1SYSTEMD.NETDEV(5) systemd.network SYSTEMD.NETDEV(5)
2
6 systemd.netdev - Virtual Network Device configuration
7
9 netdev.netdev
10
12 Network setup is performed by systemd-networkd(8).
13 The main Virtual Network Device file must have the extension .netdev;
15 other extensions are ignored. Virtual network devices are created as
16 soon as networkd is started. If a netdev with the specified name
17 already exists, networkd will use that as-is rather than create its
18 own. Note that the settings of the pre-existing netdev will not be
19 changed by networkd.
20 The .netdev files are read from the files located in the system network
22 directory /usr/lib/systemd/network, the volatile runtime network
23 directory /run/systemd/network and the local administration network
24 directory /etc/systemd/network. All configuration files are
25 collectively sorted and processed in lexical order, regardless of the
26 directories in which they live. However, files with identical filenames
27 replace each other. Files in /etc have the highest priority, files in
28 /run take precedence over files with the same name in /usr/lib. This
29 can be used to override a system-supplied configuration file with a
30 local file if needed. As a special case, an empty file (file size 0) or
31 symlink with the same name pointing to /dev/null disables the
32 configuration file entirely (it is "masked").
33 Along with the netdev file foo.netdev, a "drop-in" directory
35 foo.netdev.d/ may exist. All files with the suffix ".conf" from this
36 directory will be parsed after the file itself is parsed. This is
37 useful to alter or add configuration settings, without having to modify
38 the main configuration file. Each drop-in file must have appropriate
39 section headers.
40 In addition to /etc/systemd/network, drop-in ".d" directories can be
42 placed in /usr/lib/systemd/network or /run/systemd/network directories.
43 Drop-in files in /etc take precedence over those in /run which in turn
44 take precedence over those in /usr/lib. Drop-in files under any of
45 these directories take precedence over the main netdev file wherever
46 located. (Of course, since /run is temporary and /usr/lib is for
47 vendors, it is unlikely drop-ins should be used in either of those
48 places.)
49
51 The following kinds of virtual network devices may be configured in
52 .netdev files:
53 Table 1. Supported kinds of virtual network devices
55 ┌──────────┬────────────────────────────┐
56 │Kind │ Description │
57 ├──────────┼────────────────────────────┤
58 │bond │ A bond device is an │
59 │ │ aggregation of all its │
60 │ │ slave devices. See Linux │
61 │ │ Ethernet Bonding Driver │
62 │ │ HOWTO[1] for details.Local │
63 │ │ configuration │
64 ├──────────┼────────────────────────────┤
65 │bridge │ A bridge device is a │
66 │ │ software switch, and each │
67 │ │ of its slave devices and │
68 │ │ the bridge itself are │
69 │ │ ports of the switch. │
70 ├──────────┼────────────────────────────┤
71 │dummy │ A dummy device drops all │
72 │ │ packets sent to it. │
73 ├──────────┼────────────────────────────┤
74 │gre │ A Level 3 GRE tunnel over │
75 │ │ IPv4. See RFC 2784[2] for │
76 │ │ details. │
77 ├──────────┼────────────────────────────┤
78 │gretap │ A Level 2 GRE tunnel over │
79 │ │ IPv4. │
80 ├──────────┼────────────────────────────┤
81 │erspan │ ERSPAN mirrors traffic on │
82 │ │ one or more source ports │
83 │ │ and delivers the mirrored │
84 │ │ traffic to one or more │
85 │ │ destination ports on │
86 │ │ another switch. The │
87 │ │ traffic is encapsulated in │
88 │ │ generic routing │
89 │ │ encapsulation (GRE) and is │
90 │ │ therefore routable across │
91 │ │ a layer 3 network between │
92 │ │ the source switch and the │
93 │ │ destination switch. │
94 ├──────────┼────────────────────────────┤
95 │ip6gre │ A Level 3 GRE tunnel over │
96 │ │ IPv6. │
97 ├──────────┼────────────────────────────┤
98 │ip6tnl │ An IPv4 or IPv6 tunnel │
99 │ │ over IPv6 │
100 ├──────────┼────────────────────────────┤
101 │ip6gretap │ A Level 2 GRE tunnel over │
102 │ │ IPv6. │
103 ├──────────┼────────────────────────────┤
104 │ipip │ An IPv4 over IPv4 tunnel. │
105 ├──────────┼────────────────────────────┤
106 │ipvlan │ An ipvlan device is a │
107 │ │ stacked device which │
108 │ │ receives packets from its │
109 │ │ underlying device based on │
110 │ │ IP address filtering. │
111 ├──────────┼────────────────────────────┤
112 │macvlan │ A macvlan device is a │
113 │ │ stacked device which │
114 │ │ receives packets from its │
115 │ │ underlying device based on │
116 │ │ MAC address filtering. │
117 ├──────────┼────────────────────────────┤
118 │macvtap │ A macvtap device is a │
119 │ │ stacked device which │
120 │ │ receives packets from its │
121 │ │ underlying device based on │
122 │ │ MAC address filtering. │
123 ├──────────┼────────────────────────────┤
