SYSTEMD.NETDEV(5) systemd.network SYSTEMD.NETDEV(5)

systemd.netdev - Virtual Network Device configuration

netdev.netdev

A plain ini-style text file that encodes configuration about a virtual
network device, used by systemd-networkd(8). See systemd.syntax(5) for
a general description of the syntax.

The main Virtual Network Device file must have the extension .netdev;
other extensions are ignored. Virtual network devices are created as
soon as networkd is started. If a netdev with the specified name
already exists, networkd will use that as-is rather than create its
own. Note that the settings of the pre-existing netdev will not be
changed by networkd.

The .netdev files are read from the files located in the system network
directory /usr/lib/systemd/network, the volatile runtime network
directory /run/systemd/network and the local administration network
directory /etc/systemd/network. All configuration files are
collectively sorted and processed in lexical order, regardless of the
directories in which they live. However, files with identical filenames
replace each other. Files in /etc have the highest priority, files in
/run take precedence over files with the same name in /usr/lib. This
can be used to override a system-supplied configuration file with a
local file if needed. As a special case, an empty file (file size 0) or
symlink with the same name pointing to /dev/null disables the
configuration file entirely (it is "masked").

Along with the netdev file foo.netdev, a "drop-in" directory
foo.netdev.d/ may exist. All files with the suffix ".conf" from this
directory will be parsed after the file itself is parsed. This is
useful to alter or add configuration settings, without having to modify
the main configuration file. Each drop-in file must have appropriate
section headers.

In addition to /etc/systemd/network, drop-in ".d" directories can be
placed in /usr/lib/systemd/network or /run/systemd/network directories.
Drop-in files in /etc take precedence over those in /run which in turn
take precedence over those in /usr/lib. Drop-in files under any of
these directories take precedence over the main netdev file wherever
located. (Of course, since /run is temporary and /usr/lib is for
vendors, it is unlikely drop-ins should be used in either of those
places.)

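The lookup rules above (directory priority, same-name replacement, masking and drop-ins) can be checked with a short script when auditing which netdev configuration is actually in effect. This is an added example, not part of the manual page or of systemd; the function names and the sample tree are constructed for illustration, and drop-ins are listed in name order.

```python
import os
import tempfile

# Search directories from lowest to highest priority, as the text lists them.
SEARCH_DIRS = ("usr/lib/systemd/network", "run/systemd/network", "etc/systemd/network")


def is_masked(path):
    """True for an empty file or a symlink pointing to /dev/null."""
    if os.path.islink(path) and os.readlink(path) == "/dev/null":
        return True
    try:
        return os.path.getsize(path) == 0
    except OSError:  # dangling symlink: unreadable, but not a mask
        return False


def resolve(root="/"):
    """Return one record per effective .netdev file name, in lexical order."""
    winners, shadowed, dropins = {}, {}, {}
    for rel in SEARCH_DIRS:  # later directories replace earlier ones
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for entry in sorted(os.listdir(directory)):
            path = os.path.join(directory, entry)
            if entry.endswith(".netdev") and not os.path.isdir(path):
                if entry in winners:
                    shadowed.setdefault(entry, []).append(winners[entry])
                winners[entry] = path
            elif entry.endswith(".netdev.d") and os.path.isdir(path):
                for conf in os.listdir(path):
                    if conf.endswith(".conf"):
                        # Same-named drop-ins replace each other by directory priority.
                        dropins.setdefault(entry[:-2], {})[conf] = os.path.join(path, conf)
    report = []
    for name in sorted(winners):
        found = dropins.get(name, {})
        report.append({
            "name": name,
            "path": winners[name],
            "masked": is_masked(winners[name]),
            "overrides": shadowed.get(name, []),
            "dropins": [found[conf] for conf in sorted(found)],
        })
    return report


def build_demo_tree(root):
    """Constructed sample tree (not taken from the manual page)."""
    files = {
        "usr/lib/systemd/network/10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n",
        "etc/systemd/network/10-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n[Bridge]\nSTP=yes\n",
        "etc/systemd/network/10-br0.netdev.d/50-vlan.conf": "[Bridge]\nVLANFiltering=yes\n",
        "usr/lib/systemd/network/20-vx.netdev": "[NetDev]\nName=vx0\nKind=vxlan\n[VXLAN]\nVNI=42\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write(body)
    # A /run symlink to /dev/null masks the vendor file of the same name.
    os.makedirs(os.path.join(root, "run/systemd/network"), exist_ok=True)
    os.symlink("/dev/null", os.path.join(root, "run/systemd/network/20-vx.netdev"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        build_demo_tree(demo_root)
        for item in resolve(demo_root):
            state = "MASKED" if item["masked"] else "active"
            print(f'{item["name"]}: {state} from {item["path"]}')
            for lower in item["overrides"]:
                print(f"  replaces {lower}")
            for conf in item["dropins"]:
                print(f"  drop-in  {conf}")
```

On a real host, call resolve() with the default root to see which files are replaced or masked before trusting the contents of a vendor-supplied .netdev file.
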
The following kinds of virtual network devices may be configured in
.netdev files:

Table 1. Supported kinds of virtual network devices

Kind       Description
bond       A bond device is an aggregation of all its slave devices. See
           Linux Ethernet Bonding Driver HOWTO[1] for details.
bridge     A bridge device is a software switch, and each of its slave
           devices and the bridge itself are ports of the switch.
dummy      A dummy device drops all packets sent to it.
gre        A Level 3 GRE tunnel over IPv4. See RFC 2784[2] for details.
gretap     A Level 2 GRE tunnel over IPv4.
erspan     ERSPAN mirrors traffic on one or more source ports and
           delivers the mirrored traffic to one or more destination
           ports on another switch. The traffic is encapsulated in
           generic routing encapsulation (GRE) and is therefore routable
           across a layer 3 network between the source switch and the
           destination switch.
ip6gre     A Level 3 GRE tunnel over IPv6.
ip6tnl     An IPv4 or IPv6 tunnel over IPv6.
ip6gretap  A Level 2 GRE tunnel over IPv6.
ipip       An IPv4 over IPv4 tunnel.
ipvlan     An ipvlan device is a stacked device which receives packets
           from its underlying device based on IP address filtering.
ipvtap     An ipvtap device is a stacked device which receives packets
           from its underlying device based on IP address filtering and
           can be accessed using the tap user space interface.
macvlan    A macvlan device is a stacked device which receives packets
           from its underlying device based on MAC address filtering.
macvtap    A macvtap device is a stacked device which receives packets
           from its underlying device based on MAC address filtering.
sit        An IPv6 over IPv4 tunnel.
tap        A persistent Level 2 tunnel between a network device and a
           device node.
tun        A persistent Level 3 tunnel between a network device and a
           device node.
veth       An Ethernet tunnel between a pair of network devices.
vlan       A VLAN is a stacked device which receives packets from its
           underlying device based on VLAN tagging. See IEEE 802.1Q[3]
           for details.
vti        An IPv4 over IPSec tunnel.
vti6       An IPv6 over IPSec tunnel.
vxlan      A virtual extensible LAN (vxlan), for connecting Cloud
           computing deployments.
geneve     A GEneric NEtwork Virtualization Encapsulation (GENEVE)
           netdev driver.
l2tp       A Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol
           used to support virtual private networks (VPNs) or as part of
           the delivery of services by ISPs. It does not provide any
           encryption or confidentiality by itself.
macsec     Media Access Control Security (MACsec) is an 802.1AE IEEE
           industry-standard security technology that provides secure
           communication for all traffic on Ethernet links. MACsec
           provides point-to-point security on Ethernet links between
           directly connected nodes and is capable of identifying and
           preventing most security threats.
vrf        A Virtual Routing and Forwarding (VRF[4]) interface to create
           separate routing and forwarding domains.
vcan       The virtual CAN driver (vcan). Similar to the network
           loopback devices, vcan offers a virtual local CAN interface.
vxcan      The virtual CAN tunnel driver (vxcan). Similar to the virtual
           ethernet driver veth, vxcan implements a local CAN traffic
           tunnel between two virtual CAN network devices. When creating
           a vxcan, two vxcan devices are created as pair. When one end
           receives the packet it appears on its pair and vice versa.
           The vxcan can be used for cross namespace communication.
wireguard  WireGuard Secure Network Tunnel.
netdevsim  A simulator. This simulated networking device is used for
           testing various networking APIs and at this time is
           particularly focused on testing hardware offloading related
           interfaces.
nlmon      A Netlink monitor device. Use an nlmon device when you want
           to monitor system Netlink messages.
fou        Foo-over-UDP tunneling.
xfrm       A virtual tunnel interface like vti/vti6 but with several
           advantages.
ifb        The Intermediate Functional Block (ifb) pseudo network
           interface acts as a QoS concentrator for multiple different
           sources of traffic.

A virtual network device is only created if the "[Match]" section
matches the current environment, or if the section is empty. The
following keys are accepted:

Host=
    Matches against the hostname or machine ID of the host. See
    "ConditionHost=" in systemd.unit(5) for details. When prefixed with
    an exclamation mark ("!"), the result is negated. If an empty
    string is assigned, then the previously assigned value is cleared.

Virtualization=
    Checks whether the system is executed in a virtualized environment
    and optionally tests whether it is a specific implementation. See
    "ConditionVirtualization=" in systemd.unit(5) for details. When
    prefixed with an exclamation mark ("!"), the result is negated. If
    an empty string is assigned, then the previously assigned value is
    cleared.

KernelCommandLine=
    Checks whether a specific kernel command line option is set. See
    "ConditionKernelCommandLine=" in systemd.unit(5) for details. When
    prefixed with an exclamation mark ("!"), the result is negated. If
    an empty string is assigned, then the previously assigned value is
    cleared.

KernelVersion=
    Checks whether the kernel version (as reported by uname -r) matches
    a certain expression. See "ConditionKernelVersion=" in
    systemd.unit(5) for details. When prefixed with an exclamation mark
    ("!"), the result is negated. If an empty string is assigned, then
    the previously assigned value is cleared.

Architecture=
    Checks whether the system is running on a specific architecture.
    See "ConditionArchitecture=" in systemd.unit(5) for details. When
    prefixed with an exclamation mark ("!"), the result is negated. If
    an empty string is assigned, then the previously assigned value is
    cleared.

The "[NetDev]" section accepts the following keys:

Description=
    A free-form description of the netdev.

Name=
    The interface name used when creating the netdev. This option is
    compulsory.

Kind=
    The netdev kind. This option is compulsory. See the "Supported
    netdev kinds" section for the valid keys.

MTUBytes=
    The maximum transmission unit in bytes to set for the device. The
    usual suffixes K, M, G, are supported and are understood to the
    base of 1024. For "tun" or "tap" devices, the MTUBytes= setting is
    not currently supported in the "[NetDev]" section. Please specify
    it in the "[Link]" section of the corresponding systemd.network(5)
    files.

MACAddress=
    The MAC address to use for the device. For "tun" or "tap" devices,
    setting MACAddress= in the "[NetDev]" section is not supported.
    Please specify it in the "[Link]" section of the corresponding
    systemd.network(5) file. If this option is not set, "vlan" devices
    inherit the MAC address of the physical interface. For other kinds
    of netdevs, if this option is not set, then the MAC address is
    generated based on the interface name and the machine-id(5).

The "[Bridge]" section only applies for netdevs of kind "bridge", and
accepts the following keys:

HelloTimeSec=
    HelloTimeSec specifies the number of seconds between two hello
    packets sent out by the root bridge and the designated bridges.
    Hello packets are used to communicate information about the
    topology throughout the entire bridged local area network.

MaxAgeSec=
    MaxAgeSec specifies the number of seconds of maximum message age.
    If the last seen (received) hello packet is more than this number
    of seconds old, the bridge in question will start the takeover
    procedure in an attempt to become the Root Bridge itself.

ForwardDelaySec=
    ForwardDelaySec specifies the number of seconds spent in each of
    the Listening and Learning states before the Forwarding state is
    entered.

AgeingTimeSec=
    This specifies the number of seconds a MAC Address will be kept in
    the forwarding database after having a packet received from this
    MAC Address.

Priority=
    The priority of the bridge. An integer between 0 and 65535. A lower
    value means higher priority. The bridge having the lowest priority
    will be elected as root bridge.

GroupForwardMask=
    A 16-bit bitmask represented as an integer which allows forwarding
    of link local frames with 802.1D reserved addresses
    (01:80:C2:00:00:0X). A logical AND is performed between the
    specified bitmask and the exponentiation of 2^X, where X is the
    lower nibble of the last octet of the MAC address. For example, a
    value of 8 would allow forwarding of frames addressed to
    01:80:C2:00:00:03 (802.1X PAE).

DefaultPVID=
    This specifies the default port VLAN ID of a newly attached bridge
    port. Set this to an integer in the range 1–4094 or "none" to
    disable the PVID.

MulticastQuerier=
    Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER
    option in the kernel. If enabled, the kernel will send general ICMP
    queries from a zero source address. This feature should allow
    faster convergence on startup, but it causes some multicast-aware
    switches to misbehave and disrupt forwarding of multicast packets.
    When unset, the kernel's default will be used.

MulticastSnooping=
    Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING
    option in the kernel. If enabled, IGMP snooping monitors the
    Internet Group Management Protocol (IGMP) traffic between hosts and
    multicast routers. When unset, the kernel's default will be used.

VLANFiltering=
    Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING
    option in the kernel. If enabled, the bridge will be started in
    VLAN-filtering mode. When unset, the kernel's default will be used.

STP=
    Takes a boolean. This enables the bridge's Spanning Tree Protocol
    (STP). When unset, the kernel's default will be used.

MulticastIGMPVersion=
    Allows changing the bridge's multicast Internet Group Management
    Protocol (IGMP) version. Takes an integer 2 or 3. When unset, the
    kernel's default will be used.

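The GroupForwardMask= arithmetic above, as an added example (not part of the manual page or of systemd): it decodes a mask into the 01:80:C2:00:00:0X addresses it would forward and builds a mask from a list of addresses, which helps when reviewing whether a bridge passes link-local control frames such as 802.1X or LLDP. The function names and protocol labels are this example's own; the restricted low three bits reflect the Linux bridge driver, which refuses masks that would forward STP, PAUSE and LACP frames.

```python
# Well-known uses of the 802.1D reserved addresses, keyed by the nibble X.
KNOWN_USES = {
    0x0: "Spanning Tree (bridge group address)",
    0x1: "MAC Control / PAUSE",
    0x2: "Slow protocols (LACP)",
    0x3: "802.1X PAE",
    0xE: "LLDP",
}
# Bits the Linux bridge driver rejects in a group forward mask (STP, PAUSE, LACP).
KERNEL_RESTRICTED = 0x0007


def decode_mask(mask):
    """List (address, use) for every bit X set in the 16-bit mask."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("GroupForwardMask= is a 16-bit value")
    return [
        (f"01:80:C2:00:00:0{x:X}", KNOWN_USES.get(x, "reserved"))
        for x in range(16)
        if mask & (1 << x)  # the logical AND with 2^X described in the text
    ]


def mask_for(addresses):
    """Build the mask that forwards exactly the given reserved addresses."""
    mask = 0
    for address in addresses:
        octets = address.upper().replace("-", ":").split(":")
        if len(octets) != 6 or octets[:5] != ["01", "80", "C2", "00", "00"]:
            raise ValueError(f"{address} is not an 802.1D reserved address")
        last = int(octets[5], 16)
        if len(octets[5]) != 2 or last > 0x0F:
            raise ValueError(f"{address} is outside 01:80:C2:00:00:0X")
        mask |= 1 << last
    return mask


def restricted_bits(mask):
    """Addresses in the mask that the kernel bridge will refuse to forward."""
    return decode_mask(mask & KERNEL_RESTRICTED)


if __name__ == "__main__":
    for value in (8, mask_for(["01:80:C2:00:00:03", "01:80:C2:00:00:0E"]), 0xFFFF):
        print(f"GroupForwardMask={value}")
        for address, use in decode_mask(value):
            print(f"  forwards {address}  {use}")
        for address, use in restricted_bits(value):
            print(f"  rejected by the kernel: {address}  {use}")
```
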
The "[VLAN]" section only applies for netdevs of kind "vlan", and
accepts the following keys:

Id=
    The VLAN ID to use. An integer in the range 0–4094. This option is
    compulsory.

GVRP=
    Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a
    protocol that allows automatic learning of VLANs on a network. When
    unset, the kernel's default will be used.

MVRP=
    Takes a boolean. Multiple VLAN Registration Protocol (MVRP),
    formerly known as GARP VLAN Registration Protocol (GVRP), is a
    standards-based Layer 2 network protocol, for automatic
    configuration of VLAN information on switches. It was defined in
    the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's
    default will be used.

LooseBinding=
    Takes a boolean. The VLAN loose binding mode, in which only the
    operational state is passed from the parent to the associated
    VLANs, but the VLAN device state is not changed. When unset, the
    kernel's default will be used.

ReorderHeader=
    Takes a boolean. When the VLAN reorder header is set, VLAN
    interfaces behave like physical interfaces. When unset, the
    kernel's default will be used.

The "[MACVLAN]" section only applies for netdevs of kind "macvlan", and
accepts the following key:

Mode=
    The MACVLAN mode to use. The supported options are "private",
    "vepa", "bridge", and "passthru".

The "[MACVTAP]" section applies for netdevs of kind "macvtap" and
accepts the same key as "[MACVLAN]".

The "[IPVLAN]" section only applies for netdevs of kind "ipvlan", and
accepts the following keys:

Mode=
    The IPVLAN mode to use. The supported options are "L2", "L3" and
    "L3S".

Flags=
    The IPVLAN flags to use. The supported options are "bridge",
    "private" and "vepa".

The "[IPVTAP]" section only applies for netdevs of kind "ipvtap" and
accepts the same keys as "[IPVLAN]".

The "[VXLAN]" section only applies for netdevs of kind "vxlan", and
accepts the following keys:

VNI=
    The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number
    in the range 1-16777215.

Remote=
    Configures the destination IP address.

Local=
    Configures the local IP address.

Group=
    Configures the VXLAN multicast group IP address. All members of a
    VXLAN must use the same multicast group address.

TOS=
    The Type Of Service byte value for a vxlan interface.

TTL=
    A fixed Time To Live N on Virtual eXtensible Local Area Network
    packets. Takes "inherit" or a number in the range 0–255. 0 is a
    special value meaning inherit the inner protocol's TTL value.
    "inherit" means that it will inherit the outer protocol's TTL
    value.

MacLearning=
    Takes a boolean. When true, enables dynamic MAC learning to
    discover remote MAC addresses.

FDBAgeingSec=
    The lifetime of a Forwarding Database entry learnt by the kernel,
    in seconds.

MaximumFDBEntries=
    Configures the maximum number of FDB entries.

ReduceARPProxy=
    Takes a boolean. When true, a bridge-connected VXLAN tunnel
    endpoint answers ARP requests from the local bridge on behalf of
    remote Distributed Overlay Virtual Ethernet (DOVE)[5] clients.
    Defaults to false.

L2MissNotification=
    Takes a boolean. When true, enables netlink LLADDR miss
    notifications.

L3MissNotification=
    Takes a boolean. When true, enables netlink IP address miss
    notifications.

RouteShortCircuit=
    Takes a boolean. When true, route short circuiting is turned on.

UDPChecksum=
    Takes a boolean. When true, transmitting UDP checksums when doing
    VXLAN/IPv4 is turned on.

UDP6ZeroChecksumTx=
    Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is
    turned on.

UDP6ZeroChecksumRx=
    Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6
    is turned on.

RemoteChecksumTx=
    Takes a boolean. When true, remote transmit checksum offload of
    VXLAN is turned on.

RemoteChecksumRx=
    Takes a boolean. When true, remote receive checksum offload in
    VXLAN is turned on.

GroupPolicyExtension=
    Takes a boolean. When true, it enables the Group Policy VXLAN
    extension security label mechanism across network peers based on
    VXLAN. For details about the Group Policy VXLAN, see the VXLAN
    Group Policy[6] document. Defaults to false.

GenericProtocolExtension=
    Takes a boolean. When true, Generic Protocol Extension extends the
    existing VXLAN protocol to provide protocol typing, OAM, and
    versioning capabilities. For details about the VXLAN GPE Header,
    see the Generic Protocol Extension for VXLAN[7] document. If the
    destination port is not specified and Generic Protocol Extension is
    set, then the default port of 4790 is used. Defaults to false.

DestinationPort=
    Configures the default destination UDP port on a per-device basis.
    If destination port is not specified then Linux kernel default will
    be used. Set destination port 4789 to get the IANA assigned value.
    If not set or if the destination port is assigned the empty string
    the default port of 4789 is used.

PortRange=
    Configures the VXLAN port range. VXLAN derives the source UDP port
    from the flow, to help the receiver load balance based on the outer
    header flow. It restricts the port range to the normal UDP local
    ports, and allows overriding via configuration.

FlowLabel=
    Specifies the flow label to use in outgoing packets. The valid
    range is 0-1048575.

IPDoNotFragment=
    Allows setting the IPv4 Do not Fragment (DF) bit in outgoing
    packets, or to inherit its value from the IPv4 inner header. Takes
    a boolean value, or "inherit". Set to "inherit" if the encapsulated
    protocol is IPv6. When unset, the kernel's default will be used.

The "[GENEVE]" section only applies for netdevs of kind "geneve", and
accepts the following keys:

Id=
    Specifies the Virtual Network Identifier (VNI) to use. Takes a
    number in the range 0-16777215. This field is mandatory.

Remote=
    Specifies the unicast destination IP address to use in outgoing
    packets.

TOS=
    Specifies the TOS value to use in outgoing packets. Takes a number
    in the range 1-255.

TTL=
    Accepts the same key as in the "[VXLAN]" section, except that when
    unset or set to 0, the kernel's default will be used, meaning that
    the packet TTL will be set from /proc/sys/net/ipv4/ip_default_ttl.

UDPChecksum=
    Takes a boolean. When true, specifies if UDP checksum is calculated
    for transmitted packets over IPv4.

UDP6ZeroChecksumTx=
    Takes a boolean. When true, skip UDP checksum calculation for
    transmitted packets over IPv6.

UDP6ZeroChecksumRx=
    Takes a boolean. When true, allows incoming UDP packets over IPv6
    with zero checksum field.

DestinationPort=
    Specifies destination port. Defaults to 6081. If not set or
    assigned the empty string, the default port of 6081 is used.

FlowLabel=
    Specifies the flow label to use in outgoing packets.

IPDoNotFragment=
    Accepts the same key as in the "[VXLAN]" section.

The "[L2TP]" section only applies for netdevs of kind "l2tp", and
accepts the following keys:

TunnelId=
    Specifies the tunnel id. The value used must match the
    "PeerTunnelId=" value being used at the peer. Takes a number
    between 1 and 4294967295. This option is compulsory.

PeerTunnelId=
    Specifies the peer tunnel id. The value used must match the
    "PeerTunnelId=" value being used at the peer. Takes a number
    between 1 and 4294967295. This option is compulsory.

Remote=
    Specifies the IP address of the remote peer. This option is
    compulsory.

Local=
    Specifies the IP address of the local interface. Takes an IP
    address, or the special values "auto", "static", or "dynamic". When
    an address is set, then the local interface must have the address.
    If "auto", then one of the addresses on the local interface is
    used. Similarly, if "static" or "dynamic" is set, then one of the
    static or dynamic addresses on the local interface is used.
    Defaults to "auto".

EncapsulationType=
    Specifies the encapsulation type of the tunnel. Takes one of "udp"
    or "ip".

UDPSourcePort=
    Specifies the UDP source port to be used for the tunnel. When UDP
    encapsulation is selected, it is mandatory. Ignored when ip
    encapsulation is selected.

UDPDestinationPort=
    Specifies the destination port. When UDP encapsulation is selected,
    it is mandatory. Ignored when ip encapsulation is selected.

UDPChecksum=
    Takes a boolean. When true, specifies if UDP checksum is calculated
    for transmitted packets over IPv4.

UDP6ZeroChecksumTx=
    Takes a boolean. When true, skip UDP checksum calculation for
    transmitted packets over IPv6.

UDP6ZeroChecksumRx=
    Takes a boolean. When true, allows incoming UDP packets over IPv6
    with zero checksum field.

The "[L2TPSession]" section only applies for netdevs of kind "l2tp",
and accepts the following keys:

Name=
    Specifies the name of the session. This option is compulsory.

SessionId=
    Specifies the session id. The value used must match the
    "SessionId=" value being used at the peer. Takes a number between
    1 and 4294967295. This option is compulsory.

PeerSessionId=
    Specifies the peer session id. The value used must match the
    "PeerSessionId=" value being used at the peer. Takes a number
    between 1 and 4294967295. This option is compulsory.

Layer2SpecificHeader=
    Specifies the layer 2 specific header type of the session. One of
    "none" or "default". Defaults to "default".

The "[MACsec]" section only applies for network devices of kind
"macsec", and accepts the following keys:

Port=
    Specifies the port to be used for the MACsec transmit channel. The
    port is used to make the secure channel identifier (SCI). Takes a
    value between 1 and 65535. Defaults to unset.

Encrypt=
    Takes a boolean. When true, enable encryption. Defaults to unset.

The "[MACsecReceiveChannel]" section only applies for network devices
of kind "macsec", and accepts the following keys:

Port=
    Specifies the port to be used for the MACsec receive channel. The
    port is used to make the secure channel identifier (SCI). Takes a
    value between 1 and 65535. This option is compulsory, and is not
    set by default.

MACAddress=
    Specifies the MAC address to be used for the MACsec receive
    channel. The MAC address is used to make the secure channel
    identifier (SCI). This option is compulsory, and is not set by
    default.

The "[MACsecTransmitAssociation]" section only applies for network
devices of kind "macsec", and accepts the following keys:

PacketNumber=
    Specifies the packet number to be used for replay protection and
    the construction of the initialization vector (along with the
    secure channel identifier [SCI]). Takes a value between
    1-4,294,967,295. Defaults to unset.

KeyId=
    Specifies the identification for the key. Takes a number between
    0-255. This option is compulsory, and is not set by default.

Key=
    Specifies the encryption key used in the transmission channel. The
    same key must be configured on the peer’s matching receive channel.
    This option is compulsory, and is not set by default. Takes a
    128-bit key encoded in a hexadecimal string, for example
    "dffafc8d7b9a43d5b9a3dfbbf6a30c16".

KeyFile=
    Takes an absolute path to a file which contains a 128-bit key
    encoded in a hexadecimal string, which will be used in the
    transmission channel. When this option is specified, Key= is
    ignored. Note that the file must be readable by the user
    "systemd-network", so it should be, e.g., owned by
    "root:systemd-network" with a "0640" file mode.

Activate=
    Takes a boolean. If enabled, then the security association is
    activated. Defaults to unset.

UseForEncoding=
    Takes a boolean. If enabled, then the security association is used
    for encoding. Only one "[MACsecTransmitAssociation]" section can
    enable this option. When enabled, Activate=yes is implied. Defaults
    to unset.

The "[MACsecReceiveAssociation]" section only applies for network
devices of kind "macsec", and accepts the following keys:

Port=
    Accepts the same key as in the "[MACsecReceiveChannel]" section.

MACAddress=
    Accepts the same key as in the "[MACsecReceiveChannel]" section.

PacketNumber=
    Accepts the same key as in the "[MACsecTransmitAssociation]" section.

KeyId=
    Accepts the same key as in the "[MACsecTransmitAssociation]" section.

Key=
    Accepts the same key as in the "[MACsecTransmitAssociation]" section.

KeyFile=
    Accepts the same key as in the "[MACsecTransmitAssociation]" section.

Activate=
    Accepts the same key as in the "[MACsecTransmitAssociation]" section.

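A configuration check for the MACsec key handling described above, as an added example (not part of the manual page or of systemd). It flags a Key= kept inline, a KeyFile= whose mode or ownership is wider than the root:systemd-network 0640 suggested above, Encrypt= not set to true, and more than one UseForEncoding=; the function names, finding codes, sample files, MAC address and gid 192 are constructed for illustration.

```python
import os
import re
import stat
from types import SimpleNamespace

ASSOC = ("MACsecTransmitAssociation", "MACsecReceiveAssociation")
HEX_128 = re.compile(r"[0-9a-fA-F]{32}")
TRUE = {"1", "yes", "y", "true", "t", "on"}


def parse_sections(text):
    """Return [(section, {key: value})]; sections may repeat, so no configparser."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def check_keyfile(path, stat_fn, group_gid):
    """Compare a KeyFile= against the root:systemd-network 0640 suggestion."""
    if not os.path.isabs(path):
        return [("KEYFILE_NOT_ABSOLUTE", path)]
    try:
        st = stat_fn(path)
    except OSError:
        return [("KEYFILE_MISSING", path)]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~0o640:
        findings.append(("KEYFILE_MODE", f"{path} is {mode:04o}, wider than 0640"))
    if st.st_uid != 0 or (group_gid is not None and st.st_gid != group_gid):
        findings.append(("KEYFILE_OWNER", f"{path} is not root:systemd-network"))
    return findings


def audit_macsec(text, stat_fn=os.stat, group_gid=None):
    """Return (code, detail) findings for one .netdev file of kind macsec."""
    sections = parse_sections(text)
    if not any(n == "NetDev" and kv.get("Kind") == "macsec" for n, kv in sections):
        return []
    findings = []
    if not any(n == "MACsec" and kv.get("Encrypt", "").lower() in TRUE for n, kv in sections):
        findings.append(("ENCRYPT_NOT_ENABLED", "[MACsec] Encrypt= is not set to true"))
    encoding = 0
    for name, kv in (s for s in sections if s[0] in ASSOC):
        if "KeyFile" in kv:  # when KeyFile= is present, Key= is ignored
            findings += check_keyfile(kv["KeyFile"], stat_fn, group_gid)
        elif "Key" in kv:
            findings.append(("INLINE_KEY", f"[{name}] keeps the key in the .netdev file"))
            if not HEX_128.fullmatch(kv["Key"]):
                findings.append(("BAD_KEY_FORMAT", name))
        if name == ASSOC[0] and kv.get("UseForEncoding", "").lower() in TRUE:
            encoding += 1
    if encoding > 1:
        findings.append(("MULTIPLE_ENCODING_SA", f"{encoding} transmit associations"))
    return findings


# Constructed sample input; only the key value is the manual page's own example.
TEMPLATE = """\
[NetDev]
Name=macsec0
Kind=macsec
[MACsec]
Port=1
{encrypt}
[MACsecTransmitAssociation]
KeyId=1
{tx_key}
UseForEncoding=yes
[MACsecReceiveAssociation]
Port=1
MACAddress=c6:19:52:8f:e6:a0
KeyId=1
KeyFile={rx_keyfile}
"""
WEAK = TEMPLATE.format(encrypt="", tx_key="Key=dffafc8d7b9a43d5b9a3dfbbf6a30c16",
                       rx_keyfile="/etc/macsec/rx.key")
HARDENED = TEMPLATE.format(encrypt="Encrypt=yes", tx_key="KeyFile=/etc/macsec/tx.key",
                           rx_keyfile="/etc/macsec/rx-fixed.key")


def fake_stat(path):
    """Constructed stat results so the example runs without real key files."""
    modes = {"/etc/macsec/rx.key": 0o100644, "/etc/macsec/tx.key": 0o100640,
             "/etc/macsec/rx-fixed.key": 0o100640}
    if path not in modes:
        raise FileNotFoundError(path)
    return SimpleNamespace(st_mode=modes[path], st_uid=0, st_gid=192)


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_macsec(text, stat_fn=fake_stat, group_gid=192))
```

Against real files, leave stat_fn at its default and pass the gid of the systemd-network group, for instance from grp.getgrnam("systemd-network").gr_gid.
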
778 The "[Tunnel]" section only applies for netdevs of kind "ipip", "sit",
779 "gre", "gretap", "ip6gre", "ip6gretap", "vti", "vti6", "ip6tnl", and
780 "erspan" and accepts the following keys:
781
782 Local=
783 A static local address for tunneled packets. It must be an address
784 on another interface of this host, or the special value "any".
785
786 Remote=
787 The remote endpoint of the tunnel. Takes an IP address or the
788 special value "any".
789
790 TOS=
791 The Type Of Service byte value for a tunnel interface. For details
792 about the TOS, see the Type of Service in the Internet Protocol
793 Suite[8] document.
794
795 TTL=
796 A fixed Time To Live N on tunneled packets. N is a number in the
797 range 1–255. 0 is a special value meaning that packets inherit the
798 TTL value. The default value for IPv4 tunnels is: inherit. The
799 default value for IPv6 tunnels is 64.
800
801 DiscoverPathMTU=
802 Takes a boolean. When true, enables Path MTU Discovery on the
803 tunnel.
804
805 IPv6FlowLabel=
806 Configures the 20-bit flow label (see RFC 6437[9]) field in the
807 IPv6 header (see RFC 2460[10]), which is used by a node to label
808 packets of a flow. It is only used for IPv6 tunnels. A flow label
809 of zero is used to indicate packets that have not been labeled. It
810 can be configured to a value in the range 0–0xFFFFF, or be set to
811 "inherit", in which case the original flowlabel is used.
812
813 CopyDSCP=
814 Takes a boolean. When true, the Differentiated Service Code Point
815 (DSCP) field will be copied to the inner header from outer header
816 during the decapsulation of an IPv6 tunnel packet. DSCP is a field
817 in an IP packet that enables different levels of service to be
818 assigned to network traffic. Defaults to "no".
819
820 EncapsulationLimit=
821 The Tunnel Encapsulation Limit option specifies how many additional
822 levels of encapsulation are permitted to be prepended to the
823 packet. For example, a Tunnel Encapsulation Limit option containing
824 a limit value of zero means that a packet carrying that option may
825 not enter another tunnel before exiting the current tunnel. (see
826 RFC 2473[11]). The valid range is 0–255 and "none". Defaults to 4.
827
828 Key=
829 The Key= parameter specifies the same key to use in both directions
830 (InputKey= and OutputKey=). The Key= is either a number or an IPv4
831 address-like dotted quad. It is used as mark-configured SAD/SPD
832 entry as part of the lookup key (both in data and control path) in
833 ip xfrm (framework used to implement IPsec protocol). See ip-xfrm —
834 transform configuration[12] for details. It is only used for
835 VTI/VTI6, GRE, GRETAP, and ERSPAN tunnels.
836
837 InputKey=
838 The InputKey= parameter specifies the key to use for input. The
839 format is same as Key=. It is only used for VTI/VTI6, GRE, GRETAP,
840 and ERSPAN tunnels.
841
842 OutputKey=
843 The OutputKey= parameter specifies the key to use for output. The
844 format is the same as Key=. It is only used for VTI/VTI6, GRE,
845 GRETAP, and ERSPAN tunnels.
846
847 Mode=
848 An "ip6tnl" tunnel can be in one of three modes: "ip6ip6" for IPv6
849 over IPv6, "ipip6" for IPv4 over IPv6, or "any" for either.
850
851 Independent=
852 Takes a boolean. When true, the tunnel does not require a .network
853 file. It is created as "tunnel@NONE". Defaults to "false".
854
855 AssignToLoopback=
856 Takes a boolean. If set to "yes", the loopback interface "lo" is
857 used as the underlying device of the tunnel interface. Defaults to
858 "no".
859
860 AllowLocalRemote=
861 Takes a boolean. When true, allows tunnel traffic on ip6tnl devices
862 where the remote endpoint is a local host address. When unset, the
863 kernel's default will be used.
864
865 FooOverUDP=
866 Takes a boolean. Specifies whether a FooOverUDP tunnel is to be
867 configured. Defaults to false. This takes effect only for IPIP,
868 SIT, GRE, and GRETAP tunnels. For more detailed information, see
869 Foo over UDP[13].
870
871 FOUDestinationPort=
872 This setting specifies the UDP destination port for encapsulation.
873 This field is mandatory when FooOverUDP=yes, and is not set by
874 default.
875
876 FOUSourcePort=
877 This setting specifies the UDP source port for encapsulation.
878 Defaults to 0 — that is, the source port for packets is left to the
879 network stack to decide.
880
881 Encapsulation=
882 Accepts the same key as in the "[FooOverUDP]" section.
883
884 IPv6RapidDeploymentPrefix=
885 Reconfigure the tunnel for IPv6 Rapid Deployment[14], also known as
886 6rd. The value is an ISP-specific IPv6 prefix with a non-zero
887 length. Only applicable to SIT tunnels.
888
889 ISATAP=
890 Takes a boolean. If set, configures the tunnel as Intra-Site
891 Automatic Tunnel Addressing Protocol (ISATAP) tunnel. Only
892 applicable to SIT tunnels. When unset, the kernel's default will be
893 used.
894
895 SerializeTunneledPackets=
896 Takes a boolean. If set to yes, then packets are serialized. Only
897 applies for GRE, GRETAP, and ERSPAN tunnels. When unset, the
898 kernel's default will be used.
899
900 ERSPANIndex=
901 Specifies the ERSPAN index field for the interface, an integer in
902 the range 1-1048575 associated with the ERSPAN traffic's source
903 port and direction. This field is mandatory.
904
906 The "[FooOverUDP]" section only applies for netdevs of kind "fou" and
907 accepts the following keys:
908
909 Encapsulation=
910 Specifies the encapsulation mechanism used to store networking
911 packets of various protocols inside the UDP packets. Supports the
912 following values: "FooOverUDP" provides the simplest no frills
913 model of UDP encapsulation, it simply encapsulates packets directly
914 in the UDP payload. "GenericUDPEncapsulation" is a generic and
915 extensible encapsulation, it allows encapsulation of packets for
916 any IP protocol and optional data as part of the encapsulation. For
917 more detailed information see Generic UDP Encapsulation[15].
918 Defaults to "FooOverUDP".
919
920 Port=
921 Specifies the port number on which the encapsulated IP packets
922 will arrive. Note that the packets arrive on this port, have the
923 encapsulation removed, and are then manually fed back into the
924 network stack and sent on for delivery to the real destination.
925 This option is mandatory.
926
927 PeerPort=
928 Specifies the peer port number. Defaults to unset. Note that when
929 the peer port is set, the "Peer=" address is mandatory.
930
931 Protocol=
932 The Protocol= specifies the protocol number of the packets arriving
933 at the UDP port. When Encapsulation=FooOverUDP, this field is
934 mandatory and is not set by default. Takes an IP protocol name such
935 as "gre" or "ipip", or an integer within the range 1-255. When
936 Encapsulation=GenericUDPEncapsulation, this must not be specified.
937
938 Peer=
939 Configures the peer IP address. Note that when the peer address is
940 set, "PeerPort=" is mandatory.
941
942 Local=
943 Configures local IP address.
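
The cross-key rules stated above for "[FooOverUDP]" and for FooOverUDP= in "[Tunnel]" can be checked before a file is deployed. The following linter is an added example, not part of systemd; the function names and the BAD_FOU sample are hypothetical, and the 1-65535 bound on port values is an assumption, since this page gives no range for Port=.

```python
import configparser

# Tunnel kinds for which this page says FooOverUDP= takes effect.
FOU_TUNNEL_KINDS = {"ipip", "sit", "gre", "gretap"}

def _load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case: "Port", not "port"
    cp.read_string(text)
    return cp

def _section(cp, name):
    return dict(cp[name]) if cp.has_section(name) else {}

def _is_port(value):
    # Assumption: a usable UDP port is 1-65535.
    return value.isdigit() and 1 <= int(value) <= 65535

def _is_true(value):
    # Boolean spellings accepted by systemd (see systemd.syntax(5)).
    return value.strip().lower() in ("1", "yes", "y", "true", "t", "on")

def lint_fou(text):
    """Return the cross-key rule violations found in one .netdev file's text."""
    cp, errors = _load(text), []
    kind = _section(cp, "NetDev").get("Kind", "")
    fou, tunnel = _section(cp, "FooOverUDP"), _section(cp, "Tunnel")
    if kind == "fou":
        encap, proto = fou.get("Encapsulation", "FooOverUDP"), fou.get("Protocol")
        if not _is_port(fou.get("Port", "")):
            errors.append("[FooOverUDP] Port= is mandatory and must be a UDP port number")
        if encap == "FooOverUDP" and proto is None:
            errors.append("[FooOverUDP] Protocol= is mandatory with Encapsulation=FooOverUDP")
        if encap == "GenericUDPEncapsulation" and proto is not None:
            errors.append("[FooOverUDP] Protocol= must not be set with GenericUDPEncapsulation")
        if proto is not None and proto.isdigit() and not 1 <= int(proto) <= 255:
            errors.append("[FooOverUDP] numeric Protocol= must be within 1-255")
        if ("Peer" in fou) != ("PeerPort" in fou):
            errors.append("[FooOverUDP] Peer= and PeerPort= must be set together")
    if _is_true(tunnel.get("FooOverUDP", "no")):
        if kind not in FOU_TUNNEL_KINDS:
            errors.append(f"[Tunnel] FooOverUDP= has no effect for Kind={kind}")
        if not _is_port(tunnel.get("FOUDestinationPort", "")):
            errors.append("[Tunnel] FOUDestinationPort= is mandatory when FooOverUDP=yes")
    return errors

# Constructed sample that breaks three of the rules above.
BAD_FOU = """\
[NetDev]
Name=fou-bad
Kind=fou

[FooOverUDP]
Encapsulation=GenericUDPEncapsulation
Protocol=4
PeerPort=5556
"""

if __name__ == "__main__":
    print("\n".join(lint_fou(BAD_FOU)))
```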
944
946 The "[Peer]" section only applies for netdevs of kind "veth" and
947 accepts the following keys:
948
949 Name=
950 The interface name used when creating the netdev. This option is
951 compulsory.
952
953 MACAddress=
954 The peer MAC address. If not set, it is generated in the same way
955 as the MAC address of the main interface.
956
958 The "[VXCAN]" section only applies for netdevs of kind "vxcan" and
959 accepts the following key:
960
961 Peer=
962 The peer interface name used when creating the netdev. This option
963 is compulsory.
964
966 The "[Tun]" section only applies for netdevs of kind "tun", and accepts
967 the following keys:
968
969 MultiQueue=
970 Takes a boolean. Configures whether to use multiple file
971 descriptors (queues) to parallelize packets sending and receiving.
972 Defaults to "no".
973
974 PacketInfo=
975 Takes a boolean. Configures whether packets should be prepended
976 with four extra bytes (two flag bytes and two protocol bytes). If
977 disabled, it indicates that the packets will be pure IP packets.
978 Defaults to "no".
979
980 VNetHeader=
981 Takes a boolean. Configures IFF_VNET_HDR flag for a tun or tap
982 device. It allows sending and receiving larger Generic Segmentation
983 Offload (GSO) packets. This may increase throughput significantly.
984 Defaults to "no".
985
986 User=
987 User to grant access to the /dev/net/tun device.
988
989 Group=
990 Group to grant access to the /dev/net/tun device.
991
993 The "[Tap]" section only applies for netdevs of kind "tap", and accepts
994 the same keys as the "[Tun]" section.
995
997 The "[WireGuard]" section accepts the following keys:
998
999 PrivateKey=
1000 The Base64 encoded private key for the interface. It can be
1001 generated using the wg genkey command (see wg(8)). This option or
1002 PrivateKeyFile= is mandatory to use WireGuard. Note that because
1003 this information is secret, you may want to set the permissions of
1004 the .netdev file to be owned by "root:systemd-network" with a
1005 "0640" file mode.
1006
1007 PrivateKeyFile=
1008 Takes an absolute path to a file which contains the Base64 encoded
1009 private key for the interface. When this option is specified, then
1010 PrivateKey= is ignored. Note that the file must be readable by the
1011 user "systemd-network", so it should be, e.g., owned by
1012 "root:systemd-network" with a "0640" file mode.
1013
1014 ListenPort=
1015 Sets UDP port for listening. Takes either value between 1 and 65535
1016 or "auto". If "auto" is specified, the port is automatically
1017 generated based on interface name. Defaults to "auto".
1018
1019 FirewallMark=
1020 Sets a firewall mark on outgoing WireGuard packets from this
1021 interface. Takes a number between 1 and 4294967295.
1022
1024 The "[WireGuardPeer]" section accepts the following keys:
1025
1026 PublicKey=
1027 Sets a Base64 encoded public key calculated by wg pubkey (see
1028 wg(8)) from a private key, and usually transmitted out of band to
1029 the author of the configuration file. This option is mandatory for
1030 this section.
1031
1032 PresharedKey=
1033 Optional preshared key for the interface. It can be generated by
1034 the wg genpsk command. This option adds an additional layer of
1035 symmetric-key cryptography to be mixed into the already existing
1036 public-key cryptography, for post-quantum resistance. Note that
1037 because this information is secret, you may want to set the
1038 permissions of the .netdev file to be owned by
1039 "root:systemd-network" with a "0640" file mode.
1040
1041 PresharedKeyFile=
1042 Takes an absolute path to a file which contains the Base64 encoded
1043 preshared key for the peer. When this option is specified, then
1044 PresharedKey= is ignored. Note that the file must be readable by
1045 the user "systemd-network", so it should be, e.g., owned by
1046 "root:systemd-network" with a "0640" file mode.
1047
1048 AllowedIPs=
1049 Sets a comma-separated list of IP (v4 or v6) addresses with CIDR
1050 masks from which this peer is allowed to send incoming traffic and
1051 to which outgoing traffic for this peer is directed. The catch-all
1052 0.0.0.0/0 may be specified for matching all IPv4 addresses, and
1053 ::/0 may be specified for matching all IPv6 addresses.
1054
1055 Endpoint=
1056 Sets an endpoint IP address or hostname, followed by a colon, and
1057 then a port number. This endpoint will be updated automatically
1058 once to the most recent source IP address and port of correctly
1059 authenticated packets from the peer at configuration time.
1060
1061 PersistentKeepalive=
1062 Sets a seconds interval, between 1 and 65535 inclusive, of how
1063 often to send an authenticated empty packet to the peer for the
1064 purpose of keeping a stateful firewall or NAT mapping valid
1065 persistently. For example, if the interface very rarely sends
1066 traffic, but it might at any time receive traffic from a peer, and
1067 it is behind NAT, the interface might benefit from having a
1068 persistent keepalive interval of 25 seconds. If set to 0 or "off",
1069 this option is disabled. By default or when unspecified, this
1070 option is off. Most users will not need this.
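
The file-mode advice for PrivateKey=, PresharedKey= and the two key-file options, plus the AllowedIPs= catch-all, can be audited mechanically. The following script is an added example, not part of systemd or wg(8); the function names are hypothetical, it checks mode bits only (not the "root:systemd-network" ownership), and it relies on WireGuard keys being 32 bytes before Base64 encoding.

```python
import base64
import ipaddress
import os

INLINE_SECRETS = ("PrivateKey", "PresharedKey")
KEY_FILES = ("PrivateKeyFile", "PresharedKeyFile")

def parse_netdev(text):
    """Return [(section, {key: value})]; a list because [WireGuardPeer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections and line[0] not in "#;":
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def too_permissive(path):
    """True if the file grants any permission bit beyond mode 0640."""
    return bool(os.stat(path).st_mode & 0o137)

def is_wg_key(value):
    """True if value is Base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def audit_netdev(path):
    """Return a list of findings for the WireGuard sections of one .netdev file."""
    with open(path, encoding="utf-8") as fh:
        sections = parse_netdev(fh.read())
    findings = []
    for name, keys in sections:
        if name not in ("WireGuard", "WireGuardPeer"):
            continue
        for key in INLINE_SECRETS:
            if key in keys and too_permissive(path):
                findings.append(f"[{name}] inline {key}= in a file more permissive than 0640")
        for key in (k for k in KEY_FILES if k in keys):
            target = keys[key]
            if not os.path.isabs(target):
                findings.append(f"[{name}] {key}= must be an absolute path")
            elif os.path.exists(target) and too_permissive(target):
                findings.append(f"[{name}] {key}= target is more permissive than 0640")
        for key in ("PrivateKey", "PublicKey", "PresharedKey"):
            if key in keys and not is_wg_key(keys[key]):
                findings.append(f"[{name}] {key}= is not a Base64-encoded 32-byte key")
        for cidr in keys.get("AllowedIPs", "").replace(",", " ").split():
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"[{name}] AllowedIPs entry {cidr!r} is not a valid CIDR")
                continue
            if net.prefixlen == 0:
                findings.append(f"[{name}] AllowedIPs {cidr} matches all IPv{net.version} addresses")
    return findings

if __name__ == "__main__":
    import tempfile
    key = base64.b64encode(bytes(32)).decode()  # constructed all-zero key, not a real secret
    with tempfile.NamedTemporaryFile("w", suffix=".netdev") as f:
        f.write(f"[WireGuard]\nPrivateKey={key}\n[WireGuardPeer]\nPublicKey={key}\nAllowedIPs=::/0\n")
        f.flush()
        os.chmod(f.name, 0o644)
        print("\n".join(audit_netdev(f.name)))
```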
1071
1073 The "[Bond]" section accepts the following keys:
1074
1075 Mode=
1076 Specifies one of the bonding policies. The default is "balance-rr"
1077 (round robin). Possible values are "balance-rr", "active-backup",
1078 "balance-xor", "broadcast", "802.3ad", "balance-tlb", and
1079 "balance-alb".
1080
1081 TransmitHashPolicy=
1082 Selects the transmit hash policy to use for slave selection in
1083 balance-xor, 802.3ad, and tlb modes. Possible values are "layer2",
1084 "layer3+4", "layer2+3", "encap2+3", and "encap3+4".
1085
1086 LACPTransmitRate=
1087 Specifies the rate with which link partner transmits Link
1088 Aggregation Control Protocol Data Unit packets in 802.3ad mode.
1089 Possible values are "slow", which requests partner to transmit
1090 LACPDUs every 30 seconds, and "fast", which requests partner to
1091 transmit LACPDUs every second. The default value is "slow".
1092
1093 MIIMonitorSec=
1094 Specifies the frequency that Media Independent Interface link
1095 monitoring will occur. A value of zero disables MII link
1096 monitoring. This value is rounded down to the nearest millisecond.
1097 The default value is 0.
1098
1099 UpDelaySec=
1100 Specifies the delay before a link is enabled after a link up status
1101 has been detected. This value is rounded down to a multiple of
1102 MIIMonitorSec. The default value is 0.
1103
1104 DownDelaySec=
1105 Specifies the delay before a link is disabled after a link down
1106 status has been detected. This value is rounded down to a multiple
1107 of MIIMonitorSec. The default value is 0.
1108
1109 LearnPacketIntervalSec=
1110 Specifies the number of seconds between instances where the bonding
1111 driver sends learning packets to each slave peer switch. The valid
1112 range is 1–0x7fffffff; the default value is 1. This option has an
1113 effect only for the balance-tlb and balance-alb modes.
1114
1115 AdSelect=
1116 Specifies the 802.3ad aggregation selection logic to use. Possible
1117 values are "stable", "bandwidth" and "count".
1118
1119 AdActorSystemPriority=
1120 Specifies the 802.3ad actor system priority. The valid range is 1–65535.
1121
1122 AdUserPortKey=
1123 Specifies the 802.3ad user-defined portion of the port key. The
1124 valid range is 0–1023.
1125
1126 AdActorSystem=
1127 Specifies the 802.3ad system MAC address. This cannot be either
1128 NULL or multicast.
1129
1130 FailOverMACPolicy=
1131 Specifies whether the active-backup mode should set all slaves to
1132 the same MAC address at the time of enslavement or, when enabled,
1133 to perform special handling of the bond's MAC address in accordance
1134 with the selected policy. The default policy is none. Possible
1135 values are "none", "active" and "follow".
1136
1137 ARPValidate=
1138 Specifies whether or not ARP probes and replies should be validated
1139 in any mode that supports ARP monitoring, or whether non-ARP
1140 traffic should be filtered (disregarded) for link monitoring
1141 purposes. Possible values are "none", "active", "backup" and "all".
1142
1143 ARPIntervalSec=
1144 Specifies the ARP link monitoring frequency. A value of 0 disables
1145 ARP monitoring. The default value is 0, and the default unit is
1146 seconds.
1147
1148 ARPIPTargets=
1149 Specifies the IP addresses to use as ARP monitoring peers when
1150 ARPIntervalSec is greater than 0. These are the targets of the ARP
1151 request sent to determine the health of the link to the targets.
1152 Specify these values in IPv4 dotted decimal format. At least one IP
1153 address must be given for ARP monitoring to function. The maximum
1154 number of targets that can be specified is 16. The default value is
1155 no IP addresses.
1156
1157 ARPAllTargets=
1158 Specifies the quantity of ARPIPTargets that must be reachable in
1159 order for the ARP monitor to consider a slave as being up. This
1160 option affects only active-backup mode for slaves with ARPValidate
1161 enabled. Possible values are "any" and "all".
1162
1163 PrimaryReselectPolicy=
1164 Specifies the reselection policy for the primary slave. This
1165 affects how the primary slave is chosen to become the active slave
1166 when failure of the active slave or recovery of the primary slave
1167 occurs. This option is designed to prevent flip-flopping between
1168 the primary slave and other slaves. Possible values are "always",
1169 "better" and "failure".
1170
1171 ResendIGMP=
1172 Specifies the number of IGMP membership reports to be issued after
1173 a failover event. One membership report is issued immediately after
1174 the failover, subsequent packets are sent in each 200ms interval.
1175 The valid range is 0–255. Defaults to 1. A value of 0 prevents the
1176 IGMP membership report from being issued in response to the
1177 failover event.
1178
1179 PacketsPerSlave=
1180 Specify the number of packets to transmit through a slave before
1181 moving to the next one. When set to 0, then a slave is chosen at
1182 random. The valid range is 0–65535. Defaults to 1. This option only
1183 has effect when in balance-rr mode.
1184
1185 GratuitousARP=
1186 Specify the number of peer notifications (gratuitous ARPs and
1187 unsolicited IPv6 Neighbor Advertisements) to be issued after a
1188 failover event. As soon as the link is up on the new slave, a peer
1189 notification is sent on the bonding device and each VLAN
1190 sub-device. This is repeated at each link monitor interval
1191 (ARPIntervalSec or MIIMonitorSec, whichever is active) if the
1192 number is greater than 1. The valid range is 0–255. The default
1193 value is 1. This option affects only the active-backup mode.
1194
1195 AllSlavesActive=
1196 Takes a boolean. Specifies that duplicate frames (received on
1197 inactive ports) should be dropped when false, or delivered when
1198 true. Normally, bonding will drop duplicate frames (received on
1199 inactive ports), which is desirable for most users. Sometimes,
1200 however, it is useful to allow duplicate frames to be delivered.
1201 The default value is false (drop duplicate frames received on
1202 inactive ports).
1203
1204 DynamicTransmitLoadBalancing=
1205 Takes a boolean. Specifies if dynamic shuffling of flows is
1206 enabled. Applies only for balance-tlb mode. Defaults to unset.
1207
1208 MinLinks=
1209 Specifies the minimum number of links that must be active before
1210 asserting carrier. The default value is 0.
1211
1212 For more detailed information, see Linux Ethernet Bonding Driver HOWTO[1].
1213
1215 The "[Xfrm]" section accepts the following keys:
1216
1217 InterfaceId=
1218 Sets the ID/key of the xfrm interface which needs to be associated
1219 with a SA/policy. Can be decimal or hexadecimal, valid range is
1220 0-0xffffffff, defaults to 0.
1221
1222 Independent=
1223 Takes a boolean. If set to "no", the xfrm interface should have an
1224 underlying device which can be used for hardware offloading.
1225 Defaults to "no". See systemd.network(5) for how to configure the
1226 underlying device.
1227
1228 For more detailed information, see Virtual xfrm interfaces[16].
1229
1231 The "[VRF]" section only applies for netdevs of kind "vrf" and accepts
1232 the following key:
1233
1234 Table=
1235 The numeric routing table identifier. This option is compulsory.
1236
1238 Example 1. /etc/systemd/network/25-bridge.netdev
1239
1240 [NetDev]
1241 Name=bridge0
1242 Kind=bridge
1243
1244 Example 2. /etc/systemd/network/25-vlan1.netdev
1245
1246 [Match]
1247 Virtualization=no
1248
1249 [NetDev]
1250 Name=vlan1
1251 Kind=vlan
1252
1253 [VLAN]
1254 Id=1
1255
1256 Example 3. /etc/systemd/network/25-ipip.netdev
1257
1258 [NetDev]
1259 Name=ipip-tun
1260 Kind=ipip
1261 MTUBytes=1480
1262
1263 [Tunnel]
1264 Local=192.168.223.238
1265 Remote=192.169.224.239
1266 TTL=64
1267
1268 Example 4. /etc/systemd/network/1-fou-tunnel.netdev
1269
1270 [NetDev]
1271 Name=fou-tun
1272 Kind=fou
1273
1274 [FooOverUDP]
1275 Port=5555
1276 Protocol=4
1277
1278
1279 Example 5. /etc/systemd/network/25-fou-ipip.netdev
1280
1281 [NetDev]
1282 Name=ipip-tun
1283 Kind=ipip
1284
1285 [Tunnel]
1286 Independent=yes
1287 Local=10.65.208.212
1288 Remote=10.65.208.211
1289 FooOverUDP=yes
1290 FOUDestinationPort=5555
1291
1292
1293 Example 6. /etc/systemd/network/25-tap.netdev
1294
1295 [NetDev]
1296 Name=tap-test
1297 Kind=tap
1298
1299 [Tap]
1300 MultiQueue=yes
1301 PacketInfo=yes
1302
1303 Example 7. /etc/systemd/network/25-sit.netdev
1304
1305 [NetDev]
1306 Name=sit-tun
1307 Kind=sit
1308 MTUBytes=1480
1309
1310 [Tunnel]
1311 Local=10.65.223.238
1312 Remote=10.65.223.239
1313
1314 Example 8. /etc/systemd/network/25-6rd.netdev
1315
1316 [NetDev]
1317 Name=6rd-tun
1318 Kind=sit
1319 MTUBytes=1480
1320
1321 [Tunnel]
1322 Local=10.65.223.238
1323 IPv6RapidDeploymentPrefix=2602::/24
1324
1325 Example 9. /etc/systemd/network/25-gre.netdev
1326
1327 [NetDev]
1328 Name=gre-tun
1329 Kind=gre
1330 MTUBytes=1480
1331
1332 [Tunnel]
1333 Local=10.65.223.238
1334 Remote=10.65.223.239
1335
1336 Example 10. /etc/systemd/network/25-ip6gre.netdev
1337
1338 [NetDev]
1339 Name=ip6gre-tun
1340 Kind=ip6gre
1341
1342 [Tunnel]
1343 Key=123
1344
1345 Example 11. /etc/systemd/network/25-vti.netdev
1346
1347 [NetDev]
1348 Name=vti-tun
1349 Kind=vti
1350 MTUBytes=1480
1351
1352 [Tunnel]
1353 Local=10.65.223.238
1354 Remote=10.65.223.239
1355
1356 Example 12. /etc/systemd/network/25-veth.netdev
1357
1358 [NetDev]
1359 Name=veth-test
1360 Kind=veth
1361
1362 [Peer]
1363 Name=veth-peer
1364
1365 Example 13. /etc/systemd/network/25-bond.netdev
1366
1367 [NetDev]
1368 Name=bond1
1369 Kind=bond
1370
1371 [Bond]
1372 Mode=802.3ad
1373 TransmitHashPolicy=layer3+4
1374 MIIMonitorSec=1s
1375 LACPTransmitRate=fast
1376
1377 Example 14. /etc/systemd/network/25-dummy.netdev
1378
1379 [NetDev]
1380 Name=dummy-test
1381 Kind=dummy
1382 MACAddress=12:34:56:78:9a:bc
1383
1384 Example 15. /etc/systemd/network/25-vrf.netdev
1385
1386 Create a VRF interface with table 42.
1387
1388 [NetDev]
1389 Name=vrf-test
1390 Kind=vrf
1391
1392 [VRF]
1393 Table=42
1394
1395 Example 16. /etc/systemd/network/25-macvtap.netdev
1396
1397 Create a MacVTap device.
1398
1399 [NetDev]
1400 Name=macvtap-test
1401 Kind=macvtap
1402
1403
1404 Example 17. /etc/systemd/network/25-wireguard.netdev
1405
1406 [NetDev]
1407 Name=wg0
1408 Kind=wireguard
1409
1410 [WireGuard]
1411 PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
1412 ListenPort=51820
1413
1414 [WireGuardPeer]
1415 PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
1416 AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
1417 Endpoint=wireguard.example.com:51820
1418
1419 Example 18. /etc/systemd/network/27-xfrm.netdev
1420
1421 [NetDev]
1422 Name=xfrm0
1423 Kind=xfrm
1424
1425 [Xfrm]
1426 Independent=yes
1427
1429 systemd(1), systemd-networkd(8), systemd.link(5), systemd.network(5)
1430
1432 1. Linux Ethernet Bonding Driver HOWTO
1433 https://www.kernel.org/doc/Documentation/networking/bonding.txt
1434
1435 2. RFC 2784
1436 https://tools.ietf.org/html/rfc2784
1437
1438 3. IEEE 802.1Q
1439 http://www.ieee802.org/1/pages/802.1Q.html
1440
1441 4. VRF
1442 https://www.kernel.org/doc/Documentation/networking/vrf.txt
1443
1444 5. (DVOE)
1445 https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet
1446
1447 6. VXLAN Group Policy
1448 https://tools.ietf.org/html/draft-smith-vxlan-group-policy
1449
1450 7. Generic Protocol Extension for VXLAN
1451 https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07
1452
1453 8. Type of Service in the Internet Protocol Suite
1454 http://tools.ietf.org/html/rfc1349
1455
1456 9. RFC 6437
1457 https://tools.ietf.org/html/rfc6437
1458
1459 10. RFC 2460
1460 https://tools.ietf.org/html/rfc2460
1461
1462 11. RFC 2473
1463 https://tools.ietf.org/html/rfc2473#section-4.1.1
1464
1465 12. ip-xfrm — transform configuration
1466 http://man7.org/linux/man-pages/man8/ip-xfrm.8.html
1467
1468 13. Foo over UDP
1469 https://lwn.net/Articles/614348
1470
1471 14. IPv6 Rapid Deployment
1472 https://tools.ietf.org/html/rfc5569
1473
1474 15. Generic UDP Encapsulation
1475 https://lwn.net/Articles/615044
1476
1477 16. Virtual xfrm interfaces
1478 https://lwn.net/Articles/757391
1479
1480
1481
1482systemd 245 SYSTEMD.NETDEV(5)