nm-settings: NetworkManager Reference Manual

nm-settings

nm-settings — Description of settings and properties of NetworkManager connection profiles

Description

NetworkManager is based on a concept of connection profiles, sometimes referred to as connections only. These connection profiles contain a network configuration. When NetworkManager activates a connection profile on a network device the configuration will be applied and an active network connection will be established. Users are free to create as many connection profiles as they see fit. Thus they are flexible in having various network configurations for different networking needs. The connection profiles are handled by NetworkManager via settings service and are exported on D-Bus (/org/freedesktop/NetworkManager/Settings/<num> objects). The conceptual objects can be described as follows:

Connection (profile)

A specific, encapsulated, independent group of settings describing all the configuration required to connect to a specific network. It is referred to by a unique identifier called the UUID. A connection is tied to a one specific device type, but not necessarily a specific hardware device. It is composed of one or more Settings objects.

Setting

A group of related key/value pairs describing a specific piece of a Connection (profile). Settings keys and allowed values are described in the tables below. Keys are also referred to as properties. Developers can find the setting objects and their properties in the libnm-util sources. Look for the class_init functions near the bottom of each setting source file.

The settings and properties shown in tables below list all available connection configuration options. However, note that not all settings are applicable to all connection types. NetworkManager provides a command-line tool nmcli that allows direct configuration of the settings and properties according to a connection profile type. nmcli connection editor has also a built-in describe command that can display description of particular settings and properties of this page.

Table 24. 802-1x setting

Key Name	Value Type	Default Value	Value Description
altsubject-matches	array of string	[]	List of strings to be matched against the altSubjectName of the certificate presented by the authentication server. If the list is empty, no verification of the server certificate's altSubjectName is performed.
anonymous-identity	string		Anonymous identity string for EAP authentication methods. Used as the unencrypted identity with EAP types that support different tunneled identity like EAP-TTLS.
ca-cert	byte array		Contains the CA certificate if used by the EAP method specified in the "eap" property. Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.
ca-path	string		UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the "ca-cert" property.
client-cert	byte array		Contains the client certificate if used by the EAP method specified in the "eap" property. Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte.
domain-suffix-match	string		Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison.
eap	array of string	[]	The allowed EAP method to be used when authenticating to the network with 802.1x. Valid methods are: "leap", "md5", "tls", "peap", "ttls", "pwd", and "fast". Each method requires different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations.
identity	string		Identity string for EAP authentication methods. Often the user's user or login name.
name	string	802-1x	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
pac-file	string		UTF-8 encoded file path containing PAC for EAP-FAST.
password	string		UTF-8 encoded password used for EAP authentication methods. If both the "password" property and the "password-raw" property are specified, "password" is preferred.
password-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "password" property. (see the section called “Secret flag types:” for flag values)
password-raw	byte array		Password used for EAP authentication methods, given as a byte array to allow passwords in other encodings than UTF-8 to be used. If both the "password" property and the "password-raw" property are specified, "password" is preferred.
password-raw-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "password-raw" property. (see the section called “Secret flag types:” for flag values)
phase1-fast-provisioning	string		Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the "eap" property. Recognized values are "0" (disabled), "1" (allow unauthenticated provisioning), "2" (allow authenticated provisioning), and "3" (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details.
phase1-peaplabel	string		Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to "1" to force use of the new PEAP label. See the wpa_supplicant documentation for more details.
phase1-peapver	string		Forces which PEAP version is used when PEAP is set as the EAP method in the "eap" property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to "0" or "1" to force that specific PEAP version.
phase2-altsubject-matches	array of string	[]	List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner "phase 2" authentication. If the list is empty, no verification of the server certificate's altSubjectName is performed.
phase2-auth	string		Specifies the allowed "phase 2" inner non-EAP authentication methods when an EAP method that uses an inner TLS tunnel is specified in the "eap" property. Recognized non-EAP "phase 2" methods are "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.
phase2-autheap	string		Specifies the allowed "phase 2" inner EAP-based authentication methods when an EAP method that uses an inner TLS tunnel is specified in the "eap" property. Recognized EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase 2" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.
phase2-ca-cert	byte array		Contains the "phase 2" CA certificate if used by the EAP method specified in the "phase2-auth" or "phase2-autheap" properties. Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.
phase2-ca-path	string		UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the "phase2-ca-cert" property.
phase2-client-cert	byte array		Contains the "phase 2" client certificate if used by the EAP method specified in the "phase2-auth" or "phase2-autheap" properties. Certificate data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string "file://" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.
phase2-domain-suffix-match	string		Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server during the inner "phase 2" authentication. If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison.
phase2-private-key	byte array		Contains the "phase 2" inner private key when the "phase2-auth" or "phase2-autheap" property is set to "tls". Key data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the key's encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the "phase2-private-key-password" property must be set to password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and and ending with a terminating NUL byte, and as with the blob scheme the "phase2-private-key-password" property must be set to the password used to decode the PKCS#12 private key and certificate.
phase2-private-key-password	string		The password used to decrypt the "phase 2" private key specified in the "phase2-private-key" property when the private key either uses the path scheme, or is a PKCS#12 format key.
phase2-private-key-password-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "phase2-private-key-password" property. (see the section called “Secret flag types:” for flag values)
phase2-subject-match	string		Substring to be matched against the subject of the certificate presented by the authentication server during the inner "phase 2" authentication. When unset, no verification of the authentication server certificate's subject is performed. This property provides little security, if any, and its use is deprecated in favor of NMSetting8021x:phase2-domain-suffix-match.
pin	string		PIN used for EAP authentication methods.
pin-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "pin" property. (see the section called “Secret flag types:” for flag values)
private-key	byte array		Contains the private key when the "eap" property is set to "tls". Key data is specified using a "scheme"; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the key's encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the "private-key-password" property must be set to password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string "file://" and and ending with a terminating NUL byte, and as with the blob scheme the "private-key-password" property must be set to the password used to decode the PKCS#12 private key and certificate. WARNING: "private-key" is not a "secret" property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.
private-key-password	string		The password used to decrypt the private key specified in the "private-key" property when the private key either uses the path scheme, or if the private key is a PKCS#12 format key.
private-key-password-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "private-key-password" property. (see the section called “Secret flag types:” for flag values)
subject-match	string		Substring to be matched against the subject of the certificate presented by the authentication server. When unset, no verification of the authentication server certificate's subject is performed. This property provides little security, if any, and its use is deprecated in favor of NMSetting8021x:domain-suffix-match.
system-ca-certs	boolean	FALSE	When TRUE, overrides the "ca-path" and "phase2-ca-path" properties using the system CA directory specified at configure time with the --system-ca-path switch. The certificates in this directory are added to the verification chain in addition to any certificates specified by the "ca-cert" and "phase2-ca-cert" properties. If the path provided with --system-ca-path is rather a file name (bundle of trusted CA certificates), it overrides "ca-cert" and "phase2-ca-cert" properties instead (sets ca_cert/ca_cert2 options for wpa_supplicant).