124 │sit │ An IPv6 over IPv4 tunnel. │
125 ├──────────┼────────────────────────────┤
126 │tap │ A persistent Level 2 │
127 │ │ tunnel between a network │
128 │ │ device and a device node. │
129 ├──────────┼────────────────────────────┤
130 │tun │ A persistent Level 3 │
131 │ │ tunnel between a network │
132 │ │ device and a device node. │
133 ├──────────┼────────────────────────────┤
134 │veth │ An Ethernet tunnel between │
135 │ │ a pair of network devices. │
136 ├──────────┼────────────────────────────┤
137 │vlan │ A VLAN is a stacked device │
138 │ │ which receives packets │
139 │ │ from its underlying device │
140 │ │ based on VLAN tagging. See │
141 │ │ IEEE 802.1Q[3] for │
142 │ │ details. │
143 ├──────────┼────────────────────────────┤
144 │vti │ An IPv4 over IPSec tunnel. │
145 ├──────────┼────────────────────────────┤
146 │vti6 │ An IPv6 over IPSec tunnel. │
147 ├──────────┼────────────────────────────┤
148 │vxlan │ A virtual extensible LAN │
149 │ │ (vxlan), for connecting │
150 │ │ Cloud computing │
151 │ │ deployments. │
152 ├──────────┼────────────────────────────┤
153 │geneve │ A GEneric NEtwork │
154 │ │ Virtualization │
155 │ │ Encapsulation (GENEVE) │
156 │ │ netdev driver. │
157 ├──────────┼────────────────────────────┤
158 │vrf │ A Virtual Routing and │
159 │ │ Forwarding (VRF[4]) │
160 │ │ interface to create │
161 │ │ separate routing and │
162 │ │ forwarding domains. │
163 ├──────────┼────────────────────────────┤
164 │vcan │ The virtual CAN driver │
165 │ │ (vcan). Similar to the │
166 │ │ network loopback devices, │
167 │ │ vcan offers a virtual │
168 │ │ local CAN interface. │
169 ├──────────┼────────────────────────────┤
170 │vxcan │ The virtual CAN tunnel │
171 │ │ driver (vxcan). Similar to │
172 │ │ the virtual ethernet │
173 │ │ driver veth, vxcan │
174 │ │ implements a local CAN │
175 │ │ traffic tunnel between two │
176 │ │ virtual CAN network │
177 │ │ devices. When creating a │
178 │ │ vxcan, two vxcan devices │
179 │ │ are created as pair. When │
180 │ │ one end receives the │
181 │ │ packet it appears on its │
182 │ │ pair and vice versa. The │
183 │ │ vxcan can be used for │
184 │ │ cross namespace │
185 │ │ communication. │
186 ├──────────┼────────────────────────────┤
187 │wireguard │ WireGuard Secure Network │
188 │ │ Tunnel. │
189 ├──────────┼────────────────────────────┤
190 │netdevsim │ A simulator. This │
191 │ │ simulated networking │
192 │ │ device is used for testing │
193 │ │ various networking APIs │
194 │ │ and at this time is │
195 │ │ particularly focused on │
196 │ │ testing hardware │
197 │ │ offloading related │
198 │ │ interfaces. │
199 ├──────────┼────────────────────────────┤
200 │fou │ Foo-over-UDP tunneling. │
201 └──────────┴────────────────────────────┘
202
204 A virtual network device is only created if the "[Match]" section
205 matches the current environment, or if the section is empty. The
206 following keys are accepted:
207 Host=
209 Matches against the hostname or machine ID of the host. See
210 "ConditionHost=" in systemd.unit(5) for details. When prefixed with
211 an exclamation mark ("!"), the result is negated. If an empty
212 string is assigned, then previously assigned value is cleared.
213 Virtualization=
215 Checks whether the system is executed in a virtualized environment
216 and optionally test whether it is a specific implementation. See
217 "ConditionVirtualization=" in systemd.unit(5) for details. When
218 prefixed with an exclamation mark ("!"), the result is negated. If
219 an empty string is assigned, then previously assigned value is
220 cleared.
221 KernelCommandLine=
223 Checks whether a specific kernel command line option is set. See
224 "ConditionKernelCommandLine=" in systemd.unit(5) for details. When
225 prefixed with an exclamation mark ("!"), the result is negated. If
226 an empty string is assigned, then previously assigned value is
227 cleared.
228 KernelVersion=
230 Checks whether the kernel version (as reported by uname -r) matches
231 a certain expression. See "ConditionKernelVersion=" in
232 systemd.unit(5) for details. When prefixed with an exclamation mark
233 ("!"), the result is negated. If an empty string is assigned, then
234 previously assigned value is cleared.
235 Architecture=
237 Checks whether the system is running on a specific architecture.
238 See "ConditionArchitecture=" in systemd.unit(5) for details. When
239 prefixed with an exclamation mark ("!"), the result is negated. If
240 an empty string is assigned, then previously assigned value is
241 cleared.
242
244 The "[NetDev]" section accepts the following keys:
245 Description=
247 A free-form description of the netdev.
248 Name=
250 The interface name used when creating the netdev. This option is
251 compulsory.
252 Kind=
254 The netdev kind. This option is compulsory. See the "Supported
255 netdev kinds" section for the valid keys.
