SYSTEMD.NETDEV(5)               systemd.network              SYSTEMD.NETDEV(5)

NAME

       systemd.netdev - Virtual Network Device configuration


SYNOPSIS

       netdev.netdev


DESCRIPTION

       Network setup is performed by systemd-networkd(8).

       The main Virtual Network Device file must have the extension .netdev;
       other extensions are ignored. Virtual network devices are created as
       soon as networkd is started. If a netdev with the specified name
       already exists, networkd will use that as-is rather than create its
       own. Note that the settings of the pre-existing netdev will not be
       changed by networkd.

       The .netdev files are read from the system network directory
       /usr/lib/systemd/network, the volatile runtime network directory
       /run/systemd/network and the local administration network directory
       /etc/systemd/network. All configuration files are collectively sorted
       and processed in lexical order, regardless of the directories in
       which they live. However, files with identical filenames replace each
       other: files in /etc have the highest priority, and files in /run take
       precedence over files with the same name in /usr/lib. This can be used
       to override a system-supplied configuration file with a local file if
       needed. As a special case, an empty file (file size 0) or a symlink
       with the same name pointing to /dev/null disables the configuration
       file entirely (it is "masked").

       Along with the netdev file foo.netdev, a "drop-in" directory
       foo.netdev.d/ may exist. All files with the suffix ".conf" from this
       directory will be parsed after the file itself is parsed. This is
       useful to alter or add configuration settings without having to modify
       the main configuration file. Each drop-in file must have appropriate
       section headers.

       In addition to /etc/systemd/network, drop-in ".d" directories can be
       placed in the /usr/lib/systemd/network or /run/systemd/network
       directories. Drop-in files in /etc take precedence over those in /run,
       which in turn take precedence over those in /usr/lib. Drop-in files
       under any of these directories take precedence over the main netdev
       file wherever located. (Of course, since /run is temporary and
       /usr/lib is for vendors, it is unlikely drop-ins should be used in
       either of those places.)

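       The precedence, masking and drop-in rules above, worked through as an
       added shell example (this is not part of the systemd man page). The
       functions take the three directories as arguments so they can be run
       against copies; with no arguments the script resolves the live system
       directories.

```shell
#!/bin/sh
# Added example, not from the systemd man page: resolve which .netdev
# files systemd-networkd would load, following the rules documented in
# systemd.netdev(5): lexical order across all directories, /etc over /run
# over /usr/lib for identical names, and masking by an empty file or a
# symlink to /dev/null.  The three arguments stand in for
# /usr/lib/systemd/network, /run/systemd/network, /etc/systemd/network.

# is_masked FILE: true if FILE masks its name (size 0, or symlink to /dev/null).
is_masked() {
    f="$1"
    if [ -L "$f" ]; then
        [ "$(readlink "$f")" = "/dev/null" ] && return 0
    fi
    [ -f "$f" ] && [ ! -s "$f" ] && return 0
    return 1
}

# effective_netdevs LIBDIR RUNDIR ETCDIR: print "name<TAB>path" for every
# .netdev name that takes effect, in lexical order.  For a name present in
# several directories the copy in ETCDIR wins, then RUNDIR, then LIBDIR; if
# the winning copy is masked the name is dropped (reported on stderr).
effective_netdevs() {
    lib="$1"; run="$2"; etc="$3"
    for d in "$lib" "$run" "$etc"; do
        for f in "$d"/*.netdev; do
            [ -e "$f" ] || [ -L "$f" ] || continue
            basename "$f"
        done
    done | sort -u | while IFS= read -r name; do
        winner=""
        for d in "$etc" "$run" "$lib"; do
            if [ -e "$d/$name" ] || [ -L "$d/$name" ]; then
                winner="$d/$name"
                break
            fi
        done
        if is_masked "$winner"; then
            printf '%s\tMASKED by %s\n' "$name" "$winner" >&2
            continue
        fi
        printf '%s\t%s\n' "$name" "$winner"
    done
}

# dropins LIBDIR RUNDIR ETCDIR NAME: list the *.conf drop-ins that apply to
# NAME (e.g. br0.netdev), one winner per file name with the same ETC > RUN >
# LIB rule, in lexical order.  They are parsed after the main file.
dropins() {
    lib="$1"; run="$2"; etc="$3"; name="$4"
    for d in "$lib" "$run" "$etc"; do
        for f in "$d/$name.d"/*.conf; do
            [ -e "$f" ] || continue
            basename "$f"
        done
    done | sort -u | while IFS= read -r conf; do
        for d in "$etc" "$run" "$lib"; do
            if [ -e "$d/$name.d/$conf" ]; then
                printf '%s\n' "$d/$name.d/$conf"
                break
            fi
        done
    done
}

# With no arguments, resolve the live system directories.
if [ $# -eq 0 ]; then
    effective_netdevs /usr/lib/systemd/network /run/systemd/network /etc/systemd/network
else
    effective_netdevs "$@"
fi
```

       Pipe a name from the output into dropins with the same three
       directories to see which drop-in fragments will be layered on top of
       it.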

SUPPORTED NETDEV KINDS

       The following kinds of virtual network devices may be configured in
       .netdev files:

       Table 1. Supported kinds of virtual network devices
       ┌───────────┬────────────────────────────┐
       │ Kind      │ Description                │
       ├───────────┼────────────────────────────┤
       │ bond      │ A bond device is an        │
       │           │ aggregation of all its     │
       │           │ slave devices. See Linux   │
       │           │ Ethernet Bonding Driver    │
       │           │ HOWTO[1] for details.      │
       ├───────────┼────────────────────────────┤
       │ bridge    │ A bridge device is a       │
       │           │ software switch, and each  │
       │           │ of its slave devices and   │
       │           │ the bridge itself are      │
       │           │ ports of the switch.       │
       ├───────────┼────────────────────────────┤
       │ dummy     │ A dummy device drops all   │
       │           │ packets sent to it.        │
       ├───────────┼────────────────────────────┤
       │ gre       │ A Level 3 GRE tunnel over  │
       │           │ IPv4. See RFC 2784[2] for  │
       │           │ details.                   │
       ├───────────┼────────────────────────────┤
       │ gretap    │ A Level 2 GRE tunnel over  │
       │           │ IPv4.                      │
       ├───────────┼────────────────────────────┤
       │ ip6gre    │ A Level 3 GRE tunnel over  │
       │           │ IPv6.                      │
       ├───────────┼────────────────────────────┤
       │ ip6tnl    │ An IPv4 or IPv6 tunnel     │
       │           │ over IPv6.                 │
       ├───────────┼────────────────────────────┤
       │ ip6gretap │ A Level 2 GRE tunnel over  │
       │           │ IPv6.                      │
       ├───────────┼────────────────────────────┤
       │ ipip      │ An IPv4 over IPv4 tunnel.  │
       ├───────────┼────────────────────────────┤
       │ ipvlan    │ An ipvlan device is a      │
       │           │ stacked device which       │
       │           │ receives packets from its  │
       │           │ underlying device based on │
       │           │ IP address filtering.      │
       ├───────────┼────────────────────────────┤
       │ macvlan   │ A macvlan device is a      │
       │           │ stacked device which       │
       │           │ receives packets from its  │
       │           │ underlying device based on │
       │           │ MAC address filtering.     │
       ├───────────┼────────────────────────────┤
       │ macvtap   │ A macvtap device is a      │
       │           │ stacked device which       │
       │           │ receives packets from its  │
       │           │ underlying device based on │
       │           │ MAC address filtering.     │
       ├───────────┼────────────────────────────┤
       │ sit       │ An IPv6 over IPv4 tunnel.  │
       ├───────────┼────────────────────────────┤
       │ tap       │ A persistent Level 2       │
       │           │ tunnel between a network   │
       │           │ device and a device node.  │
       ├───────────┼────────────────────────────┤
       │ tun       │ A persistent Level 3       │
       │           │ tunnel between a network   │
       │           │ device and a device node.  │
       ├───────────┼────────────────────────────┤
       │ veth      │ An Ethernet tunnel between │
       │           │ a pair of network devices. │
       ├───────────┼────────────────────────────┤
       │ vlan      │ A VLAN is a stacked device │
       │           │ which receives packets     │
       │           │ from its underlying device │
       │           │ based on VLAN tagging. See │
       │           │ IEEE 802.1Q[3] for         │
       │           │ details.                   │
       ├───────────┼────────────────────────────┤
       │ vti       │ An IPv4 over IPSec tunnel. │
       ├───────────┼────────────────────────────┤
       │ vti6      │ An IPv6 over IPSec tunnel. │
       ├───────────┼────────────────────────────┤
       │ vxlan     │ A virtual extensible LAN   │
       │           │ (vxlan), for connecting    │
       │           │ Cloud computing            │
       │           │ deployments.               │
       ├───────────┼────────────────────────────┤
       │ geneve    │ A GEneric NEtwork          │
       │           │ Virtualization             │
       │           │ Encapsulation (GENEVE)     │
       │           │ netdev driver.             │
       ├───────────┼────────────────────────────┤
       │ vrf       │ A Virtual Routing and      │
       │           │ Forwarding (VRF[4])        │
       │           │ interface to create        │
       │           │ separate routing and       │
       │           │ forwarding domains.        │
       ├───────────┼────────────────────────────┤
       │ vcan      │ The virtual CAN driver     │
       │           │ (vcan). Similar to the     │
       │           │ network loopback devices,  │
       │           │ vcan offers a virtual      │
       │           │ local CAN interface.       │
       ├───────────┼────────────────────────────┤
       │ vxcan     │ The virtual CAN tunnel     │
       │           │ driver (vxcan). Similar to │
       │           │ the virtual ethernet       │
       │           │ driver veth, vxcan         │
       │           │ implements a local CAN     │
       │           │ traffic tunnel between two │
       │           │ virtual CAN network        │
       │           │ devices. When creating a   │
       │           │ vxcan, two vxcan devices   │
       │           │ are created as pair. When  │
       │           │ one end receives the       │
       │           │ packet it appears on its   │
       │           │ pair and vice versa. The   │
       │           │ vxcan can be used for      │
       │           │ cross namespace            │
       │           │ communication.             │
       ├───────────┼────────────────────────────┤
       │ wireguard │ WireGuard Secure Network   │
       │           │ Tunnel.                    │
       ├───────────┼────────────────────────────┤
       │ netdevsim │ A simulator. This          │
       │           │ simulated networking       │
       │           │ device is used for testing │
       │           │ various networking APIs    │
       │           │ and at this time is        │
       │           │ particularly focused on    │
       │           │ testing hardware           │
       │           │ offloading related         │
       │           │ interfaces.                │
       └───────────┴────────────────────────────┘


[MATCH] SECTION OPTIONS

       A virtual network device is only created if the "[Match]" section
       matches the current environment, or if the section is empty. The
       following keys are accepted:

       Host=
           Matches against the hostname or machine ID of the host. See
           "ConditionHost=" in systemd.unit(5) for details.

       Virtualization=
           Checks whether the system is executed in a virtualized environment
           and optionally tests whether it is a specific implementation. See
           "ConditionVirtualization=" in systemd.unit(5) for details.

       KernelCommandLine=
           Checks whether a specific kernel command line option is set (or,
           if prefixed with an exclamation mark, unset). See
           "ConditionKernelCommandLine=" in systemd.unit(5) for details.

       KernelVersion=
           Checks whether the kernel version (as reported by uname -r) matches
           a certain expression (or, if prefixed with an exclamation mark,
           does not match it). See "ConditionKernelVersion=" in
           systemd.unit(5) for details.

       Architecture=
           Checks whether the system is running on a specific architecture.
           See "ConditionArchitecture=" in systemd.unit(5) for details.


[NETDEV] SECTION OPTIONS

       The "[NetDev]" section accepts the following keys:

       Description=
           A free-form description of the netdev.

       Name=
           The interface name used when creating the netdev. This option is
           compulsory.

       Kind=
           The netdev kind. This option is compulsory. See the "Supported
           netdev kinds" section for the valid keys.

       MTUBytes=
           The maximum transmission unit in bytes to set for the device. The
           usual suffixes K, M, G, are supported and are understood to the
           base of 1024. This key is not currently supported for "tun" or
           "tap" devices.

       MACAddress=
           The MAC address to use for the device. If none is given, one is
           generated based on the interface name and the machine-id(5). This
           key is not currently supported for "tun" or "tap" devices.


[BRIDGE] SECTION OPTIONS

       The "[Bridge]" section only applies for netdevs of kind "bridge", and
       accepts the following keys:

       HelloTimeSec=
           HelloTimeSec specifies the number of seconds between two hello
           packets sent out by the root bridge and the designated bridges.
           Hello packets are used to communicate information about the
           topology throughout the entire bridged local area network.

       MaxAgeSec=
           MaxAgeSec specifies the number of seconds of maximum message age.
           If the last seen (received) hello packet is more than this number
           of seconds old, the bridge in question will start the takeover
           procedure in an attempt to become the Root Bridge itself.

       ForwardDelaySec=
           ForwardDelaySec specifies the number of seconds spent in each of
           the Listening and Learning states before the Forwarding state is
           entered.

       AgeingTimeSec=
           This specifies the number of seconds a MAC address will be kept in
           the forwarding database after a packet has been received from that
           MAC address.

       Priority=
           The priority of the bridge. An integer between 0 and 65535. A lower
           value means higher priority. The bridge having the lowest priority
           will be elected as root bridge.

       GroupForwardMask=
           A 16-bit bitmask represented as an integer which allows forwarding
           of link local frames with 802.1D reserved addresses
           (01:80:C2:00:00:0X). A logical AND is performed between the
           specified bitmask and 2^X, where X is the lower nibble of the last
           octet of the MAC address. For example, a value of 8 would allow
           forwarding of frames addressed to 01:80:C2:00:00:03 (802.1X PAE).

       DefaultPVID=
           This specifies the default port VLAN ID of a newly attached bridge
           port. Set this to an integer in the range 1–4094 or "none" to
           disable the PVID.

       MulticastQuerier=
           A boolean. This setting controls the IFLA_BR_MCAST_QUERIER option
           in the kernel. If enabled, the kernel will send general ICMP
           queries from a zero source address. This feature should allow
           faster convergence on startup, but it causes some multicast-aware
           switches to misbehave and disrupt forwarding of multicast packets.
           When unset, the kernel's default setting applies.

       MulticastSnooping=
           A boolean. This setting controls the IFLA_BR_MCAST_SNOOPING option
           in the kernel. If enabled, IGMP snooping monitors the Internet
           Group Management Protocol (IGMP) traffic between hosts and
           multicast routers. When unset, the kernel's default setting
           applies.

       VLANFiltering=
           A boolean. This setting controls the IFLA_BR_VLAN_FILTERING option
           in the kernel. If enabled, the bridge will be started in
           VLAN-filtering mode. When unset, the kernel's default setting
           applies.

       STP=
           A boolean. This enables the bridge's Spanning Tree Protocol (STP).
           When unset, the kernel's default setting applies.


[VLAN] SECTION OPTIONS

       The "[VLAN]" section only applies for netdevs of kind "vlan", and
       accepts the following keys:

       Id=
           The VLAN ID to use. An integer in the range 0–4094. This option is
           compulsory.

       GVRP=
           The Generic VLAN Registration Protocol (GVRP) is a protocol that
           allows automatic learning of VLANs on a network. A boolean. When
           unset, the kernel's default setting applies.

       MVRP=
           Multiple VLAN Registration Protocol (MVRP), formerly known as GARP
           VLAN Registration Protocol (GVRP), is a standards-based Layer 2
           network protocol for automatic configuration of VLAN information
           on switches. It was defined in the 802.1ak amendment to
           802.1Q-2005. A boolean. When unset, the kernel's default setting
           applies.

       LooseBinding=
           The VLAN loose binding mode, in which only the operational state is
           passed from the parent to the associated VLANs, but the VLAN device
           state is not changed. A boolean. When unset, the kernel's default
           setting applies.

       ReorderHeader=
           When the VLAN reorder header flag is set, VLAN interfaces behave
           like physical interfaces. A boolean. When unset, the kernel's
           default setting applies.


[MACVLAN] SECTION OPTIONS

       The "[MACVLAN]" section only applies for netdevs of kind "macvlan", and
       accepts the following key:

       Mode=
           The MACVLAN mode to use. The supported options are "private",
           "vepa", "bridge", and "passthru".


[MACVTAP] SECTION OPTIONS

       The "[MACVTAP]" section applies for netdevs of kind "macvtap" and
       accepts the same key as "[MACVLAN]".


[IPVLAN] SECTION OPTIONS

       The "[IPVLAN]" section only applies for netdevs of kind "ipvlan", and
       accepts the following keys:

       Mode=
           The IPVLAN mode to use. The supported options are "L2", "L3" and
           "L3S".

       Flags=
           The IPVLAN flags to use. The supported options are "bridge",
           "private" and "vepa".


[VXLAN] SECTION OPTIONS

       The "[VXLAN]" section only applies for netdevs of kind "vxlan", and
       accepts the following keys:

       Id=
           The VXLAN ID to use.

       Remote=
           Configures the destination IP address.

       Local=
           Configures the local IP address.

       TOS=
           The Type Of Service byte value for a vxlan interface.

       TTL=
           A fixed Time To Live N on Virtual eXtensible Local Area Network
           packets. N is a number in the range 1–255. 0 is a special value
           meaning that packets inherit the TTL value.

       MacLearning=
           A boolean. When true, enables dynamic MAC learning to discover
           remote MAC addresses.

       FDBAgeingSec=
           The lifetime of a Forwarding Database entry learnt by the kernel,
           in seconds.

       MaximumFDBEntries=
           Configures the maximum number of FDB entries.

       ReduceARPProxy=
           A boolean. When true, a bridge-connected VXLAN tunnel endpoint
           answers ARP requests from the local bridge on behalf of remote
           Distributed Overlay Virtual Ethernet (DOVE)[5] clients. Defaults to
           false.

       L2MissNotification=
           A boolean. When true, enables netlink LLADDR miss notifications.

       L3MissNotification=
           A boolean. When true, enables netlink IP address miss
           notifications.

       RouteShortCircuit=
           A boolean. When true, route short circuiting is turned on.

       UDPChecksum=
           A boolean. When true, transmitting UDP checksums when doing
           VXLAN/IPv4 is turned on.

       UDP6ZeroChecksumTx=
           A boolean. When true, sending zero checksums in VXLAN/IPv6 is
           turned on.

       UDP6ZeroChecksumRx=
           A boolean. When true, receiving zero checksums in VXLAN/IPv6 is
           turned on.

       RemoteChecksumTx=
           A boolean. When true, remote transmit checksum offload of VXLAN is
           turned on.

       RemoteChecksumRx=
           A boolean. When true, remote receive checksum offload in VXLAN is
           turned on.

       GroupPolicyExtension=
           A boolean. When true, it enables the Group Policy VXLAN extension,
           a security label mechanism across network peers based on VXLAN.
           For details about the Group Policy VXLAN, see the VXLAN Group
           Policy[6] document. Defaults to false.

       DestinationPort=
           Configures the default destination UDP port on a per-device basis.
           If the destination port is not specified, the Linux kernel default
           is used. Set the destination port to 4789 to get the IANA-assigned
           value. If not set or if the destination port is assigned the empty
           string, the default port of 4789 is used.

       PortRange=
           Configures the VXLAN port range. VXLAN selects the source UDP port
           based on the flow, so that the receiver is able to load balance on
           the outer header. The range is restricted to the normal UDP local
           ports, and can be overridden via configuration.

       FlowLabel=
           Specifies the flow label to use in outgoing packets. The valid
           range is 0–1048575.


[GENEVE] SECTION OPTIONS

       The "[GENEVE]" section only applies for netdevs of kind "geneve", and
       accepts the following keys:

       Id=
           Specifies the Virtual Network Identifier (VNI) to use. Ranges
           [0-16777215].

       Remote=
           Specifies the unicast destination IP address to use in outgoing
           packets.

       TOS=
           Specifies the TOS value to use in outgoing packets. Ranges [1-255].

       TTL=
           Specifies the TTL value to use in outgoing packets. Ranges [1-255].

       UDPChecksum=
           A boolean. When true, the UDP checksum is calculated for
           transmitted packets over IPv4.

       UDP6ZeroChecksumTx=
           A boolean. When true, skips the UDP checksum calculation for
           transmitted packets over IPv6.

       UDP6ZeroChecksumRx=
           A boolean. When true, allows incoming UDP packets over IPv6 with a
           zero checksum field.

       DestinationPort=
           Specifies the destination port. Defaults to 6081. If not set or
           assigned the empty string, the default port of 6081 is used.

       FlowLabel=
           Specifies the flow label to use in outgoing packets.


[TUNNEL] SECTION OPTIONS

       The "[Tunnel]" section only applies for netdevs of kind "ipip", "sit",
       "gre", "gretap", "ip6gre", "ip6gretap", "vti", "vti6", and "ip6tnl" and
       accepts the following keys:

       Local=
           A static local address for tunneled packets. It must be an address
           on another interface of this host.

       Remote=
           The remote endpoint of the tunnel.

       TOS=
           The Type Of Service byte value for a tunnel interface. For details
           about the TOS, see the Type of Service in the Internet Protocol
           Suite[7] document.

       TTL=
           A fixed Time To Live N on tunneled packets. N is a number in the
           range 1–255. 0 is a special value meaning that packets inherit the
           TTL value. The default value for IPv4 tunnels is: inherit. The
           default value for IPv6 tunnels is 64.

       DiscoverPathMTU=
           A boolean. When true, enables Path MTU Discovery on the tunnel.

       IPv6FlowLabel=
           Configures the 20-bit flow label (see RFC 6437[8]) field in the
           IPv6 header (see RFC 2460[9]), which is used by a node to label
           packets of a flow. It is only used for IPv6 tunnels. A flow label
           of zero is used to indicate packets that have not been labeled. It
           can be configured to a value in the range 0–0xFFFFF, or be set to
           "inherit", in which case the original flow label is used.

       CopyDSCP=
           A boolean. When true, the Differentiated Service Code Point (DSCP)
           field will be copied to the inner header from the outer header
           during the decapsulation of an IPv6 tunnel packet. DSCP is a field
           in an IP packet that enables different levels of service to be
           assigned to network traffic. Defaults to "no".

       EncapsulationLimit=
           The Tunnel Encapsulation Limit option specifies how many additional
           levels of encapsulation are permitted to be prepended to the
           packet. For example, a Tunnel Encapsulation Limit option containing
           a limit value of zero means that a packet carrying that option may
           not enter another tunnel before exiting the current tunnel (see
           RFC 2473[10]). The valid range is 0–255 and "none". Defaults to 4.

       Key=
           The Key= parameter specifies the same key to use in both directions
           (InputKey= and OutputKey=). The Key= is either a number or an IPv4
           address-like dotted quad. It is used as the mark of a
           mark-configured SAD/SPD entry, as part of the lookup key (both in
           the data and control path) in ip xfrm (the framework used to
           implement the IPsec protocol). See ip-xfrm — transform
           configuration[11] for details. It is only used for VTI/VTI6
           tunnels.

       InputKey=
           The InputKey= parameter specifies the key to use for input. The
           format is the same as Key=. It is only used for VTI/VTI6 tunnels.

       OutputKey=
           The OutputKey= parameter specifies the key to use for output. The
           format is the same as Key=. It is only used for VTI/VTI6 tunnels.

       Mode=
           An "ip6tnl" tunnel can be in one of three modes: "ip6ip6" for IPv6
           over IPv6, "ipip6" for IPv4 over IPv6, or "any" for either.

       Independent=
           A boolean. When true, the tunnel does not require a .network file.
           It is created as "tunnel@NONE". Defaults to "false".

       AllowLocalRemote=
           A boolean. When true, allows tunnel traffic on ip6tnl devices where
           the remote endpoint is a local host address. Defaults to unset.


[PEER] SECTION OPTIONS

       The "[Peer]" section only applies for netdevs of kind "veth" and
       accepts the following keys:

       Name=
           The interface name used when creating the netdev. This option is
           compulsory.

       MACAddress=
           The peer MAC address. If not set, it is generated in the same way
           as the MAC address of the main interface.


[VXCAN] SECTION OPTIONS

       The "[VXCAN]" section only applies for netdevs of kind "vxcan" and
       accepts the following key:

       Peer=
           The peer interface name used when creating the netdev. This option
           is compulsory.


[TUN] SECTION OPTIONS

       The "[Tun]" section only applies for netdevs of kind "tun", and accepts
       the following keys:

       OneQueue=
           Takes a boolean argument. Configures whether all packets are queued
           at the device (enabled), or a fixed number of packets are queued at
           the device and the rest at the "qdisc". Defaults to "no".

       MultiQueue=
           Takes a boolean argument. Configures whether to use multiple file
           descriptors (queues) to parallelize packet sending and receiving.
           Defaults to "no".

       PacketInfo=
           Takes a boolean argument. Configures whether packets should be
           prepended with four extra bytes (two flag bytes and two protocol
           bytes). If disabled, it indicates that the packets will be pure IP
           packets. Defaults to "no".

       VNetHeader=
           Takes a boolean argument. Configures the IFF_VNET_HDR flag for a
           tap device. It allows sending and receiving larger Generic
           Segmentation Offload (GSO) packets. This may increase throughput
           significantly. Defaults to "no".

       User=
           User to grant access to the /dev/net/tun device.

       Group=
           Group to grant access to the /dev/net/tun device.


[TAP] SECTION OPTIONS

       The "[Tap]" section only applies for netdevs of kind "tap", and accepts
       the same keys as the "[Tun]" section.


[WIREGUARD] SECTION OPTIONS

       The "[WireGuard]" section accepts the following keys:

       PrivateKey=
           The Base64 encoded private key for the interface. It can be
           generated using the wg genkey command (see wg(8)). This option is
           mandatory to use WireGuard. Note that because this information is
           secret, you may want to set the permissions of the .netdev file to
           be owned by "root:systemd-network" with a "0640" file mode.

       ListenPort=
           Sets the UDP port to listen on. Takes either a value between 1 and
           65535 or "auto". If "auto" is specified, the port is automatically
           generated based on the interface name. Defaults to "auto".

       FwMark=
           Sets a firewall mark on outgoing WireGuard packets from this
           interface.


[WIREGUARDPEER] SECTION OPTIONS

       The "[WireGuardPeer]" section accepts the following keys:

       PublicKey=
           Sets a Base64 encoded public key calculated by wg pubkey (see
           wg(8)) from a private key, and usually transmitted out of band to
           the author of the configuration file. This option is mandatory for
           this section.

       PresharedKey=
           Optional preshared key for the interface. It can be generated by
           the wg genpsk command. This option adds an additional layer of
           symmetric-key cryptography to be mixed into the already existing
           public-key cryptography, for post-quantum resistance. Note that
           because this information is secret, you may want to set the
           permissions of the .netdev file to be owned by
           "root:systemd-network" with a "0640" file mode.

       AllowedIPs=
           Sets a comma-separated list of IP (v4 or v6) addresses with CIDR
           masks from which this peer is allowed to send incoming traffic and
           to which outgoing traffic for this peer is directed. The catch-all
           0.0.0.0/0 may be specified for matching all IPv4 addresses, and
           ::/0 may be specified for matching all IPv6 addresses.

       Endpoint=
           Sets an endpoint IP address or hostname, followed by a colon, and
           then a port number. This endpoint will be updated automatically
           once to the most recent source IP address and port of correctly
           authenticated packets from the peer at configuration time.

       PersistentKeepalive=
           Sets an interval in seconds, between 1 and 65535 inclusive, of how
           often to send an authenticated empty packet to the peer for the
           purpose of keeping a stateful firewall or NAT mapping valid
           persistently. For example, if the interface very rarely sends
           traffic, but it might at any time receive traffic from a peer, and
           it is behind NAT, the interface might benefit from having a
           persistent keepalive interval of 25 seconds. If set to 0 or "off",
           this option is disabled. By default or when unspecified, this
           option is off. Most users will not need this.

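       The PrivateKey= and PresharedKey= notes above recommend that a .netdev
       file carrying either key be owned by root:systemd-network with mode
       0640. The following added shell example (not part of the systemd man
       page) audits a network directory for files that contain one of these
       keys and do not meet that policy; the key values in its constructed
       test input are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the systemd man page: find .netdev files (and
# their *.conf drop-ins) that carry a WireGuard PrivateKey= or PresharedKey=
# and are not protected as systemd.netdev(5) advises (root:systemd-network,
# mode 0640).  Uses GNU stat -c.
#
# audit_netdev_secrets DIR [OWNER] [GROUP]
#   Prints "file: reason ..." for each offending file and returns 1 if any
#   was found, 0 if the directory is clean, so it can gate a deployment.
#   OWNER/GROUP default to the values recommended by the man page; they can
#   be overridden, e.g. for a staging copy owned by the current user.
audit_netdev_secrets() {
    dir="$1"; owner="${2:-root}"; group="${3:-systemd-network}"
    status=0
    for f in "$dir"/*.netdev "$dir"/*.netdev.d/*.conf; do
        [ -f "$f" ] || continue
        # Only files that actually carry a secret are held to the policy;
        # a bridge or VLAN .netdev may stay world-readable.
        grep -Eq '^[[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=' "$f" || continue
        mode=$(stat -c '%a' "$f")
        fowner=$(stat -c '%U' "$f")
        fgroup=$(stat -c '%G' "$f")
        reasons=""
        # "other" bits must all be clear (the 0 in 0640) ...
        [ $(( 0$mode & 07 )) -eq 0 ]        || reasons="$reasons other-readable"
        # ... and the group may read but not write or execute (the 4 in 0640).
        [ $(( (0$mode >> 3) & 03 )) -eq 0 ] || reasons="$reasons group-writable-or-exec"
        [ "$fowner" = "$owner" ]            || reasons="$reasons owner=$fowner"
        [ "$fgroup" = "$group" ]            || reasons="$reasons group=$fgroup"
        if [ -n "$reasons" ]; then
            printf '%s:%s\n' "$f" "$reasons"
            status=1
        fi
    done
    return $status
}

# Usage: sh audit-netdev-secrets.sh /etc/systemd/network [OWNER [GROUP]]
if [ $# -gt 0 ]; then
    audit_netdev_secrets "$@"
fi
```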

[BOND] SECTION OPTIONS

       The "[Bond]" section accepts the following keys:

       Mode=
           Specifies one of the bonding policies. The default is "balance-rr"
           (round robin). Possible values are "balance-rr", "active-backup",
           "balance-xor", "broadcast", "802.3ad", "balance-tlb", and
           "balance-alb".

       TransmitHashPolicy=
           Selects the transmit hash policy to use for slave selection in
           balance-xor, 802.3ad, and tlb modes. Possible values are "layer2",
           "layer3+4", "layer2+3", "encap2+3", and "encap3+4".

       LACPTransmitRate=
           Specifies the rate at which the link partner transmits Link
           Aggregation Control Protocol Data Unit (LACPDU) packets in 802.3ad
           mode. Possible values are "slow", which requests the partner to
           transmit LACPDUs every 30 seconds, and "fast", which requests the
           partner to transmit LACPDUs every second. The default value is
           "slow".

       MIIMonitorSec=
           Specifies how often Media Independent Interface (MII) link
           monitoring occurs. A value of zero disables MII link monitoring.
           This value is rounded down to the nearest millisecond. The default
           value is 0.

       UpDelaySec=
           Specifies the delay before a link is enabled after a link up status
           has been detected. This value is rounded down to a multiple of
           MIIMonitorSec. The default value is 0.

       DownDelaySec=
           Specifies the delay before a link is disabled after a link down
           status has been detected. This value is rounded down to a multiple
           of MIIMonitorSec. The default value is 0.

       LearnPacketIntervalSec=
           Specifies the number of seconds between instances where the bonding
           driver sends learning packets to each slave's peer switch. The
           valid range is 1–0x7fffffff; the default value is 1. This option
           has an effect only for the balance-tlb and balance-alb modes.

       AdSelect=
           Specifies the 802.3ad aggregation selection logic to use. Possible
           values are "stable", "bandwidth" and "count".

       FailOverMACPolicy=
           Specifies whether the active-backup mode should set all slaves to
           the same MAC address at the time of enslavement or, when enabled,
           perform special handling of the bond's MAC address in accordance
           with the selected policy. The default policy is none. Possible
           values are "none", "active" and "follow".

       ARPValidate=
           Specifies whether or not ARP probes and replies should be validated
           in any mode that supports ARP monitoring, or whether non-ARP
           traffic should be filtered (disregarded) for link monitoring
           purposes. Possible values are "none", "active", "backup" and "all".

       ARPIntervalSec=
           Specifies the ARP link monitoring frequency in milliseconds. A
           value of 0 disables ARP monitoring. The default value is 0.

       ARPIPTargets=
           Specifies the IP addresses to use as ARP monitoring peers when
           ARPIntervalSec is greater than 0. These are the targets of the ARP
           requests sent to determine the health of the link to the targets.
           Specify these values in IPv4 dotted decimal format. At least one IP
           address must be given for ARP monitoring to function. The maximum
           number of targets that can be specified is 16. The default value is
           no IP addresses.

       ARPAllTargets=
           Specifies the quantity of ARPIPTargets that must be reachable in
           order for the ARP monitor to consider a slave as being up. This
           option affects only active-backup mode for slaves with ARPValidate
           enabled. Possible values are "any" and "all".

       PrimaryReselectPolicy=
           Specifies the reselection policy for the primary slave. This
           affects how the primary slave is chosen to become the active slave
           when failure of the active slave or recovery of the primary slave
           occurs. This option is designed to prevent flip-flopping between
           the primary slave and other slaves. Possible values are "always",
           "better" and "failure".

       ResendIGMP=
           Specifies the number of IGMP membership reports to be issued after
           a failover event. One membership report is issued immediately after
           the failover; subsequent reports are sent at 200 ms intervals. The
           valid range is 0–255. Defaults to 1. A value of 0 prevents any IGMP
           membership report from being issued in response to the failover
           event.

       PacketsPerSlave=
           Specifies the number of packets to transmit through a slave before
           moving to the next one. When set to 0, a slave is chosen at random.
           The valid range is 0–65535. Defaults to 1. This option only has an
           effect in balance-rr mode.

       GratuitousARP=
           Specifies the number of peer notifications (gratuitous ARPs and
           unsolicited IPv6 Neighbor Advertisements) to be issued after a
           failover event. As soon as the link is up on the new slave, a peer
           notification is sent on the bonding device and each VLAN
           sub-device. This is repeated at each link monitor interval
           (ARPIntervalSec or MIIMonitorSec, whichever is active) if the
           number is greater than 1. The valid range is 0–255. The default
           value is 1. This option affects only the active-backup mode.

       AllSlavesActive=
           A boolean. Specifies whether duplicate frames (received on inactive
           ports) should be dropped (false) or delivered (true). Normally,
           bonding drops duplicate frames received on inactive ports, which is
           desirable for most users, but there are situations in which
           delivering them is useful. The default value is false (drop
           duplicate frames received on inactive ports).

       MinLinks=
           Specifies the minimum number of links that must be active before
           asserting carrier. The default value is 0.

       For more detailed information, see the Linux Ethernet Bonding Driver
       HOWTO[1].


EXAMPLE

       Example 1. /etc/systemd/network/25-bridge.netdev

           [NetDev]
           Name=bridge0
           Kind=bridge

       Example 2. /etc/systemd/network/25-vlan1.netdev

           [Match]
           Virtualization=no

           [NetDev]
           Name=vlan1
           Kind=vlan

           [VLAN]
           Id=1

       Example 3. /etc/systemd/network/25-ipip.netdev

           [NetDev]
           Name=ipip-tun
           Kind=ipip
           MTUBytes=1480

           [Tunnel]
           Local=192.168.223.238
           Remote=192.169.224.239
           TTL=64

       Example 4. /etc/systemd/network/25-tap.netdev

           [NetDev]
           Name=tap-test
           Kind=tap

           [Tap]
           MultiQueue=true
           PacketInfo=true

       Example 5. /etc/systemd/network/25-sit.netdev

           [NetDev]
           Name=sit-tun
           Kind=sit
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 6. /etc/systemd/network/25-gre.netdev

           [NetDev]
           Name=gre-tun
           Kind=gre
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 7. /etc/systemd/network/25-vti.netdev

           [NetDev]
           Name=vti-tun
           Kind=vti
           MTUBytes=1480

           [Tunnel]
           Local=10.65.223.238
           Remote=10.65.223.239

       Example 8. /etc/systemd/network/25-veth.netdev

           [NetDev]
           Name=veth-test
           Kind=veth

           [Peer]
           Name=veth-peer

       Example 9. /etc/systemd/network/25-bond.netdev

           [NetDev]
           Name=bond1
           Kind=bond

           [Bond]
           Mode=802.3ad
           TransmitHashPolicy=layer3+4
           MIIMonitorSec=1s
           LACPTransmitRate=fast

       Example 10. /etc/systemd/network/25-dummy.netdev

           [NetDev]
           Name=dummy-test
           Kind=dummy
           MACAddress=12:34:56:78:9a:bc

       Example 11. /etc/systemd/network/25-vrf.netdev

       Create a VRF interface with table 42.

           [NetDev]
           Name=vrf-test
           Kind=vrf

           [VRF]
           Table=42

       Example 12. /etc/systemd/network/25-macvtap.netdev

       Create a MacVTap device.

           [NetDev]
           Name=macvtap-test
           Kind=macvtap

       Example 13. /etc/systemd/network/25-wireguard.netdev

           [NetDev]
           Name=wg0
           Kind=wireguard

           [WireGuard]
           PrivateKey=EEGlnEPYJV//kbvvIqxKkQwOiS+UENyPncC4bF46ong=
           ListenPort=51820

           [WireGuardPeer]
           PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
           AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
           Endpoint=wireguard.example.com:51820


SEE ALSO

       systemd(1), systemd-networkd(8), systemd.link(5), systemd.network(5)


NOTES

        1. Linux Ethernet Bonding Driver HOWTO
           https://www.kernel.org/doc/Documentation/networking/bonding.txt

        2. RFC 2784
           https://tools.ietf.org/html/rfc2784

        3. IEEE 802.1Q
           http://www.ieee802.org/1/pages/802.1Q.html

        4. VRF
           https://www.kernel.org/doc/Documentation/networking/vrf.txt

        5. Distributed Overlay Virtual Ethernet (DOVE)
           https://en.wikipedia.org/wiki/Distributed_Overlay_Virtual_Ethernet

        6. VXLAN Group Policy
           https://tools.ietf.org/html/draft-smith-vxlan-group-policy

        7. Type of Service in the Internet Protocol Suite
           http://tools.ietf.org/html/rfc1349

        8. RFC 6437
           https://tools.ietf.org/html/rfc6437

        9. RFC 2460
           https://tools.ietf.org/html/rfc2460

       10. RFC 2473
           https://tools.ietf.org/html/rfc2473#section-4.1.1

       11. ip-xfrm — transform configuration
           http://man7.org/linux/man-pages/man8/ip-xfrm.8.html



systemd 239                                                  SYSTEMD.NETDEV(5)