SYSTEMD.NETWORK(5)          systemd.network          SYSTEMD.NETWORK(5)

systemd.network - Network configuration

network.network

Network setup is performed by systemd-networkd(8).

The main network file must have the extension .network; other
extensions are ignored. Networks are applied to links whenever the
links appear.

The .network files are read from the files located in the system
network directories /usr/lib/systemd/network and
/usr/local/lib/systemd/network, the volatile runtime network directory
/run/systemd/network and the local administration network directory
/etc/systemd/network. All configuration files are collectively sorted
and processed in lexical order, regardless of the directories in which
they live. However, files with identical filenames replace each other.
Files in /etc have the highest priority, files in /run take precedence
over files with the same name under /usr. This can be used to override
a system-supplied configuration file with a local file if needed. As a
special case, an empty file (file size 0) or symlink with the same name
pointing to /dev/null disables the configuration file entirely (it is
"masked").

Along with the network file foo.network, a "drop-in" directory
foo.network.d/ may exist. All files with the suffix ".conf" from this
directory will be parsed after the file itself is parsed. This is
useful to alter or add configuration settings, without having to modify
the main configuration file. Each drop-in file must have appropriate
section headers.

In addition to /etc/systemd/network, drop-in ".d" directories can be
placed in /usr/lib/systemd/network or /run/systemd/network directories.
Drop-in files in /etc take precedence over those in /run which in turn
take precedence over those in /usr/lib. Drop-in files under any of
these directories take precedence over the main network file wherever
located.

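The precedence, masking and drop-in rules above can be checked
mechanically when auditing which file is actually in effect. The
following Python sketch is an added example, not part of systemd; it
runs against a constructed sample tree in a temporary directory, and
the rank of /usr/local/lib between /usr/lib and /run and the lexical
ordering of drop-ins are assumptions.

```python
import os
import tempfile

# Directories named on the page, lowest to highest priority for files with
# the same name. Ranking usr/local/lib between usr/lib and run is an assumption.
NETWORK_DIRS = [
    "usr/lib/systemd/network",
    "usr/local/lib/systemd/network",
    "run/systemd/network",
    "etc/systemd/network",
]


def is_masked(path):
    """An empty file, or a symlink to /dev/null, disables the configuration."""
    if os.path.islink(path) and os.path.realpath(path) == "/dev/null":
        return True
    return os.path.isfile(path) and os.path.getsize(path) == 0


def resolve(root="/"):
    """Return the effective .network files under root, in processing order."""
    copies = {}   # file name -> every copy found, lowest priority first
    dropins = {}  # file name -> {drop-in name: winning path}
    for rel in NETWORK_DIRS:
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for entry in sorted(os.listdir(directory)):
            path = os.path.join(directory, entry)
            if entry.endswith(".network") and not os.path.isdir(path):
                copies.setdefault(entry, []).append(path)
            elif entry.endswith(".network.d") and os.path.isdir(path):
                confs = dropins.setdefault(entry[:-2], {})
                for conf in os.listdir(path):
                    if conf.endswith(".conf"):
                        # A same-named drop-in in a later directory wins.
                        confs[conf] = os.path.join(path, conf)
    effective = []
    for name in sorted(copies):  # lexical order, regardless of directory
        *shadowed, winner = copies[name]
        confs = dropins.get(name, {})
        effective.append({
            "name": name,
            "path": winner,
            "masked": is_masked(winner),
            "shadowed": shadowed,  # lower-priority copies that were replaced
            "dropins": [confs[c] for c in sorted(confs)],
        })
    return effective


def build_sample_tree():
    """Constructed sample layout in a temporary directory (not real config)."""
    root = tempfile.mkdtemp(prefix="networkd-demo-")
    net = "systemd/network/"
    files = {
        "usr/lib/" + net + "80-wired.network": "[Match]\nName=en*\n",
        "usr/lib/" + net + "90-wlan.network": "[Match]\nName=wl*\n",
        "run/" + net + "80-wired.network": "[Match]\nName=en*\n",
        "etc/" + net + "10-lan.network": "[Match]\nName=enp3s0\n",
        "usr/lib/" + net + "80-wired.network.d/10-vendor.conf":
            "[Network]\nLLMNR=no\n",
        "etc/" + net + "80-wired.network.d/50-local.conf":
            "[Network]\nEmitLLDP=yes\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(text)
    # Mask the vendor wlan file from /etc with a symlink to /dev/null.
    os.symlink("/dev/null", os.path.join(root, "etc", net + "90-wlan.network"))
    return root


if __name__ == "__main__":
    for item in resolve(build_sample_tree()):
        state = "MASKED" if item["masked"] else "active"
        print(item["name"], state, item["path"])
        for old in item["shadowed"]:
            print("    replaces", old)
        for conf in item["dropins"]:
            print("    drop-in ", conf)
```

A file that replaces or masks a vendor copy from /run or /etc, or a
drop-in that appears only there, is the first thing to review when an
interface is not configured the way the vendor file says it should be.
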
Note that an interface without any static IPv6 addresses configured,
and neither DHCPv6 nor IPv6LL enabled, shall be considered to have no
IPv6 support. IPv6 will be automatically disabled for that interface by
writing "1" to /proc/sys/net/ipv6/conf/ifname/disable_ipv6.

The network file contains a "[Match]" section, which determines if a
given network file may be applied to a given device; and a "[Network]"
section specifying how the device should be configured. The first (in
lexical order) of the network files that matches a given device is
applied; all later files are ignored, even if they match as well.

A network file is said to match a network interface if all matches
specified by the "[Match]" section are satisfied. When a network file
does not contain valid settings in the "[Match]" section, the file
will match all interfaces and systemd-networkd warns about that. Hint:
to avoid the warning and to make it clear that all interfaces shall be
matched, add the following:

Name=*

The following keys are accepted:

MACAddress=
A whitespace-separated list of hardware addresses. Use full colon-,
hyphen- or dot-delimited hexadecimal. See the example below. This
option may appear more than once, in which case the lists are
merged. If the empty string is assigned to this option, the list of
hardware addresses defined prior to this is reset.

Example:

MACAddress=01:23:45:67:89:ab 00-11-22-33-44-55 AABB.CCDD.EEFF

Path=
A whitespace-separated list of shell-style globs matching the
persistent path, as exposed by the udev property "ID_PATH". If the
list is prefixed with a "!", the test is inverted; i.e. it is true
when "ID_PATH" does not match any item in the list.

Driver=
A whitespace-separated list of shell-style globs matching the
driver currently bound to the device, as exposed by the udev
property "ID_NET_DRIVER" of its parent device, or if that is not
set the driver as exposed by "ethtool -i" of the device itself. If
the list is prefixed with a "!", the test is inverted.

Type=
A whitespace-separated list of shell-style globs matching the
device type, as exposed by the udev property "DEVTYPE". If the list
is prefixed with a "!", the test is inverted.

Name=
A whitespace-separated list of shell-style globs matching the
device name, as exposed by the udev property "INTERFACE". If the
list is prefixed with a "!", the test is inverted.

Property=
A whitespace-separated list of udev property names with their
values after an equals sign ("="). If multiple properties are
specified, the test results are ANDed. If the list is prefixed with
a "!", the test is inverted. If a value contains white spaces, then
please quote the whole key and value pair. If a value contains
quotation marks, then please escape them with "\".

Example: if a .network file has the following:

Property=ID_MODEL_ID=9999 "ID_VENDOR_FROM_DATABASE=vendor name" "KEY=with \"quotation\""

then the .network file matches only when an interface has all
three of the above properties.

Host=
Matches against the hostname or machine ID of the host. See
"ConditionHost=" in systemd.unit(5) for details. When prefixed with
an exclamation mark ("!"), the result is negated. If an empty
string is assigned, then the previously assigned value is cleared.

Virtualization=
Checks whether the system is executed in a virtualized environment
and optionally tests whether it is a specific implementation. See
"ConditionVirtualization=" in systemd.unit(5) for details. When
prefixed with an exclamation mark ("!"), the result is negated. If
an empty string is assigned, then the previously assigned value is
cleared.

KernelCommandLine=
Checks whether a specific kernel command line option is set. See
"ConditionKernelCommandLine=" in systemd.unit(5) for details. When
prefixed with an exclamation mark ("!"), the result is negated. If
an empty string is assigned, then the previously assigned value is
cleared.

KernelVersion=
Checks whether the kernel version (as reported by uname -r) matches
a certain expression. See "ConditionKernelVersion=" in
systemd.unit(5) for details. When prefixed with an exclamation mark
("!"), the result is negated. If an empty string is assigned, then
the previously assigned value is cleared.

Architecture=
Checks whether the system is running on a specific architecture.
See "ConditionArchitecture=" in systemd.unit(5) for details. When
prefixed with an exclamation mark ("!"), the result is negated. If
an empty string is assigned, then the previously assigned value is
cleared.

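The matching rules above decide which file configures an interface, so
a broad early file can silently take over a link meant for a stricter
later one. The following Python model is an added example that follows
this page's description, not networkd's own code; the sample files,
interface properties and the "MAC" dictionary key are constructed for
illustration, and a repeated glob key is assumed to replace the
earlier value.

```python
import fnmatch
import re

# [Match] key -> udev property it is compared against, as listed on the page.
GLOB_KEYS = {"Name": "INTERFACE", "Type": "DEVTYPE",
             "Driver": "ID_NET_DRIVER", "Path": "ID_PATH"}


def parse_match(text):
    """Collect [Match] keys; repeated MACAddress= lists are merged."""
    match, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Match" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "MACAddress":
                # An empty assignment resets the list defined so far.
                match[key] = (match.get(key, []) + value.split()) if value else []
            else:
                match[key] = value
    return match


def normalize_mac(value):
    """Reduce colon-, hyphen- or dot-delimited notation to 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def glob_list_matches(spec, actual):
    """Whitespace-separated globs; a leading '!' inverts the whole test."""
    inverted = spec.startswith("!")
    patterns = (spec[1:] if inverted else spec).split()
    hit = actual is not None and any(
        fnmatch.fnmatchcase(actual, pattern) for pattern in patterns)
    return hit != inverted


def file_matches(match, iface):
    """Every configured match must hold; no settings at all matches anything."""
    for key, prop in GLOB_KEYS.items():
        if key in match and not glob_list_matches(match[key], iface.get(prop)):
            return False
    macs = {normalize_mac(m) for m in match.get("MACAddress", [])} - {None}
    if macs and normalize_mac(iface.get("MAC", "")) not in macs:
        return False
    return True


def matching_files(files, iface):
    """All files that match, in lexical order; only the first is applied."""
    return [name for name in sorted(files)
            if file_matches(parse_match(files[name]), iface)]


def select_network(files, iface):
    matches = matching_files(files, iface)
    return matches[0] if matches else None


# Constructed sample configuration and interfaces.
SAMPLE_FILES = {
    "30-wired.network": "[Match]\nName=en*\nDriver=!veth bridge\n",
    "20-catchall.network": "[Match]\nName=*\n\n[Network]\nDHCP=yes\n",
    "10-wifi.network":
        "[Match]\nMACAddress=AABB.CCDD.EEFF\nMACAddress=00-11-22-33-44-55\n"
        "Type=wlan\n",
}
WIFI = {"INTERFACE": "wlp2s0", "DEVTYPE": "wlan",
        "ID_NET_DRIVER": "iwlwifi", "MAC": "aa:bb:cc:dd:ee:ff"}
WIRED = {"INTERFACE": "enp3s0", "ID_NET_DRIVER": "e1000e",
         "MAC": "52:54:00:12:34:56"}
VETH = {"INTERFACE": "enveth0", "ID_NET_DRIVER": "veth"}

if __name__ == "__main__":
    for iface in (WIFI, WIRED, VETH):
        matches = matching_files(SAMPLE_FILES, iface)
        print(iface["INTERFACE"], "applied:", matches[:1], "ignored:", matches[1:])
```

In the sample, 20-catchall.network sorts before 30-wired.network, so
the wired interface gets the catch-all settings and the more specific
file is never applied.
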
The "[Link]" section accepts the following keys:

MACAddress=
The hardware address to set for the device.

MTUBytes=
The maximum transmission unit in bytes to set for the device. The
usual suffixes K, M, G, are supported and are understood to the
base of 1024.

Note that if IPv6 is enabled on the interface, and the MTU is
chosen below 1280 (the minimum MTU for IPv6), it will automatically
be increased to this value.

ARP=
Takes a boolean. If set to true, the ARP (low-level Address
Resolution Protocol) for this interface is enabled. When unset, the
kernel's default will be used.

For example, disabling ARP is useful when creating multiple MACVLAN
or VLAN virtual interfaces atop a single lower-level physical
interface, which will then only serve as a link/"bridge" device
aggregating traffic to the same physical link and not participate
in the network otherwise.

Multicast=
Takes a boolean. If set to true, the multicast flag on the device
is enabled.

AllMulticast=
Takes a boolean. If set to true, the driver retrieves all multicast
packets from the network. This happens when multicast routing is
enabled.

Unmanaged=
Takes a boolean. When "yes", no attempts are made to bring up or
configure matching links, equivalent to when there are no matching
network files. Defaults to "no".

This is useful for preventing later matching network files from
interfering with certain interfaces that are fully controlled by
other applications.

RequiredForOnline=
Takes a boolean or operational state. Please see networkctl(1) for
possible operational states. When "yes", the network is deemed
required when determining whether the system is online when running
systemd-networkd-wait-online. When "no", the network is ignored
when checking for online state. When an operational state is set,
"yes" is implied, and this controls the operational state required
for the network interface to be considered online. Defaults to
"yes".

The network will be brought up normally in all cases, but in the
event that there is no address being assigned by DHCP or the cable
is not plugged in, the link will simply remain offline and be
skipped automatically by systemd-networkd-wait-online if
"RequiredForOnline=no".

The "[Network]" section accepts the following keys:

Description=
A description of the device. This is only used for presentation
purposes.

DHCP=
Enables DHCPv4 and/or DHCPv6 client support. Accepts "yes", "no",
"ipv4", or "ipv6". Defaults to "no".

Note that DHCPv6 will by default be triggered by Router
Advertisement, if that is enabled, regardless of this parameter. By
enabling DHCPv6 support explicitly, the DHCPv6 client will be
started regardless of the presence of routers on the link, or what
flags the routers pass. See "IPv6AcceptRA=".

Furthermore, note that by default the domain name specified through
DHCP is not used for name resolution. See option UseDomains= below.

See the "[DHCPv4]" or "[DHCPv6]" section below for further
configuration options for the DHCP client support.

DHCPServer=
Takes a boolean. If set to "yes", DHCPv4 server will be started.
Defaults to "no". Further settings for the DHCP server may be set
in the "[DHCPServer]" section described below.

LinkLocalAddressing=
Enables link-local address autoconfiguration. Accepts "yes", "no",
"ipv4", "ipv6", "fallback", or "ipv4-fallback". If "fallback" or
"ipv4-fallback" is specified, then an IPv4 link-local address is
configured only when DHCPv4 fails. If "fallback", an IPv6
link-local address is always configured, and if "ipv4-fallback",
the address is not configured. Note that the fallback mechanism
works only when DHCPv4 client is enabled, that is, it requires
"DHCP=yes" or "DHCP=ipv4". If Bridge= is set, defaults to "no", and
if not, defaults to "ipv6".

IPv4LLRoute=
Takes a boolean. If set to true, sets up the route needed for
non-IPv4LL hosts to communicate with IPv4LL-only hosts. Defaults to
false.

DefaultRouteOnDevice=
Takes a boolean. If set to true, sets up the default route bound to
the interface. Defaults to false. This is useful when creating
routes on point-to-point interfaces. This is equivalent to e.g. the
following.

ip route add default dev veth99

IPv6Token=
An IPv6 address with the top 64 bits unset. When set, indicates the
64-bit interface part of SLAAC IPv6 addresses for this link. Note
that the token is only ever used for SLAAC, and not for DHCPv6
addresses, even in the case DHCP is requested by router
advertisement. By default, the token is autogenerated.

LLMNR=
Takes a boolean or "resolve". When true, enables Link-Local
Multicast Name Resolution[1] on the link. When set to "resolve",
only resolution is enabled, but not host registration and
announcement. Defaults to true. This setting is read by
systemd-resolved.service(8).

MulticastDNS=
Takes a boolean or "resolve". When true, enables Multicast DNS[2]
support on the link. When set to "resolve", only resolution is
enabled, but not host or service registration and announcement.
Defaults to false. This setting is read by
systemd-resolved.service(8).

DNSOverTLS=
Takes a boolean or "opportunistic". When true, enables
DNS-over-TLS[3] support on the link. When set to "opportunistic",
compatibility with non-DNS-over-TLS servers is increased, by
automatically turning off DNS-over-TLS servers in this case. This
option defines a per-interface setting for resolved.conf(5)'s
global DNSOverTLS= option. Defaults to false. This setting is read
by systemd-resolved.service(8).

DNSSEC=
Takes a boolean or "allow-downgrade". When true, enables DNSSEC[4]
DNS validation support on the link. When set to "allow-downgrade",
compatibility with non-DNSSEC capable networks is increased, by
automatically turning off DNSSEC in this case. This option defines
a per-interface setting for resolved.conf(5)'s global DNSSEC=
option. Defaults to false. This setting is read by
systemd-resolved.service(8).

DNSSECNegativeTrustAnchors=
A space-separated list of DNSSEC negative trust anchor domains. If
specified and DNSSEC is enabled, look-ups done via the interface's
DNS server will be subject to the list of negative trust anchors,
and not require authentication for the specified domains, or
anything below them. Use this to disable DNSSEC authentication for
specific private domains that cannot be proven valid using the
Internet DNS hierarchy. Defaults to the empty list. This setting is
read by systemd-resolved.service(8).

LLDP=
Controls support for Ethernet LLDP packet reception. LLDP is a
link-layer protocol commonly implemented on professional routers
and bridges which announces which physical port a system is
connected to, as well as other related data. Accepts a boolean or
the special value "routers-only". When true, incoming LLDP packets
are accepted and a database of all LLDP neighbors is maintained. If
"routers-only" is set, only LLDP data of various types of routers
is collected and LLDP data about other types of devices ignored
(such as stations, telephones and others). If false, LLDP reception
is disabled. Defaults to "routers-only". Use networkctl(1) to query
the collected neighbor data. LLDP is only available on Ethernet
links. See EmitLLDP= below for enabling LLDP packet emission from
the local system.

EmitLLDP=
Controls support for Ethernet LLDP packet emission. Accepts a
boolean parameter or the special values "nearest-bridge",
"non-tpmr-bridge" and "customer-bridge". Defaults to false, which
turns off LLDP packet emission. If not false, a short LLDP packet
with information about the local system is sent out in regular
intervals on the link. The LLDP packet will contain information
about the local host name, the local machine ID (as stored in
machine-id(5)) and the local interface name, as well as the pretty
hostname of the system (as set in machine-info(5)). LLDP emission
is only available on Ethernet links. Note that this setting passes
data suitable for identification of the host to the network and
should thus not be enabled on untrusted networks, where such
identification data should not be made available. Use this option
to permit other systems to identify on which interfaces they are
connected to this system. The three special values control
propagation of the LLDP packets. The "nearest-bridge" setting
permits propagation only to the nearest connected bridge,
"non-tpmr-bridge" permits propagation across Two-Port MAC Relays,
but not any other bridges, and "customer-bridge" permits
propagation until a customer bridge is reached. For details about
these concepts, see IEEE 802.1AB-2016[5]. Note that configuring
this setting to true is equivalent to "nearest-bridge", the
recommended and most restricted level of propagation. See LLDP=
above for an option to enable LLDP reception.

BindCarrier=
A link name or a list of link names. When set, controls the
behavior of the current link. When all links in the list are in an
operational down state, the current link is brought down. When at
least one link has carrier, the current interface is brought up.

Address=
A static IPv4 or IPv6 address and its prefix length, separated by a
"/" character. Specify this key more than once to configure several
addresses. The format of the address must be as described in
inet_pton(3). This is a short-hand for an [Address] section only
containing an Address key (see below). This option may be specified
more than once.

If the specified address is "0.0.0.0" (for IPv4) or "::" (for
IPv6), a new address range of the requested size is automatically
allocated from a system-wide pool of unused ranges. Note that the
prefix length must be equal to or larger than 8 for IPv4, and 64
for IPv6. The allocated range is checked against all current
network interfaces and all known network configuration files to
avoid address range conflicts. The default system-wide pool
consists of 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 for IPv4,
and fd00::/8 for IPv6. This functionality is useful to manage a
large number of dynamically created network interfaces with the
same network configuration and automatic address range assignment.

Gateway=
The gateway address, which must be in the format described in
inet_pton(3). This is a short-hand for a [Route] section only
containing a Gateway key. This option may be specified more than
once.

DNS=
A DNS server address, which must be in the format described in
inet_pton(3). This option may be specified more than once. This
setting is read by systemd-resolved.service(8).

Domains=
A list of domains which should be resolved using the DNS servers on
this link. Each item in the list should be a domain name,
optionally prefixed with a tilde ("~"). The domains with the prefix
are called "routing-only domains". The domains without the prefix
are called "search domains" and are first used as search suffixes
for extending single-label host names (host names containing no
dots) to become fully qualified domain names (FQDNs). If a
single-label host name is resolved on this interface, each of the
specified search domains is appended to it in turn, converting it
into a fully qualified domain name, until one of them may be
successfully resolved.

Both "search" and "routing-only" domains are used for routing of
DNS queries: look-ups for host names ending in those domains (hence
also single label names, if any "search domains" are listed), are
routed to the DNS servers configured for this interface. The domain
routing logic is particularly useful on multi-homed hosts with DNS
servers serving particular private DNS zones on each interface.

The "routing-only" domain "~." (the tilde indicating definition of
a routing domain, the dot referring to the DNS root domain which is
the implied suffix of all valid DNS names) has special effect. It
causes all DNS traffic which does not match another configured
domain routing entry to be routed to DNS servers specified for this
interface. This setting is useful to prefer a certain set of DNS
servers if a link on which they are connected is available.

This setting is read by systemd-resolved.service(8). "Search
domains" correspond to the domain and search entries in
resolv.conf(5). Domain name routing has no equivalent in the
traditional glibc API, which has no concept of domain name servers
limited to a specific link.

DNSDefaultRoute=
Takes a boolean argument. If true, this link's configured DNS
servers are used for resolving domain names that do not match any
link's configured Domains= setting. If false, this link's
configured DNS servers are never used for such domains, and are
exclusively used for resolving names that match at least one of the
domains configured on this link. If not specified, defaults to an
automatic mode: queries not matching any link's configured domains
will be routed to this link if it has no routing-only domains
configured.

NTP=
An NTP server address. This option may be specified more than once.
This setting is read by systemd-timesyncd.service(8).

IPForward=
Configures IP packet forwarding for the system. If enabled,
incoming packets on any network interface will be forwarded to any
other interfaces according to the routing table. Takes a boolean,
or the values "ipv4" or "ipv6", which only enable IP packet
forwarding for the specified address family. This controls the
net.ipv4.ip_forward and net.ipv6.conf.all.forwarding sysctl options
of the network interface (see ip-sysctl.txt[6] for details about
sysctl options). Defaults to "no".

Note: this setting controls a global kernel option, and does so one
way only: if a network that has this setting enabled is set up, the
global setting is turned on. However, it is never turned off again,
even after all networks with this setting enabled are shut down
again.

To allow IP packet forwarding only between specific network
interfaces use a firewall.

IPMasquerade=
Configures IP masquerading for the network interface. If enabled,
packets forwarded from the network interface will appear as
coming from the local host. Takes a boolean argument. Implies
IPForward=ipv4. Defaults to "no".

IPv6PrivacyExtensions=
Configures use of stateless temporary addresses that change over
time (see RFC 4941[7], Privacy Extensions for Stateless Address
Autoconfiguration in IPv6). Takes a boolean or the special values
"prefer-public" and "kernel". When true, enables the privacy
extensions and prefers temporary addresses over public addresses.
When "prefer-public", enables the privacy extensions, but prefers
public addresses over temporary addresses. When false, the privacy
extensions remain disabled. When "kernel", the kernel's default
setting will be left in place. Defaults to "no".

IPv6AcceptRA=
Takes a boolean. Controls IPv6 Router Advertisement (RA) reception
support for the interface. If true, RAs are accepted; if false, RAs
are ignored, independently of the local forwarding state. When RAs
are accepted, they may trigger the start of the DHCPv6 client if
the relevant flags are set in the RA data, or if no routers are
found on the link.

Further settings for the IPv6 RA support may be configured in the
"[IPv6AcceptRA]" section, see below.

Also see ip-sysctl.txt[6] in the kernel documentation regarding
"accept_ra", but note that systemd's setting of 1 (i.e. true)
corresponds to kernel's setting of 2.

Note that kernel's implementation of the IPv6 RA protocol is always
disabled, regardless of this setting. If this option is enabled, a
userspace implementation of the IPv6 RA protocol is used, and the
kernel's own implementation remains disabled, since
systemd-networkd needs to know all details supplied in the
advertisements, and these are not available from the kernel if the
kernel's own implementation is used.

IPv6DuplicateAddressDetection=
Configures the number of IPv6 Duplicate Address Detection (DAD)
probes to send. When unset, the kernel's default will be used.

IPv6HopLimit=
Configures IPv6 Hop Limit. For each router that forwards the
packet, the hop limit is decremented by 1. When the hop limit field
reaches zero, the packet is discarded. When unset, the kernel's
default will be used.

IPv4ProxyARP=
Takes a boolean. Configures proxy ARP for IPv4. Proxy ARP is the
technique in which one host, usually a router, answers ARP requests
intended for another machine. By "faking" its identity, the router
accepts responsibility for routing packets to the "real"
destination (see RFC 1027[8]). When unset, the kernel's default
will be used.

IPv6ProxyNDP=
Takes a boolean. Configures proxy NDP for IPv6. Proxy NDP (Neighbor
Discovery Protocol) is a technique for IPv6 to allow routing of
addresses to a different destination when peers expect them to be
present on a certain physical link. In this case a router answers
Neighbour Advertisement messages intended for another machine by
offering its own MAC address as destination. Unlike proxy ARP for
IPv4, it is not enabled globally, but will only send Neighbour
Advertisement messages for addresses in the IPv6 neighbor proxy
table, which can also be shown by ip -6 neighbour show proxy.
systemd-networkd will control the per-interface `proxy_ndp` switch
for each configured interface depending on this option. When unset,
the kernel's default will be used.

IPv6ProxyNDPAddress=
An IPv6 address, for which Neighbour Advertisement messages will be
proxied. This option may be specified more than once.
systemd-networkd will add the IPv6ProxyNDPAddress= entries to the
kernel's IPv6 neighbor proxy table. This option implies
IPv6ProxyNDP=yes but has no effect if IPv6ProxyNDP has been set to
false. When unset, the kernel's default will be used.

IPv6PrefixDelegation=
Whether to enable or disable Router Advertisement sending on a
link. Allowed values are "static" which distributes prefixes as
defined in the "[IPv6PrefixDelegation]" and any "[IPv6Prefix]"
sections, "dhcpv6" which requests prefixes using a DHCPv6 client
configured for another link and any values configured in the
"[IPv6PrefixDelegation]" section while ignoring all static prefix
configuration sections, "yes" which uses both static configuration
and DHCPv6, and "false" which turns off IPv6 prefix delegation
altogether. Defaults to "false". See the "[IPv6PrefixDelegation]"
and the "[IPv6Prefix]" sections for more configuration options.

IPv6MTUBytes=
Configures IPv6 maximum transmission unit (MTU). An integer greater
than or equal to 1280 bytes. When unset, the kernel's default will
be used.

Bridge=
The name of the bridge to add the link to. See systemd.netdev(5).

Bond=
The name of the bond to add the link to. See systemd.netdev(5).

VRF=
The name of the VRF to add the link to. See systemd.netdev(5).

VLAN=
The name of a VLAN to create on the link. See systemd.netdev(5).
This option may be specified more than once.

IPVLAN=
The name of an IPVLAN to create on the link. See systemd.netdev(5).
This option may be specified more than once.

MACVLAN=
The name of a MACVLAN to create on the link. See systemd.netdev(5).
This option may be specified more than once.

VXLAN=
The name of a VXLAN to create on the link. See systemd.netdev(5).
This option may be specified more than once.

Tunnel=
The name of a Tunnel to create on the link. See systemd.netdev(5).
This option may be specified more than once.

MACsec=
The name of a MACsec device to create on the link. See
systemd.netdev(5). This option may be specified more than once.

ActiveSlave=
Takes a boolean. Specifies the new active slave. The "ActiveSlave="
option is only valid for the following modes: "active-backup",
"balance-alb" and "balance-tlb". Defaults to false.

PrimarySlave=
Takes a boolean. Specifies which slave is the primary device. The
specified device will always be the active slave while it is
available. Only when the primary is off-line will alternate devices
be used. This is useful when one slave is preferred over another,
e.g. when one slave has higher throughput than another. The
"PrimarySlave=" option is only valid for the following modes:
"active-backup", "balance-alb" and "balance-tlb". Defaults to
false.

ConfigureWithoutCarrier=
Takes a boolean. Allows networkd to configure a specific link even
if it has no carrier. Defaults to false.

IgnoreCarrierLoss=
A boolean. Allows networkd to retain both the static and dynamic
configuration of the interface even if its carrier is lost.
Defaults to false.

Xfrm=
The name of the xfrm to create on the link. See systemd.netdev(5).
This option may be specified more than once.

KeepConfiguration=
Takes a boolean or one of "static", "dhcp-on-stop", "dhcp". When
"static", systemd-networkd will not drop static addresses and
routes when starting up. When set to "dhcp-on-stop",
systemd-networkd will not drop addresses and routes on stopping the
daemon. When "dhcp", the addresses and routes provided by a DHCP
server will never be dropped even if the DHCP lease expires. This
is contrary to the DHCP specification, but may be the best choice
if, e.g., the root filesystem relies on this connection. The
setting "dhcp" implies "dhcp-on-stop", and "yes" implies "dhcp" and
"static". Defaults to "dhcp-on-stop".

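Several of the "[Network]" defaults above matter on a link that is not
trusted: LLMNR defaults to true, while DNSSEC=, DNSOverTLS= and
IPv6PrivacyExtensions= default to off. The following Python check is
an added example, not part of systemd: it overlays a file's settings
on the defaults stated on this page and lists what is exposed. The
choice of what to flag is an illustrative policy, and both sample
files are constructed.

```python
TRUE = {"1", "yes", "y", "true", "t", "on"}
FALSE = {"0", "no", "n", "false", "f", "off"}

# Defaults as stated on this page for the [Network] section.
DEFAULTS = {
    "LLMNR": "yes",
    "MulticastDNS": "no",
    "EmitLLDP": "no",
    "DNSSEC": "no",
    "DNSOverTLS": "no",
    "DNSSECNegativeTrustAnchors": "",
    "IPForward": "no",
    "IPMasquerade": "no",
    "IPv6PrivacyExtensions": "no",
}


def canon(value):
    """Fold boolean spellings to yes/no; keep special values such as 'resolve'."""
    lowered = value.strip().lower()
    if lowered in TRUE:
        return "yes"
    if lowered in FALSE:
        return "no"
    return lowered


def effective_network(text):
    """Page defaults overlaid with the [Network] settings found in text."""
    settings, section = dict(DEFAULTS), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Network" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in DEFAULTS:
                settings[key] = canon(value)
    # IPMasquerade= implies IPForward=ipv4.
    if settings["IPMasquerade"] == "yes":
        if settings["IPForward"] == "no":
            settings["IPForward"] = "ipv4"
        elif settings["IPForward"] == "ipv6":
            settings["IPForward"] = "yes"
    return settings


def audit_untrusted_link(text):
    """Map each flagged key to the reason, using the wording of this page."""
    s, findings = effective_network(text), {}
    if s["LLMNR"] == "yes":
        findings["LLMNR"] = "host registration and announcement enabled"
    if s["MulticastDNS"] == "yes":
        findings["MulticastDNS"] = "host and service registration enabled"
    if s["EmitLLDP"] != "no":
        findings["EmitLLDP"] = "host name and machine ID are sent on the link"
    if s["DNSSEC"] != "yes":
        findings["DNSSEC"] = "validation is off or may be turned off automatically"
    if s["DNSOverTLS"] != "yes":
        findings["DNSOverTLS"] = "off, or turned off automatically when unsupported"
    if s["DNSSECNegativeTrustAnchors"]:
        findings["DNSSECNegativeTrustAnchors"] = (
            "no authentication required for: " + s["DNSSECNegativeTrustAnchors"])
    if s["IPForward"] != "no":
        findings["IPForward"] = (
            "global forwarding (%s) is turned on and never turned off again"
            % s["IPForward"])
    if s["IPv6PrivacyExtensions"] == "no":
        findings["IPv6PrivacyExtensions"] = "temporary addresses are not used"
    return findings


# Constructed sample files: a permissive one and a restricted one.
WEAK_NETWORK = """[Match]
Name=wlan0

[Network]
DHCP=yes
EmitLLDP=nearest-bridge
IPMasquerade=yes
DNSSEC=allow-downgrade
"""

HARDENED_NETWORK = """[Match]
Name=wlan0

[Network]
DHCP=yes
LLMNR=false
DNSSEC=true
DNSOverTLS=yes
IPv6PrivacyExtensions=yes
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_NETWORK), ("hardened", HARDENED_NETWORK)):
        print(label)
        for key, reason in sorted(audit_untrusted_link(text).items()):
            print("   ", key + ":", reason)
```
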
631 An "[Address]" section accepts the following keys. Specify several
632 "[Address]" sections to configure several addresses.
633
634 Address=
635 As in the "[Network]" section. This key is mandatory. Each
636 "[Address]" section can contain one Address= setting.
637
638 Peer=
639 The peer address in a point-to-point connection. Accepts the same
640 format as the Address= key.
641
642 Broadcast=
643 The broadcast address, which must be in the format described in
644 inet_pton(3). This key only applies to IPv4 addresses. If it is not
645 given, it is derived from the Address= key.
646
647 Label=
648 An address label.
649
650 PreferredLifetime=
651 Allows the default "preferred lifetime" of the address to be
652 overridden. Only three settings are accepted: "forever" or
653 "infinity" which is the default and means that the address never
654 expires, and "0" which means that the address is considered
655 immediately "expired" and will not be used, unless explicitly
656 requested. A setting of PreferredLifetime=0 is useful for addresses
657 which are added to be used only by a specific application, which is
658 then configured to use them explicitly.
659
660 Scope=
661 The scope of the address, which can be "global", "link" or "host"
662 or an unsigned integer ranges 0 to 255. Defaults to "global".
663
664 HomeAddress=
665 Takes a boolean. Designates this address the "home address" as
666 defined in RFC 6275[9]. Supported only on IPv6. Defaults to false.
667
668 DuplicateAddressDetection=
669 Takes a boolean. Do not perform Duplicate Address Detection RFC
670 4862[10] when adding this address. Supported only on IPv6. Defaults
671 to false.
672
673 ManageTemporaryAddress=
674 Takes a boolean. If true the kernel manage temporary addresses
675 created from this one as template on behalf of Privacy Extensions
676 RFC 3041[11]. For this to become active, the use_tempaddr sysctl
677 setting has to be set to a value greater than zero. The given
678 address needs to have a prefix length of 64. This flag allows to
679 use privacy extensions in a manually configured network, just like
680 if stateless auto-configuration was active. Defaults to false.
681
682 PrefixRoute=
683 Takes a boolean. When adding or modifying an IPv6 address, the
684 userspace application needs a way to suppress adding a prefix
685 route. This is for example relevant together with
686 IFA_F_MANAGETEMPADDR, where userspace creates autoconf generated
687 addresses, but depending on on-link, no route for the prefix should
688 be added. Defaults to false.
689
690 AutoJoin=
691 Takes a boolean. Joining a multicast group at the Ethernet level via
692 the ip maddr command does not work if an Ethernet switch is doing
693 IGMP snooping, since the switch does not replicate multicast
694 packets on ports that did not have IGMP reports for the multicast
695 addresses. Linux vxlan interfaces created via ip link add vxlan or
696 networkd's netdev kind vxlan have the group option that enables
697 them to do the required join. Extending the ip address command with
698 the option "autojoin" provides similar functionality for openvswitch
699 (OVS) vxlan interfaces as well as other tunneling mechanisms that
700 need to receive multicast traffic. Defaults to "no".
701
703 A "[Neighbor]" section accepts the following keys. The neighbor section
704 adds a permanent, static entry to the neighbor table (IPv6) or ARP
705 table (IPv4) for the given hardware address on the links matched for
706 the network. Specify several "[Neighbor]" sections to configure several
707 static neighbors.
708
709 Address=
710 The IP address of the neighbor.
711
712 LinkLayerAddress=
713 The link layer address (MAC address or IP address) of the neighbor.
714
716 An "[IPv6AddressLabel]" section accepts the following keys. Specify
717 several "[IPv6AddressLabel]" sections to configure several address
718 labels. IPv6 address labels are used for address selection. See RFC
719 3484[12]. Precedence is managed by userspace, and only the label itself
720 is stored in the kernel.
721
722 Label=
723 The label for the prefix, an unsigned integer in the range 0 to
724 4294967294. 0xffffffff is reserved. This key is mandatory.
725
726 Prefix=
727 IPv6 prefix is an address with a prefix length, separated by a
728 slash "/" character. This key is mandatory.
729
731 An "[RoutingPolicyRule]" section accepts the following keys. Specify
732 several "[RoutingPolicyRule]" sections to configure several rules.
733
734 TypeOfService=
735 Specifies the type of service to match, a number between 0 and 255.
736
737 From=
738 Specifies the source address prefix to match. Possibly followed by
739 a slash and the prefix length.
740
741 To=
742 Specifies the destination address prefix to match. Possibly
743 followed by a slash and the prefix length.
744
745 FirewallMark=
746 Specifies the iptables firewall mark value to match (a number
747 between 1 and 4294967295).
748
749 Table=
750 Specifies the routing table identifier to look up if the rule
751 selector matches. Takes one of "default", "main", and "local", or a
752 number between 1 and 4294967295. Defaults to "main".
753
754 Priority=
755 Specifies the priority of this rule. Priority= is an unsigned
756 integer. Higher number means lower priority, and rules get
757 processed in order of increasing number.
758
759 IncomingInterface=
760 Specifies incoming device to match. If the interface is loopback,
761 the rule only matches packets originating from this host.
762
763 OutgoingInterface=
764 Specifies the outgoing device to match. The outgoing interface is
765 only available for packets originating from local sockets that are
766 bound to a device.
767
768 SourcePort=
769 Specifies the source IP port or IP port range match in forwarding
770 information base (FIB) rules. A port range is specified by the
771 lower and upper port separated by a dash. Defaults to unset.
772
773 DestinationPort=
774 Specifies the destination IP port or IP port range match in
775 forwarding information base (FIB) rules. A port range is specified
776 by the lower and upper port separated by a dash. Defaults to unset.
777
778 IPProtocol=
779 Specifies the IP protocol to match in forwarding information base
780 (FIB) rules. Takes IP protocol name such as "tcp", "udp" or "sctp",
781 or IP protocol number such as "6" for "tcp" or "17" for "udp".
782 Defaults to unset.
783
784 InvertRule=
785 A boolean. Specifies whether the rule is to be inverted. Defaults to
786 false.
787
788 Family=
789 Takes a special value "ipv4", "ipv6", or "both". By default, the
790 address family is determined by the address specified in To= or
791 From=. If neither To= nor From= is specified, then defaults to
792 "ipv4".
793
795 The "[Route]" section accepts the following keys. Specify several
796 "[Route]" sections to configure several routes.
797
798 Gateway=
799 As in the "[Network]" section.
800
801 GatewayOnLink=
802 Takes a boolean. If set to true, the kernel does not have to check
803 if the gateway is reachable directly by the current machine (i.e.,
804 the kernel does not need to check if the gateway is attached to the
805 local network), so that the route can be inserted into the kernel
806 table without the kernel complaining about it. Defaults to "no".
807
808 Destination=
809 The destination prefix of the route. Possibly followed by a slash
810 and the prefix length. If omitted, a full-length host route is
811 assumed.
812
813 Source=
814 The source prefix of the route. Possibly followed by a slash and
815 the prefix length. If omitted, a full-length host route is assumed.
816
817 Metric=
818 The metric of the route (an unsigned integer).
819
820 IPv6Preference=
821 Specifies the route preference as defined in RFC4191[13] for Router
822 Discovery messages. Takes one of "low" (the route has the lowest
823 priority), "medium" (the route has the default priority) or "high"
824 (the route has the highest priority).
825
826 Scope=
827 The scope of the route, which can be "global", "link" or "host".
828 Defaults to "global".
829
830 PreferredSource=
831 The preferred source address of the route. The address must be in
832 the format described in inet_pton(3).
833
834 Table=num
835 The table identifier for the route (a number between 1 and
836 4294967295, or 0 to unset). The table can be retrieved using ip
837 route show table num.
838
839 Protocol=
840 The protocol identifier for the route. Takes a number between 0 and
841 255 or the special values "kernel", "boot", "static", "ra" and
842 "dhcp". Defaults to "static".
843
844 Type=
845 Specifies the type for the route. Takes one of "unicast", "local",
846 "broadcast", "anycast", "multicast", "blackhole", "unreachable",
847 "prohibit", "throw", "nat", and "xresolve". If "unicast", a regular
848 route is defined, i.e. a route indicating the path to take to a
849 destination network address. If "blackhole", packets to the defined
850 route are discarded silently. If "unreachable", packets to the
851 defined route are discarded and the ICMP message "Host Unreachable"
852 is generated. If "prohibit", packets to the defined route are
853 discarded and the ICMP message "Communication Administratively
854 Prohibited" is generated. If "throw", route lookup in the current
855 routing table will fail and the route selection process will return
856 to Routing Policy Database (RPDB). Defaults to "unicast".
857
858 InitialCongestionWindow=
859 The TCP initial congestion window is used during the start of a TCP
860 connection. During the start of a TCP session, when a client
861 requests a resource, the server's initial congestion window
862 determines how many data bytes will be sent during the initial
863 burst of data. Takes a size in bytes between 1 and 4294967295 (2^32
864 - 1). The usual suffixes K, M, G are supported and are understood
865 to the base of 1024. When unset, the kernel's default will be used.
866
867 InitialAdvertisedReceiveWindow=
868 The TCP initial advertised receive window is the amount of receive
869 data (in bytes) that can initially be buffered at one time on a
870 connection. The sending host can send only that amount of data
871 before waiting for an acknowledgment and window update from the
872 receiving host. Takes a size in bytes between 1 and 4294967295
873 (2^32 - 1). The usual suffixes K, M, G are supported and are
874 understood to the base of 1024. When unset, the kernel's default
875 will be used.
876
877 QuickAck=
878 Takes a boolean. When true enables TCP quick ack mode for the
879 route. When unset, the kernel's default will be used.
880
881 FastOpenNoCookie=
882 Takes a boolean. When true enables TCP fastopen without a cookie on
883 a per-route basis. When unset, the kernel's default will be used.
884
885 TTLPropagate=
886 Takes a boolean. When true enables TTL propagation at Label
887 Switched Path (LSP) egress. When unset, the kernel's default will
888 be used.
889
890 MTUBytes=
891 The maximum transmission unit in bytes to set for the route. The
892 usual suffixes K, M, G, are supported and are understood to the
893 base of 1024.
894
895 Note that if IPv6 is enabled on the interface, and the MTU is
896 chosen below 1280 (the minimum MTU for IPv6) it will automatically
897 be increased to this value.
898
900 The "[DHCPv4]" section configures the DHCPv4 client, if it is enabled
901 with the DHCP= setting described above:
902
903 UseDNS=
904 When true (the default), the DNS servers received from the DHCP
905 server will be used and take precedence over any statically
906 configured ones.
907
908 This corresponds to the nameserver option in resolv.conf(5).
909
910 RoutesToDNS=
911 When true, the routes to the DNS servers received from the DHCP
912 server will be configured. When UseDNS= is disabled, this setting
913 is ignored. Defaults to false.
914
915 UseNTP=
916 When true (the default), the NTP servers received from the DHCP
917 server will be used by systemd-timesyncd and take precedence over
918 any statically configured ones.
919
920 UseMTU=
921 When true, the interface maximum transmission unit from the DHCP
922 server will be used on the current link. If MTUBytes= is set, then
923 this setting is ignored. Defaults to false.
924
925 Anonymize=
926 Takes a boolean. When true, the options sent to the DHCP server
927 will follow the RFC 7844[14] (Anonymity Profiles for DHCP Clients)
928 to minimize disclosure of identifying information. Defaults to
929 false.
930
931 This option should only be set to true when MACAddressPolicy= is
932 set to "random" (see systemd.link(5)).
933
934 Note that this configuration will overwrite others. Concretely,
935 the following variables will be ignored: SendHostname=,
936 ClientIdentifier=, UseRoutes=, UseMTU=,
937 VendorClassIdentifier=, UseTimezone=.
938
939 With this option enabled DHCP requests will mimic those generated
940 by Microsoft Windows, in order to reduce the ability to fingerprint
941 and recognize installations. This means DHCP request sizes will
942 grow and lease data will be more comprehensive than normally,
943 though most of the requested data is not actually used.
944
945 SendHostname=
946 When true (the default), the machine's hostname will be sent to the
947 DHCP server. Note that the machine's hostname must consist only of
948 7-bit ASCII lower-case characters and no spaces or dots, and be
949 formatted as a valid DNS domain name. Otherwise, the hostname is
950 not sent even if this is set to true.
951
952 UseHostname=
953 When true (the default), the hostname received from the DHCP server
954 will be set as the transient hostname of the system.
955
956 Hostname=
957 Use this value for the hostname which is sent to the DHCP server,
958 instead of machine's hostname. Note that the specified hostname
959 must consist only of 7-bit ASCII lower-case characters and no
960 spaces or dots, and be formatted as a valid DNS domain name.
961
962 UseDomains=
963 Takes a boolean, or the special value "route". When true, the
964 domain name received from the DHCP server will be used as DNS
965 search domain over this link, similar to the effect of the Domains=
966 setting. If set to "route", the domain name received from the DHCP
967 server will be used for routing DNS queries only, but not for
968 searching, similar to the effect of the Domains= setting when the
969 argument is prefixed with "~". Defaults to false.
970
971 It is recommended to enable this option only on trusted networks,
972 as setting this affects resolution of all host names, in particular
973 of single-label names. It is generally safer to use the supplied
974 domain only as routing domain, rather than as search domain, in
975 order to not have it affect local resolution of single-label names.
976
977 When set to true, this setting corresponds to the domain option in
978 resolv.conf(5).
979
980 UseRoutes=
981 When true (the default), the static routes will be requested from
982 the DHCP server and added to the routing table with a metric of
983 1024, and a scope of "global", "link" or "host", depending on the
984 route's destination and gateway. If the destination is on the local
985 host, e.g., 127.x.x.x, or the same as the link's own address, the
986 scope will be set to "host". Otherwise if the gateway is null (a
987 direct route), a "link" scope will be used. For anything else,
988 scope defaults to "global".
989
990 UseTimezone=
991 When true, the timezone received from the DHCP server will be set
992 as timezone of the local system. Defaults to "no".
993
994 ClientIdentifier=
995 The DHCPv4 client identifier to use. Takes one of "mac", "duid" or
996 "duid-only". If set to "mac", the MAC address of the link is used.
997 If set to "duid", an RFC4361-compliant Client ID, which is the
998 combination of IAID and DUID (see below), is used. If set to
999 "duid-only", only DUID is used; this may not be RFC compliant, but
1000 some setups may require it. Defaults to "duid".
1001
1002 VendorClassIdentifier=
1003 The vendor class identifier used to identify vendor type and
1004 configuration.
1005
1006 UserClass=
1007 A DHCPv4 client can use UserClass option to identify the type or
1008 category of user or applications it represents. The information
1009 contained in this option is a string that represents the user class
1010 of which the client is a member. Each class sets an identifying
1011 string of information to be used by the DHCP service to classify
1012 clients. Takes a whitespace-separated list of strings.
1013
1014 MaxAttempts=
1015 Specifies how many times the DHCPv4 client configuration should be
1016 attempted. Takes a number or "infinity". Defaults to "infinity".
1017 Note that the time between retries is increased exponentially, so
1018 the network will not be overloaded even if this number is high.
1019
1020 DUIDType=
1021 Override the global DUIDType setting for this network. See
1022 networkd.conf(5) for a description of possible values.
1023
1024 DUIDRawData=
1025 Override the global DUIDRawData setting for this network. See
1026 networkd.conf(5) for a description of possible values.
1027
1028 IAID=
1029 The DHCP Identity Association Identifier (IAID) for the interface,
1030 a 32-bit unsigned integer.
1031
1032 RequestBroadcast=
1033 Request the server to use broadcast messages before the IP address
1034 has been configured. This is necessary for devices that cannot
1035 receive RAW packets, or that cannot receive packets at all before
1036 an IP address has been configured. On the other hand, this must not
1037 be enabled on networks where broadcasts are filtered out.
1038
1039 RouteMetric=
1040 Set the routing metric for routes specified by the DHCP server.
1041
1042 RouteTable=num
1043 The table identifier for DHCP routes (a number between 1 and
1044 4294967295, or 0 to unset). The table can be retrieved using ip
1045 route show table num.
1046
1047 When used in combination with VRF= the VRF's routing table is used
1048 unless this parameter is specified.
1049
1050 ListenPort=
1051 Sets a custom port for the DHCP client to listen on.
1052
1053 SendRelease=
1054 When true, the DHCPv4 client sends a DHCP release packet when it
1055 stops. Defaults to false.
1056
1057 BlackList=
1058 A whitespace-separated list of IPv4 addresses. DHCP offers from
1059 servers in the list are rejected.
1060
1062 The "[DHCPv6]" section configures the DHCPv6 client, if it is enabled
1063 with the DHCP= setting described above, or invoked by the IPv6 Router
1064 Advertisement:
1065
1066 UseDNS=, UseNTP=
1067 As in the "[DHCPv4]" section.
1068
1069 RapidCommit=
1070 Takes a boolean. The DHCPv6 client can obtain configuration
1071 parameters from a DHCPv6 server through a rapid two-message
1072 exchange (solicit and reply). When the rapid commit option is
1073 enabled by both the DHCPv6 client and the DHCPv6 server, the
1074 two-message exchange is used, rather than the default four-message
1075 exchange (solicit, advertise, request, and reply). The two-message
1076 exchange provides faster client configuration and is beneficial in
1077 environments in which networks are under a heavy load. See RFC
1078 3315[15] for details. Defaults to true.
1079
1080 ForceDHCPv6PDOtherInformation=
1081 Takes a boolean that enforces DHCPv6 stateful mode when the 'Other
1082 information' bit is set in Router Advertisement messages. By
1083 default setting only the 'O' bit in Router Advertisements makes
1084 DHCPv6 request network information in a stateless manner using a
1085 two-message Information Request and Information Reply message
1086 exchange. RFC 7084[16], requirement WPD-4, updates this behavior
1087 for a Customer Edge router so that stateful DHCPv6 Prefix
1088 Delegation is also requested when only the 'O' bit is set in Router
1089 Advertisements. This option enables such a CE behavior as it is
1090 impossible to automatically distinguish the intention of the 'O'
1091 bit otherwise. By default this option is set to 'false'; enable it
1092 if no prefixes are delegated when the device should be acting as a
1093 CE router.
1094
1096 The "[IPv6AcceptRA]" section configures the IPv6 Router Advertisement
1097 (RA) client, if it is enabled with the IPv6AcceptRA= setting described
1098 above:
1099
1100 UseDNS=
1101 When true (the default), the DNS servers received in the Router
1102 Advertisement will be used and take precedence over any statically
1103 configured ones.
1104
1105 This corresponds to the nameserver option in resolv.conf(5).
1106
1107 UseDomains=
1108 Takes a boolean, or the special value "route". When true, the
1109 domain name received via IPv6 Router Advertisement (RA) will be
1110 used as DNS search domain over this link, similar to the effect of
1111 the Domains= setting. If set to "route", the domain name received
1112 via IPv6 RA will be used for routing DNS queries only, but not for
1113 searching, similar to the effect of the Domains= setting when the
1114 argument is prefixed with "~". Defaults to false.
1115
1116 It is recommended to enable this option only on trusted networks,
1117 as setting this affects resolution of all host names, in particular
1118 of single-label names. It is generally safer to use the supplied
1119 domain only as routing domain, rather than as search domain, in
1120 order to not have it affect local resolution of single-label names.
1121
1122 When set to true, this setting corresponds to the domain option in
1123 resolv.conf(5).
1124
1125 RouteTable=num
1126 The table identifier for the routes received in the Router
1127 Advertisement (a number between 1 and 4294967295, or 0 to unset).
1128 The table can be retrieved using ip route show table num.
1129
1130 UseAutonomousPrefix=
1131 When true (the default), the autonomous prefix received in the
1132 Router Advertisement will be used and take precedence over any
1133 statically configured ones.
1134
1135 UseOnLinkPrefix=
1136 When true (the default), the onlink prefix received in the Router
1137 Advertisement will be used and take precedence over any statically
1138 configured ones.
1139
1140 BlackList=
1141 A whitespace-separated list of IPv6 prefixes. IPv6 prefixes
1142 supplied via router advertisements in the list are ignored.
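
The trust-related caveats in the "[DHCPv4]" and "[IPv6AcceptRA]" sections above (UseDomains=, UseDNS= precedence over static servers, keys ignored under Anonymize=, UseTimezone=) can be checked mechanically. The following lint is an added example, not part of systemd; the function names and sample files are constructed here, and it reads one file only, without merging drop-ins or same-named files from other directories.

```python
# Added example: lint one .network file against the caveats documented above.

# Keys the page lists as ignored once Anonymize= is true.
ANONYMIZE_IGNORES = ("SendHostname", "ClientIdentifier", "UseRoutes",
                     "UseMTU", "VendorClassIdentifier", "UseTimezone")
TRUE = {"1", "yes", "y", "true", "t", "on"}
FALSE = {"0", "no", "n", "false", "f", "off"}

# Constructed sample inputs (not taken from any real host).
SAMPLE = """\
[Match]
Name=wlan0

[Network]
DHCP=yes
DNS=192.0.2.53

[DHCPv4]
UseDomains=yes
Anonymize=true
SendHostname=no
UseTimezone=yes

[IPv6AcceptRA]
UseDomains=route
"""

HARDENED = """\
[Match]
Name=wlan0

[Network]
DHCP=yes
DNS=192.0.2.53

[DHCPv4]
UseDNS=no
UseDomains=route

[IPv6AcceptRA]
UseDNS=no
UseDomains=route
"""


def parse_network(text):
    """Return a list of (section, {key: value}) pairs.

    Sections such as [Route] may repeat, so every header starts a new entry
    instead of being merged the way configparser would merge them.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def as_bool(value, default):
    """Map a boolean string to True/False; other values (e.g. "route") pass through."""
    if value is None:
        return default
    low = value.lower()
    if low in TRUE:
        return True
    if low in FALSE:
        return False
    return low


def lint(text):
    """Return (section, key, message) findings for the client-side sections."""
    sections = parse_network(text)
    static_dns = any(name == "Network" and "DNS" in keys for name, keys in sections)
    findings = []
    for name, keys in sections:
        if name not in ("DHCPv4", "IPv6AcceptRA"):
            continue
        # UseDomains= defaults to false; "route" is the safer non-default.
        if as_bool(keys.get("UseDomains"), False) is True:
            findings.append((name, "UseDomains",
                             "received domain becomes a search domain; use 'route' unless the network is trusted"))
        # UseDNS= defaults to true and then overrides static DNS= entries.
        if static_dns and as_bool(keys.get("UseDNS"), True) is True:
            findings.append((name, "UseDNS",
                             "received DNS servers take precedence over the static DNS= entries"))
        if name != "DHCPv4":
            continue
        if as_bool(keys.get("Anonymize"), False) is True:
            for key in ANONYMIZE_IGNORES:
                if key in keys:
                    findings.append((name, key, "ignored because Anonymize= is true"))
        elif as_bool(keys.get("UseTimezone"), False) is True:
            findings.append((name, "UseTimezone", "DHCP server sets the system timezone"))
    return findings


if __name__ == "__main__":
    for section, key, message in lint(SAMPLE):
        print(f"[{section}] {key}=: {message}")
```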
1143
1145 The "[DHCPServer]" section contains settings for the DHCP server, if
1146 enabled via the DHCPServer= option described above:
1147
1148 PoolOffset=, PoolSize=
1149 Configures the pool of addresses to hand out. The pool is a
1150 contiguous sequence of IP addresses in the subnet configured for
1151 the server address, which does not include the subnet nor the
1152 broadcast address. PoolOffset= takes the offset of the pool from
1153 the start of subnet, or zero to use the default value. PoolSize=
1154 takes the number of IP addresses in the pool or zero to use the
1155 default value. By default, the pool starts at the first address
1156 after the subnet address and takes up the rest of the subnet,
1157 excluding the broadcast address. If the pool includes the server
1158 address (the default), this is reserved and not handed out to
1159 clients.
1160
1161 DefaultLeaseTimeSec=, MaxLeaseTimeSec=
1162 Control the default and maximum DHCP lease time to pass to clients.
1163 These settings take time values in seconds or another common time
1164 unit, depending on the suffix. The default lease time is used for
1165 clients that did not ask for a specific lease time. If a client
1166 asks for a lease time longer than the maximum lease time, it is
1167 automatically shortened to the specified time. The default lease
1168 time defaults to 1h, the maximum lease time to 12h. Shorter lease
1169 times are beneficial if the configuration data in DHCP leases
1170 changes frequently and clients shall learn the new settings with
1171 shorter latencies. Longer lease times reduce the generated DHCP
1172 network traffic.
1173
1174 EmitDNS=, DNS=
1175 Takes a boolean. Configures whether the DHCP leases handed out to
1176 clients shall contain DNS server information. Defaults to "yes".
1177 The DNS servers to pass to clients may be configured with the DNS=
1178 option, which takes a list of IPv4 addresses. If the EmitDNS=
1179 option is enabled but no servers configured, the servers are
1180 automatically propagated from an "uplink" interface that has
1181 appropriate servers set. The "uplink" interface is determined by
1182 the default route of the system with the highest priority. Note
1183 that this information is acquired at the time the lease is handed
1184 out, and does not take uplink interfaces into account that acquire
1185 DNS or NTP server information at a later point. DNS server
1186 propagation does not take /etc/resolv.conf into account. Also, note
1187 that the leases are not refreshed if the uplink network
1188 configuration changes. To ensure clients regularly acquire the most
1189 current uplink DNS server information, it is thus advisable to
1190 shorten the DHCP lease time via MaxLeaseTimeSec= described above.
1191
1192 EmitNTP=, NTP=
1193 Similar to the EmitDNS= and DNS= settings described above, these
1194 settings configure whether and what NTP server information shall be
1195 emitted as part of the DHCP lease. The same syntax, propagation
1196 semantics and defaults apply as for EmitDNS= and DNS=.
1197
1198 EmitRouter=
1199 Similar to the EmitDNS= setting described above, this setting
1200 configures whether the DHCP lease should contain the router option.
1201 The same syntax, propagation semantics and defaults apply as for
1202 EmitDNS=.
1203
1204 EmitTimezone=, Timezone=
1205 Takes a boolean. Configures whether the DHCP leases handed out to
1206 clients shall contain timezone information. Defaults to "yes". The
1207 Timezone= setting takes a timezone string (such as "Europe/Berlin"
1208 or "UTC") to pass to clients. If no explicit timezone is set, the
1209 system timezone of the local host is propagated, as determined by
1210 the /etc/localtime symlink.
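
The PoolOffset= and PoolSize= rules above determine exactly which addresses this server can lease, which is useful when reviewing observed addresses on the segment. The following is an added example that models the page's description and is not networkd's own code; the function names and the sample addresses are constructed here, and rejecting a pool that does not fit the subnet is an assumption.

```python
# Added example: compute the lease pool as described for PoolOffset=/PoolSize=.
import ipaddress


def dhcp_pool(server, pool_offset=0, pool_size=0):
    """Return (first, last, leasable) for a server address such as "192.0.2.1/24".

    first/last are strings; leasable is the number of addresses clients can get.
    """
    if pool_offset < 0 or pool_size < 0:
        raise ValueError("PoolOffset= and PoolSize= must not be negative")
    iface = ipaddress.IPv4Interface(server)
    net = iface.network
    # The subnet address and the broadcast address are never part of the pool.
    hosts = net.num_addresses - 2
    if hosts < 1:
        raise ValueError("subnet has no host addresses to hand out")
    # Zero selects the default: start right after the subnet address ...
    offset = pool_offset or 1
    if offset > hosts:
        raise ValueError("PoolOffset= lies beyond the last host address")
    # ... and take up the rest of the subnet, excluding broadcast.
    size = pool_size or hosts - offset + 1
    # Assumption: a pool that does not fit is rejected; the page does not say
    # how networkd reports this case.
    if offset + size - 1 > hosts:
        raise ValueError("pool extends past the last host address")
    first = net.network_address + offset
    last = first + size - 1
    # The server's own address is reserved if it falls inside the pool.
    reserved = 1 if first <= iface.ip <= last else 0
    return str(first), str(last), size - reserved


def not_leasable(server, observed, pool_offset=0, pool_size=0):
    """Return the observed addresses this server could not have leased."""
    iface = ipaddress.IPv4Interface(server)
    first, last, _ = dhcp_pool(server, pool_offset, pool_size)
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    result = []
    for text in observed:
        addr = ipaddress.IPv4Address(text)
        if addr == iface.ip or not lo <= addr <= hi:
            result.append(text)
    return result


if __name__ == "__main__":
    print(dhcp_pool("192.0.2.1/24"))
    print(dhcp_pool("192.0.2.1/24", pool_offset=100, pool_size=50))
    # Constructed observations from the segment.
    print(not_leasable("192.0.2.1/24", ["192.0.2.120", "192.0.2.200"], 100, 50))
```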
1211
1213 The "[IPv6PrefixDelegation]" section contains settings for sending IPv6
1214 Router Advertisements and whether to act as a router, if enabled via
1215 the IPv6PrefixDelegation= option described above. IPv6 network prefixes
1216 are defined with one or more "[IPv6Prefix]" sections.
1217
1218 Managed=, OtherInformation=
1219 Takes a boolean. Controls whether a DHCPv6 server is used to
1220 acquire IPv6 addresses on the network link when Managed= is set to
1221 "true" or if only additional network information can be obtained
1222 via DHCPv6 for the network link when OtherInformation= is set to
1223 "true". Both settings default to "false", which means that a DHCPv6
1224 server is not being used.
1225
1226 RouterLifetimeSec=
1227 Takes a timespan. Configures the IPv6 router lifetime in seconds.
1228 If set, this host also announces itself in Router Advertisements as
1229 an IPv6 router for the network link. When unset, the host is not
1230 acting as a router.
1231
1232 RouterPreference=
1233 Configures IPv6 router preference if RouterLifetimeSec= is
1234 non-zero. Valid values are "high", "medium" and "low", with
1235 "normal" and "default" added as synonyms for "medium" just to make
1236 configuration easier. See RFC 4191[13] for details. Defaults to
1237 "medium".
1238
1239 EmitDNS=, DNS=
1240 DNS= specifies a list of recursive DNS server IPv6 addresses that
1241 are distributed via Router Advertisement messages when EmitDNS= is
1242 true. If DNS= is empty, DNS servers are read from the "[Network]"
1243 section. If the "[Network]" section does not contain any DNS
1244 servers either, DNS servers from the uplink with the highest
1245 priority default route are used. When EmitDNS= is false, no DNS
1246 server information is sent in Router Advertisement messages.
1247 EmitDNS= defaults to true.
1248
1249 EmitDomains=, Domains=
1250 A list of DNS search domains distributed via Router Advertisement
1251 messages when EmitDomains= is true. If Domains= is empty, DNS
1252 search domains are read from the "[Network]" section. If the
1253 "[Network]" section does not contain any DNS search domains either,
1254 DNS search domains from the uplink with the highest priority
1255 default route are used. When EmitDomains= is false, no DNS search
1256 domain information is sent in Router Advertisement messages.
1257 EmitDomains= defaults to true.
1258
1259 DNSLifetimeSec=
1260 Lifetime in seconds for the DNS server addresses listed in DNS= and
1261 search domains listed in Domains=.
1262
1264 One or more "[IPv6Prefix]" sections contain the IPv6 prefixes that are
1265 announced via Router Advertisements. See RFC 4861[17] for further
1266 details.
1267
1268 AddressAutoconfiguration=, OnLink=
1269 Takes a boolean to specify whether IPv6 addresses can be
1270 autoconfigured with this prefix and whether the prefix can be used
1271 for onlink determination. Both settings default to "true" in order
1272 to ease configuration.
1273
1274 Prefix=
1275 The IPv6 prefix that is to be distributed to hosts. Similarly to
1276 configuring static IPv6 addresses, the setting is configured as an
1277 IPv6 prefix and its prefix length, separated by a "/" character.
1278 Use multiple "[IPv6Prefix]" sections to configure multiple IPv6
1279 prefixes since prefix lifetimes, address autoconfiguration and
1280 onlink status may differ from one prefix to another.
1281
1282 PreferredLifetimeSec=, ValidLifetimeSec=
1283 Preferred and valid lifetimes for the prefix measured in seconds.
1284 PreferredLifetimeSec= defaults to 604800 seconds (one week) and
1285 ValidLifetimeSec= defaults to 2592000 seconds (30 days).
1286
1288 The "[Bridge]" section accepts the following keys.
1289
1290 UnicastFlood=
1291 Takes a boolean. Controls whether the bridge should flood traffic
1292 for which an FDB entry is missing and the destination is unknown
1293 through this port. When unset, the kernel's default will be used.
1294
1295 MulticastFlood=
1296 Takes a boolean. Controls whether the bridge should flood traffic
1297 for which an MDB entry is missing and the destination is unknown
1298 through this port. When unset, the kernel's default will be used.
1299
1300 MulticastToUnicast=
1301 Takes a boolean. Multicast to unicast works on top of the multicast
1302 snooping feature of the bridge, which means unicast copies are only
1303 delivered to hosts which are interested in them. When unset, the
1304 kernel's default will be used.
1305
1306 NeighborSuppression=
1307 Takes a boolean. Configures whether ARP and ND neighbor suppression
1308 is enabled for this port. When unset, the kernel's default will be
1309 used.
1310
1311 Learning=
1312 Takes a boolean. Configures whether MAC address learning is enabled
1313 for this port. When unset, the kernel's default will be used.
1314
1315 HairPin=
1316 Takes a boolean. Configures whether traffic may be sent back out of
1317 the port on which it was received. When this flag is false, the
1318 bridge will not forward traffic back out of the receiving port.
1319 When unset, the kernel's default will be used.
1320
1321 UseBPDU=
1322 Takes a boolean. Configures whether STP Bridge Protocol Data Units
1323 will be processed by the bridge port. When unset, the kernel's
1324 default will be used.
1325
1326 FastLeave=
1327 Takes a boolean. This flag allows the bridge to immediately stop
1328 multicast traffic on a port that receives an IGMP Leave message. It
1329 is only used with IGMP snooping if enabled on the bridge. When
1330 unset, the kernel's default will be used.
1331
1332 AllowPortToBeRoot=
1333 Takes a boolean. Configures whether a given port is allowed to
1334 become a root port. Only used when STP is enabled on the bridge.
1335 When unset, the kernel's default will be used.
1336
1337 ProxyARP=
1338 Takes a boolean. Configures whether proxy ARP is to be enabled on this
1339 port. When unset, the kernel's default will be used.
1340
1341 ProxyARPWiFi=
1342 Takes a boolean. Configures whether proxy ARP is to be enabled on this
1343 port which meets extended requirements by IEEE 802.11 and Hotspot
1344 2.0 specifications. When unset, the kernel's default will be used.
1345
1346 MulticastRouter=
1347 Configures this port for having multicast routers attached. A port
1348 with a multicast router will receive all multicast traffic. Takes
1349 one of "no" to disable multicast routers on this port, "query" to
1350 let the system detect the presence of routers, "permanent" to
1351 permanently enable multicast traffic forwarding on this port, or
1352 "temporary" to enable multicast routers temporarily on this port,
1353 not depending on incoming queries. When unset, the kernel's default
1354 will be used.
1355
1356 Cost=
1357 Sets the "cost" of sending packets on this interface. Each port in
1358 a bridge may have a different speed and the cost is used to decide
1359 which link to use. Faster interfaces should have lower costs. It is
1360 an integer value between 1 and 65535.
1361
1362 Priority=
1363 Sets the "priority" of sending packets on this interface. Each port
1364 in a bridge may have a different priority which is used to decide
1365 which link to use. Lower value means higher priority. It is an
1366 integer value between 0 and 63. Networkd does not set any default,
1367 meaning the kernel default value of 32 is used.
1368
1370 The "[BridgeFDB]" section manages the forwarding database table of a
1371 port and accepts the following keys. Specify several "[BridgeFDB]"
1372 sections to configure several static MAC table entries.
1373
1374 MACAddress=
1375 As in the "[Network]" section. This key is mandatory.
1376
1377 Destination=
1378 Takes an IP address of the destination VXLAN tunnel endpoint.
1379
1380 VLANId=
1381 The VLAN ID for the new static MAC table entry. If omitted, no VLAN
1382 ID information is appended to the new static MAC table entry.
1383
1384 VNI=
1385 The VXLAN Network Identifier (or VXLAN Segment ID) to use to
1386 connect to the remote VXLAN tunnel endpoint. Takes a number in the
1387 range 1-16777215. Defaults to unset.
1388
1389 AssociatedWith=
1390 Specifies what the address is associated with. Takes one of "use",
1391 "self", "master" or "router". "use" means the address is in use.
1392 User space can use this option to indicate to the kernel that the
1393 fdb entry is in use. "self" means the address is associated with
1394 the port driver's fdb, usually hardware. "master" means the address
1395 is associated with the master device's fdb. "router" means the
1396 destination address is associated with a router. Note that it's
1397 valid if the referenced device is a VXLAN type device and has route
1398 shortcircuit enabled. Defaults to "self".

The "[CAN]" section manages the Controller Area Network (CAN bus) and
accepts the following keys.

BitRate=
The bitrate of the CAN device in bits per second. The usual SI
prefixes (K, M) with the base of 1000 can be used here.

SamplePoint=
Optional sample point in percent with one decimal (e.g. "75%",
"87.5%") or permille (e.g. "875‰").

RestartSec=
Automatic restart delay time. If set to a non-zero value, a restart
of the CAN controller will be triggered automatically in case of a
bus-off condition after the specified delay time. Subsecond delays
can be specified using decimals (e.g. "0.1s") or a "ms" or "us"
postfix. Using "infinity" or "0" will turn the automatic restart
off. By default automatic restart is disabled.

TripleSampling=
Takes a boolean. When "yes", three samples (instead of one) are
used to determine the value of a received bit by majority rule.
When unset, the kernel's default will be used.

The "[BridgeVLAN]" section manages the VLAN ID configuration of a
bridge port and accepts the following keys. Specify several
"[BridgeVLAN]" sections to configure several VLAN entries. The
VLANFiltering= option has to be enabled, see "[Bridge]" section in
systemd.netdev(5).

VLAN=
The VLAN ID allowed on the port. This can be either a single ID or
a range M-N. VLAN IDs are valid from 1 to 4094.

EgressUntagged=
The VLAN ID specified here will be used to untag frames on egress.
Configuring EgressUntagged= implies the use of VLAN= above and
will enable the VLAN ID for ingress as well. This can be either a
single ID or a range M-N.

PVID=
The Port VLAN ID specified here is assigned to all untagged frames
at ingress. PVID= can be used only once. Configuring PVID=
implies the use of VLAN= above and will enable the VLAN ID for
ingress as well.

Example 1. Static network configuration

# /etc/systemd/network/50-static.network
[Match]
Name=enp2s0

[Network]
Address=192.168.0.15/24
Gateway=192.168.0.1

This brings interface "enp2s0" up with a static address. The specified
gateway will be used for a default route.

Example 2. DHCP on ethernet links

# /etc/systemd/network/80-dhcp.network
[Match]
Name=en*

[Network]
DHCP=yes

This will enable DHCPv4 and DHCPv6 on all interfaces with names
starting with "en" (i.e. ethernet interfaces).

Example 3. IPv6 Prefix Delegation

# /etc/systemd/network/55-ipv6-pd-upstream.network
[Match]
Name=enp1s0

[Network]
DHCP=ipv6

# /etc/systemd/network/56-ipv6-pd-downstream.network
[Match]
Name=enp2s0

[Network]
IPv6PrefixDelegation=dhcpv6

This will enable IPv6 PD on the interface enp1s0 as an upstream
interface where the DHCPv6 client is running and enp2s0 as a downstream
interface where the prefix is delegated to.

Example 4. A bridge with two enslaved links

# /etc/systemd/network/25-bridge-static.network
[Match]
Name=bridge0

[Network]
Address=192.168.0.15/24
Gateway=192.168.0.1
DNS=192.168.0.1

# /etc/systemd/network/25-bridge-slave-interface-1.network
[Match]
Name=enp2s0

[Network]
Bridge=bridge0

# /etc/systemd/network/25-bridge-slave-interface-2.network
[Match]
Name=wlp3s0

[Network]
Bridge=bridge0

This creates a bridge and attaches devices "enp2s0" and "wlp3s0" to it.
The bridge will have the specified static address and network assigned,
and a default route via the specified gateway will be added. The
specified DNS server will be added to the global list of DNS resolvers.

Example 5.

# /etc/systemd/network/20-bridge-slave-interface-vlan.network
[Match]
Name=enp2s0

[Network]
Bridge=bridge0

[BridgeVLAN]
VLAN=1-32
PVID=42
EgressUntagged=42

[BridgeVLAN]
VLAN=100-200

[BridgeVLAN]
EgressUntagged=300-400

This overrides the configuration specified in the previous example for
the interface "enp2s0", and enables VLAN on that bridge port. VLAN IDs
1-32, 42, 100-400 will be allowed. Packets tagged with VLAN IDs 42,
300-400 will be untagged when they leave on this interface. Untagged
packets which arrive on this interface will be assigned VLAN ID 42.
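
An added example, not part of this man page or of systemd: a small parser that accumulates the repeated "[BridgeVLAN]" sections of Example 5 into the permitted, egress-untagged and PVID values, which is a convenient way to audit which VLANs a bridge port admits. The function names are assumptions of this example; Python's configparser is avoided because it rejects or merges repeated sections and keeps only the last value of a repeated key.

```python
import re

def parse_ids(value):
    """Expand a single ID or an M-N range into a set of VLAN IDs (1-4094)."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", value.strip())
    lo, hi = (int(m[1]), int(m[2] or m[1])) if m else (0, 0)
    if not 1 <= lo <= hi <= 4094:
        raise ValueError(f"invalid VLAN ID or range: {value!r}")
    return set(range(lo, hi + 1))

def bridge_vlan_policy(text):
    """Return (allowed, untagged, pvid) over all [BridgeVLAN] sections."""
    allowed, untagged, pvid, section = set(), set(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]")  # repeated sections accumulate
        if section != "BridgeVLAN" or "=" not in line or line[0] in "#;":
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "VLAN":
            allowed |= parse_ids(value)
        elif key == "EgressUntagged":
            ids = parse_ids(value)
            untagged |= ids
            allowed |= ids  # EgressUntagged= implies VLAN=
        elif key == "PVID":
            ids = parse_ids(value)
            if pvid is not None or len(ids) != 1:
                raise ValueError("PVID= takes one ID and can be used only once")
            pvid = ids.pop()
            allowed.add(pvid)  # PVID= implies VLAN=
    return allowed, untagged, pvid

# Configuration from Example 5 on this page ([Match] section omitted).
EXAMPLE_5 = """\
[Network]
Bridge=bridge0
[BridgeVLAN]
VLAN=1-32
PVID=42
EgressUntagged=42
[BridgeVLAN]
VLAN=100-200
[BridgeVLAN]
EgressUntagged=300-400
"""
```

For Example 5, bridge_vlan_policy(EXAMPLE_5) returns PVID 42 and the egress-untagged set 42, 300-400.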

Example 6. Various tunnels

# /etc/systemd/network/25-tunnels.network
[Match]
Name=ens1

[Network]
Tunnel=ipip-tun
Tunnel=sit-tun
Tunnel=gre-tun
Tunnel=vti-tun

# /etc/systemd/network/25-tunnel-ipip.netdev
[NetDev]
Name=ipip-tun
Kind=ipip

# /etc/systemd/network/25-tunnel-sit.netdev
[NetDev]
Name=sit-tun
Kind=sit

# /etc/systemd/network/25-tunnel-gre.netdev
[NetDev]
Name=gre-tun
Kind=gre

# /etc/systemd/network/25-tunnel-vti.netdev
[NetDev]
Name=vti-tun
Kind=vti

This will bring interface "ens1" up and create an IPIP tunnel, a SIT
tunnel, a GRE tunnel, and a VTI tunnel using it.

Example 7. A bond device

# /etc/systemd/network/30-bond1.network
[Match]
Name=bond1

[Network]
DHCP=ipv6

# /etc/systemd/network/30-bond1.netdev
[NetDev]
Name=bond1
Kind=bond

# /etc/systemd/network/30-bond1-dev1.network
[Match]
MACAddress=52:54:00:e9:64:41

[Network]
Bond=bond1

# /etc/systemd/network/30-bond1-dev2.network
[Match]
MACAddress=52:54:00:e9:64:42

[Network]
Bond=bond1

This will create a bond device "bond1" and enslave the two devices with
MAC addresses 52:54:00:e9:64:41 and 52:54:00:e9:64:42 to it. IPv6 DHCP
will be used to acquire an address.

Example 8. Virtual Routing and Forwarding (VRF)

Add the "bond1" interface to the VRF master interface "vrf1". This will
redirect routes generated on this interface to be within the routing
table defined during VRF creation. For kernels before 4.8, traffic
won't be redirected towards the VRF's routing table unless specific
ip-rules are added.

# /etc/systemd/network/25-vrf.network
[Match]
Name=bond1

[Network]
VRF=vrf1

Example 9. MacVTap

This brings up a network interface "macvtap-test" and attaches it to
"enp0s25".

# /usr/lib/systemd/network/25-macvtap.network
[Match]
Name=enp0s25

[Network]
MACVTAP=macvtap-test

Example 10. An Xfrm interface with physical underlying device.

# /etc/systemd/network/27-xfrm.netdev
[NetDev]
Name=xfrm0
Kind=xfrm

[Xfrm]
InterfaceId=7

# /etc/systemd/network/27-eth0.network
[Match]
Name=eth0

[Network]
Xfrm=xfrm0

This creates a "xfrm0" interface and binds it to the "eth0" device.
This allows hardware-based IPsec offloading to the "eth0" NIC. If
offloading is not needed, xfrm interfaces can be assigned to the "lo"
device.

systemd(1), systemd-networkd.service(8), systemd.link(5),
systemd.netdev(5), systemd-resolved.service(8)

1. Link-Local Multicast Name Resolution
https://tools.ietf.org/html/rfc4795

2. Multicast DNS
https://tools.ietf.org/html/rfc6762

3. DNS-over-TLS
https://tools.ietf.org/html/rfc7858

4. DNSSEC
https://tools.ietf.org/html/rfc4033

5. IEEE 802.1AB-2016
https://standards.ieee.org/findstds/standard/802.1AB-2016.html

6. ip-sysctl.txt
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

7. RFC 4941
https://tools.ietf.org/html/rfc4941

8. RFC 1027
https://tools.ietf.org/html/rfc1027

9. RFC 6275
https://tools.ietf.org/html/rfc6275

10. RFC 4862
https://tools.ietf.org/html/rfc4862

11. RFC 3041
https://tools.ietf.org/html/rfc3041

12. RFC 3484
https://tools.ietf.org/html/rfc3484

13. RFC 4191
https://tools.ietf.org/html/rfc4191

14. RFC 7844
https://tools.ietf.org/html/rfc7844

15. RFC 3315
https://tools.ietf.org/html/rfc3315#section-17.2.1

16. RFC 7084
https://tools.ietf.org/html/rfc7084

17. RFC 4861
https://tools.ietf.org/html/rfc4861

systemd 243 SYSTEMD.NETWORK(5)