256 MTUBytes=
258 The maximum transmission unit in bytes to set for the device. The
259 usual suffixes K, M, G, are supported and are understood to the
260 base of 1024. For "tun" or "tap" devices, MTUBytes= setting is not
261 currently supported in "[NetDev]" section. Please specify it in
262 "[Link]" section of corresponding systemd.network(5) files.
263 MACAddress=
265 The MAC address to use for the device. For "tun" or "tap" devices,
266 setting MACAddress= in the "[NetDev]" section is not supported.
267 Please specify it in "[Link]" section of the corresponding
268 systemd.network(5) file. If this option is not set, "vlan" devices
269 inherit the MAC address of the physical interface. For other kind
270 of netdevs, if this option is not set, then MAC address is
271 generated based on the interface name and the machine-id(5).
272
274 The "[Bridge]" section only applies for netdevs of kind "bridge", and
275 accepts the following keys:
276 HelloTimeSec=
278 HelloTimeSec specifies the number of seconds between two hello
279 packets sent out by the root bridge and the designated bridges.
280 Hello packets are used to communicate information about the
281 topology throughout the entire bridged local area network.
282 MaxAgeSec=
284 MaxAgeSec specifies the number of seconds of maximum message age.
285 If the last seen (received) hello packet is more than this number
286 of seconds old, the bridge in question will start the takeover
287 procedure in attempt to become the Root Bridge itself.
288 ForwardDelaySec=
290 ForwardDelaySec specifies the number of seconds spent in each of
291 the Listening and Learning states before the Forwarding state is
292 entered.
293 AgeingTimeSec=
295 This specifies the number of seconds a MAC Address will be kept in
296 the forwarding database after having a packet received from this
297 MAC Address.
298 Priority=
300 The priority of the bridge. An integer between 0 and 65535. A lower
301 value means higher priority. The bridge having the lowest priority
302 will be elected as root bridge.
303 GroupForwardMask=
305 A 16-bit bitmask represented as an integer which allows forwarding
306 of link local frames with 802.1D reserved addresses
307 (01:80:C2:00:00:0X). A logical AND is performed between the
308 specified bitmask and the exponentiation of 2^X, the lower nibble
309 of the last octet of the MAC address. For example, a value of 8
310 would allow forwarding of frames addressed to 01:80:C2:00:00:03
311 (802.1X PAE).
312 DefaultPVID=
314 This specifies the default port VLAN ID of a newly attached bridge
315 port. Set this to an integer in the range 1–4094 or "none" to
316 disable the PVID.
317 MulticastQuerier=
319 Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER
320 option in the kernel. If enabled, the kernel will send general ICMP
321 queries from a zero source address. This feature should allow
322 faster convergence on startup, but it causes some multicast-aware
323 switches to misbehave and disrupt forwarding of multicast packets.
324 When unset, the kernel's default will be used.
325 MulticastSnooping=
327 Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING
328 option in the kernel. If enabled, IGMP snooping monitors the
329 Internet Group Management Protocol (IGMP) traffic between hosts and
330 multicast routers. When unset, the kernel's default will be used.
331 VLANFiltering=
333 Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING
334 option in the kernel. If enabled, the bridge will be started in
335 VLAN-filtering mode. When unset, the kernel's default will be used.
336 STP=
338 Takes a boolean. This enables the bridge's Spanning Tree Protocol
339 (STP). When unset, the kernel's default will be used.
340
342 The "[VLAN]" section only applies for netdevs of kind "vlan", and
343 accepts the following key:
344 Id=
346 The VLAN ID to use. An integer in the range 0–4094. This option is
347 compulsory.
348 GVRP=
350 Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a
351 protocol that allows automatic learning of VLANs on a network. When
352 unset, the kernel's default will be used.
353 MVRP=
355 Takes a boolean. Multiple VLAN Registration Protocol (MVRP)
356 formerly known as GARP VLAN Registration Protocol (GVRP) is a
357 standards-based Layer 2 network protocol, for automatic
358 configuration of VLAN information on switches. It was defined in
359 the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's
360 default will be used.
361 LooseBinding=
363 Takes a boolean. The VLAN loose binding mode, in which only the
364 operational state is passed from the parent to the associated
365 VLANs, but the VLAN device state is not changed. When unset, the
366 kernel's default will be used.
367 ReorderHeader=
369 Takes a boolean. The VLAN reorder header is set VLAN interfaces
370 behave like physical interfaces. When unset, the kernel's default
371 will be used.
372
374 The "[MACVLAN]" section only applies for netdevs of kind "macvlan", and
375 accepts the following key:
376 Mode=
378 The MACVLAN mode to use. The supported options are "private",
379 "vepa", "bridge", and "passthru".
380
382 The "[MACVTAP]" section applies for netdevs of kind "macvtap" and
383 accepts the same key as "[MACVLAN]".
384
386 The "[IPVLAN]" section only applies for netdevs of kind "ipvlan", and
387 accepts the following key:
388 Mode=
390 The IPVLAN mode to use. The supported options are "L2","L3" and
391 "L3S".
392 Flags=
394 The IPVLAN flags to use. The supported options are
395 "bridge","private" and "vepa".
