. T} T{ vlan-stats-enabled T}:T{ boolean T}:T{ FALSE T}:T{ Controls whether per-VLAN stats accounting is enabled. T} T{ vlans T}:T{ array of vardict T}:T{ \ T}:T{ Array of bridge VLAN objects. In addition to the VLANs specified here, the bridge will also have the default-pvid VLAN configured by the bridge.vlan-default-pvid property.

In nmcli the VLAN list can be specified with the following syntax:

$vid [pvid] [untagged] [, $vid [pvid] [untagged]]...

where $vid is either a single id between 1 and 4094 or a range, represented as a couple of ids separated by a dash. T}

Bridge Port Settings.

allbox tab(:); lB lB lB lB. T{ Key Name T}:T{ Value Type T}:T{ Default Value T}:T{ Value Description T}

l l l l l l l l l l l l l l l l. T{ hairpin-mode T}:T{ boolean T}:T{ FALSE T}:T{ Enables or disables "hairpin mode" for the port, which allows frames to be sent back out through the port the frame was received on. T} T{ path-cost T}:T{ uint32 T}:T{ 100 T}:T{ The Spanning Tree Protocol (STP) port cost for destinations via this port. T} T{ priority T}:T{ uint32 T}:T{ 32 T}:T{ The Spanning Tree Protocol (STP) priority of this bridge port. T} T{ vlans T}:T{ array of vardict T}:T{ \ T}:T{ Array of bridge VLAN objects. In addition to the VLANs specified here, the port will also have the default-pvid VLAN configured on the bridge by the bridge.vlan-default-pvid property.

In nmcli the VLAN list can be specified with the following syntax:

$vid [pvid] [untagged] [, $vid [pvid] [untagged]]...

where $vid is either a single id between 1 and 4094 or a range, represented as a couple of ids separated by a dash. T}

CDMA-based Mobile Broadband Settings.

allbox tab(:); lB lB lB lB. T{ Key Name T}:T{ Value Type T}:T{ Default Value T}:T{ Value Description T}

l l l l l l l l l l l l l l l l l l l l. T{ mtu T}:T{ uint32 T}:T{ 0 T}:T{ If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple frames. T} T{ number T}:T{ string T}:T{ \ T}:T{ The number to dial to establish the connection to the CDMA-based mobile broadband network, if any. If not specified, the default number (#777) is used when required. T} T{ password T}:T{ string T}:T{ \ T}:T{ The password used to authenticate with the network, if required. Many providers do not require a password, or accept any password. But if a password is required, it is specified here. T} T{ password-flags T}:T{ NMSettingSecretFlags (uint32) T}:T{ \ T}:T{ Flags indicating how to handle the "password" property. T} T{ username T}:T{ string T}:T{ \ T}:T{ The username used to authenticate with the network, if required. Many providers do not require a username, or accept any username. But if a username is required, it is specified here. T}

Data Center Bridging Settings.

allbox tab(:); lB lB lB lB. T{ Key Name T}:T{ Value Type T}:T{ Default Value T}:T{ Value Description T}

l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l l. T{ app-fcoe-flags T}:T{ NMSettingDcbFlags (uint32) T}:T{ \ T}:T{ Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4). T} T{ app-fcoe-mode T}:T{ string T}:T{ \ T}:T{ The FCoE controller mode; either "fabric" or "vn2vn".

Since 1.34, NULL is the default and means "fabric". Before 1.34, NULL was rejected as invalid and the default was "fabric". T} T{ app-fcoe-priority T}:T{ int32 T}:T{ -1 T}:T{ The highest User Priority (0 - 7) which FCoE frames should use, or -1 for default priority. Only used when the "app-fcoe-flags" property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag. T} T{ app-fip-flags T}:T{ NMSettingDcbFlags (uint32) T}:T{ \ T}:T{ Specifies the NMSettingDcbFlags for the DCB FIP application. Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4). T} T{ app-fip-priority T}:T{ int32 T}:T{ -1 T}:T{ The highest User Priority (0 - 7) which FIP frames should use, or -1 for default priority. Only used when the "app-fip-flags" property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag. T} T{ app-iscsi-flags T}:T{ NMSettingDcbFlags (uint32) T}:T{ \ T}:T{ Specifies the NMSettingDcbFlags for the DCB iSCSI application. Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4). T} T{ app-iscsi-priority T}:T{ int32 T}:T{ -1 T}:T{ The highest User Priority (0 - 7) which iSCSI frames should use, or -1 for default priority. Only used when the "app-iscsi-flags" property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag. T} T{ priority-bandwidth T}:T{ array of uint32 T}:T{ \ T}:T{ An array of 8 uint values, where the array index corresponds to the User Priority (0 - 7) and the value indicates the percentage of bandwidth of the prioritys assigned group that the priority may use. The sum of all percentages for priorities which belong to the same group must total 100 percents. T} T{ priority-flow-control T}:T{ array of uint32 T}:T{ \ T}:T{ An array of 8 boolean values, where the array index corresponds to the User Priority (0 - 7) and the value indicates whether or not the corresponding priority should transmit priority pause. T} T{ priority-flow-control-flags T}:T{ NMSettingDcbFlags (uint32) T}:T{ \ T}:T{ Specifies the NMSettingDcbFlags for DCB Priority Flow Control (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4). T} T{ priority-group-bandwidth T}:T{ array of uint32 T}:T{ \ T}:T{ An array of 8 uint values, where the array index corresponds to the Priority Group ID (0 - 7) and the value indicates the percentage of link bandwidth allocated to that group. Allowed values are 0 - 100, and the sum of all values must total 100 percents. T} T{ priority-group-flags T}:T{ NMSettingDcbFlags (uint32) T}:T{ \ T}:T{ Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4). T} T{ priority-group-id T}:T{ array of uint32 T}:T{ \ T}:T{ An array of 8 uint values, where the array index corresponds to the User Priority (0 - 7) and the value indicates the Priority Group ID. Allowed Priority Group ID values are 0 - 7 or 15 for the unrestricted group. T} T{ priority-strict-bandwidth T}:T{ array of uint32 T}:T{ \ T}:T{ An array of 8 boolean values, where the array index corresponds to the User Priority (0 - 7) and the value indicates whether or not the priority may use all of the bandwidth allocated to its assigned group. T} T{ priority-traffic-class T}:T{ array of uint32 T}:T{ \ T}:T{ An array of 8 uint values, where the array index corresponds to the User Priority (0 - 7) and the value indicates the traffic class (0 - 7) to which the priority is mapped. T}

Dummy Link Settings.

allbox tab(:); lB lB lB lB. T{ Key Name T}:T{ Value Type T}:T{ Default Value T}:T{ Value Description T}