Table 25. adsl setting

Key Name	Value Type	Default Value	Value Description
encapsulation	string		Encapsulation of ADSL connection. Can be "vcmux" or "llc".
name	string	adsl	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
password	string		Password used to authenticate with the ADSL service.
password-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "password" property. (see the section called “Secret flag types:” for flag values)
protocol	string		ADSL connection protocol. Can be "pppoa", "pppoe" or "ipoatm".
username	string		Username used to authenticate with the ADSL service.
vci	uint32	0	VCI of ADSL connection
vpi	uint32	0	VPI of ADSL connection

Table 26. bluetooth setting

Key Name	Value Type	Default Value	Value Description
bdaddr	byte array		The Bluetooth address of the device.
name	string	bluetooth	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
type	string		Either "dun" for Dial-Up Networking connections or "panu" for Personal Area Networking connections to devices supporting the NAP profile.

Table 27. bond setting

Key Name	Value Type	Default Value	Value Description
interface-name	string		Deprecated in favor of connection.interface-name, but can be used for backward-compatibility with older daemons, to set the bond's interface name.
name	string	bond	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
options	dict of string to string	{'mode': 'balance-rr'}	Dictionary of key/value pairs of bonding options. Both keys and values must be strings. Option names must contain only alphanumeric characters (ie, [a-zA-Z0-9]).

Table 28. bridge setting

Key Name	Value Type	Default Value	Value Description
ageing-time	uint32	300	The Ethernet MAC address aging time, in seconds.
forward-delay	uint32	15	The Spanning Tree Protocol (STP) forwarding delay, in seconds.
hello-time	uint32	2	The Spanning Tree Protocol (STP) hello time, in seconds.
interface-name	string		Deprecated in favor of connection.interface-name, but can be used for backward-compatibility with older daemons, to set the bridge's interface name.
mac-address	byte array		If specified, the MAC address of bridge. When creating a new bridge, this MAC address will be set. When matching an existing (outside NetworkManager created) bridge, this MAC address must match.
max-age	uint32	20	The Spanning Tree Protocol (STP) maximum message age, in seconds.
multicast-snooping	boolean	TRUE	Controls whether IGMP snooping is enabled for this bridge. Note that if snooping was automatically disabled due to hash collisions, the system may refuse to enable the feature until the collisions are resolved.
name	string	bridge	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
priority	uint32	32768	Sets the Spanning Tree Protocol (STP) priority for this bridge. Lower values are "better"; the lowest priority bridge will be elected the root bridge.
stp	boolean	TRUE	Controls whether Spanning Tree Protocol (STP) is enabled for this bridge.

Table 29. bridge-port setting

Key Name	Value Type	Default Value	Value Description
hairpin-mode	boolean	FALSE	Enables or disabled "hairpin mode" for the port, which allows frames to be sent back out through the port the frame was received on.
name	string	bridge-port	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
path-cost	uint32	100	The Spanning Tree Protocol (STP) port cost for destinations via this port.
priority	uint32	32	The Spanning Tree Protocol (STP) priority of this bridge port.

Table 30. cdma setting

Key Name	Value Type	Default Value	Value Description
name	string	cdma	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
number	string		The number to dial to establish the connection to the CDMA-based mobile broadband network, if any. If not specified, the default number (#777) is used when required.
password	string		The password used to authenticate with the network, if required. Many providers do not require a password, or accept any password. But if a password is required, it is specified here.
password-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "password" property. (see the section called “Secret flag types:” for flag values)
username	string		The username used to authenticate with the network, if required. Many providers do not require a username, or accept any username. But if a username is required, it is specified here.

Table 31. connection setting

Key Name	Value Type	Default Value	Value Description
autoconnect	boolean	TRUE	Whether or not the connection should be automatically connected by NetworkManager when the resources for the connection are available. TRUE to automatically activate the connection, FALSE to require manual intervention to activate the connection.
autoconnect-priority	int32	0	The autoconnect priority. If the connection is set to autoconnect, connections with higher priority will be preferred. Defaults to 0. The higher number means higher priority.
autoconnect-slaves	NMSettingConnectionAutoconnectSlaves (int32)		Whether or not slaves of this connection should be automatically brought up when NetworkManager activates this connection. This only has a real effect for master connections. The permitted values are: 0: leave slave connections untouched, 1: activate all the slave connections with this connection, -1: default. If -1 (default) is set, global connection.autoconnect-slaves is read to determine the real value. If it is default as well, this fallbacks to 0.
gateway-ping-timeout	uint32	0	If greater than zero, delay success of IP addressing until either the timeout is reached, or an IP gateway replies to a ping.
id	string		A human readable unique identifier for the connection, like "Work Wi-Fi" or "T-Mobile 3G".
interface-name	string		The name of the network interface this connection is bound to. If not set, then the connection can be attached to any interface of the appropriate type (subject to restrictions imposed by other settings). For software devices this specifies the name of the created device. For connection types where interface names cannot easily be made persistent (e.g. mobile broadband or USB Ethernet), this property should not be used. Setting this property restricts the interfaces a connection can be used with, and if interface names change or are reordered the connection may be applied to the wrong interface.
lldp	int32	-1	Whether LLDP is enabled for the connection.
master	string		Interface name of the master device or UUID of the master connection.
metered	NMMetered (int32)		Whether the connection is metered. When updating this property on a currently activated connection, the change takes effect immediately.
name	string	connection	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
permissions	array of string	[]	An array of strings defining what access a given user has to this connection. If this is NULL or empty, all users are allowed to access this connection. Otherwise a user is allowed to access this connection if and only if they are in this list. Each entry is of the form "[type]:[id]:[reserved]"; for example, "user:dcbw:blah". At this time only the "user" [type] is allowed. Any other values are ignored and reserved for future use. [id] is the username that this permission refers to, which may not contain the ":" character. Any [reserved] information present must be ignored and is reserved for future use. All of [type], [id], and [reserved] must be valid UTF-8.
read-only	boolean	FALSE	FALSE if the connection can be modified using the provided settings service's D-Bus interface with the right privileges, or TRUE if the connection is read-only and cannot be modified.
secondaries	array of string	[]	List of connection UUIDs that should be activated when the base connection itself is activated. Currently only VPN connections are supported.
slave-type	string		Setting name of the device type of this slave's master connection (eg, "bond"), or NULL if this connection is not a slave.
timestamp	uint64	0	The time, in seconds since the Unix Epoch, that the connection was last _successfully_ fully activated. NetworkManager updates the connection timestamp periodically when the connection is active to ensure that an active connection has the latest timestamp. The property is only meant for reading (changes to this property will not be preserved).
type	string		Base type of the connection. For hardware-dependent connections, should contain the setting name of the hardware-type specific setting (ie, "802-3-ethernet" or "802-11-wireless" or "bluetooth", etc), and for non-hardware dependent connections like VPN or otherwise, should contain the setting name of that setting type (ie, "vpn" or "bridge", etc).
uuid	string		A universally unique identifier for the connection, for example generated with libuuid. It should be assigned when the connection is created, and never changed as long as the connection still applies to the same network. For example, it should not be changed when the "id" property or NMSettingIP4Config changes, but might need to be re-created when the Wi-Fi SSID, mobile broadband network provider, or "type" property changes. The UUID must be in the format "2815492f-7e56-435e-b2e9-246bd7cdc664" (ie, contains only hexadecimal characters and "-").
zone	string		The trust level of a the connection. Free form case-insensitive string (for example "Home", "Work", "Public"). NULL or unspecified zone means the connection will be placed in the default zone as defined by the firewall. When updating this property on a currently activated connection, the change takes effect immediately.