396
398 The "[VXLAN]" section only applies for netdevs of kind "vxlan", and
399 accepts the following keys:
400 Id=
402 The VXLAN ID to use.
403 Remote=
405 Configures destination IP address.
406 Local=
408 Configures local IP address.
409 TOS=
411 The Type Of Service byte value for a vxlan interface.
412 TTL=
414 A fixed Time To Live N on Virtual eXtensible Local Area Network
415 packets. N is a number in the range 1–255. 0 is a special value
416 meaning that packets inherit the TTL value.
417 MacLearning=
419 Takes a boolean. When true, enables dynamic MAC learning to
420 discover remote MAC addresses.
421 FDBAgeingSec=
423 The lifetime of Forwarding Database entry learnt by the kernel, in
424 seconds.
425 MaximumFDBEntries=
427 Configures maximum number of FDB entries.
428 ReduceARPProxy=
430 Takes a boolean. When true, bridge-connected VXLAN tunnel endpoint
431 answers ARP requests from the local bridge on behalf of remote
432 Distributed Overlay Virtual Ethernet (DVOE)[5] clients. Defaults to
433 false.
434 L2MissNotification=
436 Takes a boolean. When true, enables netlink LLADDR miss
437 notifications.
438 L3MissNotification=
440 Takes a boolean. When true, enables netlink IP address miss
441 notifications.
442 RouteShortCircuit=
444 Takes a boolean. When true, route short circuiting is turned on.
445 UDPChecksum=
447 Takes a boolean. When true, transmitting UDP checksums when doing
448 VXLAN/IPv4 is turned on.
449 UDP6ZeroChecksumTx=
451 Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is
452 turned on.
453 UDP6ZeroChecksumRx=
455 Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6
456 is turned on.
457 RemoteChecksumTx=
459 Takes a boolean. When true, remote transmit checksum offload of
460 VXLAN is turned on.
461 RemoteChecksumRx=
463 Takes a boolean. When true, remote receive checksum offload in
464 VXLAN is turned on.
465 GroupPolicyExtension=
467 Takes a boolean. When true, it enables Group Policy VXLAN extension
468 security label mechanism across network peers based on VXLAN. For
469 details about the Group Policy VXLAN, see the VXLAN Group Policy[6]
470 document. Defaults to false.
471 DestinationPort=
473 Configures the default destination UDP port on a per-device basis.
474 If destination port is not specified then Linux kernel default will
475 be used. Set destination port 4789 to get the IANA assigned value.
476 If not set or if the destination port is assigned the empty string
477 the default port of 4789 is used.
478 PortRange=
480 Configures VXLAN port range. VXLAN bases source UDP port based on
481 flow to help the receiver to be able to load balance based on outer
482 header flow. It restricts the port range to the normal UDP local
483 ports, and allows overriding via configuration.
484 FlowLabel=
486 Specifies the flow label to use in outgoing packets. The valid
487 range is 0-1048575.
488
490 The "[GENEVE]" section only applies for netdevs of kind "geneve", and
491 accepts the following keys:
492 Id=
494 Specifies the Virtual Network Identifier (VNI) to use. Ranges
495 [0-16777215].
496 Remote=
498 Specifies the unicast destination IP address to use in outgoing
499 packets.
500 TOS=
502 Specifies the TOS value to use in outgoing packets. Ranges [1-255].
503 TTL=
505 Specifies the TTL value to use in outgoing packets. Ranges [1-255].
506 UDPChecksum=
508 Takes a boolean. When true, specifies if UDP checksum is calculated
509 for transmitted packets over IPv4.
510 UDP6ZeroChecksumTx=
512 Takes a boolean. When true, skip UDP checksum calculation for
513 transmitted packets over IPv6.
514 UDP6ZeroChecksumRx=
516 Takes a boolean. When true, allows incoming UDP packets over IPv6
517 with zero checksum field.
518 DestinationPort=
520 Specifies destination port. Defaults to 6081. If not set or
521 assigned the empty string, the default port of 6081 is used.
522 FlowLabel=
524 Specifies the flow label to use in outgoing packets.
525
527 The "[Tunnel]" section only applies for netdevs of kind "ipip", "sit",
528 "gre", "gretap", "ip6gre", "ip6gretap", "vti", "vti6", and "ip6tnl" and
529 accepts the following keys:
530 Local=
532 A static local address for tunneled packets. It must be an address
533 on another interface of this host, or the special value "any".
534 Remote=
536 The remote endpoint of the tunnel. Takes an IP address or the
537 special value "any".
538 TOS=
540 The Type Of Service byte value for a tunnel interface. For details
541 about the TOS, see the Type of Service in the Internet Protocol
542 Suite[7] document.
543 TTL=
545 A fixed Time To Live N on tunneled packets. N is a number in the
546 range 1–255. 0 is a special value meaning that packets inherit the
547 TTL value. The default value for IPv4 tunnels is: inherit. The
548 default value for IPv6 tunnels is 64.
549 DiscoverPathMTU=
551 Takes a boolean. When true, enables Path MTU Discovery on the
552 tunnel.
