SYSTEMD.NETDEV(5)              systemd.network              SYSTEMD.NETDEV(5)

NAME
    systemd.netdev - Virtual Network Device configuration

SYNOPSIS
    netdev.netdev

DESCRIPTION
    A plain ini-style text file that encodes configuration about a virtual
    network device, used by systemd-networkd(8). See systemd.syntax(7) for a
    general description of the syntax.

    The main Virtual Network Device file must have the extension .netdev;
    other extensions are ignored. Virtual network devices are created as
    soon as networkd is started. If a netdev with the specified name already
    exists, networkd will use that as-is rather than create its own. Note
    that the settings of the pre-existing netdev will not be changed by
    networkd.

    The .netdev files are read from the files located in the system network
    directories /usr/lib/systemd/network and /usr/local/lib/systemd/network,
    the volatile runtime network directory /run/systemd/network and the
    local administration network directory /etc/systemd/network. All
    configuration files are collectively sorted and processed in
    alphanumeric order, regardless of the directories in which they live.
    However, files with identical filenames replace each other. It is
    recommended that each filename is prefixed with a number (e.g.
    10-vlan.netdev). Otherwise, .netdev files generated by
    systemd-network-generator.service(8) may take precedence over user
    configured files. Files in /etc/ have the highest priority, files in
    /run/ take precedence over files with the same name in /usr/lib/. This
    can be used to override a system-supplied configuration file with a
    local file if needed. As a special case, an empty file (file size 0) or
    a symlink with the same name pointing to /dev/null disables the
    configuration file entirely (it is "masked").

    Along with the netdev file foo.netdev, a "drop-in" directory
    foo.netdev.d/ may exist. All files with the suffix ".conf" from this
    directory will be merged in alphanumeric order and parsed after the main
    file itself has been parsed. This is useful to alter or add
    configuration settings without having to modify the main configuration
    file. Each drop-in file must have appropriate section headers.

    In addition to /etc/systemd/network, drop-in ".d" directories can be
    placed in the /usr/lib/systemd/network or /run/systemd/network
    directories. Drop-in files in /etc/ take precedence over those in /run/,
    which in turn take precedence over those in /usr/lib/. Drop-in files
    under any of these directories take precedence over the main netdev
    file wherever located. (Of course, since /run/ is temporary and
    /usr/lib/ is for vendors, it is unlikely drop-ins should be used in
    either of those places.)
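
    The search-path, replace-by-name, masking and drop-in rules above, as an
    added example that is not part of the man page or of systemd-networkd: it
    resolves which file wins for each unit over a constructed directory tree
    created in a temporary directory. The sample file names and contents are
    constructed; the page lists /usr/local/lib beside /usr/lib without ranking
    them, so placing it above /usr/lib is an assumption of this example.

```python
import os
import tempfile
from pathlib import Path

# Search directories in ascending priority: a file in a later directory
# replaces a same-named file in an earlier one (/etc > /run > /usr/lib).
# The page lists /usr/local/lib beside /usr/lib without ranking them; placing
# it above /usr/lib is an assumption of this example.
SEARCH_DIRS = (
    "usr/lib/systemd/network",
    "usr/local/lib/systemd/network",
    "run/systemd/network",
    "etc/systemd/network",
)


def is_masked(path: Path) -> bool:
    """An empty file (size 0) or a symlink to /dev/null masks the unit."""
    if path.is_symlink():
        return os.readlink(path) == "/dev/null"
    return path.is_file() and path.stat().st_size == 0


def resolve_netdevs(root: Path) -> tuple:
    """Return (active, masked). active maps each effective unit name to its
    winning main file and the drop-ins merged after it, in parse order;
    masked lists units disabled by an empty file or a /dev/null symlink."""
    mains = {}    # unit name -> winning main file, or None when masked
    dropins = {}  # unit name -> {conf name -> winning drop-in, or None}
    for rel in SEARCH_DIRS:                     # later directories win
        d = root / rel
        if not d.is_dir():
            continue
        for p in d.iterdir():
            if p.name.endswith(".netdev"):
                mains[p.name] = None if is_masked(p) else p
            elif p.name.endswith(".netdev.d") and p.is_dir():
                unit = p.name[:-2]              # foo.netdev.d -> foo.netdev
                for conf in p.iterdir():
                    if conf.name.endswith(".conf"):
                        confs = dropins.setdefault(unit, {})
                        confs[conf.name] = None if is_masked(conf) else conf
    active, masked = {}, []
    for unit in sorted(mains):                  # one order across all directories
        if mains[unit] is None:
            masked.append(unit)
            continue
        confs = dropins.get(unit, {})
        active[unit] = {
            "main": mains[unit],
            # drop-ins are parsed after the main file, in alphanumeric order,
            # so they override it wherever either one lives
            "dropins": [confs[n] for n in sorted(confs) if confs[n] is not None],
        }
    return active, masked


def build_demo_tree(root: Path) -> None:
    """Constructed sample files (not from any real system) that exercise
    replacement by name, both forms of masking and drop-in merging."""
    files = {
        "usr/lib/systemd/network/10-vlan.netdev": "[NetDev]\nName=vlan10\nKind=vlan\n",
        "usr/lib/systemd/network/20-dummy.netdev": "[NetDev]\nName=dummy0\nKind=dummy\n",
        "usr/lib/systemd/network/80-br0.netdev": "[NetDev]\nName=br0\nKind=bridge\n",
        "usr/lib/systemd/network/80-br0.netdev.d/50-mtu.conf": "[NetDev]\nMTUBytes=1500\n",
        "run/systemd/network/10-vlan.netdev": "[NetDev]\nName=vlan10\nKind=vlan\n",
        "etc/systemd/network/20-dummy.netdev": "",  # size 0 masks the vendor unit
        "etc/systemd/network/80-br0.netdev.d/10-desc.conf": "[NetDev]\nDescription=lab\n",
        "etc/systemd/network/80-br0.netdev.d/50-mtu.conf": "[NetDev]\nMTUBytes=9000\n",
    }
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    # A symlink to /dev/null is the other way to mask a unit.
    os.symlink("/dev/null", root / "etc/systemd/network/90-tun.netdev")


def demo() -> dict:
    """Resolve the sample tree and report paths relative to its root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        active, masked = resolve_netdevs(root)
        return {
            "active": {
                unit: {"main": str(info["main"].relative_to(root)),
                       "dropins": [str(d.relative_to(root)) for d in info["dropins"]]}
                for unit, info in active.items()
            },
            "masked": masked,
        }
```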

SUPPORTED NETDEV KINDS
    The following kinds of virtual network devices may be configured in
    .netdev files:

    Table 1. Supported kinds of virtual network devices

    bond
        A bond device is an aggregation of all its slave devices. See Linux
        Ethernet Bonding Driver HOWTO[1] for details.

    bridge
        A bridge device is a software switch, and each of its slave devices
        and the bridge itself are ports of the switch.

    dummy
        A dummy device drops all packets sent to it.

    gre
        A Level 3 GRE tunnel over IPv4. See RFC 2784[2] for details. The
        name "gre0" should not be used, as the kernel creates a device with
        this name when the corresponding kernel module is loaded.

    gretap
        A Level 2 GRE tunnel over IPv4. The name "gretap0" should not be
        used, as the kernel creates a device with this name when the
        corresponding kernel module is loaded.

    erspan
        ERSPAN mirrors traffic on one or more source ports and delivers the
        mirrored traffic to one or more destination ports on another switch.
        The traffic is encapsulated in generic routing encapsulation (GRE)
        and is therefore routable across a layer 3 network between the
        source switch and the destination switch. The name "erspan0" should
        not be used, as the kernel creates a device with this name when the
        corresponding kernel module is loaded.

    ip6gre
        A Level 3 GRE tunnel over IPv6.

    ip6tnl
        An IPv4 or IPv6 tunnel over IPv6.

    ip6gretap
        A Level 2 GRE tunnel over IPv6.

    ipip
        An IPv4 over IPv4 tunnel.

    ipvlan
        An IPVLAN device is a stacked device which receives packets from
        its underlying device based on IP address filtering.

    ipvtap
        An IPVTAP device is a stacked device which receives packets from
        its underlying device based on IP address filtering and can be
        accessed using the tap user space interface.

    macvlan
        A macvlan device is a stacked device which receives packets from
        its underlying device based on MAC address filtering.

    macvtap
        A macvtap device is a stacked device which receives packets from
        its underlying device based on MAC address filtering.

    sit
        An IPv6 over IPv4 tunnel.

    tap
        A persistent Level 2 tunnel between a network device and a device
        node.

    tun
        A persistent Level 3 tunnel between a network device and a device
        node.

    veth
        An Ethernet tunnel between a pair of network devices.

    vlan
        A VLAN is a stacked device which receives packets from its
        underlying device based on VLAN tagging. See IEEE 802.1Q[3] for
        details.

    vti
        An IPv4 over IPSec tunnel.

    vti6
        An IPv6 over IPSec tunnel.

    vxlan
        A virtual extensible LAN (vxlan), for connecting Cloud computing
        deployments.

    geneve
        A GEneric NEtwork Virtualization Encapsulation (GENEVE) netdev
        driver.

    l2tp
        A Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to
        support virtual private networks (VPNs) or as part of the delivery
        of services by ISPs. It does not provide any encryption or
        confidentiality by itself.

    macsec
        Media Access Control Security (MACsec) is an 802.1AE IEEE
        industry-standard security technology that provides secure
        communication for all traffic on Ethernet links. MACsec provides
        point-to-point security on Ethernet links between directly connected
        nodes and is capable of identifying and preventing most security
        threats.

    vrf
        A Virtual Routing and Forwarding (VRF[4]) interface to create
        separate routing and forwarding domains.

    vcan
        The virtual CAN driver (vcan). Similar to the network loopback
        devices, vcan offers a virtual local CAN interface.

    vxcan
        The virtual CAN tunnel driver (vxcan). Similar to the virtual
        ethernet driver veth, vxcan implements a local CAN traffic tunnel
        between two virtual CAN network devices. When creating a vxcan, two
        vxcan devices are created as a pair. When one end receives a packet
        it appears on its pair and vice versa. The vxcan can be used for
        cross namespace communication.

    wireguard
        WireGuard Secure Network Tunnel.

    nlmon
        A Netlink monitor device. Use an nlmon device when you want to
        monitor system Netlink messages.

    fou
        Foo-over-UDP tunneling.

    xfrm
        A virtual tunnel interface like vti/vti6 but with several
        advantages.

    ifb
        The Intermediate Functional Block (ifb) pseudo network interface
        acts as a QoS concentrator for multiple different sources of
        traffic.

    bareudp
        Bare UDP tunnels provide generic L3 encapsulation support for
        tunnelling different L3 protocols like MPLS, IP etc. inside of a UDP
        tunnel.

    batadv
        B.A.T.M.A.N. Advanced[5] is a routing protocol for multi-hop mobile
        ad-hoc networks which operates on layer 2.

    ipoib
        An IP over Infiniband subinterface.

    wlan
        A virtual wireless network (WLAN) interface.

[MATCH] SECTION OPTIONS
    A virtual network device is only created if the [Match] section matches
    the current environment, or if the section is empty. The following keys
    are accepted:

    Host=
        Matches against the hostname or machine ID of the host. See
        ConditionHost= in systemd.unit(5) for details. When prefixed with
        an exclamation mark ("!"), the result is negated. If an empty
        string is assigned, the previously assigned value is cleared.

    Virtualization=
        Checks whether the system is executed in a virtualized environment
        and optionally tests whether it is a specific implementation. See
        ConditionVirtualization= in systemd.unit(5) for details. When
        prefixed with an exclamation mark ("!"), the result is negated. If
        an empty string is assigned, the previously assigned value is
        cleared.

    KernelCommandLine=
        Checks whether a specific kernel command line option is set. See
        ConditionKernelCommandLine= in systemd.unit(5) for details. When
        prefixed with an exclamation mark ("!"), the result is negated. If
        an empty string is assigned, the previously assigned value is
        cleared.

    KernelVersion=
        Checks whether the kernel version (as reported by uname -r) matches
        a certain expression. See ConditionKernelVersion= in
        systemd.unit(5) for details. When prefixed with an exclamation mark
        ("!"), the result is negated. If an empty string is assigned, the
        previously assigned value is cleared.

    Credential=
        Checks whether the specified credential was passed to the
        systemd-udevd.service service. See System and Service
        Credentials[6] for details. When prefixed with an exclamation mark
        ("!"), the result is negated. If an empty string is assigned, the
        previously assigned value is cleared.

    Architecture=
        Checks whether the system is running on a specific architecture.
        See ConditionArchitecture= in systemd.unit(5) for details. When
        prefixed with an exclamation mark ("!"), the result is negated. If
        an empty string is assigned, the previously assigned value is
        cleared.

    Firmware=
        Checks whether the system is running on a machine with the
        specified firmware. See ConditionFirmware= in systemd.unit(5) for
        details. When prefixed with an exclamation mark ("!"), the result
        is negated. If an empty string is assigned, the previously assigned
        value is cleared.

[NETDEV] SECTION OPTIONS
    The [NetDev] section accepts the following keys:

    Description=
        A free-form description of the netdev.

    Name=
        The interface name used when creating the netdev. This setting is
        compulsory.

    Kind=
        The netdev kind. This setting is compulsory. See the "Supported
        netdev kinds" section for the valid keys.

    MTUBytes=
        The maximum transmission unit in bytes to set for the device. The
        usual suffixes K, M, G are supported and are understood to the base
        of 1024. For "tun" or "tap" devices, the MTUBytes= setting is not
        currently supported in the [NetDev] section. Please specify it in
        the [Link] section of the corresponding systemd.network(5) file.

    MACAddress=
        Specifies the MAC address to use for the device, or takes the
        special value "none". When "none", systemd-networkd does not request
        the MAC address for the device, and the kernel will assign a random
        MAC address. For "tun", "tap", or "l2tp" devices, the MACAddress=
        setting in the [NetDev] section is not supported and will be
        ignored. Please specify it in the [Link] section of the
        corresponding systemd.network(5) file. If this option is not set, a
        "vlan" device inherits the MAC address of the master interface. For
        other kinds of netdevs, if this option is not set, then the MAC
        address is generated based on the interface name and the
        machine-id(5).

        Note that even if "none" is specified, systemd-udevd will assign a
        persistent MAC address to the device, as 99-default.link has
        MACAddressPolicy=persistent. So it is also necessary to create a
        custom .link file for the device if the MAC address assignment is
        not desired.

[BRIDGE] SECTION OPTIONS
    The [Bridge] section only applies for netdevs of kind "bridge", and
    accepts the following keys:

    HelloTimeSec=
        HelloTimeSec= specifies the number of seconds between two hello
        packets sent out by the root bridge and the designated bridges.
        Hello packets are used to communicate information about the
        topology throughout the entire bridged local area network.

    MaxAgeSec=
        MaxAgeSec= specifies the number of seconds of maximum message age.
        If the last seen (received) hello packet is more than this number
        of seconds old, the bridge in question will start the takeover
        procedure in an attempt to become the Root Bridge itself.

    ForwardDelaySec=
        ForwardDelaySec= specifies the number of seconds spent in each of
        the Listening and Learning states before the Forwarding state is
        entered.

    AgeingTimeSec=
        This specifies the number of seconds a MAC address will be kept in
        the forwarding database after a packet has been received from this
        MAC address.

    Priority=
        The priority of the bridge. An integer between 0 and 65535. A lower
        value means higher priority. The bridge with the lowest priority
        value will be elected as root bridge.

    GroupForwardMask=
        A 16-bit bitmask represented as an integer which allows forwarding
        of link-local frames with 802.1D reserved addresses
        (01:80:C2:00:00:0X). A logical AND is performed between the
        specified bitmask and 2^X, where X is the lower nibble of the last
        octet of the MAC address. For example, a value of 8 would allow
        forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).
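
        The mask arithmetic above, as an added example that is not part of
        the man page or of systemd: it decodes a GroupForwardMask= value
        into the reserved addresses a bridge would forward, and builds a
        mask from a list of addresses, so a [Bridge] section can be reviewed
        for which control-plane frames it lets through. The names of the
        reserved addresses other than 802.1X PAE, and the kernel's refusal
        of bits 0 to 2, come from the author's knowledge of the 802.1D
        assignments and the Linux bridge, not from this page.

```python
RESERVED_PREFIX = "01:80:C2:00:00:"  # 802.1D reserved block, last octet 00..0F

# The Linux bridge refuses masks touching bits 0-2 (STP BPDUs, 802.3x pause,
# slow protocols such as LACP) regardless of the setting; this is kernel
# behaviour (BR_GROUPFWD_RESTRICTED), not something the page states.
KERNEL_RESTRICTED = 0x0007

# Well-known assignments for readable output; only 0x03 is named on the page.
KNOWN_USES = {
    0x00: "STP/BPDU", 0x01: "802.3x pause", 0x02: "slow protocols (LACP)",
    0x03: "802.1X PAE", 0x0E: "LLDP (nearest bridge)",
}


def forwarded_addresses(mask: int) -> list:
    """Decode a GroupForwardMask= value: bit X set means frames addressed to
    01:80:C2:00:00:0X are forwarded rather than consumed by the bridge."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("GroupForwardMask= is a 16-bit value")
    if mask & KERNEL_RESTRICTED:
        raise ValueError("bits 0-2 are rejected by the kernel")
    return [f"{RESERVED_PREFIX}{x:02X}" for x in range(16) if mask & (1 << x)]


def mask_for_addresses(addresses) -> int:
    """Build the mask that forwards exactly the given reserved addresses."""
    mask = 0
    for addr in addresses:
        addr = addr.upper().replace("-", ":")
        if len(addr) != 17 or not addr.startswith(RESERVED_PREFIX):
            raise ValueError(f"{addr} is not in the 802.1D reserved block")
        nibble = int(addr[-2:], 16)
        if nibble > 0x0F:  # 01:80:C2:00:00:10..FF are outside the masked range
            raise ValueError(f"{addr} is outside 01:80:C2:00:00:00..0F")
        mask |= 1 << nibble
    return mask


def describe(mask: int) -> list:
    """Readable view of what a mask lets through, for reviewing a [Bridge] section."""
    return [f"{a} ({KNOWN_USES.get(int(a[-2:], 16), 'unassigned')})"
            for a in forwarded_addresses(mask)]
```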
416
417 DefaultPVID=
418 This specifies the default port VLAN ID of a newly attached bridge
419 port. Set this to an integer in the range 1...4094 or "none" to
420 disable the PVID.
421
422 MulticastQuerier=
423 Takes a boolean. This setting controls the IFLA_BR_MCAST_QUERIER
424 option in the kernel. If enabled, the kernel will send general ICMP
425 queries from a zero source address. This feature should allow
426 faster convergence on startup, but it causes some multicast-aware
427 switches to misbehave and disrupt forwarding of multicast packets.
428 When unset, the kernel's default will be used.
429
430 MulticastSnooping=
431 Takes a boolean. This setting controls the IFLA_BR_MCAST_SNOOPING
432 option in the kernel. If enabled, IGMP snooping monitors the
433 Internet Group Management Protocol (IGMP) traffic between hosts and
434 multicast routers. When unset, the kernel's default will be used.
435
436 VLANFiltering=
437 Takes a boolean. This setting controls the IFLA_BR_VLAN_FILTERING
438 option in the kernel. If enabled, the bridge will be started in
439 VLAN-filtering mode. When unset, the kernel's default will be used.
440
441 VLANProtocol=
442 Allows setting the protocol used for VLAN filtering. Takes 802.1q
443 or, 802.1ad, and defaults to unset and kernel's default is used.
444
445 STP=
446 Takes a boolean. This enables the bridge's Spanning Tree Protocol
447 (STP). When unset, the kernel's default will be used.
448
449 MulticastIGMPVersion=
450 Allows changing bridge's multicast Internet Group Management
451 Protocol (IGMP) version. Takes an integer 2 or 3. When unset, the
452 kernel's default will be used.
453
455 The [VLAN] section only applies for netdevs of kind "vlan", and accepts
456 the following key:
457
458 Id=
459 The VLAN ID to use. An integer in the range 0...4094. This setting
460 is compulsory.
461
462 Protocol=
463 Allows setting the protocol used for the VLAN interface. Takes
464 "802.1q" or, "802.1ad", and defaults to unset and kernel's default
465 is used.
466
467 GVRP=
468 Takes a boolean. The Generic VLAN Registration Protocol (GVRP) is a
469 protocol that allows automatic learning of VLANs on a network. When
470 unset, the kernel's default will be used.
471
472 MVRP=
473 Takes a boolean. Multiple VLAN Registration Protocol (MVRP)
474 formerly known as GARP VLAN Registration Protocol (GVRP) is a
475 standards-based Layer 2 network protocol, for automatic
476 configuration of VLAN information on switches. It was defined in
477 the 802.1ak amendment to 802.1Q-2005. When unset, the kernel's
478 default will be used.
479
480 LooseBinding=
481 Takes a boolean. The VLAN loose binding mode, in which only the
482 operational state is passed from the parent to the associated
483 VLANs, but the VLAN device state is not changed. When unset, the
484 kernel's default will be used.
485
486 ReorderHeader=
487 Takes a boolean. When enabled, the VLAN reorder header is used and
488 VLAN interfaces behave like physical interfaces. When unset, the
489 kernel's default will be used.
490
491 EgressQOSMaps=, IngressQOSMaps=
492 Defines a mapping of Linux internal packet priority (SO_PRIORITY)
493 to VLAN header PCP field for outgoing and incoming frames,
494 respectively. Takes a whitespace-separated list of integer pairs,
495 where each integer must be in the range 1...4294967294, in the
496 format "from"-"to", e.g., "21-7 45-5". Note that "from" must be
497 greater than or equal to "to". When unset, the kernel's default
498 will be used.
499
501 The [MACVLAN] section only applies for netdevs of kind "macvlan", and
502 accepts the following key:
503
504 Mode=
505 The MACVLAN mode to use. The supported options are "private",
506 "vepa", "bridge", "passthru", and "source".
507
508 SourceMACAddress=
509 A whitespace-separated list of remote hardware addresses allowed on
510 the MACVLAN. This option only has an effect in source mode. Use
511 full colon-, hyphen- or dot-delimited hexadecimal. This option may
512 appear more than once, in which case the lists are merged. If the
513 empty string is assigned to this option, the list of hardware
514 addresses defined prior to this is reset. Defaults to unset.
515
516 BroadcastMulticastQueueLength=
517 Specifies the length of the receive queue for broadcast/multicast
518 packets. An unsigned integer in the range 0...4294967294. Defaults
519 to unset.
520
522 The [MACVTAP] section applies for netdevs of kind "macvtap" and accepts
523 the same keys as [MACVLAN].
524
526 The [IPVLAN] section only applies for netdevs of kind "ipvlan", and
527 accepts the following key:
528
529 Mode=
530 The IPVLAN mode to use. The supported options are "L2","L3" and
531 "L3S".
532
533 Flags=
534 The IPVLAN flags to use. The supported options are
535 "bridge","private" and "vepa".
536
538 The [IPVTAP] section only applies for netdevs of kind "ipvtap" and
539 accepts the same keys as [IPVLAN].
540
542 The [VXLAN] section only applies for netdevs of kind "vxlan", and
543 accepts the following keys:
544
545 VNI=
546 The VXLAN Network Identifier (or VXLAN Segment ID). Takes a number
547 in the range 1...16777215.
548
549 Remote=
550 Configures destination IP address.
551
552 Local=
553 Configures local IP address. It must be an address on the
554 underlying interface of the VXLAN interface, or one of the special
555 values "ipv4_link_local", "ipv6_link_local", "dhcp4", "dhcp6", and
556 "slaac". If one of the special values is specified, an address
557 which matches the corresponding type on the underlying interface
558 will be used. Defaults to unset.
559
560 Group=
561 Configures VXLAN multicast group IP address. All members of a VXLAN
562 must use the same multicast group address.
563
564 TOS=
565 The Type Of Service byte value for a vxlan interface.
566
567 TTL=
568 A fixed Time To Live N on Virtual eXtensible Local Area Network
569 packets. Takes "inherit" or a number in the range 0...255. 0 is a
570 special value meaning inherit the inner protocol's TTL value.
571 "inherit" means that it will inherit the outer protocol's TTL
572 value.
573
574 MacLearning=
575 Takes a boolean. When true, enables dynamic MAC learning to
576 discover remote MAC addresses.
577
578 FDBAgeingSec=
579 The lifetime of Forwarding Database entry learnt by the kernel, in
580 seconds.
581
582 MaximumFDBEntries=
583 Configures maximum number of FDB entries.
584
585 ReduceARPProxy=
586 Takes a boolean. When true, bridge-connected VXLAN tunnel endpoint
587 answers ARP requests from the local bridge on behalf of remote
588 Distributed Overlay Virtual Ethernet (DOVE)[7] clients. Defaults to
589 false.
590
591 L2MissNotification=
592 Takes a boolean. When true, enables netlink LLADDR miss
593 notifications.
594
595 L3MissNotification=
596 Takes a boolean. When true, enables netlink IP address miss
597 notifications.
598
599 RouteShortCircuit=
600 Takes a boolean. When true, route short circuiting is turned on.
601
602 UDPChecksum=
603 Takes a boolean. When true, transmitting UDP checksums when doing
604 VXLAN/IPv4 is turned on.
605
606 UDP6ZeroChecksumTx=
607 Takes a boolean. When true, sending zero checksums in VXLAN/IPv6 is
608 turned on.
609
610 UDP6ZeroChecksumRx=
611 Takes a boolean. When true, receiving zero checksums in VXLAN/IPv6
612 is turned on.
613
614 RemoteChecksumTx=
615 Takes a boolean. When true, remote transmit checksum offload of
616 VXLAN is turned on.
617
618 RemoteChecksumRx=
619 Takes a boolean. When true, remote receive checksum offload in
620 VXLAN is turned on.
621
622 GroupPolicyExtension=
623 Takes a boolean. When true, it enables Group Policy VXLAN extension
624 security label mechanism across network peers based on VXLAN. For
625 details about the Group Policy VXLAN, see the VXLAN Group Policy[8]
626 document. Defaults to false.
627
628 GenericProtocolExtension=
629 Takes a boolean. When true, Generic Protocol Extension extends the
630 existing VXLAN protocol to provide protocol typing, OAM, and
631 versioning capabilities. For details about the VXLAN GPE Header,
632 see the Generic Protocol Extension for VXLAN[9] document. If
633 destination port is not specified and Generic Protocol Extension is
634 set then default port of 4790 is used. Defaults to false.
635
636 DestinationPort=
637 Configures the default destination UDP port. If the destination
638 port is not specified then Linux kernel default will be used. Set
639 to 4789 to get the IANA assigned value.
640
641 PortRange=
642 Configures the source port range for the VXLAN. The kernel assigns
643 the source UDP port based on the flow to help the receiver to do
644 load balancing. When this option is not set, the normal range of
645 local UDP ports is used.
646
647 FlowLabel=
648 Specifies the flow label to use in outgoing packets. The valid
649 range is 0-1048575.
650
651 IPDoNotFragment=
652 Allows setting the IPv4 Do not Fragment (DF) bit in outgoing
653 packets, or to inherit its value from the IPv4 inner header. Takes
654 a boolean value, or "inherit". Set to "inherit" if the encapsulated
655 protocol is IPv6. When unset, the kernel's default will be used.
656
657 Independent=
658 Takes a boolean. When true, the vxlan interface is created without
659 any underlying network interface. Defaults to false, which means
660 that a .network file that requests this VXLAN interface using
661 VXLAN= is required for the VXLAN to be created.
662
664 The [GENEVE] section only applies for netdevs of kind "geneve", and
665 accepts the following keys:
666
667 Id=
668 Specifies the Virtual Network Identifier (VNI) to use, a number
669 between 0 and 16777215. This field is mandatory.
670
671 Remote=
672 Specifies the unicast destination IP address to use in outgoing
673 packets.
674
675 TOS=
676 Specifies the TOS value to use in outgoing packets. Takes a number
677 between 1 and 255.
678
679 TTL=
680 Accepts the same values as in the [VXLAN] section, except that when
681 unset or set to 0, the kernel's default will be used, meaning that
682 packet TTL will be set from /proc/sys/net/ipv4/ip_default_ttl.
683
684 UDPChecksum=
685 Takes a boolean. When true, specifies that UDP checksum is
686 calculated for transmitted packets over IPv4.
687
688 UDP6ZeroChecksumTx=
689 Takes a boolean. When true, skip UDP checksum calculation for
690 transmitted packets over IPv6.
691
692 UDP6ZeroChecksumRx=
693 Takes a boolean. When true, allows incoming UDP packets over IPv6
694 with zero checksum field.
695
696 DestinationPort=
697 Specifies destination port. Defaults to 6081. If not set or
698 assigned the empty string, the default port of 6081 is used.
699
700 FlowLabel=
701 Specifies the flow label to use in outgoing packets.
702
703 IPDoNotFragment=
704 Accepts the same key as in [VXLAN] section.
705
707 The [BareUDP] section only applies for netdevs of kind "bareudp", and
708 accepts the following keys:
709
710 DestinationPort=
711 Specifies the destination UDP port (in range 1...65535). This is
712 mandatory.
713
714 EtherType=
715 Specifies the L3 protocol. Takes one of "ipv4", "ipv6", "mpls-uc"
716 or "mpls-mc". This is mandatory.
717
719 The [L2TP] section only applies for netdevs of kind "l2tp", and accepts
720 the following keys:
721
722 TunnelId=
723 Specifies the tunnel identifier. Takes an number in the range
724 1...4294967295. The value used must match the "PeerTunnelId=" value
725 being used at the peer. This setting is compulsory.
726
727 PeerTunnelId=
728 Specifies the peer tunnel id. Takes a number in the range
729 1...4294967295. The value used must match the "TunnelId=" value
730 being used at the peer. This setting is compulsory.
731
732 Remote=
733 Specifies the IP address of the remote peer. This setting is
734 compulsory.
735
736 Local=
737 Specifies the IP address of a local interface. Takes an IP address,
738 or the special values "auto", "static", or "dynamic". Optionally a
739 name of a local interface can be specified after "@", e.g.
740 "192.168.0.1@eth0" or "auto@eth0". When an address is specified,
741 then a local or specified interface must have the address, and the
742 remote address must be accessible through the local address. If
743 "auto", then one of the addresses on a local or specified interface
744 which is accessible to the remote address will be used. Similarly,
745 if "static" or "dynamic" is set, then one of the static or dynamic
746 addresses will be used. Defaults to "auto".
747
748 EncapsulationType=
749 Specifies the encapsulation type of the tunnel. Takes one of "udp"
750 or "ip".
751
752 UDPSourcePort=
753 Specifies the UDP source port to be used for the tunnel. When UDP
754 encapsulation is selected it's mandatory. Ignored when IP
755 encapsulation is selected.
756
757 UDPDestinationPort=
758 Specifies destination port. When UDP encapsulation is selected it's
759 mandatory. Ignored when IP encapsulation is selected.
760
761 UDPChecksum=
762 Takes a boolean. When true, specifies that UDP checksum is
763 calculated for transmitted packets over IPv4.
764
765 UDP6ZeroChecksumTx=
766 Takes a boolean. When true, skip UDP checksum calculation for
767 transmitted packets over IPv6.
768
769 UDP6ZeroChecksumRx=
770 Takes a boolean. When true, allows incoming UDP packets over IPv6
771 with zero checksum field.
772
774 The [L2TPSession] section only applies for netdevs of kind "l2tp", and
775 accepts the following keys:
776
777 Name=
778 Specifies the name of the session. This setting is compulsory.
779
780 SessionId=
781 Specifies the session identifier. Takes an number in the range
782 1...4294967295. The value used must match the "SessionId=" value
783 being used at the peer. This setting is compulsory.
784
785 PeerSessionId=
786 Specifies the peer session identifier. Takes an number in the range
787 1...4294967295. The value used must match the "PeerSessionId="
788 value being used at the peer. This setting is compulsory.
789
790 Layer2SpecificHeader=
791 Specifies layer2specific header type of the session. One of "none"
792 or "default". Defaults to "default".
793
795 The [MACsec] section only applies for network devices of kind "macsec",
796 and accepts the following keys:
797
798 Port=
799 Specifies the port to be used for the MACsec transmit channel. The
800 port is used to make secure channel identifier (SCI). Takes a value
801 between 1 and 65535. Defaults to unset.
802
803 Encrypt=
804 Takes a boolean. When true, enable encryption. Defaults to unset.
805
807 The [MACsecReceiveChannel] section only applies for network devices of
808 kind "macsec", and accepts the following keys:
809
810 Port=
811 Specifies the port to be used for the MACsec receive channel. The
812 port is used to make secure channel identifier (SCI). Takes a value
813 between 1 and 65535. This option is compulsory, and is not set by
814 default.
815
816 MACAddress=
817 Specifies the MAC address to be used for the MACsec receive
818 channel. The MAC address used to make secure channel identifier
819 (SCI). This setting is compulsory, and is not set by default.
820
822 The [MACsecTransmitAssociation] section only applies for network
823 devices of kind "macsec", and accepts the following keys:
824
825 PacketNumber=
826 Specifies the packet number to be used for replay protection and
827 the construction of the initialization vector (along with the
828 secure channel identifier [SCI]). Takes a value between
829 1-4,294,967,295. Defaults to unset.
830
831 KeyId=
832 Specifies the identification for the key. Takes a number in the
833 range 0...255. This option is compulsory, and is not set by default.
834
835 Key=
836 Specifies the encryption key used in the transmission channel. The
837 same key must be configured on the peer’s matching receive channel.
838 This setting is compulsory, and is not set by default. Takes a
839 128-bit key encoded in a hexadecimal string, for example
840 "dffafc8d7b9a43d5b9a3dfbbf6a30c16".
841
842 KeyFile=
843 Takes an absolute path to a file which contains a 128-bit key
844 encoded in a hexadecimal string, which will be used in the
845 transmission channel. When this option is specified, Key= is
846 ignored. Note that the file must be readable by the user
847 "systemd-network", so it should be, e.g., owned by
848 "root:systemd-network" with a "0640" file mode. If the path refers
849 to an AF_UNIX stream socket in the file system a connection is made
850 to it and the key read from it.
851
852 Activate=
853 Takes a boolean. If enabled, then the security association is
854 activated. Defaults to unset.
855
856 UseForEncoding=
857 Takes a boolean. If enabled, then the security association is used
858 for encoding. Only one [MACsecTransmitAssociation] section can
859 enable this option. When enabled, Activate=yes is implied. Defaults
860 to unset.
861
863 The [MACsecReceiveAssociation] section only applies for network devices
864 of kind "macsec", and accepts the following keys:
865
866 Port=
867 Accepts the same key as in [MACsecReceiveChannel] section.
868
869 MACAddress=
870 Accepts the same key as in [MACsecReceiveChannel] section.
871
872 PacketNumber=
873 Accepts the same key as in [MACsecTransmitAssociation] section.
874
875 KeyId=
876 Accepts the same key as in [MACsecTransmitAssociation] section.
877
878 Key=
879 Accepts the same key as in [MACsecTransmitAssociation] section.
880
881 KeyFile=
882 Accepts the same key as in [MACsecTransmitAssociation] section.
883
884 Activate=
885 Accepts the same key as in [MACsecTransmitAssociation] section.
886
888 The [Tunnel] section only applies for netdevs of kind "ipip", "sit",
889 "gre", "gretap", "ip6gre", "ip6gretap", "vti", "vti6", "ip6tnl", and
890 "erspan" and accepts the following keys:
891
892 External=
893 Takes a boolean value. When true, then the tunnel is externally
894 controlled, which is also known as collect metadata mode, and most
895 settings below like Local= or Remote= are ignored. This implies
896 Independent=. Defaults to false.
897
898 Local=
899 A static local address for tunneled packets. It must be an address
900 on another interface of this host, or one of the special values
901 "any", "ipv4_link_local", "ipv6_link_local", "dhcp4", "dhcp6", and
902 "slaac". If one of the special values except for "any" is
903 specified, an address which matches the corresponding type on the
904 underlying interface will be used. Defaults to "any".
905
906 Remote=
907 The remote endpoint of the tunnel. Takes an IP address or the
908 special value "any".
909
910 TOS=
911 The Type Of Service byte value for a tunnel interface. For details
912 about the TOS, see the Type of Service in the Internet Protocol
913 Suite[10] document.
914
915 TTL=
916 A fixed Time To Live N on tunneled packets. N is a number in the
917 range 1...255. 0 is a special value meaning that packets inherit
918 the TTL value. The default value for IPv4 tunnels is 0 (inherit).
919 The default value for IPv6 tunnels is 64.
920
921 DiscoverPathMTU=
922 Takes a boolean. When true, enables Path MTU Discovery on the
923 tunnel.
924
925 IPv6FlowLabel=
926 Configures the 20-bit flow label (see RFC 6437[11]) field in the
927 IPv6 header (see RFC 2460[12]), which is used by a node to label
928 packets of a flow. It is only used for IPv6 tunnels. A flow label
929 of zero is used to indicate packets that have not been labeled. It
930 can be configured to a value in the range 0...0xFFFFF, or be set to
931 "inherit", in which case the original flowlabel is used.
932
933 CopyDSCP=
934 Takes a boolean. When true, the Differentiated Service Code Point
935 (DSCP) field will be copied to the inner header from outer header
936 during the decapsulation of an IPv6 tunnel packet. DSCP is a field
937 in an IP packet that enables different levels of service to be
938 assigned to network traffic. Defaults to "no".
939
940 EncapsulationLimit=
941 The Tunnel Encapsulation Limit option specifies how many additional
942 levels of encapsulation are permitted to be prepended to the
943 packet. For example, a Tunnel Encapsulation Limit option containing
944 a limit value of zero means that a packet carrying that option may
945 not enter another tunnel before exiting the current tunnel. (see
946 RFC 2473[13]). The valid range is 0...255 and "none". Defaults to
947 4.
948
949 Key=
950 The Key= parameter specifies the same key to use in both directions
951 (InputKey= and OutputKey=). The Key= is either a number or an IPv4
952 address-like dotted quad. It is used as mark-configured SAD/SPD
953 entry as part of the lookup key (both in data and control path) in
954 IP XFRM (framework used to implement IPsec protocol). See ip-xfrm —
955 transform configuration[14] for details. It is only used for
956 VTI/VTI6, GRE, GRETAP, and ERSPAN tunnels.
957
958 InputKey=
959 The InputKey= parameter specifies the key to use for input. The
960 format is same as Key=. It is only used for VTI/VTI6, GRE, GRETAP,
961 and ERSPAN tunnels.
962
963 OutputKey=
964 The OutputKey= parameter specifies the key to use for output. The
965 format is same as Key=. It is only used for VTI/VTI6, GRE, GRETAP,
966 and ERSPAN tunnels.
967
968 Mode=
969 An "ip6tnl" tunnel can be in one of three modes "ip6ip6" for IPv6
970 over IPv6, "ipip6" for IPv4 over IPv6 or "any" for either.
971
972 Independent=
973 Takes a boolean. When false (the default), the tunnel is always
974 created over some network device, and a .network file that requests
975 this tunnel using Tunnel= is required for the tunnel to be created.
976 When true, the tunnel is created independently of any network as
977 "tunnel@NONE".
978
979 AssignToLoopback=
980 Takes a boolean. If set to "yes", the loopback interface "lo" is
981 used as the underlying device of the tunnel interface. Defaults to
982 "no".
983
984 AllowLocalRemote=
985 Takes a boolean. When true allows tunnel traffic on ip6tnl devices
986 where the remote endpoint is a local host address. When unset, the
987 kernel's default will be used.
988
989 FooOverUDP=
990 Takes a boolean. Specifies whether a FooOverUDP= tunnel is to be
991 configured. Defaults to false. This takes effect only for IPIP,
992 SIT, GRE, and GRETAP tunnels. For more detailed information, see
993 Foo over UDP[15].
994
995 FOUDestinationPort=
996 This setting specifies the UDP destination port for encapsulation.
997 This field is mandatory when FooOverUDP=yes, and is not set by
998 default.
999
1000 FOUSourcePort=
1001 This setting specifies the UDP source port for encapsulation.
1002 Defaults to 0 — that is, the source port for packets is left to the
1003 network stack to decide.
1004
1005 Encapsulation=
1006 Accepts the same key as in the [FooOverUDP] section.
1007
1008 IPv6RapidDeploymentPrefix=
1009 Reconfigure the tunnel for IPv6 Rapid Deployment[16], also known as
1010 6rd. The value is an ISP-specific IPv6 prefix with a non-zero
1011 length. Only applicable to SIT tunnels.
1012
1013 ISATAP=
1014 Takes a boolean. If set, configures the tunnel as Intra-Site
1015 Automatic Tunnel Addressing Protocol (ISATAP) tunnel. Only
1016 applicable to SIT tunnels. When unset, the kernel's default will be
1017 used.
1018
1019 SerializeTunneledPackets=
1020 Takes a boolean. If set to yes, then packets are serialized. Only
1021 applies for GRE, GRETAP, and ERSPAN tunnels. When unset, the
1022 kernel's default will be used.
1023
1024 ERSPANVersion=
1025 Specifies the ERSPAN version number. Takes 0 for version 0 (a.k.a.
1026 type I), 1 for version 1 (a.k.a. type II), or 2 for version 2
1027 (a.k.a. type III). Defaults to 1.
1028
1029 ERSPANIndex=
1030 Specifies the ERSPAN v1 index field for the interface. Takes an
1031 integer in the range 0...1048575, which is associated with the
1032 ERSPAN traffic's source port and direction. Only used when
1033 ERSPANVersion=1. Defaults to 0.
1034
1035 ERSPANDirection=
1036 Specifies the ERSPAN v2 mirrored traffic's direction. Takes
1037 "ingress" or "egress". Only used when ERSPANVersion=2. Defaults to
1038 "ingress".
1039
1040 ERSPANHardwareId=
1041 Specifies a unique identifier of the ERSPAN v2 engine. Takes an
1042 integer in the range 0...63. Only used when ERSPANVersion=2.
1043 Defaults to 0.
1044
1046 The [FooOverUDP] section only applies for netdevs of kind "fou" and
1047 accepts the following keys:
1048
1049 Encapsulation=
1050 Specifies the encapsulation mechanism used to store networking
1051 packets of various protocols inside the UDP packets. Supports the
1052 following values: "FooOverUDP" provides the simplest no-frills
1053 model of UDP encapsulation; it simply encapsulates packets directly
1054 in the UDP payload. "GenericUDPEncapsulation" is a generic and
1055 extensible encapsulation; it allows encapsulation of packets for
1056 any IP protocol and optional data as part of the encapsulation. For
1057 more detailed information see Generic UDP Encapsulation[17].
1058 Defaults to "FooOverUDP".
1059
1060 Port=
1061 Specifies the port number where the encapsulated packets will
1062 arrive. Those packets will be removed and manually fed back into
1063 the network stack with the encapsulation removed to be sent to the
1064 real destination. This option is mandatory.
1065
1066 PeerPort=
1067 Specifies the peer port number. Defaults to unset. Note that when a
1068 peer port is set, the "Peer=" address is mandatory.
1069
1070 Protocol=
1071 The Protocol= specifies the protocol number of the packets arriving
1072 at the UDP port. When Encapsulation=FooOverUDP, this field is
1073 mandatory and is not set by default. Takes an IP protocol name such
1074 as "gre" or "ipip", or an integer within the range 1...255. When
1075 Encapsulation=GenericUDPEncapsulation, this must not be specified.
1076
1077 Peer=
1078 Configures the peer IP address. Note that when a peer address is
1079 set, "PeerPort=" is mandatory.
1080
1081 Local=
1082 Configures the local IP address.
1083
1085 The [Peer] section only applies for netdevs of kind "veth" and accepts
1086 the following keys:
1087
1088 Name=
1089 The interface name used when creating the netdev. This setting is
1090 compulsory.
1091
1092 MACAddress=
1093 The peer MAC address. If not set, it is generated in the same way
1094 as the MAC address of the main interface.
1095
1097 The [VXCAN] section only applies for netdevs of kind "vxcan" and
1098 accepts the following key:
1099
1100 Peer=
1101 The peer interface name used when creating the netdev. This setting
1102 is compulsory.
1103
1105 The [Tun] section only applies for netdevs of kind "tun", and accepts
1106 the following keys:
1107
1108 MultiQueue=
1109 Takes a boolean. Configures whether to use multiple file
1110 descriptors (queues) to parallelize packet sending and receiving.
1111 Defaults to "no".
1112
1113 PacketInfo=
1114 Takes a boolean. Configures whether packets should be prepended
1115 with four extra bytes (two flag bytes and two protocol bytes). If
1116 disabled, it indicates that the packets will be pure IP packets.
1117 Defaults to "no".
1118
1119 VNetHeader=
1120 Takes a boolean. Configures IFF_VNET_HDR flag for a tun or tap
1121 device. It allows sending and receiving larger Generic Segmentation
1122 Offload (GSO) packets. This may increase throughput significantly.
1123 Defaults to "no".
1124
1125 User=
1126 User to grant access to the /dev/net/tun device.
1127
1128 Group=
1129 Group to grant access to the /dev/net/tun device.
1130
1131 KeepCarrier=
1132 Takes a boolean. If enabled, to make the interface maintain its
1133 carrier status, the file descriptor of the interface is kept open.
1134 This may be useful to keep the interface in running state, for
1135 example while the backing process is temporarily shut down.
1136 Defaults to "no".
1137
1139 The [Tap] section only applies for netdevs of kind "tap", and accepts
1140 the same keys as the [Tun] section.
1141
1143 The [WireGuard] section accepts the following keys:
1144
1145 PrivateKey=
1146 The Base64 encoded private key for the interface. It can be
1147 generated using the wg genkey command (see wg(8)). This option or
1148 PrivateKeyFile= is mandatory to use WireGuard. Note that because
1149 this information is secret, you may want to set the permissions of
1150 the .netdev file to be owned by "root:systemd-network" with a
1151 "0640" file mode.
1152
1153 PrivateKeyFile=
1154 Takes an absolute path to a file which contains the Base64 encoded
1155 private key for the interface. When this option is specified, then
1156 PrivateKey= is ignored. Note that the file must be readable by the
1157 user "systemd-network", so it should be, e.g., owned by
1158 "root:systemd-network" with a "0640" file mode. If the path refers
1159 to an AF_UNIX stream socket in the file system a connection is made
1160 to it and the key read from it.
1161
1162 ListenPort=
1163 Sets the UDP port for listening. Takes a value between 1 and 65535
1164 or "auto". If "auto" is specified, the port is automatically
1165 generated based on the interface name. Defaults to "auto".
1166
1167 FirewallMark=
1168 Sets a firewall mark on outgoing WireGuard packets from this
1169 interface. Takes a number between 1 and 4294967295.
1170
1171 RouteTable=
1172 The table identifier for the routes to the addresses specified in
1173 the AllowedIPs=. Takes a negative boolean value, one of the
1174 predefined names "default", "main", and "local", names defined in
1175 RouteTable= in networkd.conf(5), or a number in the range
1176 1...4294967295. When "off" the routes to the addresses specified in
1177 the AllowedIPs= setting will not be configured. Defaults to false.
1178 This setting will be ignored when the same setting is specified in
1179 the [WireGuardPeer] section.
1180
1181 RouteMetric=
1182 The priority of the routes to the addresses specified in the
1183 AllowedIPs=. Takes an integer in the range 0...4294967295. Defaults
1184 to 0 for IPv4 addresses, and 1024 for IPv6 addresses. This setting
1185 will be ignored when the same setting is specified in the
1186 [WireGuardPeer] section.
1187
1189 The [WireGuardPeer] section accepts the following keys:
1190
1191 PublicKey=
1192 Sets a Base64 encoded public key calculated by wg pubkey (see
1193 wg(8)) from a private key, and usually transmitted out of band to
1194 the author of the configuration file. This option is mandatory for
1195 this section.
1196
1197 PresharedKey=
1198 Optional preshared key for the interface. It can be generated by
1199 the wg genpsk command. This option adds an additional layer of
1200 symmetric-key cryptography to be mixed into the already existing
1201 public-key cryptography, for post-quantum resistance. Note that
1202 because this information is secret, you may want to set the
1203 permissions of the .netdev file to be owned by
1204 "root:systemd-network" with a "0640" file mode.
1205
1206 PresharedKeyFile=
1207 Takes an absolute path to a file which contains the Base64 encoded
1208 preshared key for the peer. When this option is specified, then
1209 PresharedKey= is ignored. Note that the file must be readable by
1210 the user "systemd-network", so it should be, e.g., owned by
1211 "root:systemd-network" with a "0640" file mode. If the path refers
1212 to an AF_UNIX stream socket in the file system a connection is made
1213 to it and the key read from it.
1214
1215 AllowedIPs=
1216 Sets a comma-separated list of IP (v4 or v6) addresses with CIDR
1217 masks from which this peer is allowed to send incoming traffic and
1218 to which outgoing traffic for this peer is directed.
1219
1220 The catch-all 0.0.0.0/0 may be specified for matching all IPv4
1221 addresses, and ::/0 may be specified for matching all IPv6
1222 addresses.
1223
1224 Note that this only affects routing inside the network interface
1225 itself, i.e. the packets that pass through the tunnel itself. To
1226 cause packets to be sent via the tunnel in the first place, an
1227 appropriate route needs to be added as well — either in the
1228 "[Routes]" section on the ".network" matching the wireguard
1229 interface, or externally to systemd-networkd.
1230
1231 Endpoint=
1232 Sets an endpoint IP address or hostname, followed by a colon, and
1233 then a port number. An IPv6 address must be enclosed in square
1234 brackets. For example, "111.222.333.444:51820" for IPv4 and
1235 "[1111:2222::3333]:51820" for IPv6. This endpoint will be
1236 updated automatically once to the most recent source IP address and
1237 port of correctly authenticated packets from the peer at
1238 configuration time.
1239
1240 PersistentKeepalive=
1241 Sets a seconds interval, between 1 and 65535 inclusive, of how
1242 often to send an authenticated empty packet to the peer for the
1243 purpose of keeping a stateful firewall or NAT mapping valid
1244 persistently. For example, if the interface very rarely sends
1245 traffic, but it might at anytime receive traffic from a peer, and
1246 it is behind NAT, the interface might benefit from having a
1247 persistent keepalive interval of 25 seconds. If set to 0 or "off",
1248 this option is disabled. By default or when unspecified, this
1249 option is off. Most users will not need this.
1250
1251 RouteTable=
1252 The table identifier for the routes to the addresses specified in
1253 the AllowedIPs=. Takes a negative boolean value, one of the
1254 predefined names "default", "main", and "local", names defined in
1255 RouteTable= in networkd.conf(5), or a number in the range
1256 1...4294967295. Defaults to unset, and the value specified in the
1257 same setting in the [WireGuard] section will be used.
1258
1259 RouteMetric=
1260 The priority of the routes to the addresses specified in the
1261 AllowedIPs=. Takes an integer in the range 0...4294967295. Defaults
1262 to unset, and the value specified in the same setting in the
1263 [WireGuard] section will be used.
1264
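The key-handling rules stated in the [MACsec*] sections above and in [WireGuard]/[WireGuardPeer] (compulsory keys, a 128-bit hex MACsec Key=, Base64 WireGuard keys, absolute *File= paths, bracketed IPv6 Endpoint=, and the root:systemd-network 0640 advice for files holding inline secrets) can be checked mechanically before a file is dropped into /etc/systemd/network. The linter below is an added example, not part of systemd; the .netdev fragments it checks are constructed (the MACsec Key= value is the manual's own example), and the 32-byte WireGuard key length comes from WireGuard itself rather than from this page.

```python
"""Lint .netdev files for the MACsec and WireGuard key rules stated above."""
import base64
import re

# Keys whose presence means the .netdev file itself contains a secret.
INLINE_SECRET_KEYS = {
    "MACsecTransmitAssociation": {"Key"},
    "MACsecReceiveAssociation": {"Key"},
    "WireGuard": {"PrivateKey"},
    "WireGuardPeer": {"PresharedKey"},
}
# Keys naming an external key file; the manual requires an absolute path.
KEYFILE_KEYS = {"KeyFile", "PrivateKeyFile", "PresharedKeyFile"}
HEX128 = re.compile(r"^[0-9a-fA-F]{32}$")  # 128-bit MACsec key in hex


def parse_netdev(text):
    """Return [(section, [(key, value), ...]), ...] in file order; repeated
    sections (several [WireGuardPeer]) stay separate, unlike configparser."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1].append((key.strip(), value.strip()))
    return sections


def is_wg_key(value):
    """WireGuard private, public and preshared keys are 32 bytes in Base64."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def lint_netdev(text):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    for name, items in parse_netdev(text):
        keys = dict(items)
        if name in ("MACsecTransmitAssociation", "MACsecReceiveAssociation"):
            if "Key" not in keys and "KeyFile" not in keys:
                findings.append(f"[{name}] Key= or KeyFile= is compulsory")
            if "Key" in keys and not HEX128.match(keys["Key"]):
                findings.append(f"[{name}] Key= is not a 128-bit hex string")
            key_id = keys.get("KeyId", "")
            if not (key_id.isdigit() and int(key_id) <= 255):
                findings.append(f"[{name}] KeyId= is compulsory, range 0...255")
        if name == "WireGuard":
            if "PrivateKey" not in keys and "PrivateKeyFile" not in keys:
                findings.append("[WireGuard] PrivateKey= or PrivateKeyFile= is mandatory")
            if "PrivateKey" in keys and not is_wg_key(keys["PrivateKey"]):
                findings.append("[WireGuard] PrivateKey= is not a Base64 32-byte key")
        if name == "WireGuardPeer":
            if not is_wg_key(keys.get("PublicKey", "")):
                findings.append("[WireGuardPeer] PublicKey= missing or not a Base64 32-byte key")
            endpoint = keys.get("Endpoint", "")
            if endpoint.count(":") > 1 and not endpoint.startswith("["):
                findings.append("[WireGuardPeer] IPv6 Endpoint= must be in square brackets")
        for key, value in items:
            if key in KEYFILE_KEYS and not value.startswith("/"):
                findings.append(f"[{name}] {key}= must be an absolute path")
    return findings


def has_inline_secret(text):
    """True when the file itself carries key material, so its mode matters."""
    return any(key in INLINE_SECRET_KEYS.get(name, ())
               for name, items in parse_netdev(text) for key, _ in items)


def secret_file_mode_ok(st_mode):
    """The 0640 root:systemd-network advice: no 'other' bits, group read-only."""
    return (st_mode & 0o077) in (0o000, 0o040)


# Constructed samples: the MACsec Key= is the manual's own example value; the
# MAC address and the WireGuard private key are made up for the demonstration.
SAMPLE_MACSEC = """\
[MACsecTransmitAssociation]
KeyId=1
Key=dffafc8d7b9a43d5b9a3dfbbf6a30c16
[MACsecReceiveAssociation]
MACAddress=c6:19:52:8f:e6:a0
KeyId=300
KeyFile=keys/peer.key
"""
SAMPLE_WG = f"""\
[WireGuard]
PrivateKey={base64.b64encode(bytes(range(32))).decode()}
[WireGuardPeer]
PublicKey=not-base64!
Endpoint=2001:db8::1:51820
"""
```

Pair `has_inline_secret()` with `os.stat(path).st_mode` on the real file: a file that reports `True` and fails `secret_file_mode_ok()` exposes its key to every local user.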
1266 The [Bond] section accepts the following key:
1267
1268 Mode=
1269 Specifies one of the bonding policies. The default is "balance-rr"
1270 (round robin). Possible values are "balance-rr", "active-backup",
1271 "balance-xor", "broadcast", "802.3ad", "balance-tlb", and
1272 "balance-alb".
1273
1274 TransmitHashPolicy=
1275 Selects the transmit hash policy to use for slave selection in
1276 balance-xor, 802.3ad, and tlb modes. Possible values are "layer2",
1277 "layer3+4", "layer2+3", "encap2+3", and "encap3+4".
1278
1279 LACPTransmitRate=
1280 Specifies the rate at which the link partner transmits Link
1281 Aggregation Control Protocol Data Unit packets in 802.3ad mode.
1282 Possible values are "slow", which requests the partner to transmit
1283 LACPDUs every 30 seconds, and "fast", which requests the partner to
1284 transmit LACPDUs every second. The default value is "slow".
1285
1286 MIIMonitorSec=
1287 Specifies the frequency at which Media Independent Interface (MII)
1288 link monitoring occurs. A value of zero disables MII link
1289 monitoring. This value is rounded down to the nearest millisecond.
1290 The default value is 0.
1291
1292 UpDelaySec=
1293 Specifies the delay before a link is enabled after a link up status
1294 has been detected. This value is rounded down to a multiple of
1295 MIIMonitorSec=. The default value is 0.
1296
1297 DownDelaySec=
1298 Specifies the delay before a link is disabled after a link down
1299 status has been detected. This value is rounded down to a multiple
1300 of MIIMonitorSec=. The default value is 0.
1301
1302 LearnPacketIntervalSec=
1303 Specifies the number of seconds between instances where the bonding
1304 driver sends learning packets to each slave peer switch. The valid
1305 range is 1...0x7fffffff; the default value is 1. This option has an
1306 effect only for the balance-tlb and balance-alb modes.
1307
1308 AdSelect=
1309 Specifies the 802.3ad aggregation selection logic to use. Possible
1310 values are "stable", "bandwidth" and "count".
1311
1312 AdActorSystemPriority=
1313 Specifies the 802.3ad actor system priority. Takes a number in the
1314 range 1...65535.
1315
1316 AdUserPortKey=
1317 Specifies the 802.3ad user defined portion of the port key. Takes a
1318 number in the range 0...1023.
1319
1320 AdActorSystem=
1321 Specifies the 802.3ad system MAC address. This cannot be a null or
1322 multicast address.
1323
1324 FailOverMACPolicy=
1325 Specifies whether the active-backup mode should set all slaves to
1326 the same MAC address at the time of enslavement or, when enabled,
1327 to perform special handling of the bond's MAC address in accordance
1328 with the selected policy. The default policy is none. Possible
1329 values are "none", "active" and "follow".
1330
1331 ARPValidate=
1332 Specifies whether or not ARP probes and replies should be validated
1333 in any mode that supports ARP monitoring, or whether non-ARP
1334 traffic should be filtered (disregarded) for link monitoring
1335 purposes. Possible values are "none", "active", "backup" and "all".
1336
1337 ARPIntervalSec=
1338 Specifies the ARP link monitoring frequency. A value of 0 disables
1339 ARP monitoring. The default value is 0, and the default unit is
1340 seconds.
1341
1342 ARPIPTargets=
1343 Specifies the IP addresses to use as ARP monitoring peers when
1344 ARPIntervalSec= is greater than 0. These are the targets of the ARP
1345 request sent to determine the health of the link to the targets.
1346 Specify these values in IPv4 dotted decimal format. At least one IP
1347 address must be given for ARP monitoring to function. The maximum
1348 number of targets that can be specified is 16. The default value is
1349 no IP addresses.
1350
1351 ARPAllTargets=
1352 Specifies the quantity of ARPIPTargets= that must be reachable in
1353 order for the ARP monitor to consider a slave as being up. This
1354 option affects only active-backup mode for slaves with ARPValidate
1355 enabled. Possible values are "any" and "all".
1356
1357 PrimaryReselectPolicy=
1358 Specifies the reselection policy for the primary slave. This
1359 affects how the primary slave is chosen to become the active slave
1360 when failure of the active slave or recovery of the primary slave
1361 occurs. This option is designed to prevent flip-flopping between
1362 the primary slave and other slaves. Possible values are "always",
1363 "better" and "failure".
1364
1365 ResendIGMP=
1366 Specifies the number of IGMP membership reports to be issued after
1367 a failover event. One membership report is issued immediately after
1368 the failover; subsequent reports are sent at 200 ms intervals.
1369 The valid range is 0...255. Defaults to 1. A value of 0 prevents
1370 the IGMP membership report from being issued in response to the
1371 failover event.
1372
1373 PacketsPerSlave=
1374 Specify the number of packets to transmit through a slave before
1375 moving to the next one. When set to 0, then a slave is chosen at
1376 random. The valid range is 0...65535. Defaults to 1. This option
1377 only has effect when in balance-rr mode.
1378
1379 GratuitousARP=
1380 Specify the number of peer notifications (gratuitous ARPs and
1381 unsolicited IPv6 Neighbor Advertisements) to be issued after a
1382 failover event. As soon as the link is up on the new slave, a peer
1383 notification is sent on the bonding device and each VLAN
1384 sub-device. This is repeated at each link monitor interval
1385 (ARPIntervalSec or MIIMonitorSec, whichever is active) if the
1386 number is greater than 1. The valid range is 0...255. The default
1387 value is 1. These options affect only the active-backup mode.
1388
1389 AllSlavesActive=
1390 Takes a boolean. Specifies that duplicate frames (received on
1391 inactive ports) should be dropped when false, or delivered when
1392 true. Normally, bonding will drop duplicate frames (received on
1393 inactive ports), which is desirable for most users, but in some
1394 situations it is useful to have duplicate frames delivered.
1395 The default value is false (drop duplicate frames received on
1396 inactive ports).
1397
1398 DynamicTransmitLoadBalancing=
1399 Takes a boolean. Specifies if dynamic shuffling of flows is
1400 enabled. Applies only for balance-tlb mode. Defaults to unset.
1401
1402 MinLinks=
1403 Specifies the minimum number of links that must be active before
1404 asserting carrier. The default value is 0.
1405
1406 For more detailed information, see the Linux Ethernet Bonding Driver HOWTO[1].
1407
1409 The [Xfrm] section accepts the following keys:
1410
1411 InterfaceId=
1412 Sets the ID/key of the xfrm interface which needs to be associated
1413 with a SA/policy. Can be decimal or hexadecimal; the valid range is
1414 1...0xffffffff. This is mandatory.
1415
1416 Independent=
1417 Takes a boolean. If false (the default), the xfrm interface must
1418 have an underlying device which can be used for hardware
1419 offloading.
1420
1421 For more detailed information, see Virtual XFRM Interfaces[18].
1422
1424 The [VRF] section only applies for netdevs of kind "vrf" and accepts
1425 the following key:
1426
1427 Table=
1428 The numeric routing table identifier. This setting is compulsory.
1429
1431 The [BatmanAdvanced] section only applies for netdevs of kind "batadv"
1432 and accepts the following keys:
1433
1434 GatewayMode=
1435 Takes one of "off", "server", or "client". A batman-adv node can
1436 either run in server mode (sharing its internet connection with the
1437 mesh), in client mode (searching for the most suitable internet
1438 connection in the mesh), or have gateway support turned off
1439 entirely (which is the default setting).
1440
1441 Aggregation=
1442 Takes a boolean value. Enables or disables aggregation of
1443 originator messages. Defaults to true.
1444
1445 BridgeLoopAvoidance=
1446 Takes a boolean value. Enables or disables avoidance of loops on
1447 bridges. Defaults to true.
1448
1449 DistributedArpTable=
1450 Takes a boolean value. Enables or disables the distributed ARP
1451 table. Defaults to true.
1452
1453 Fragmentation=
1454 Takes a boolean value. Enables or disables fragmentation. Defaults
1455 to true.
1456
1457 HopPenalty=
1458 The hop penalty setting allows one to modify the batctl(8)
1459 preference for multihop routes vs. short routes. This integer value
1460 is applied to the TQ (Transmit Quality) of each forwarded OGM
1461 (Originator Message), thereby propagating the cost of an extra hop
1462 (the packet has to be received and retransmitted, which costs
1463 airtime). A higher hop penalty makes it less likely that other
1464 nodes will choose this node as an intermediate hop towards any
1465 given destination. The default hop penalty of '15' is a reasonable
1466 value for most setups and probably does not need to be changed.
1467 However, mobile nodes could choose a value of 255 (the maximum) to
1468 avoid being chosen as a router by other nodes. The minimum value is 0.
1469
1470 OriginatorIntervalSec=
1471 The interval at which batman-adv floods the network with its
1472 protocol information. The value is in seconds unless another time
1473 unit is specified. See systemd.time(7) for more information.
1474
1475 GatewayBandwidthDown=
1476 If the node is a server, this parameter is used to inform other
1477 nodes in the network about this node's internet connection download
1478 bandwidth in bits per second. Just enter any number suffixed with
1479 K, M, G or T (base 1000) and the batman-adv module will propagate
1480 the entered value in the mesh.
1481
1482 GatewayBandwidthUp=
1483 If the node is a server, this parameter is used to inform other
1484 nodes in the network about this node's internet connection upload
1485 bandwidth in bits per second. Just enter any number suffixed with
1486 K, M, G or T (base 1000) and the batman-adv module will propagate
1487 the entered value in the mesh.
1488
1489 RoutingAlgorithm=
1490 This can be either "batman-v" or "batman-iv" and describes which
1491 routing_algo of batctl(8) to use. The algorithm cannot be changed
1492 after interface creation. Defaults to "batman-v".
1493
1495 The [IPoIB] section only applies for netdevs of kind "ipoib" and
1496 accepts the following keys:
1497
1498 PartitionKey=
1499 Takes an integer in the range 1...0xffff, except for 0x8000.
1500 Defaults to unset, and the kernel's default is used.
1501
1502 Mode=
1503 Takes one of the special values "datagram" or "connected". Defaults
1504 to unset, and the kernel's default is used.
1505
1506 When "datagram", the Infiniband unreliable datagram (UD) transport
1507 is used, and so the interface MTU is equal to the IB L2 MTU minus
1508 the IPoIB encapsulation header (4 bytes). For example, in a typical
1509 IB fabric with a 2K MTU, the IPoIB MTU will be 2048 - 4 = 2044
1510 bytes.
1511
1512 When "connected", the Infiniband reliable connected (RC) transport
1513 is used. Connected mode takes advantage of the connected nature of
1514 the IB transport and allows an MTU up to the maximal IP packet size
1515 of 64K, which reduces the number of IP packets needed for handling
1516 large UDP datagrams, TCP segments, etc., and increases the
1517 performance for large messages.
1518
1519 IgnoreUserspaceMulticastGroup=
1520 Takes a boolean value. When true, the kernel ignores multicast
1521 groups handled by userspace. Defaults to unset, and the kernel's
1522 default is used.
1523
1525 The [WLAN] section only applies to WLAN interfaces, and accepts the
1526 following keys:
1527
1528 PhysicalDevice=
1529 Specifies the name or index of the physical WLAN device (e.g. "0"
1530 or "phy0"). The list of the physical WLAN devices that exist on the
1531 host can be obtained with the iw phy command. This option is mandatory.
1532
1533 Type=
1534 Specifies the type of the interface. Takes one of "ad-hoc",
1535 "station", "ap", "ap-vlan", "wds", "monitor", "mesh-point",
1536 "p2p-client", "p2p-go", "p2p-device", "ocb", and "nan". This option
1537 is mandatory.
1538
1539 WDS=
1540 Enables the Wireless Distribution System (WDS) mode on the
1541 interface. The mode is also known as the "4 address mode". Takes a
1542 boolean value. Defaults to unset, and the kernel's default will be
1543 used.
1544
1546 Example 1. /etc/systemd/network/25-bridge.netdev
1547
1548 [NetDev]
1549 Name=bridge0
1550 Kind=bridge
1551
1552 Example 2. /etc/systemd/network/25-vlan1.netdev
1553
1554 [Match]
1555 Virtualization=no
1556
1557 [NetDev]
1558 Name=vlan1
1559 Kind=vlan
1560
1561 [VLAN]
1562 Id=1
1563
1564 Example 3. /etc/systemd/network/25-ipip.netdev
1565
1566 [NetDev]
1567 Name=ipip-tun
1568 Kind=ipip
1569 MTUBytes=1480
1570
1571 [Tunnel]
1572 Local=192.168.223.238
1573 Remote=192.169.224.239
1574 TTL=64
1575
1576 Example 4. /etc/systemd/network/1-fou-tunnel.netdev
1577
1578 [NetDev]
1579 Name=fou-tun
1580 Kind=fou
1581
1582 [FooOverUDP]
1583 Port=5555
1584 Protocol=4
1585
1586
1587 Example 5. /etc/systemd/network/25-fou-ipip.netdev
1588
1589 [NetDev]
1590 Name=ipip-tun
1591 Kind=ipip
1592
1593 [Tunnel]
1594 Independent=yes
1595 Local=10.65.208.212
1596 Remote=10.65.208.211
1597 FooOverUDP=yes
1598 FOUDestinationPort=5555
1599
1600
1601 Example 6. /etc/systemd/network/25-tap.netdev
1602
1603 [NetDev]
1604 Name=tap-test
1605 Kind=tap
1606
1607 [Tap]
1608 MultiQueue=yes
1609 PacketInfo=yes
1610
       Example 7. /etc/systemd/network/25-sit.netdev

           [NetDev]
           Name=sit-tun
           Kind=sit
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 8. /etc/systemd/network/25-6rd.netdev

           [NetDev]
           Name=6rd-tun
           Kind=sit
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           IPv6RapidDeploymentPrefix=2602::/24

       Example 9. /etc/systemd/network/25-gre.netdev

           [NetDev]
           Name=gre-tun
           Kind=gre
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 10. /etc/systemd/network/25-ip6gre.netdev

           [NetDev]
           Name=ip6gre-tun
           Kind=ip6gre

           [Tunnel]
           Key=123

       Example 11. /etc/systemd/network/25-vti.netdev

           [NetDev]
           Name=vti-tun
           Kind=vti
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 12. /etc/systemd/network/25-veth.netdev

           [NetDev]
           Name=veth-test
           Kind=veth

           [Peer]
           Name=veth-peer

       Example 13. /etc/systemd/network/25-bond.netdev

           [NetDev]
           Name=bond1
           Kind=bond

           [Bond]
           Mode=802.3ad
           TransmitHashPolicy=layer3+4
           MIIMonitorSec=1s
           LACPTransmitRate=fast

       Example 14. /etc/systemd/network/25-dummy.netdev

           [NetDev]
           Name=dummy-test
           Kind=dummy
           MACAddress=12:34:56:78:9a:bc

       Example 15. /etc/systemd/network/25-vrf.netdev

       Create a VRF interface with table 42.

           [NetDev]
           Name=vrf-test
           Kind=vrf

           [VRF]
           Table=42

       Example 16. /etc/systemd/network/25-macvtap.netdev

       Create a MacVTap device.

           [NetDev]
           Name=macvtap-test
           Kind=macvtap

       Example 17. /etc/systemd/network/25-wireguard.netdev

           [NetDev]
           Name=wg0
           Kind=wireguard

           [WireGuard]
           PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
           ListenPort=51820

           [WireGuardPeer]
           PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
           AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
           Endpoint=wireguard.example.com:51820

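       The WireGuard example above keeps the private key inline in the .netdev file. As an added example that is not part of the man page or of systemd, the following Python audit parses a file in the ini-style syntax the examples use (keeping repeated sections such as several [WireGuardPeer]) and flags an inline PrivateKey= or PresharedKey= when the file is more permissive than the root:systemd-network ownership and 0640 mode the man page's PrivateKey= description recommends; parse_netdev, audit_netdev, audit_netdev_path and the SECRET_KEYS list are names and choices made for this example.

```python
import grp
import os
import pwd
import re

# Keys that carry a secret when given inline (assumed list for this check). The
# man page's PrivateKey= description suggests root:systemd-network, mode 0640.
SECRET_KEYS = {"WireGuard": ("PrivateKey",), "WireGuardPeer": ("PresharedKey",)}

def parse_netdev(text):
    """Ini-style parser returning [(section, {key: [values]}), ...]; it keeps
    section order and repeats (a file may hold several [WireGuardPeer])."""
    sections, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = {}
            sections.append((m.group(1), current))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
        else:
            raise ValueError(f"malformed line: {raw!r}")
    return sections

def audit_netdev(text, mode, owner, group):
    """Return findings for one .netdev file given its text and file metadata."""
    sections, findings = parse_netdev(text), []
    netdev = [body for name, body in sections if name == "NetDev"]
    if len(netdev) != 1 or not netdev[0].get("Name") or not netdev[0].get("Kind"):
        return ["[NetDev] must appear exactly once with Name= and Kind="]
    secrets = [f"[{n}] {k}=" for n, body in sections
               for k in SECRET_KEYS.get(n, ()) if k in body]
    if secrets and mode & 0o137:  # any bit outside rw-r----- (0640) is too open
        findings.append(f"inline secret ({', '.join(secrets)}) in a file with mode "
                        f"{mode:04o}; expected 0640 or stricter")
    if secrets and (owner, group) != ("root", "systemd-network"):
        findings.append(f"inline secret in a file owned by {owner}:{group}; "
                        "expected root:systemd-network")
    return findings

def audit_netdev_path(path):
    """Audit an on-disk .netdev file using its real owner, group and mode."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        return audit_netdev(fh.read(), st.st_mode & 0o777,
                            pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name)
```

       Run audit_netdev_path() over each file in the directories listed at the top of this page; a file that only references a key through a file path or a system credential produces no finding.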
       Example 18. /etc/systemd/network/27-xfrm.netdev

           [NetDev]
           Name=xfrm0
           Kind=xfrm

           [Xfrm]
           Independent=yes

SEE ALSO
       systemd(1), systemd-networkd(8), systemd.link(5), systemd.network(5),
       systemd-network-generator.service(8)

NOTES
        1. Linux Ethernet Bonding Driver HOWTO
           https://docs.kernel.org/networking/bonding.html

        2. RFC 2784
           https://tools.ietf.org/html/rfc2784

        3. IEEE 802.1Q
           http://www.ieee802.org/1/pages/802.1Q.html

        4. VRF
           https://docs.kernel.org/networking/vrf.html

        5. B.A.T.M.A.N. Advanced
           https://www.open-mesh.org/projects/open-mesh/wiki

        6. System and Service Credentials
           https://systemd.io/CREDENTIALS

        7. Distributed Overlay Virtual Ethernet (DOVE)
           https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet

        8. VXLAN Group Policy
           https://tools.ietf.org/html/draft-smith-vxlan-group-policy

        9. Generic Protocol Extension for VXLAN
           https://tools.ietf.org/html/draft-ietf-nvo3-vxlan-gpe-07

       10. Type of Service in the Internet Protocol Suite
           http://tools.ietf.org/html/rfc1349

       11. RFC 6437
           https://tools.ietf.org/html/rfc6437

       12. RFC 2460
           https://tools.ietf.org/html/rfc2460

       13. RFC 2473
           https://tools.ietf.org/html/rfc2473#section-4.1.1

       14. ip-xfrm — transform configuration
           https://man7.org/linux/man-pages/man8/ip-xfrm.8.html

       15. Foo over UDP
           https://lwn.net/Articles/614348

       16. IPv6 Rapid Deployment
           https://tools.ietf.org/html/rfc5569

       17. Generic UDP Encapsulation
           https://lwn.net/Articles/615044

       18. Virtual XFRM Interfaces
           https://lwn.net/Articles/757391

systemd 253                                                  SYSTEMD.NETDEV(5)