Table 32. dcb setting

Key Name	Value Type	Default Value	Value Description
app-fcoe-flags	NMSettingDcbFlags (uint32)		Specifies the NMSettingDcbFlags for the DCB FCoE application. Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4).
app-fcoe-mode	string	"fabric"	The FCoE controller mode; either "fabric" (default) or "vn2vn".
app-fcoe-priority	int32	-1	The highest User Priority (0 - 7) which FCoE frames should use, or -1 for default priority. Only used when the "app-fcoe-flags" property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
app-fip-flags	NMSettingDcbFlags (uint32)		Specifies the NMSettingDcbFlags for the DCB FIP application. Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4).
app-fip-priority	int32	-1	The highest User Priority (0 - 7) which FIP frames should use, or -1 for default priority. Only used when the "app-fip-flags" property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
app-iscsi-flags	NMSettingDcbFlags (uint32)		Specifies the NMSettingDcbFlags for the DCB iSCSI application. Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4).
app-iscsi-priority	int32	-1	The highest User Priority (0 - 7) which iSCSI frames should use, or -1 for default priority. Only used when the "app-iscsi-flags" property includes the NM_SETTING_DCB_FLAG_ENABLE (0x1) flag.
name	string	dcb	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
priority-bandwidth	array of uint32	[0, 0, 0, 0, 0, 0, 0, 0]	An array of 8 uint values, where the array index corresponds to the User Priority (0 - 7) and the value indicates the percentage of bandwidth of the priority's assigned group that the priority may use. The sum of all percentages for priorities which belong to the same group must total 100 percent.
priority-flow-control	array of uint32	[0, 0, 0, 0, 0, 0, 0, 0]	An array of 8 boolean values, where the array index corresponds to the User Priority (0 - 7) and the value indicates whether or not the corresponding priority should transmit priority pause.
priority-flow-control-flags	NMSettingDcbFlags (uint32)		Specifies the NMSettingDcbFlags for DCB Priority Flow Control (PFC). Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4).
priority-group-bandwidth	array of uint32	[0, 0, 0, 0, 0, 0, 0, 0]	An array of 8 uint values, where the array index corresponds to the Priority Group ID (0 - 7) and the value indicates the percentage of link bandwidth allocated to that group. Allowed values are 0 - 100, and the sum of all values must total 100 percent.
priority-group-flags	NMSettingDcbFlags (uint32)		Specifies the NMSettingDcbFlags for DCB Priority Groups. Flags may be any combination of NM_SETTING_DCB_FLAG_ENABLE (0x1), NM_SETTING_DCB_FLAG_ADVERTISE (0x2), and NM_SETTING_DCB_FLAG_WILLING (0x4).
priority-group-id	array of uint32	[0, 0, 0, 0, 0, 0, 0, 0]	An array of 8 uint values, where the array index corresponds to the User Priority (0 - 7) and the value indicates the Priority Group ID. Allowed Priority Group ID values are 0 - 7 or 15 for the unrestricted group.
priority-strict-bandwidth	array of uint32	[0, 0, 0, 0, 0, 0, 0, 0]	An array of 8 boolean values, where the array index corresponds to the User Priority (0 - 7) and the value indicates whether or not the priority may use all of the bandwidth allocated to its assigned group.
priority-traffic-class	array of uint32	[0, 0, 0, 0, 0, 0, 0, 0]	An array of 8 uint values, where the array index corresponds to the User Priority (0 - 7) and the value indicates the traffic class (0 - 7) to which the priority is mapped.

Table 33. generic setting

Key Name	Value Type	Default Value	Value Description
name	string	generic	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".

Table 34. gsm setting

Key Name	Value Type	Default Value	Value Description
apn	string		The GPRS Access Point Name specifying the APN used when establishing a data session with the GSM-based network. The APN often determines how the user will be billed for their network usage and whether the user has access to the Internet or just a provider-specific walled-garden, so it is important to use the correct APN for the user's mobile broadband plan. The APN may only be composed of the characters a-z, 0-9, ., and - per GSM 03.60 Section 14.9.
device-id	string		The device unique identifier (as given by the WWAN management service) which this connection applies to. If given, the connection will only apply to the specified device.
home-only	boolean	FALSE	When TRUE, only connections to the home network will be allowed. Connections to roaming networks will not be made.
name	string	gsm	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
network-id	string		The Network ID (GSM LAI format, ie MCC-MNC) to force specific network registration. If the Network ID is specified, NetworkManager will attempt to force the device to register only on the specified network. This can be used to ensure that the device does not roam when direct roaming control of the device is not otherwise possible.
number	string		Number to dial when establishing a PPP data session with the GSM-based mobile broadband network. Many modems do not require PPP for connections to the mobile network and thus this property should be left blank, which allows NetworkManager to select the appropriate settings automatically.
password	string		The password used to authenticate with the network, if required. Many providers do not require a password, or accept any password. But if a password is required, it is specified here.
password-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "password" property. (see the section called “Secret flag types:” for flag values)
pin	string		If the SIM is locked with a PIN it must be unlocked before any other operations are requested. Specify the PIN here to allow operation of the device.
pin-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "pin" property. (see the section called “Secret flag types:” for flag values)
sim-id	string		The SIM card unique identifier (as given by the WWAN management service) which this connection applies to. If given, the connection will apply to any device also allowed by "device-id" which contains a SIM card matching the given identifier.
sim-operator-id	string		A MCC/MNC string like "310260" or "21601" identifying the specific mobile network operator which this connection applies to. If given, the connection will apply to any device also allowed by "device-id" and "sim-id" which contains a SIM card provisioined by the given operator.
username	string		The username used to authenticate with the network, if required. Many providers do not require a username, or accept any username. But if a username is required, it is specified here.

Table 35. infiniband setting

Key Name	Value Type	Default Value	Value Description
mac-address	byte array		If specified, this connection will only apply to the IPoIB device whose permanent MAC address matches. This property does not change the MAC address of the device (i.e. MAC spoofing).
mtu	uint32	0	If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple frames.
name	string	infiniband	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
p-key	int32	-1	The InfiniBand P_Key to use for this device. A value of -1 means to use the default P_Key (aka "the P_Key at index 0"). Otherwise it is a 16-bit unsigned integer, whose high bit is set if it is a "full membership" P_Key.
parent	string		The interface name of the parent device of this device. Normally NULL, but if the "p_key" property is set, then you must specify the base device by setting either this property or "mac-address".
transport-mode	string		The IP-over-InfiniBand transport mode. Either "datagram" or "connected".