553 IPv6FlowLabel=
555 Configures the 20-bit flow label (see RFC 6437[8]) field in the
556 IPv6 header (see RFC 2460[9]), which is used by a node to label
557 packets of a flow. It is only used for IPv6 tunnels. A flow label
558 of zero is used to indicate packets that have not been labeled. It
559 can be configured to a value in the range 0–0xFFFFF, or be set to
560 "inherit", in which case the original flowlabel is used.
561 CopyDSCP=
563 Takes a boolean. When true, the Differentiated Service Code Point
564 (DSCP) field will be copied to the inner header from outer header
565 during the decapsulation of an IPv6 tunnel packet. DSCP is a field
566 in an IP packet that enables different levels of service to be
567 assigned to network traffic. Defaults to "no".
568 EncapsulationLimit=
570 The Tunnel Encapsulation Limit option specifies how many additional
571 levels of encapsulation are permitted to be prepended to the
572 packet. For example, a Tunnel Encapsulation Limit option containing
573 a limit value of zero means that a packet carrying that option may
574 not enter another tunnel before exiting the current tunnel. (see
575 RFC 2473[10]). The valid range is 0–255 and "none". Defaults to 4.
576 Key=
578 The Key= parameter specifies the same key to use in both directions
579 (InputKey= and OutputKey=). The Key= is either a number or an IPv4
580 address-like dotted quad. It is used as mark-configured SAD/SPD
581 entry as part of the lookup key (both in data and control path) in
582 ip xfrm (framework used to implement IPsec protocol). See ip-xfrm —
583 transform configuration[11] for details. It is only used for
584 VTI/VTI6 tunnels.
585 InputKey=
587 The InputKey= parameter specifies the key to use for input. The
588 format is same as Key=. It is only used for VTI/VTI6 tunnels.
589 OutputKey=
591 The OutputKey= parameter specifies the key to use for output. The
592 format is same as Key=. It is only used for VTI/VTI6 tunnels.
593 Mode=
595 An "ip6tnl" tunnel can be in one of three modes "ip6ip6" for IPv6
596 over IPv6, "ipip6" for IPv4 over IPv6 or "any" for either.
597 Independent=
599 Takes a boolean. When true tunnel does not require .network file.
600 Created as "tunnel@NONE". Defaults to "false".
601 AllowLocalRemote=
603 Takes a boolean. When true allows tunnel traffic on ip6tnl devices
604 where the remote endpoint is a local host address. When unset, the
605 kernel's default will be used.
606 FooOverUDP=
608 Takes a boolean. Specifies whether FooOverUDP= tunnel is to be
609 configured. Defaults to false. For more detail information see Foo
610 over UDP[12]
611 FOUDestinationPort=
613 This setting specifies the UDP destination port for encapsulation.
614 This field is mandatory and is not set by default.
615 FOUSourcePort=
617 This setting specifies the UDP source port for encapsulation.
618 Defaults to 0 — that is, the source port for packets is left to the
619 network stack to decide.
620 Encapsulation=
622 Accepts the same key as "[FooOverUDP]"
623 IPv6RapidDeploymentPrefix=
625 Reconfigure the tunnel for IPv6 Rapid Deployment[13], also known as
626 6rd. The value is an ISP-specific IPv6 prefix with a non-zero
627 length. Only applicable to SIT tunnels.
628 ISATAP=
630 Takes a boolean. If set, configures the tunnel as Intra-Site
631 Automatic Tunnel Addressing Protocol (ISATAP) tunnel. Only
632 applicable to SIT tunnels. When unset, the kernel's default will be
633 used.
634 SerializeTunneledPackets=
636 Takes a boolean. If set to yes, then packets are serialized. Only
637 applies for ERSPAN tunnel. When unset, the kernel's default will be
638 used.
639 ERSPANIndex=
641 Specifies the ERSPAN index field for the interface, an integer in
642 the range 1-1048575 associated with the ERSPAN traffic's source
643 port and direction. This field is mandatory.
644
646 The "[FooOverUDP]" section only applies for netdevs of kind "fou" and
647 accepts the following keys:
648 Protocol=
650 The Protocol= specifies the protocol number of the packets arriving
651 at the UDP port. This field is mandatory and is not set by default.
652 Valid range is 1-255.
653 Encapsulation=
655 Specifies the encapsulation mechanism used to store networking
656 packets of various protocols inside the UDP packets. Supports the
657 following values: "FooOverUDP" provides the simplest no frills
658 model of UDP encapsulation, it simply encapsulates packets directly
659 in the UDP payload. "GenericUDPEncapsulation" is a generic and
660 extensible encapsulation, it allows encapsulation of packets for
661 any IP protocol and optional data as part of the encapsulation. For
662 more detailed information see Generic UDP Encapsulation[14].
663 Defaults to "FooOverUDP".
664 Port=
666 Specifies the port number, where the IP encapsulation packets will
667 arrive. Please take note that the packets will arrive with the
668 encapsulation will be removed. Then they will be manually fed back
669 into the network stack, and sent ahead for delivery to the real
670 destination. This option is mandatory.
671
673 The "[Peer]" section only applies for netdevs of kind "veth" and
674 accepts the following keys:
675 Name=
677 The interface name used when creating the netdev. This option is
678 compulsory.
679 MACAddress=
681 The peer MACAddress, if not set, it is generated in the same way as
682 the MAC address of the main interface.