Table 36. ipv4 setting

Key Name	Value Type	Default Value	Value Description
address-data	array of vardict		Array of IPv4 addresses. Each address dictionary contains at least 'address' and 'prefix' entries, containing the IP address as a string, and the prefix length as a uint32. Additional attributes may also exist on some addresses.
addresses	array of array of uint32	[]	Deprecated in favor of the 'address-data' and 'gateway' properties, but this can be used for backward-compatibility with older daemons. Note that if you send this property the daemon will ignore 'address-data' and 'gateway'. Array of IPv4 address structures. Each IPv4 address structure is composed of 3 32-bit values; the first being the IPv4 address (network byte order), the second the prefix (1 - 32), and last the IPv4 gateway (network byte order). The gateway may be left as 0 if no gateway exists for that subnet.
dad-timeout	int32	-1	Timeout in milliseconds used to check for the presence of duplicate IP addresses on the network. If an address conflict is detected, the activation will fail. A zero value means that no duplicate address detection is performed, -1 means the default value (either configuration ipvx.dad-timeout override or 3 seconds). A value greater than zero is a timeout in milliseconds.
dhcp-client-id	string		A string sent to the DHCP server to identify the local machine which the DHCP server may use to customize the DHCP lease and options.
dhcp-fqdn	string		If the "dhcp-send-hostname" property is TRUE, then the specified FQDN will be sent to the DHCP server when acquiring a lease. This property and "dhcp-hostname" are mutually exclusive and cannot be set at the same time.
dhcp-hostname	string		If the "dhcp-send-hostname" property is TRUE, then the specified name will be sent to the DHCP server when acquiring a lease. This property and "dhcp-fqdn" are mutually exclusive and cannot be set at the same time.
dhcp-send-hostname	boolean	TRUE	If TRUE, a hostname is sent to the DHCP server when acquiring a lease. Some DHCP servers use this hostname to update DNS databases, essentially providing a static hostname for the computer. If the "dhcp-hostname" property is NULL and this property is TRUE, the current persistent hostname of the computer is sent.
dhcp-timeout	int32	0	A timeout for a DHCP transaction in seconds.
dns	array of uint32	[]	Array of IP addresses of DNS servers (as network-byte-order integers)
dns-options	array of string	[]	Array of DNS options. NULL means that the options are unset and left at the default. In this case NetworkManager will use default options. This is distinct from an empty list of properties.
dns-priority	int32	0	DNS priority. The relative priority to be used when determining the order of DNS servers in resolv.conf. A lower value means that servers will be on top of the file. Zero selects the default value, which is 50 for VPNs and 100 for other connections. When multiple devices have configurations with the same priority, the one with an active default route will be preferred. Note that when using dns=dnsmasq the order is meaningless since dnsmasq forwards queries to all known servers at the same time. Negative values have the special effect of excluding other configurations with a greater priority value; so in presence of at least a negative priority, only DNS servers from configurations with the lowest priority value will be used.
dns-search	array of string	[]	Array of DNS search domains.
gateway	string		The gateway associated with this configuration. This is only meaningful if "addresses" is also set.
ignore-auto-dns	boolean	FALSE	When "method" is set to "auto" and this property to TRUE, automatically configured nameservers and search domains are ignored and only nameservers and search domains specified in the "dns" and "dns-search" properties, if any, are used.
ignore-auto-routes	boolean	FALSE	When "method" is set to "auto" and this property to TRUE, automatically configured routes are ignored and only routes specified in the "routes" property, if any, are used.
may-fail	boolean	TRUE	If TRUE, allow overall network configuration to proceed even if the configuration specified by this property times out. Note that at least one IP configuration must succeed or overall network configuration will still fail. For example, in IPv6-only networks, setting this property to TRUE on the NMSettingIP4Config allows the overall network configuration to succeed if IPv4 configuration fails but IPv6 configuration completes successfully.
method	string		IP configuration method. NMSettingIP4Config and NMSettingIP6Config both support "auto", "manual", and "link-local". See the subclass-specific documentation for other values. In general, for the "auto" method, properties such as "dns" and "routes" specify information that is added on to the information returned from automatic configuration. The "ignore-auto-routes" and "ignore-auto-dns" properties modify this behavior. For methods that imply no upstream network, such as "shared" or "link-local", these properties must be empty. For IPv4 method "shared", the IP subnet can be configured by adding one manual IPv4 address or otherwise 10.42.x.0/24 is chosen.
name	string	ipv4	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
never-default	boolean	FALSE	If TRUE, this connection will never be the default connection for this IP type, meaning it will never be assigned the default route by NetworkManager.
route-data	array of vardict		Array of IPv4 routes. Each route dictionary contains at least 'dest' and 'prefix' entries, containing the destination IP address as a string, and the prefix length as a uint32. Most routes will also have a 'gateway' entry, containing the gateway IP address as a string. If the route has a 'metric' entry (containing a uint32), that will be used as the metric for the route (otherwise NM will pick a default value appropriate to the device). Additional attributes may also exist on some routes.
route-metric	int64	-1	The default metric for routes that don't explicitly specify a metric. The default value -1 means that the metric is choosen automatically based on the device type. The metric applies to dynamic routes, manual (static) routes that don't have an explicit metric setting, address prefix routes, and the default route. Note that for IPv6, the kernel accepts zero (0) but coerces it to 1024 (user default). Hence, setting this property to zero effectively mean setting it to 1024. For IPv4, zero is a regular value for the metric.
routes	array of array of uint32	[]	Deprecated in favor of the 'route-data' property, but this can be used for backward-compatibility with older daemons. Note that if you send this property the daemon will ignore 'route-data'. Array of IPv4 route structures. Each IPv4 route structure is composed of 4 32-bit values; the first being the destination IPv4 network or address (network byte order), the second the destination network or address prefix (1 - 32), the third being the next-hop (network byte order) if any, and the fourth being the route metric. If the metric is 0, NM will choose an appropriate default metric for the device. (There is no way to explicitly specify an actual metric of 0 with this property.)