683
685 The "[VXCAN]" section only applies for netdevs of kind "vxcan" and
686 accepts the following key:
687 Peer=
689 The peer interface name used when creating the netdev. This option
690 is compulsory.
691
693 The "[Tun]" section only applies for netdevs of kind "tun", and accepts
694 the following keys:
695 OneQueue=
697 Takes a boolean. Configures whether all packets are queued at the
698 device (enabled), or a fixed number of packets are queued at the
699 device and the rest at the "qdisc". Defaults to "no".
700 MultiQueue=
702 Takes a boolean. Configures whether to use multiple file
703 descriptors (queues) to parallelize packets sending and receiving.
704 Defaults to "no".
705 PacketInfo=
707 Takes a boolean. Configures whether packets should be prepended
708 with four extra bytes (two flag bytes and two protocol bytes). If
709 disabled, it indicates that the packets will be pure IP packets.
710 Defaults to "no".
711 VNetHeader=
713 Takes a boolean. Configures IFF_VNET_HDR flag for a tap device. It
714 allows sending and receiving larger Generic Segmentation Offload
715 (GSO) packets. This may increase throughput significantly. Defaults
716 to "no".
717 User=
719 User to grant access to the /dev/net/tun device.
720 Group=
722 Group to grant access to the /dev/net/tun device.
723
725 The "[Tap]" section only applies for netdevs of kind "tap", and accepts
726 the same keys as the "[Tun]" section.
727
729 The "[WireGuard]" section accepts the following keys:
730 PrivateKey=
732 The Base64 encoded private key for the interface. It can be
733 generated using the wg genkey command (see wg(8)). This option is
734 mandatory to use WireGuard. Note that because this information is
735 secret, you may want to set the permissions of the .netdev file to
736 be owned by "root:systemd-network" with a "0640" file mode.
737 ListenPort=
739 Sets UDP port for listening. Takes either value between 1 and 65535
740 or "auto". If "auto" is specified, the port is automatically
741 generated based on interface name. Defaults to "auto".
742 FwMark=
744 Sets a firewall mark on outgoing WireGuard packets from this
745 interface.
746
748 The "[WireGuardPeer]" section accepts the following keys:
749 PublicKey=
751 Sets a Base64 encoded public key calculated by wg pubkey (see
752 wg(8)) from a private key, and usually transmitted out of band to
753 the author of the configuration file. This option is mandatory for
754 this section.
755 PresharedKey=
757 Optional preshared key for the interface. It can be generated by
758 the wg genpsk command. This option adds an additional layer of
759 symmetric-key cryptography to be mixed into the already existing
760 public-key cryptography, for post-quantum resistance. Note that
761 because this information is secret, you may want to set the
762 permissions of the .netdev file to be owned by
763 "root:systemd-networkd" with a "0640" file mode.
764 AllowedIPs=
766 Sets a comma-separated list of IP (v4 or v6) addresses with CIDR
767 masks from which this peer is allowed to send incoming traffic and
768 to which outgoing traffic for this peer is directed. The catch-all
769 0.0.0.0/0 may be specified for matching all IPv4 addresses, and
770 ::/0 may be specified for matching all IPv6 addresses.
771 Endpoint=
773 Sets an endpoint IP address or hostname, followed by a colon, and
774 then a port number. This endpoint will be updated automatically
775 once to the most recent source IP address and port of correctly
776 authenticated packets from the peer at configuration time.
777 PersistentKeepalive=
779 Sets a seconds interval, between 1 and 65535 inclusive, of how
780 often to send an authenticated empty packet to the peer for the
781 purpose of keeping a stateful firewall or NAT mapping valid
782 persistently. For example, if the interface very rarely sends
783 traffic, but it might at anytime receive traffic from a peer, and
784 it is behind NAT, the interface might benefit from having a
785 persistent keepalive interval of 25 seconds. If set to 0 or "off",
786 this option is disabled. By default or when unspecified, this
787 option is off. Most users will not need this.
788
790 The "[Bond]" section accepts the following key:
791 Mode=
793 Specifies one of the bonding policies. The default is "balance-rr"
794 (round robin). Possible values are "balance-rr", "active-backup",
795 "balance-xor", "broadcast", "802.3ad", "balance-tlb", and
796 "balance-alb".
797 TransmitHashPolicy=
799 Selects the transmit hash policy to use for slave selection in
800 balance-xor, 802.3ad, and tlb modes. Possible values are "layer2",
801 "layer3+4", "layer2+3", "encap2+3", and "encap3+4".
802 LACPTransmitRate=
804 Specifies the rate with which link partner transmits Link
805 Aggregation Control Protocol Data Unit packets in 802.3ad mode.
806 Possible values are "slow", which requests partner to transmit
807 LACPDUs every 30 seconds, and "fast", which requests partner to
808 transmit LACPDUs every second. The default value is "slow".
809 MIIMonitorSec=
811 Specifies the frequency that Media Independent Interface link
812 monitoring will occur. A value of zero disables MII link
813 monitoring. This value is rounded down to the nearest millisecond.