Table 37. ipv6 setting

Key Name	Value Type	Default Value	Value Description
addr-gen-mode	int32	1	Configure method for creating the address for use with RFC4862 IPv6 Stateless Address Autoconfiguration. The permitted values are: "eui64", or "stable-privacy". If the property is set to "eui64", the addresses will be generated using the interface tokens derived from hardware address. This makes the host part of the address to stay constant, making it possible to track host's presence when it changes networks. The address changes when the interface hardware is replaced. The value of "stable-privacy" enables use of cryptographically secure hash of a secret host-specific key along with the connection identification and the network address as specified by RFC7217. This makes it impossible to use the address track host's presence, and makes the address stable when the network interface hardware is replaced. On D-Bus, the absence of an addr-gen-mode setting equals enabling "stable-privacy". For keyfile plugin, the absence of the setting on disk means "eui64" so that the property doesn't change on upgrade from older versions. Note that this setting is distinct from the Privacy Extensions as configured by "ip6-privacy" property and it does not affect the temporary addresses configured with this option.
address-data	array of vardict		Array of IPv6 addresses. Each address dictionary contains at least 'address' and 'prefix' entries, containing the IP address as a string, and the prefix length as a uint32. Additional attributes may also exist on some addresses.
addresses	array of legacy IPv6 address struct (a(ayuay))	[]	Deprecated in favor of the 'address-data' and 'gateway' properties, but this can be used for backward-compatibility with older daemons. Note that if you send this property the daemon will ignore 'address-data' and 'gateway'. Array of IPv6 address structures. Each IPv6 address structure is composed of an IPv6 address, a prefix length (1 - 128), and an IPv6 gateway address. The gateway may be zeroed out if no gateway exists for that subnet.
dad-timeout	int32	-1	Timeout in milliseconds used to check for the presence of duplicate IP addresses on the network. If an address conflict is detected, the activation will fail. A zero value means that no duplicate address detection is performed, -1 means the default value (either configuration ipvx.dad-timeout override or 3 seconds). A value greater than zero is a timeout in milliseconds.
dhcp-hostname	string		If the "dhcp-send-hostname" property is TRUE, then the specified name will be sent to the DHCP server when acquiring a lease. This property and "dhcp-fqdn" are mutually exclusive and cannot be set at the same time.
dhcp-send-hostname	boolean	TRUE	If TRUE, a hostname is sent to the DHCP server when acquiring a lease. Some DHCP servers use this hostname to update DNS databases, essentially providing a static hostname for the computer. If the "dhcp-hostname" property is NULL and this property is TRUE, the current persistent hostname of the computer is sent.
dhcp-timeout	int32	0	A timeout for a DHCP transaction in seconds.
dns	array of byte array	[]	Array of IP addresses of DNS servers (in network byte order)
dns-options	array of string	[]	Array of DNS options. NULL means that the options are unset and left at the default. In this case NetworkManager will use default options. This is distinct from an empty list of properties.
dns-priority	int32	0	DNS priority. The relative priority to be used when determining the order of DNS servers in resolv.conf. A lower value means that servers will be on top of the file. Zero selects the default value, which is 50 for VPNs and 100 for other connections. When multiple devices have configurations with the same priority, the one with an active default route will be preferred. Note that when using dns=dnsmasq the order is meaningless since dnsmasq forwards queries to all known servers at the same time. Negative values have the special effect of excluding other configurations with a greater priority value; so in presence of at least a negative priority, only DNS servers from configurations with the lowest priority value will be used.
dns-search	array of string	[]	Array of DNS search domains.
gateway	string		The gateway associated with this configuration. This is only meaningful if "addresses" is also set.
ignore-auto-dns	boolean	FALSE	When "method" is set to "auto" and this property to TRUE, automatically configured nameservers and search domains are ignored and only nameservers and search domains specified in the "dns" and "dns-search" properties, if any, are used.
ignore-auto-routes	boolean	FALSE	When "method" is set to "auto" and this property to TRUE, automatically configured routes are ignored and only routes specified in the "routes" property, if any, are used.
ip6-privacy	NMSettingIP6ConfigPrivacy (int32)		Configure IPv6 Privacy Extensions for SLAAC, described in RFC4941. If enabled, it makes the kernel generate a temporary IPv6 address in addition to the public one generated from MAC address via modified EUI-64. This enhances privacy, but could cause problems in some applications, on the other hand. The permitted values are: -1: unknown, 0: disabled, 1: enabled (prefer public address), 2: enabled (prefer temporary addresses). Having a per-connection setting set to "-1" (unknown) means fallback to global configuration "ipv6.ip6-privacy". If also global configuration is unspecified or set to "-1", fallback to read "/proc/sys/net/ipv6/conf/default/use_tempaddr". Note that this setting is distinct from the Stable Privacy addresses that can be enabled with the "addr-gen-mode" property's "stable-privacy" setting as another way of avoiding host tracking with IPv6 addresses.
may-fail	boolean	TRUE	If TRUE, allow overall network configuration to proceed even if the configuration specified by this property times out. Note that at least one IP configuration must succeed or overall network configuration will still fail. For example, in IPv6-only networks, setting this property to TRUE on the NMSettingIP4Config allows the overall network configuration to succeed if IPv4 configuration fails but IPv6 configuration completes successfully.
method	string		IP configuration method. NMSettingIP4Config and NMSettingIP6Config both support "auto", "manual", and "link-local". See the subclass-specific documentation for other values. In general, for the "auto" method, properties such as "dns" and "routes" specify information that is added on to the information returned from automatic configuration. The "ignore-auto-routes" and "ignore-auto-dns" properties modify this behavior. For methods that imply no upstream network, such as "shared" or "link-local", these properties must be empty. For IPv4 method "shared", the IP subnet can be configured by adding one manual IPv4 address or otherwise 10.42.x.0/24 is chosen.
name	string	ipv6	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
never-default	boolean	FALSE	If TRUE, this connection will never be the default connection for this IP type, meaning it will never be assigned the default route by NetworkManager.
route-data	array of vardict		Array of IPv6 routes. Each route dictionary contains at least 'dest' and 'prefix' entries, containing the destination IP address as a string, and the prefix length as a uint32. Most routes will also have a 'next-hop' entry, containing the next hop IP address as a string. If the route has a 'metric' entry (containing a uint32), that will be used as the metric for the route (otherwise NM will pick a default value appropriate to the device). Additional attributes may also exist on some routes.
route-metric	int64	-1	The default metric for routes that don't explicitly specify a metric. The default value -1 means that the metric is choosen automatically based on the device type. The metric applies to dynamic routes, manual (static) routes that don't have an explicit metric setting, address prefix routes, and the default route. Note that for IPv6, the kernel accepts zero (0) but coerces it to 1024 (user default). Hence, setting this property to zero effectively mean setting it to 1024. For IPv4, zero is a regular value for the metric.
routes	array of legacy IPv6 route struct (a(ayuayu))	[]	Deprecated in favor of the 'route-data' property, but this can be used for backward-compatibility with older daemons. Note that if you send this property the daemon will ignore 'route-data'. Array of IPv6 route structures. Each IPv6 route structure is composed of an IPv6 address, a prefix length (1 - 128), an IPv6 next hop address (which may be zeroed out if there is no next hop), and a metric. If the metric is 0, NM will choose an appropriate default metric for the device.
token	string		Configure the token for draft-chown-6man-tokenised-ipv6-identifiers-02 IPv6 tokenized interface identifiers. Useful with eui64 addr-gen-mode.

Table 38. ip-tunnel setting

Key Name	Value Type	Default Value	Value Description
encapsulation-limit	uint32	0	How many additional levels of encapsulation are permitted to be prepended to packets. This property applies only to IPv6 tunnels.
flow-label	uint32	0	The flow label to assign to tunnel packets. This property applies only to IPv6 tunnels.
input-key	string		The key used for tunnel input packets; the property is valid only for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
local	string		The local endpoint of the tunnel; the value can be empty, otherwise it must contain an IPv4 or IPv6 address.
mode	uint32	0	The tunneling mode, for example NM_IP_TUNNEL_MODE_IPIP (1) or NM_IP_TUNNEL_MODE_GRE (2).
mtu	uint32	0	None
name	string	ip-tunnel	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
output-key	string		The key used for tunnel output packets; the property is valid only for certain tunnel modes (GRE, IP6GRE). If empty, no key is used.
parent	string		If given, specifies the parent interface name or parent connection UUID the new device will be bound to so that tunneled packets will only be routed via that interface.
path-mtu-discovery	boolean	TRUE	Whether to enable Path MTU Discovery on this tunnel.
remote	string		The remote endpoint of the tunnel; the value must contain an IPv4 or IPv6 address.
tos	uint32	0	The type of service (IPv4) or traffic class (IPv6) field to be set on tunneled packets.
ttl	uint32	0	The TTL to assign to tunneled packets. 0 is a special value meaning that packets inherit the TTL value.

Table 39. macvlan setting

Key Name	Value Type	Default Value	Value Description
mode	uint32	0	The macvlan mode, which specifies the communication mechanism between multiple macvlans on the same lower device.
name	string	macvlan	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
parent	string		If given, specifies the parent interface name or parent connection UUID from which this MAC-VLAN interface should be created. If this property is not specified, the connection must contain an "802-3-ethernet" setting with a "mac-address" property.
promiscuous	boolean	TRUE	Whether the interface should be put in promiscuous mode.
tap	boolean	FALSE	Whether the interface should be a MACVTAP.

Table 40. 802-11-olpc-mesh setting

Key Name	Value Type	Default Value	Value Description
channel	uint32	0	Channel on which the mesh network to join is located.
dhcp-anycast-address	byte array		Anycast DHCP MAC address used when requesting an IP address via DHCP. The specific anycast address used determines which DHCP server class answers the request.
name	string	802-11-olpc-mesh	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
ssid	byte array		SSID of the mesh network to join.