814 The default value is 0.
815 UpDelaySec=
817 Specifies the delay before a link is enabled after a link up status
818 has been detected. This value is rounded down to a multiple of
819 MIIMonitorSec. The default value is 0.
820 DownDelaySec=
822 Specifies the delay before a link is disabled after a link down
823 status has been detected. This value is rounded down to a multiple
824 of MIIMonitorSec. The default value is 0.
825 LearnPacketIntervalSec=
827 Specifies the number of seconds between instances where the bonding
828 driver sends learning packets to each slave peer switch. The valid
829 range is 1–0x7fffffff; the default value is 1. This option has an
830 effect only for the balance-tlb and balance-alb modes.
831 AdSelect=
833 Specifies the 802.3ad aggregation selection logic to use. Possible
834 values are "stable", "bandwidth" and "count".
835 AdActorSystemPriority=
837 Specifies the 802.3ad actor system priority. Ranges [1-65535].
838 AdUserPortKey=
840 Specifies the 802.3ad user defined portion of the port key. Ranges
841 [0-1023].
842 AdActorSystem=
844 Specifies the 802.3ad system mac address. This can not be either
845 NULL or Multicast.
846 FailOverMACPolicy=
848 Specifies whether the active-backup mode should set all slaves to
849 the same MAC address at the time of enslavement or, when enabled,
850 to perform special handling of the bond's MAC address in accordance
851 with the selected policy. The default policy is none. Possible
852 values are "none", "active" and "follow".
853 ARPValidate=
855 Specifies whether or not ARP probes and replies should be validated
856 in any mode that supports ARP monitoring, or whether non-ARP
857 traffic should be filtered (disregarded) for link monitoring
858 purposes. Possible values are "none", "active", "backup" and "all".
859 ARPIntervalSec=
861 Specifies the ARP link monitoring frequency in milliseconds. A
862 value of 0 disables ARP monitoring. The default value is 0.
863 ARPIPTargets=
865 Specifies the IP addresses to use as ARP monitoring peers when
866 ARPIntervalSec is greater than 0. These are the targets of the ARP
867 request sent to determine the health of the link to the targets.
868 Specify these values in IPv4 dotted decimal format. At least one IP
869 address must be given for ARP monitoring to function. The maximum
870 number of targets that can be specified is 16. The default value is
871 no IP addresses.
872 ARPAllTargets=
874 Specifies the quantity of ARPIPTargets that must be reachable in
875 order for the ARP monitor to consider a slave as being up. This
876 option affects only active-backup mode for slaves with ARPValidate
877 enabled. Possible values are "any" and "all".
878 PrimaryReselectPolicy=
880 Specifies the reselection policy for the primary slave. This
881 affects how the primary slave is chosen to become the active slave
882 when failure of the active slave or recovery of the primary slave
883 occurs. This option is designed to prevent flip-flopping between
884 the primary slave and other slaves. Possible values are "always",
885 "better" and "failure".
886 ResendIGMP=
888 Specifies the number of IGMP membership reports to be issued after
889 a failover event. One membership report is issued immediately after
890 the failover, subsequent packets are sent in each 200ms interval.
891 The valid range is 0–255. Defaults to 1. A value of 0 prevents the
892 IGMP membership report from being issued in response to the
893 failover event.
894 PacketsPerSlave=
896 Specify the number of packets to transmit through a slave before
897 moving to the next one. When set to 0, then a slave is chosen at
898 random. The valid range is 0–65535. Defaults to 1. This option only
899 has effect when in balance-rr mode.
900 GratuitousARP=
902 Specify the number of peer notifications (gratuitous ARPs and
903 unsolicited IPv6 Neighbor Advertisements) to be issued after a
904 failover event. As soon as the link is up on the new slave, a peer
905 notification is sent on the bonding device and each VLAN
906 sub-device. This is repeated at each link monitor interval
907 (ARPIntervalSec or MIIMonitorSec, whichever is active) if the
908 number is greater than 1. The valid range is 0–255. The default
909 value is 1. These options affect only the active-backup mode.
910 AllSlavesActive=
912 Takes a boolean. Specifies that duplicate frames (received on
913 inactive ports) should be dropped when false, or delivered when
914 true. Normally, bonding will drop duplicate frames (received on
915 inactive ports), which is desirable for most users. But there are
916 some times it is nice to allow duplicate frames to be delivered.
917 The default value is false (drop duplicate frames received on
918 inactive ports).
919 DynamicTransmitLoadBalancing=
921 Takes a boolean. Specifies if dynamic shuffling of flows is
922 enabled. Applies only for balance-tlb mode. Defaults to unset.
923 MinLinks=
925 Specifies the minimum number of links that must be active before
926 asserting carrier. The default value is 0.
927 For more detail information see Linux Ethernet Bonding Driver HOWTO[1]
929
931 Example 1. /etc/systemd/network/25-bridge.netdev
932 [NetDev]
934 Name=bridge0
935 Kind=bridge
936 Example 2. /etc/systemd/network/25-vlan1.netdev
938 [Match]
940 Virtualization=no
941 [NetDev]
943 Name=vlan1
944 Kind=vlan
945 [VLAN]
947 Id=1
948 Example 3. /etc/systemd/network/25-ipip.netdev
950 [NetDev]
952 Name=ipip-tun
953 Kind=ipip
954 MTUBytes=1480
955 [Tunnel]
957 Local=192.168.223.238
958 Remote=192.169.224.239
959 TTL=64
960 Example 4. /etc/systemd/network/1-fou-tunnel.netdev
962 [NetDev]
964 Name=fou-tun
965 Kind=fou
966 [FooOverUDP]
968 Port=5555
969 Protocol=4
970 Example 5. /etc/systemd/network/25-fou-ipip.netdev
973 [NetDev]
975 Name=ipip-tun
976 Kind=ipip
977 [Tunnel]
979 Independent=yes
980 Local=10.65.208.212
981 Remote=10.65.208.211
982 FooOverUDP=yes
983 FOUDestinationPort=5555
984 Example 6. /etc/systemd/network/25-tap.netdev
987 [NetDev]
989 Name=tap-test
990 Kind=tap
991 [Tap]
993 MultiQueue=yes
994 PacketInfo=yes
995 Example 7. /etc/systemd/network/25-sit.netdev
997 [NetDev]
999 Name=sit-tun
1000 Kind=sit
1001 MTUBytes=1480
1002 [Tunnel]
1004 Local=10.65.223.238
1005 Remote=10.65.223.239
1006 Example 8. /etc/systemd/network/25-6rd.netdev
1008 [NetDev]
1010 Name=6rd-tun
1011 Kind=sit
1012 MTUBytes=1480
1013 [Tunnel]
1015 Local=10.65.223.238
1016 IPv6RapidDeploymentPrefix=2602::/24
1017 Example 9. /etc/systemd/network/25-gre.netdev
1019 [NetDev]
1021 Name=gre-tun
1022 Kind=gre
1023 MTUBytes=1480
1024 [Tunnel]
1026 Local=10.65.223.238
1027 Remote=10.65.223.239
1028 Example 10. /etc/systemd/network/25-vti.netdev
1030 [NetDev]
1032 Name=vti-tun
1033 Kind=vti
1034 MTUBytes=1480
1035 [Tunnel]
1037 Local=10.65.223.238
1038 Remote=10.65.223.239
1039 Example 11. /etc/systemd/network/25-veth.netdev
1041 [NetDev]
1043 Name=veth-test
1044 Kind=veth
1045 [Peer]
1047 Name=veth-peer
1048 Example 12. /etc/systemd/network/25-bond.netdev
1050 [NetDev]
1052 Name=bond1
1053 Kind=bond
1054 [Bond]
1056 Mode=802.3ad
1057 TransmitHashPolicy=layer3+4
1058 MIIMonitorSec=1s
1059 LACPTransmitRate=fast
1060 Example 13. /etc/systemd/network/25-dummy.netdev
1062 [NetDev]
1064 Name=dummy-test
1065 Kind=dummy
1066 MACAddress=12:34:56:78:9a:bc
1067 Example 14. /etc/systemd/network/25-vrf.netdev
1069 Create a VRF interface with table 42.
1071 [NetDev]
1073 Name=vrf-test
1074 Kind=vrf
1075 [VRF]
1077 Table=42
1078 Example 15. /etc/systemd/network/25-macvtap.netdev
1080 Create a MacVTap device.
1082 [NetDev]
1084 Name=macvtap-test
1085 Kind=macvtap
1086 Example 16. /etc/systemd/network/25-wireguard.netdev
1089 [NetDev]
1091 Name=wg0
1092 Kind=wireguard
1093 [WireGuard]
1095 PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
1096 ListenPort=51820
1097 [WireGuardPeer]
1099 PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
1100 AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
1101 Endpoint=wireguard.example.com:51820
1102
1104 systemd(1), systemd-networkd(8), systemd.link(5), systemd.network(5)
1105
1107 1. Linux Ethernet Bonding Driver HOWTO
1108 https://www.kernel.org/doc/Documentation/networking/bonding.txt
1109 2. RFC 2784
1111 https://tools.ietf.org/html/rfc2784
1112 3. IEEE 802.1Q
1114 http://www.ieee802.org/1/pages/802.1Q.html
1115 4. VRF
1117 https://www.kernel.org/doc/Documentation/networking/vrf.txt
1118 5. (DVOE)
1120 https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet
1121 6. VXLAN Group Policy
1123 https://tools.ietf.org/html/draft-smith-vxlan-group-policy
1124 7. Type of Service in the Internet Protocol Suite
1126 http://tools.ietf.org/html/rfc1349
1127 8. RFC 6437
1129 https://tools.ietf.org/html/rfc6437
1130 9. RFC 2460
1132 https://tools.ietf.org/html/rfc2460
1133 10. RFC 2473
1135 https://tools.ietf.org/html/rfc2473#section-4.1.1
1136 11. ip-xfrm — transform configuration
1138 http://man7.org/linux/man-pages/man8/ip-xfrm.8.html
1139 12. Foo over UDP
1141 https://lwn.net/Articles/614348
1142 13. IPv6 Rapid Deployment
1144 https://tools.ietf.org/html/rfc5569
1145 14. Generic UDP Encapsulation
1147 https://lwn.net/Articles/615044
1148systemd 241 SYSTEMD.NETDEV(5)