Table 41. ppp setting

Key Name	Value Type	Default Value	Value Description
baud	uint32	0	If non-zero, instruct pppd to set the serial port to the specified baudrate. This value should normally be left as 0 to automatically choose the speed.
crtscts	boolean	FALSE	If TRUE, specify that pppd should set the serial port to use hardware flow control with RTS and CTS signals. This value should normally be set to FALSE.
lcp-echo-failure	uint32	0	If non-zero, instruct pppd to presume the connection to the peer has failed if the specified number of LCP echo-requests go unanswered by the peer. The "lcp-echo-interval" property must also be set to a non-zero value if this property is used.
lcp-echo-interval	uint32	0	If non-zero, instruct pppd to send an LCP echo-request frame to the peer every n seconds (where n is the specified value). Note that some PPP peers will respond to echo requests and some will not, and it is not possible to autodetect this.
mppe-stateful	boolean	FALSE	If TRUE, stateful MPPE is used. See pppd documentation for more information on stateful MPPE.
mru	uint32	0	If non-zero, instruct pppd to request that the peer send packets no larger than the specified size. If non-zero, the MRU should be between 128 and 16384.
mtu	uint32	0	If non-zero, instruct pppd to send packets no larger than the specified size.
name	string	ppp	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
no-vj-comp	boolean	FALSE	If TRUE, Van Jacobsen TCP header compression will not be requested.
noauth	boolean	TRUE	If TRUE, do not require the other side (usually the PPP server) to authenticate itself to the client. If FALSE, require authentication from the remote side. In almost all cases, this should be TRUE.
nobsdcomp	boolean	FALSE	If TRUE, BSD compression will not be requested.
nodeflate	boolean	FALSE	If TRUE, "deflate" compression will not be requested.
refuse-chap	boolean	FALSE	If TRUE, the CHAP authentication method will not be used.
refuse-eap	boolean	FALSE	If TRUE, the EAP authentication method will not be used.
refuse-mschap	boolean	FALSE	If TRUE, the MSCHAP authentication method will not be used.
refuse-mschapv2	boolean	FALSE	If TRUE, the MSCHAPv2 authentication method will not be used.
refuse-pap	boolean	FALSE	If TRUE, the PAP authentication method will not be used.
require-mppe	boolean	FALSE	If TRUE, MPPE (Microsoft Point-to-Point Encrpytion) will be required for the PPP session. If either 64-bit or 128-bit MPPE is not available the session will fail. Note that MPPE is not used on mobile broadband connections.
require-mppe-128	boolean	FALSE	If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encrpytion) will be required for the PPP session, and the "require-mppe" property must also be set to TRUE. If 128-bit MPPE is not available the session will fail.

Table 42. pppoe setting

Key Name	Value Type	Default Value	Value Description
name	string	pppoe	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
password	string		Password used to authenticate with the PPPoE service.
password-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "password" property. (see the section called “Secret flag types:” for flag values)
service	string		If specified, instruct PPPoE to only initiate sessions with access concentrators that provide the specified service. For most providers, this should be left blank. It is only required if there are multiple access concentrators or a specific service is known to be required.
username	string		Username used to authenticate with the PPPoE service.

Table 43. serial setting

Key Name	Value Type	Default Value	Value Description
baud	uint32	57600	Speed to use for communication over the serial port. Note that this value usually has no effect for mobile broadband modems as they generally ignore speed settings and use the highest available speed.
bits	uint32	8	Byte-width of the serial communication. The 8 in "8n1" for example.
name	string	serial	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
parity	byte		The connection parity: 69 (ASCII 'E') for even parity, 111 (ASCII 'o') for odd, 110 (ASCII 'n') for none.
send-delay	uint64	0	Time to delay between each byte sent to the modem, in microseconds.
stopbits	uint32	1	Number of stop bits for communication on the serial port. Either 1 or 2. The 1 in "8n1" for example.

Table 44. team setting

Key Name	Value Type	Default Value	Value Description
config	string		The JSON configuration for the team network interface. The property should contain raw JSON configuration data suitable for teamd, because the value is passed directly to teamd. If not specified, the default configuration is used. See man teamd.conf for the format details.
interface-name	string		Deprecated in favor of connection.interface-name, but can be used for backward-compatibility with older daemons, to set the team's interface name.
name	string	team	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".

Table 45. team-port setting

Key Name	Value Type	Default Value	Value Description
config	string		The JSON configuration for the team port. The property should contain raw JSON configuration data suitable for teamd, because the value is passed directly to teamd. If not specified, the default configuration is used. See man teamd.conf for the format details.
name	string	team-port	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".

Table 46. tun setting

Key Name	Value Type	Default Value	Value Description
group	string		The group ID which will own the device. If set to NULL everyone will be able to use the device.
mode	uint32	1	The operating mode of the virtual device. Allowed values are NM_SETTING_TUN_MODE_TUN (1) to create a layer 3 device and NM_SETTING_TUN_MODE_TAP (2) to create an Ethernet-like layer 2 one.
multi-queue	boolean	FALSE	If the property is set to TRUE, the interface will support multiple file descriptors (queues) to parallelize packet sending or receiving. Otherwise, the interface will only support a single queue.
name	string	tun	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
owner	string		The user ID which will own the device. If set to NULL everyone will be able to use the device.
pi	boolean	FALSE	If TRUE the interface will prepend a 4 byte header describing the physical interface to the packets.
vnet-hdr	boolean	FALSE	If TRUE the IFF_VNET_HDR the tunnel packets will include a virtio network header.

Table 47. vlan setting

Key Name	Value Type	Default Value	Value Description
egress-priority-map	array of string	[]	For outgoing packets, a list of mappings from Linux SKB priorities to 802.1p priorities. The mapping is given in the format "from:to" where both "from" and "to" are unsigned integers, ie "7:3".
flags	NMVlanFlags (uint32)		One or more flags which control the behavior and features of the VLAN interface. Flags include NM_VLAN_FLAG_REORDER_HEADERS (0x1) (reordering of output packet headers), NM_VLAN_FLAG_GVRP (0x2) (use of the GVRP protocol), and NM_VLAN_FLAG_LOOSE_BINDING (0x4) (loose binding of the interface to its master device's operating state). NM_VLAN_FLAG_MVRP (0x8) (use of the MVRP protocol). The default value of this property is NM_VLAN_FLAG_REORDER_HEADERS, but it used to be 0. To preserve backward compatibility, the default-value in the D-Bus API continues to be 0 and a missing property on D-Bus is still considered as 0.
id	uint32	0	The VLAN identifier that the interface created by this connection should be assigned. The valid range is from 0 to 4094, without the reserved id 4095.
ingress-priority-map	array of string	[]	For incoming packets, a list of mappings from 802.1p priorities to Linux SKB priorities. The mapping is given in the format "from:to" where both "from" and "to" are unsigned integers, ie "7:3".
interface-name	string		Deprecated in favor of connection.interface-name, but can be used for backward-compatibility with older daemons, to set the vlan's interface name.
name	string	vlan	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
parent	string		If given, specifies the parent interface name or parent connection UUID from which this VLAN interface should be created. If this property is not specified, the connection must contain an "802-3-ethernet" setting with a "mac-address" property.

Table 48. vpn setting

Key Name	Value Type	Default Value	Value Description
data	dict of string to string	{}	Dictionary of key/value pairs of VPN plugin specific data. Both keys and values must be strings.
name	string	vpn	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
persistent	boolean	FALSE	If the VPN service supports persistence, and this property is TRUE, the VPN will attempt to stay connected across link changes and outages, until explicitly disconnected.
secrets	dict of string to string	{}	Dictionary of key/value pairs of VPN plugin specific secrets like passwords or private keys. Both keys and values must be strings.
service-type	string		D-Bus service name of the VPN plugin that this setting uses to connect to its network. i.e. org.freedesktop.NetworkManager.vpnc for the vpnc plugin.
timeout	uint32	0	Timeout for the VPN service to establish the connection. Some services may take quite a long time to connect. Value of 0 means a default timeout, which is 60 seconds (unless overriden by vpn.timeout in configuration file). Values greater than zero mean timeout in seconds.
user-name	string		If the VPN connection requires a user name for authentication, that name should be provided here. If the connection is available to more than one user, and the VPN requires each user to supply a different name, then leave this property empty. If this property is empty, NetworkManager will automatically supply the username of the user which requested the VPN connection.

Table 49. vxlan setting

Key Name	Value Type	Default Value	Value Description
ageing	uint32	300	Specifies the lifetime in seconds of FDB entries learnt by the kernel.
destination-port	uint32	8472	Specifies the UDP destination port to communicate to the remote VXLAN tunnel endpoint.
id	uint32	0	Specifies the VXLAN Network Identifer (or VXLAN Segment Identifier) to use.
l2-miss	boolean	FALSE	Specifies whether netlink LL ADDR miss notifications are generated.
l3-miss	boolean	FALSE	Specifies whether netlink IP ADDR miss notifications are generated.
learning	boolean	TRUE	Specifies whether unknown source link layer addresses and IP addresses are entered into the VXLAN device forwarding database.
limit	uint32	0	Specifies the maximum number of FDB entries. A value of zero means that the kernel will store unlimited entries.
local	string		If given, specifies the source IP address to use in outgoing packets.
name	string	vxlan	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
parent	string		If given, specifies the parent interface name or parent connection UUID.
proxy	boolean	FALSE	Specifies whether ARP proxy is turned on.
remote	string		Specifies the unicast destination IP address to use in outgoing packets when the destination link layer address is not known in the VXLAN device forwarding database, or the multicast IP address to join.
rsc	boolean	FALSE	Specifies whether route short circuit is turned on.
source-port-max	uint32	0	Specifies the maximum UDP source port to communicate to the remote VXLAN tunnel endpoint.
source-port-min	uint32	0	Specifies the minimum UDP source port to communicate to the remote VXLAN tunnel endpoint.
tos	uint32	0	Specifies the TOS value to use in outgoing packets.
ttl	uint32	0	Specifies the time-to-live value to use in outgoing packets.

Table 50. wimax setting

Key Name	Value Type	Default Value	Value Description
mac-address	byte array		If specified, this connection will only apply to the WiMAX device whose MAC address matches. This property does not change the MAC address of the device (known as MAC spoofing). Deprecated: 1
name	string	wimax	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
network-name	string		Network Service Provider (NSP) name of the WiMAX network this connection should use. Deprecated: 1

Table 51. 802-3-ethernet setting

Key Name	Value Type	Default Value	Value Description
auto-negotiate	boolean	TRUE	If TRUE, allow auto-negotiation of port speed and duplex mode. If FALSE, do not allow auto-negotiation, in which case the "speed" and "duplex" properties should be set.
cloned-mac-address	byte array		If specified, request that the device use this MAC address instead of its permanent MAC address. This is known as MAC cloning or spoofing.
duplex	string		If specified, request that the device only use the specified duplex mode. Either "half" or "full".
mac-address	byte array		If specified, this connection will only apply to the Ethernet device whose permanent MAC address matches. This property does not change the MAC address of the device (i.e. MAC spoofing).
mac-address-blacklist	array of string	[]	If specified, this connection will never apply to the Ethernet device whose permanent MAC address matches an address in the list. Each MAC address is in the standard hex-digits-and-colons notation (00:11:22:33:44:55).
mtu	uint32	0	If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple Ethernet frames.
name	string	802-3-ethernet	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
port	string		Specific port type to use if multiple the device supports multiple attachment methods. One of "tp" (Twisted Pair), "aui" (Attachment Unit Interface), "bnc" (Thin Ethernet) or "mii" (Media Independent Interface. If the device supports only one port type, this setting is ignored.
s390-nettype	string		s390 network device type; one of "qeth", "lcs", or "ctc", representing the different types of virtual network devices available on s390 systems.
s390-options	dict of string to string	{}	Dictionary of key/value pairs of s390-specific device options. Both keys and values must be strings. Allowed keys include "portno", "layer2", "portname", "protocol", among others. Key names must contain only alphanumeric characters (ie, [a-zA-Z0-9]).
s390-subchannels	array of string	[]	Identifies specific subchannels that this network device uses for communication with z/VM or s390 host. Like the "mac-address" property for non-z/VM devices, this property can be used to ensure this connection only applies to the network device that uses these subchannels. The list should contain exactly 3 strings, and each string may only be composed of hexadecimal characters and the period (.) character.
speed	uint32	0	If non-zero, request that the device use only the specified speed. In Mbit/s, ie 100 == 100Mbit/s.
wake-on-lan	uint32	1	The NMSettingWiredWakeOnLan options to enable. Not all devices support all options. May be any combination of NM_SETTING_WIRED_WAKE_ON_LAN_PHY (0x2), NM_SETTING_WIRED_WAKE_ON_LAN_UNICAST (0x4), NM_SETTING_WIRED_WAKE_ON_LAN_MULTICAST (0x8), NM_SETTING_WIRED_WAKE_ON_LAN_BROADCAST (0x10), NM_SETTING_WIRED_WAKE_ON_LAN_ARP (0x20), NM_SETTING_WIRED_WAKE_ON_LAN_MAGIC (0x40) or the special values NM_SETTING_WIRED_WAKE_ON_LAN_DEFAULT (0x1) (to use global settings) and NM_SETTING_WIRED_WAKE_ON_LAN_IGNORE (0x8000) (to disable management of Wake-on-LAN in NetworkManager).
wake-on-lan-password	string		If specified, the password used with magic-packet-based Wake-on-LAN, represented as an Ethernet MAC address. If NULL, no password will be required.

Table 52. 802-11-wireless setting

Key Name	Value Type	Default Value	Value Description
band	string		802.11 frequency band of the network. One of "a" for 5GHz 802.11a or "bg" for 2.4GHz 802.11. This will lock associations to the Wi-Fi network to the specific band, i.e. if "a" is specified, the device will not associate with the same network in the 2.4GHz band even if the network's settings are compatible. This setting depends on specific driver capability and may not work with all drivers.
bssid	byte array		If specified, directs the device to only associate with the given access point. This capability is highly driver dependent and not supported by all devices. Note: this property does not control the BSSID used when creating an Ad-Hoc network and is unlikely to in the future.
channel	uint32	0	Wireless channel to use for the Wi-Fi connection. The device will only join (or create for Ad-Hoc networks) a Wi-Fi network on the specified channel. Because channel numbers overlap between bands, this property also requires the "band" property to be set.
cloned-mac-address	byte array		If specified, request that the Wi-Fi device use this MAC address instead of its permanent MAC address. This is known as MAC cloning or spoofing.
hidden	boolean	FALSE	If TRUE, indicates this network is a non-broadcasting network that hides its SSID. In this case various workarounds may take place, such as probe-scanning the SSID for more reliable network discovery. However, these workarounds expose inherent insecurities with hidden SSID networks, and thus hidden SSID networks should be used with caution.
mac-address	byte array		If specified, this connection will only apply to the Wi-Fi device whose permanent MAC address matches. This property does not change the MAC address of the device (i.e. MAC spoofing).
mac-address-blacklist	array of string	[]	A list of permanent MAC addresses of Wi-Fi devices to which this connection should never apply. Each MAC address should be given in the standard hex-digits-and-colons notation (eg "00:11:22:33:44:55").
mac-address-randomization	uint32	0	One of NM_SETTING_MAC_RANDOMIZATION_DEFAULT (0) (never randomize unless the user has set a global default to randomize and the supplicant supports randomization), NM_SETTING_MAC_RANDOMIZATION_NEVER (1) (never randomize the MAC address), or NM_SETTING_MAC_RANDOMIZATION_ALWAYS (2) (always randomize the MAC address).
mode	string		Wi-Fi network mode; one of "infrastructure", "adhoc" or "ap". If blank, infrastructure is assumed.
mtu	uint32	0	If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple Ethernet frames.
name	string	802-11-wireless	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
powersave	uint32	0	One of NM_SETTING_WIRELESS_POWERSAVE_DISABLE (2) (disable Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_ENABLE (3) (enable Wi-Fi power saving), NM_SETTING_WIRELESS_POWERSAVE_IGNORE (1) (don't touch currently configure setting) or NM_SETTING_WIRELESS_POWERSAVE_DEFAULT (0) (use the globally configured value). All other values are reserved.
rate	uint32	0	If non-zero, directs the device to only use the specified bitrate for communication with the access point. Units are in Kb/s, ie 5500 = 5.5 Mbit/s. This property is highly driver dependent and not all devices support setting a static bitrate.
security	None		This property is deprecated, but can be set to the value '802-11-wireless-security' when a wireless security setting is also present in the connection dictionary, for compatibility with very old NetworkManager daemons.
seen-bssids	array of string	[]	A list of BSSIDs (each BSSID formatted as a MAC address like "00:11:22:33:44:55") that have been detected as part of the Wi-Fi network. NetworkManager internally tracks previously seen BSSIDs. The property is only meant for reading and reflects the BSSID list of NetworkManager. The changes you make to this property will not be preserved.
ssid	byte array		SSID of the Wi-Fi network. Must be specified.
tx-power	uint32	0	If non-zero, directs the device to use the specified transmit power. Units are dBm. This property is highly driver dependent and not all devices support setting a static transmit power.

Table 53. 802-11-wireless-security setting

Key Name	Value Type	Default Value	Value Description
auth-alg	string		When WEP is used (ie, key-mgmt = "none" or "ieee8021x") indicate the 802.11 authentication algorithm required by the AP here. One of "open" for Open System, "shared" for Shared Key, or "leap" for Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = "ieee8021x" and auth-alg = "leap") the "leap-username" and "leap-password" properties must be specified.
group	array of string	[]	A list of group/broadcast encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of "wep40", "wep104", "tkip", or "ccmp".
key-mgmt	string		Key management used for the connection. One of "none" (WEP), "ieee8021x" (Dynamic WEP), "wpa-none" (Ad-Hoc WPA-PSK), "wpa-psk" (infrastructure WPA-PSK), or "wpa-eap" (WPA-Enterprise). This property must be set for any Wi-Fi connection that uses security.
leap-password	string		The login password for legacy LEAP connections (ie, key-mgmt = "ieee8021x" and auth-alg = "leap").
leap-password-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "leap-password" property. (see the section called “Secret flag types:” for flag values)
leap-username	string		The login username for legacy LEAP connections (ie, key-mgmt = "ieee8021x" and auth-alg = "leap").
name	string	802-11-wireless-security	The setting's name, which uniquely identifies the setting within the connection. Each setting type has a name unique to that type, for example "ppp" or "wireless" or "wired".
pairwise	array of string	[]	A list of pairwise encryption algorithms which prevents connections to Wi-Fi networks that do not utilize one of the algorithms in the list. For maximum compatibility leave this property empty. Each list element may be one of "tkip" or "ccmp".
proto	array of string	[]	List of strings specifying the allowed WPA protocol versions to use. Each element may be one "wpa" (allow WPA) or "rsn" (allow WPA2/RSN). If not specified, both WPA and RSN connections are allowed.
psk	string		Pre-Shared-Key for WPA networks. If the key is 64-characters long, it must contain only hexadecimal characters and is interpreted as a hexadecimal WPA key. Otherwise, the key must be between 8 and 63 ASCII characters (as specified in the 802.11i standard) and is interpreted as a WPA passphrase, and is hashed to derive the actual WPA-PSK used when connecting to the Wi-Fi network.
psk-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "psk" property. (see the section called “Secret flag types:” for flag values)
wep-key-flags	NMSettingSecretFlags (uint32)		Flags indicating how to handle the "wep-key0", "wep-key1", "wep-key2", and "wep-key3" properties. (see the section called “Secret flag types:” for flag values)
wep-key-type	NMWepKeyType (uint32)		Controls the interpretation of WEP keys. Allowed values are NM_WEP_KEY_TYPE_KEY (1), in which case the key is either a 10- or 26-character hexadecimal string, or a 5- or 13-character ASCII password; or NM_WEP_KEY_TYPE_PASSPHRASE (2), in which case the passphrase is provided as a string and will be hashed using the de-facto MD5 method to derive the actual WEP key.
wep-key0	string		Index 0 WEP key. This is the WEP key used in most networks. See the "wep-key-type" property for a description of how this key is interpreted.
wep-key1	string		Index 1 WEP key. This WEP index is not used by most networks. See the "wep-key-type" property for a description of how this key is interpreted.
wep-key2	string		Index 2 WEP key. This WEP index is not used by most networks. See the "wep-key-type" property for a description of how this key is interpreted.
wep-key3	string		Index 3 WEP key. This WEP index is not used by most networks. See the "wep-key-type" property for a description of how this key is interpreted.
wep-tx-keyidx	uint32	0	When static WEP is used (ie, key-mgmt = "none") and a non-default WEP key index is used by the AP, put that WEP key index here. Valid values are 0 (default key) through 3. Note that some consumer access points (like the Linksys WRT54G) number the keys 1 - 4.

Secret flag types:

Each secret property in a setting has an associated flags property that describes how to handle that secret. The flags property is a bitfield that contains zero or more of the following values logically OR-ed together.

0x0 (none) - the system is responsible for providing and storing this secret.
0x1 (agent-owned) - a user-session secret agent is responsible for providing and storing this secret; when it is required, agents will be asked to provide it.
0x2 (not-saved) - this secret should not be saved but should be requested from the user each time it is required. This flag should be used for One-Time-Pad secrets, PIN codes from hardware tokens, or if the user simply does not want to save the secret.
0x4 (not-required) - in some situations it cannot be automatically determined that a secret is required or not. This flag hints that the secret is not required and should not be requested from the user.

Files

/etc/NetworkManager/system-connections or distro plugin-specific location

nm-settings

Description

Secret flag types:

Files

See Also